I am concerned about these entries reported this morning in the logwatch from one of our servers running CentOS4-2. Before I invest a lot of time and effort tracking this down I wonder if anyone here recognizes what is going on and why these entries exist.
These are sealed servers with no local user accounts beyond those needed by system and application software. Login authentication is primarily by SSL certificate; however, ssh password logins for certain backdoor accounts are enabled as a fallback. There are no records of unexpected logins via ssh or by userids not customarily associated with routine maintenance. Telnet is disabled. Only anonymous ftp is permitted and that service is provided by vsftpd. The only thing that I can bring to mind that might account for these records internally is that yesterday we ran "yum update" on this machine. Might the update account for this trace?
Changed users GID: mailman: 41 -> 41
**Unmatched Entries**
usermod[25137]: change user `mailman' shell from `/sbin/nologin' to `/sbin/nologin'
usermod[25150]: change user `gdm' shell from `/sbin/nologin' to `/sbin/nologin'
... much sendmail stuff
-------------------- SSHD Begin ------------------------
SSHD Killed: 2 Time(s)
SSHD Started: 2 Time(s)
Failed to bind: 0.0.0.0 port 22 (Address already in use) : 2 Time(s)
Users logging in through sshd:
   xxxxxxx:
      inet05.hamilton.harte-lyne.ca (216.185.71.25): 1 time
---------------------- SSHD End -------------------------
--------------------- vsftpd-messages Begin ------------------------
Failed FTP Logins:
   (81.57.169.170): anonymous - 9 Time(s)
   (83.170.32.48): anonymous - 7 Time(s)
   (80.194.231.91): anonymous - 9 Time(s)
---------------------- vsftpd-messages End -------------------------
Please note that I am a digest subscriber, so that the favour of a direct copy of your reply would be greatly appreciated.
Regards, Jim
--
*** e-mail is not a secure channel ***
mailto:byrnejb.<token>@harte-lyne.ca
James B. Byrne          Harte & Lyne Limited
vox: +1 905 561 1241    9 Brockley Drive
fax: +1 905 561 0757    Hamilton, Ontario
<token> = hal           Canada L8E 3C3