This is.... odd.
We're seeing a *lot* of sshd[8400]: Timeout, client not responding. So I'm trying to find out whose client is having issues. Trying to figure that, after processes are gone, I tried looking in lastlog, which is where it gets odd. lastlog shows root coming in, and it shows a security account coming in... years ago.
I see one of our users logging in a goodly number of times... but lastlog doesn't show him. I just logged in as myself, no password, using keys... and lastlog doesn't show me, or my manager, or anyone else.
Does anyone have any idea why lastlog's not recording *all* logins?
mark
On Tue, Jan 30, 2018 at 12:26 PM, m.roth@5-cent.us wrote:
This is.... odd.
We're seeing a *lot* of sshd[8400]: Timeout, client not responding. So I'm trying to find out whose client is having issues. Trying to figure that, after processes are gone, I tried looking in lastlog, which is where it gets odd. lastlog shows root coming in, and it shows a security account coming in... years ago.
I see one of our users logging in a goodly number of times... but lastlog doesn't show him. I just logged in as myself, no password, using keys... and lastlog doesn't show me, or my manager, or anyone else.
Does anyone have any idea why lastlog's not recording *all* logins?
You can look at /var/log/audit/audit.log to see more detail than what last shows. A nice tip is to pipe the output through another tool to convert the timestamps to human readable date and time.
tail -f /var/log/audit/audit.log | ausearch -i
or
tail -f /var/log/audit/audit.log | perl -pe 's/(\d+)/localtime($1)/e'
via https://serverfault.com/questions/327846/convert-selinux-log-date-format-fro...
On 30 January 2018 at 13:40, Jon Pruente jpruente@riskanalytics.com wrote:
On Tue, Jan 30, 2018 at 12:26 PM, m.roth@5-cent.us wrote:
This is.... odd.
We're seeing a *lot* of sshd[8400]: Timeout, client not responding. So I'm trying to find out whose client is having issues. Trying to figure that, after processes are gone, I tried looking in lastlog, which is where it gets odd. lastlog shows root coming in, and it shows a security account coming in... years ago.
I see one of our users logging in a goodly number of times... but lastlog doesn't show him. I just logged in as myself, no password, using keys... and lastlog doesn't show me, or my manager, or anyone else.
Does anyone have any idea why lastlog's not recording *all* logins?
You can look at /var/log/audit/audit.log to see more detail than what last shows. A nice tip is to pipe the output through another tool to convert the timestamps to human readable date and time.
tail -f /var/log/audit/audit.log | ausearch -i
or
tail -f /var/log/audit/audit.log | perl -pe 's/(\d+)/localtime($1)/e'
Also check that /var/log/wtmp is set up correctly
[smooge@smoogen-laptop ~]$ ls -lZ /var/log/wtmp
-rw-rw-r--. root utmp system_u:object_r:wtmp_t:s0 /var/log/wtmp
[smooge@smoogen-laptop ~]$ ls -l /var/log/wtmp
-rw-rw-r--. 1 root utmp 116352 2018-01-30 13:55 /var/log/wtmp
Sometimes wtmp gets rotated at the beginning of the year so there is usually another file like /var/log/wtmp-20180117 or something.
via https://serverfault.com/questions/327846/convert-selinux-log-date-format-from-epoch-to-normal
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
On Tue, Jan 30, 2018 at 3:26 PM, m.roth@5-cent.us wrote:
This is.... odd.
We're seeing a *lot* of sshd[8400]: Timeout, client not responding.
Is it possible you are testing ssh availability from nagios, monit, or some other software that connects to the port 22 without logging in?
-- Marcelo
"Could it be that this modern life has more of the modern in it than of life?" (Mafalda)
Marcelo Roccasalva wrote:
On Tue, Jan 30, 2018 at 3:26 PM, m.roth@5-cent.us wrote:
This is.... odd.
We're seeing a *lot* of sshd[8400]: Timeout, client not responding.
Is it possible you are testing ssh availability from nagios, monit, or some other software that connects to the port 22 without logging in?
Ok, I guess I wasn't clear. First, selinux is in permissive mode. Second, I, my manager, and another user have all logged into the server. Yet lastlog | grep -v Never shows only root and the years-old security account. It doesn't show any of us.
mark
Interesting. lastlog was always my go-to. However, at least in C6, last gets it, while lastlog does not.
How odd.
mark
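The mismatch reported above (last sees the logins, lastlog does not) can be checked mechanically by reading both files and listing users whose newest wtmp login is absent from lastlog. This is an added example, not part of the thread; it assumes the glibc x86_64 record layouts, and the accounts, UIDs, timestamps and addresses are constructed sample data.

```python
import struct

# Assumed record layouts: glibc on x86_64 Linux.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")  # one wtmp record, 384 bytes
LASTLOG = struct.Struct("<i32s256s")                 # one lastlog slot, 292 bytes, indexed by UID
USER_PROCESS = 7                                     # ut_type of an interactive login
SLACK = 60                                           # tolerated seconds between the two writes

def wtmp_logins(data):
    """Return {user: newest login epoch} from raw wtmp bytes."""
    newest = {}
    usable = len(data) - len(data) % UTMP.size       # skip a truncated trailing record
    for off in range(0, usable, UTMP.size):
        rec = UTMP.unpack_from(data, off)
        if rec[0] != USER_PROCESS:
            continue
        user = rec[4].split(b"\0", 1)[0].decode("utf-8", "replace")
        newest[user] = max(newest.get(user, 0), rec[9])  # rec[9] is ut_tv.tv_sec
    return newest

def lastlog_time(data, uid):
    """Return the epoch in the lastlog slot for uid, 0 if never set or absent."""
    off = uid * LASTLOG.size
    if off + LASTLOG.size > len(data):
        return 0
    return LASTLOG.unpack_from(data, off)[0]

def missing_from_lastlog(wtmp, lastlog, uids):
    """List (user, wtmp_epoch) where wtmp has a login that lastlog lacks."""
    gaps = []
    for user, when in sorted(wtmp_logins(wtmp).items()):
        if user in uids and lastlog_time(lastlog, uids[user]) < when - SLACK:
            gaps.append((user, when))
    return gaps

def _ut(ut_type, user, ts):
    # Build one constructed wtmp record (pid, tty and host are made up).
    return UTMP.pack(ut_type, 4242, b"pts/0", b"", user, b"192.0.2.10",
                     0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

# Constructed sample data: three logins in wtmp, only root present in lastlog.
SAMPLE_UIDS = {"root": 0, "alice": 1000, "bob": 1001}
SAMPLE_WTMP = (_ut(7, b"root", 1517330000) + _ut(7, b"alice", 1517337000)
               + _ut(8, b"", 1517337500) + _ut(7, b"bob", 1517338000))
SAMPLE_LASTLOG = bytearray(LASTLOG.size * 1002)
LASTLOG.pack_into(SAMPLE_LASTLOG, 0, 1517330000, b"pts/0", b"192.0.2.10")

if __name__ == "__main__":
    for user, when in missing_from_lastlog(SAMPLE_WTMP, SAMPLE_LASTLOG, SAMPLE_UIDS):
        print(f"{user}: in wtmp at {when}, not in lastlog")
```

On a real host, pass the bytes of /var/log/wtmp and /var/log/lastlog and build the UID map from pwd.getpwall().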
On 01/30/18 16:21, m.roth@5-cent.us wrote:
Interesting. lastlog was always my go-to. However, at least in C6, last gets it, while lastlog does not.
How odd.
Did you check /var/log/secure ?
last command not mentioning logged in users will raise a very big red flag for me. I also would check for something benign, like full filesystem. And hard drive errors. But the very first thing I would do: check the integrity of your box - whichever host integrity tool you use...
Good luck.
Valeri
mark