[CentOS] odd entries in logwatch
James B. Byrne
ByrneJB at Harte-Lyne.ca
Wed Mar 22 14:03:25 UTC 2006
I am concerned about these entries reported this morning in the
logwatch from one of our servers running CentOS4-2. Before I
invest a lot of time and effort tracking this down I wonder if
anyone here recognizes what is going on and why these entries
exist.
These are sealed servers with no local user accounts beyond those
needed by system and application software. Login authentication is
primarily by SSL certificate, however ssh password logins for
certain backdoor accounts are enabled as a fallback. There are no
records of unexpected logins via ssh or by userids not customarily
associated with routine maintenance. Telnet is disabled. Only
anonymous ftp is permitted and that service is provided by
vsftpd. The only thing that I can bring to mind that might account
for these records internally is that yesterday we ran "yum update"
on this machine. Might the update account for this trace?
> Changed users GID: mailman: 41 -> 41
>
> **Unmatched Entries**
> usermod[25137]: change user `mailman' shell from `/sbin/nologin'
> to `/sbin/nologin'
> usermod[25150]: change user `gdm' shell from `/sbin/nologin' to
> `/sbin/nologin'
... much sendmail stuff
-------------------- SSHD Begin ------------------------
SSHD Killed: 2 Time(s)
SSHD Started: 2 Time(s)
Failed to bind:
0.0.0.0 port 22 (Address already in use) : 2 Time(s)
Users logging in through sshd:
xxxxxxx:
inet05.hamilton.harte-lyne.ca (216.185.71.25): 1 time
---------------------- SSHD End -------------------------
--------------------- vsftpd-messages Begin ------------------------
Failed FTP Logins:
(81.57.169.170): anonymous - 9 Time(s)
(83.170.32.48): anonymous - 7 Time(s)
(80.194.231.91): anonymous - 9 Time(s)
---------------------- vsftpd-messages End -------------------------
Please note that I am a digest subscriber, so that the favour of a
direct copy of your reply would be greatly appreciated.
Regards,
Jim
--
*** e-mail is not a secure channel ***
mailto:byrnejb.<token>@harte-lyne.ca
James B. Byrne Harte & Lyne Limited
vox: +1 905 561 1241 9 Brockley Drive
fax: +1 905 561 0757 Hamilton, Ontario
<token> = hal Canada L8E 3C3
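
Added example, not part of the original message: a small Python triage for usermod records like the ones quoted above, separating entries whose old and new values are identical from those that actually change an account. The sample log lines, host name and timestamps are constructed, and the raw syslog layout is an assumption modelled on the logwatch excerpt.

```python
import re

# Constructed sample in the style of /var/log/secure. The first two records
# mirror the logwatch entries in the message; the rest are invented, and the
# raw "GID from ... to ..." layout is an assumption.
SAMPLE_LOG = """\
Mar 21 16:02:11 host usermod[25137]: change user `mailman' shell from `/sbin/nologin' to `/sbin/nologin'
Mar 21 16:02:14 host usermod[25150]: change user `gdm' shell from `/sbin/nologin' to `/sbin/nologin'
Mar 21 16:02:11 host usermod[25136]: change user `mailman' GID from `41' to `41'
Mar 21 23:40:02 host usermod[26001]: change user `ftp' shell from `/sbin/nologin' to `/bin/bash'
Mar 21 23:41:00 host sshd[26010]: Accepted password for xxxxxxx from 192.0.2.10 port 4022 ssh2
"""

# usermod[PID]: change user `NAME' FIELD from `OLD' to `NEW'
# Quote characters vary, so accept a backtick or apostrophe on either side.
USERMOD_RE = re.compile(
    r"usermod\[(?P<pid>\d+)\]:\s+change user [`'](?P<user>[^`']+)[`']\s+"
    r"(?P<field>\S+)\s+from\s+[`'](?P<old>[^`']*)[`']\s+to\s+[`'](?P<new>[^`']*)[`']"
)


def triage_usermod(text):
    """Split usermod change records into no-op rewrites and real changes."""
    noop, changed = [], []
    # Drop mail quote markers and rejoin wrapped lines, so a report pasted
    # from an e-mail (records broken across "> " lines) still matches.
    flat = " ".join(" ".join(ln.lstrip("> \t") for ln in text.splitlines()).split())
    for m in USERMOD_RE.finditer(flat):
        rec = (m["user"], m["field"], m["old"], m["new"])
        (noop if m["old"] == m["new"] else changed).append(rec)
    return noop, changed


if __name__ == "__main__":
    noop, changed = triage_usermod(SAMPLE_LOG)
    for user, field, old, new in noop:
        print(f"no-op   {user:8} {field}: {old} (unchanged)")
    for user, field, old, new in changed:
        print(f"CHANGED {user:8} {field}: {old} -> {new}")
```

Records in the no-op list rewrite a field to the value it already had; anything in the changed list is an actual account modification and is the part to follow up.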