/var/log/messages weird entries

blizunt7 · 10-25-2005, 07:27 PM

Hey all,
Got 2 questions both deal with /var/log/messages

A) I have entries every hour from root, saying a crond is openeing a sessions for root by root, and then at the exact same time, crond is closing the session

Code:

Oct 23 17:01:01 localhost crond(pam_unix)[5913]: session opened for user root by
(uid=0)
Oct 23 17:01:01 localhost crond(pam_unix)[5913]: session closed for user root

Why is this happening?? There are no crontab jobs for root.

B) I also have entries from annonymous users, obviously trying to hack any machine they can. Is there a way to sto this from happening (Aside from blocking all IPs)??

Thanks so much!!!

Josh

solveit · 10-25-2005, 08:07 PM

How do the entries from anonymous users look ?

blizunt7 · 11-01-2005, 11:47 AM

Sorry for the long wait, had other server issues:
Annonymouns user entried look like this:

Code:

Oct 30 21:20:15 localhost sshd(pam_unix)[3697]: authentication failure; logname= uid=0 euid
=0 tty=ssh ruser= rhost=211.61.138.34  user=root

and then there are some that look like this, almost the same:

Code:

Oct 30 21:23:12 localhost sshd(pam_unix)[3795]: check pass; user unknown
Oct 30 21:23:12 localhost sshd(pam_unix)[3795]: authentication failure; logname= uid=0 euid
=0 tty=ssh ruser= rhost=211.61.138.34

does anyone know how to prevent this from happening, without simply blocking this specific IP?

THanks

solveit · 11-01-2005, 02:46 PM

Add a line like this in /etc/ssh/sshd_config :

AllowUsers user1 user2

Try "man sshd_config" for details.

blizunt7 · 11-01-2005, 05:50 PM

Yes thats great.
I have already implemented this security measure.

THanks

blizunt7 · 11-01-2005, 05:56 PM

Yes thats great.
I have already implemented this security measure.

THanks