The Community Forums


root log file

Discussion in 'General Discussion' started by web3k, Mar 16, 2006.

  1. web3k

    web3k Registered

    Mar 11, 2006
    I am new to cPanel, and am still using the 15-day trial, but I have several questions about the log file root sends me every day.

    First of all, here is an excerpt of my log; I replaced the user domain name with the word DOMAIN, but otherwise these are from my actual log.

    Can anyone explain this to me in layman's terms?

    My server has officially been up since 9 March 06.

    --------------------- pam_unix Begin ------------------------
    Authentication Failures:
    unknown ( 2782 Time(s)
    root ( 223 Time(s)
    mysql ( 20 Time(s)
    postgres ( 16 Time(s)
    news ( 14 Time(s)
    apache ( 9 Time(s)
    bin ( 9 Time(s)
    root ( 8 Time(s)
    rpm ( 8 Time(s)
    nobody ( 7 Time(s)
    squid ( 7 Time(s)
    mail ( 6 Time(s)
    postfix ( 6 Time(s)
    ftp ( 5 Time(s)
    games ( 5 Time(s)
    lp ( 5 Time(s)
    mailman ( 5 Time(s)
    sshd ( 5 Time(s)
    adm ( 4 Time(s)
    ntp ( 4 Time(s)
    operator ( 4 Time(s)
    daemon ( 3 Time(s)
    halt ( 3 Time(s)
    mailnull ( 3 Time(s)
    named ( 3 Time(s)
    nscd ( 3 Time(s)
    rpcuser ( 3 Time(s)
    shutdown ( 3 Time(s)
    smmsp ( 3 Time(s)
    sync ( 3 Time(s)
    xfs ( 3 Time(s)
    gopher ( 2 Time(s)
    nfsnobody ( 2 Time(s)
    pcap ( 2 Time(s)
    rpc ( 2 Time(s)
    uucp ( 2 Time(s)
    cpanel ( 1 Time(s)
    Invalid Users:
    Unknown Account: 2782 Time(s)
    ---------------------- pam_unix End -------------------------

    --------------------- Connections (secure-log) Begin ------------------------

    **Unmatched Entries**
    Cp-Wrap[15299]: Pushing "32003 RESELLERSUSERS DOMAIN " to '/usr/local/cpanel/bin/reselleradmin' for UID: 32003
    Cp-Wrap[15299]: CP-Wrapper terminated without error
    Cp-Wrap[11597]: Pushing "32006 LISTDBS" to '/usr/local/cpanel/bin/postgresadmin' for UID: 32006
    Cp-Wrap[11597]: CP-Wrapper terminated without error
    Cp-Wrap[11601]: Pushing "32006 GETDISK" to '/usr/local/cpanel/bin/mysqladmin' for UID: 32006
    Cp-Wrap[11601]: CP-Wrapper terminated without error

    Over 100 other cp-wrap entries.....

    ---------------------- Connections (secure-log) End -------------------------

    --------------------- SSHD Begin ------------------------

    Failed logins from these: 8 times 403 times

    Illegal users from these: 2782 times

    ---------------------- SSHD End -------------------------
  2. webignition

    webignition Well-Known Member

    Jan 22, 2005
    The sshd authentication failures are something you should keep an eye on.

    The top-most section lists the unix users for which SSH authentication failed, and the number of failed attempts.

    The vast majority of these, if not all, will be 'people' trying to establish an SSH connection by using known standard usernames and selections of common or random passwords.

    I say 'people' as ultimately a person will be responsible however the actual commands will most likely be issued by a script or program.

    You should be concerned, as if there is nothing to protect your server against such brute-force attacks, someone might eventually compromise your machine by getting a password right.

    A good suggestion is to install APF and BFD. APF is an iptables-based firewall and, whilst useful on its own, in this context it is required for BFD to work effectively.

    BFD, brute force detector, is a cron-operated script that runs every X minutes and checks certain logs for certain errors. In practice this means it can spot brute force attacks. It can then issue a command via APF to block the relevant IP address.

    Furthermore, you might want to check the users listed under the ssh failed authentication list and remove those of no use to your server - a few may have been created by default by the OS and may be of no use on a cPanel server. The fewer unix users there are, particularly common ones, the fewer usernames someone has with which to launch a brute force attack.

    To mitigate the chances of a brute force attack being successful, you should always ensure that all user passwords are strong - at least 8 characters and a combination of uppercase and lowercase characters and numbers and, preferably, special characters (!"£$%^&* etc).

    If at all possible, do not let users reset their cPanel passwords - I simply tell mine that for security reasons this is not an option. I explain to users that whilst they might pick a decent password (so that they don't think I'm singling them out), others might not. This seems to satisfy the majority and I'm happy with that.

    For more details on APF, BFD and other security concerns, take a look at the thread A Beginner's Guide to Securing Your Server
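
What a BFD-style checker actually does with the secure log, as an added example (this is not BFD's code, nor anything from the thread): it parses sshd's "Failed password for ... from IP" lines, counts attempts per source address, reports which usernames each address tried (the list of standard account names in the logwatch output above comes from exactly this kind of walk), and emits a firewall deny for every address over a threshold. Assumptions, labelled in the code: the sample log lines are constructed; the threshold of 15 is a placeholder for whatever your BFD trigger is set to; and `apf -d HOST COMMENT` is taken to be APF's deny syntax, which you should confirm with `apf --help` on your own install. The ignore list plays the role of BFD's ignore.hosts so that your own mistyped password cannot lock you out.

```python
import re
from collections import defaultdict

# Shape of the lines OpenSSH writes to /var/log/secure. OpenSSH of the period
# logged "illegal user" for names with no account; later releases say
# "invalid user". Both spellings are accepted.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins(lines):
    """Yield (ip, username) for each 'Failed password' line.

    'Illegal user' lines are deliberately ignored: sshd logs one of those
    *and* a 'Failed password ... illegal user' line for the same attempt,
    so counting both would double-count every guess at a nonexistent name.
    """
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")

def summarize(lines):
    """Per source IP: (number of failed attempts, sorted usernames tried)."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    for ip, user in failed_logins(lines):
        attempts[ip] += 1
        users[ip].add(user)
    return {ip: (attempts[ip], sorted(users[ip])) for ip in attempts}

def offenders(lines, threshold=15, ignore=()):
    """IPs at or above the threshold, minus any in the ignore list.

    threshold=15 is an assumed value; use your BFD trigger setting.
    ignore is the equivalent of BFD's ignore.hosts: put your admin IP here.
    """
    return {
        ip: n for ip, (n, _users) in summarize(lines).items()
        if n >= threshold and ip not in ignore
    }

def block_commands(lines, threshold=15, ignore=()):
    """Commands a cron job would run to deny each offender through APF.

    Assumption: 'apf -d HOST COMMENT' is APF's deny syntax; verify with
    'apf --help' before wiring this into cron.
    """
    return [
        'apf -d %s "bfd: %d failed ssh logins"' % (ip, n)
        for ip, n in sorted(offenders(lines, threshold, ignore).items())
    ]

# Constructed sample of /var/log/secure (not the poster's real log).
# 10.0.0.5 is a scanner walking a username list; 192.168.1.20 is an admin
# who mistyped a password three times; 203.0.113.9 is a second scanner.
_FMT = "Mar 16 03:%02d:%02d host sshd[%d]: Failed password for %s from %s port %d ssh2"
_GUESSED = ["root", "admin", "test", "illegal user oracle", "illegal user guest",
            "mysql", "illegal user webmaster", "postgres", "root", "root",
            "illegal user staff", "ftp", "illegal user student", "apache", "root", "bin"]
SAMPLE_LOG = (
    [_FMT % (14, i, 12000 + i, u, "10.0.0.5", 51000 + i) for i, u in enumerate(_GUESSED)]
    + ["Mar 16 03:14:05 host sshd[12003]: Illegal user oracle from 10.0.0.5"]
    + [_FMT % (20, i, 13000 + i, "root", "192.168.1.20", 40000 + i) for i in range(3)]
    + [_FMT % (31, i, 14000 + i, "illegal user admin", "203.0.113.9", 60000 + i) for i in range(20)]
    + ["Mar 16 03:31:30 host sshd[14021]: Accepted password for root from 192.168.1.20 port 40010 ssh2"]
)

if __name__ == "__main__":
    for ip, (n, users) in sorted(summarize(SAMPLE_LOG).items()):
        print("%-14s %3d attempts, users tried: %s" % (ip, n, ", ".join(users)))
    for cmd in block_commands(SAMPLE_LOG, threshold=15, ignore=("192.168.1.20",)):
        print(cmd)
```

Run against the sample, the admin's three failures stay below the threshold and the address is whitelisted anyway, while both scanners produce an `apf -d` line. On a real box the same logic runs from cron every few minutes over the tail of the log, which is all BFD is doing behind the scenes.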
  3. web3k

    web3k Registered

    Mar 11, 2006
    Thanks, I will definitely check it out!
  4. xidica

    xidica Well-Known Member

    Apr 21, 2005
    Best bet is to simply change the port that SSH listens on, as these brute force scripts (namely ssh-scan) are generally only looking for port 22 being open. Editing the /etc/ssh/sshd_config file and changing the Port variable and then restarting sshd will do that for you. Just make sure, if you have any firewall/router/NAT in front of the box, to have the other port open and forwarded beforehand.
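
The port change from the post above, done the careful way, as an added example (not from the thread or from cPanel): the Port directive is rewritten so that exactly one live `Port` line remains (a commented `#Port 22` becomes live, stray duplicates are collapsed rather than leaving 22 open), a backup is kept, and the live variant has sshd validate the file with `sshd -t` before restarting. Assumptions: `service sshd restart` is the RHEL/CentOS-style restart, the demo config at the bottom is constructed, and if APF is in place the new port also needs adding to its inbound TCP list (`IG_TCP_CPORTS` in /etc/apf/conf.apf, if memory serves; check your own conf.apf) before the restart, otherwise the firewall closes the door you just opened.

```shell
#!/bin/sh
# set_ssh_port CONFIG PORT
#   Point the Port directive in an sshd_config at PORT. Handles the
#   commented default "#Port 22", any number of live "Port N" lines (all
#   collapsed into one, so the old port is not left open by a second
#   directive), or no Port line at all. Leaves a copy at CONFIG.bak.
set_ssh_port() {
    cfg=$1
    port=$2
    case $port in
        ''|*[!0-9]*) echo "set_ssh_port: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "set_ssh_port: port $port out of range" >&2
        return 1
    fi
    [ -f "$cfg" ] || { echo "set_ssh_port: $cfg not found" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak" || return 1
    tmp=$(mktemp) || return 1
    awk -v port="$port" '
        /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ {
            if (!done) { print "Port " port; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Port " port }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$cfg"    # write through, keeping the file's owner and mode
    rm -f "$tmp"
}

# effective_ssh_port CONFIG
#   Print the port sshd will listen on: the last live Port line wins and
#   22 is the default when there is none.
effective_ssh_port() {
    awk '/^[ \t]*Port[ \t]+[0-9]+/ { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# apply_ssh_port PORT
#   The live version of the steps in the post: edit the real config, have
#   sshd check it parses, then restart. Assumes a RHEL/CentOS-style
#   "service sshd restart". Open PORT in the firewall and on any NAT device
#   first, and keep your existing session open until a fresh login on the
#   new port works.
apply_ssh_port() {
    set_ssh_port /etc/ssh/sshd_config "$1" || return 1
    if ! sshd -t; then
        echo "apply_ssh_port: sshd rejected the config, restoring backup" >&2
        cat /etc/ssh/sshd_config.bak > /etc/ssh/sshd_config
        return 1
    fi
    service sshd restart
}

# Demo on a constructed sample config, not a real server's file.
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
#Port 22
Protocol 2
PermitRootLogin yes
EOF
echo "before: port $(effective_ssh_port "$demo/sshd_config")"
set_ssh_port "$demo/sshd_config" 2222
echo "after:  port $(effective_ssh_port "$demo/sshd_config")"
rm -rf "$demo"
```

Moving the port thins out the noise from scanners that only try 22; it does nothing against an attacker who port-scans first, so it complements strong passwords (or key-only authentication) and BFD rather than replacing them.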
