Thread: Newb server question, what do these entries in auth.log mean?

  1. #1
    Join Date
    Feb 2009
    Beans
    18

    Question Newb server question, what do these entries in auth.log mean?

    I have a LAMP server that, beyond my initial setup on it, other than using it for LAMP stuff, I don't pay it much mind. Anyway, I decided to look at the auth.log and I'm baffled by what I saw. I'm not that savvy with the command line, marginally more so with the GUI. Is the information in the image below normal? Or bad? An automated process? Or attacks? I know I didn't log in during that time frame.


  2. #2
    Join Date
    Jan 2012
    Beans
    753

    Re: Newb server question, what do these entries in auth.log mean?

    Looks fine to me. If it was an automated attack, there would be a lot of failed logins.

    Run this command:
    Code:
    grep fail < /var/log/auth.log
    If there's a lot of output then it means something has been trying to log in and failed repeatedly, which could be an indication of an attack.

  3. #3
    Join Date
    Jul 2011
    Beans
    3,037
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Newb server question, what do these entries in auth.log mean?

    Usually, "nobody" is a system user, which is used to run services. Find out more about "nobody":

    Code:
    sudo grep nobody /etc/passwd
    On my system, it reveals something like this:

    Code:
    nobody:x:99:99:nobody:/:/bin/false
    The last entry in the line (/bin/false) means that the user nobody is not allowed to execute a login shell such as /bin/bash and therefore it can't regularly log in to your system.

  4. #4
    Join Date
    Feb 2009
    Beans
    18

    Question Re: Newb server question, what do these entries in auth.log mean?

    Thanks you two!

    The only thing that comes up from grep'ing for fail is a reverse mapping checking getaddrinfo that fails with my company firewall address. These all coincide with time frames where I ssh'd into my home server from work, so I'm assuming this is just saying it couldn't reverse traverse my NAT at work?

    When I grep to find nobody's attributes I get the following:

    Code:
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    Does that mean I should change some configurations on what nobody is allowed to do?

  5. #5
    Join Date
    Jul 2011
    Beans
    3,037
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Newb server question, what do these entries in auth.log mean?

    Good question, but it highly depends on how concerned you are about security. In general, if nobody has a login shell, as it does in Ubuntu, the nobody account may become the target of a brute force attack. If the permissions on what nobody is allowed to do are changed, there is a certain risk that some things will no longer work:

    https://wiki.ubuntu.com/nobody

    However, I think it would be safe to change the login shell for the nobody account:

    http://secnut.blogspot.de/2009/11/ub...body-user.html
    http://linuxg.net/the-linux-and-unix-nobody-user/

    This is quite a small change, but it would at least prevent anybody from attacking this user account.

  6. #6
    Join Date
    Jan 2012
    Beans
    753

    Re: Newb server question, what do these entries in auth.log mean?

    Quote: Originally Posted by ausrick
    Does that mean I should change some configurations on what nobody is allowed to do?
    I don't think you need to. That's what the output is on my computer and a fresh install in VirtualBox.

  7. #7
    Join Date
    Jan 2012
    Beans
    753

    Re: Newb server question, what do these entries in auth.log mean?

    Quote: Originally Posted by 2F4U
    Good question, but highly depends on how concerned you are about security. In general, if nobody has a login shell, as it is in Ubuntu, the nobody account may become the target of a brute force attack.
    I thought the nobody account is locked, and only root can log in?
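
Added example (not written by any poster in this thread): posts #3 to #7 turn on two separate fields, the login shell in /etc/passwd and the password field in /etc/shadow. The script below checks both for every account, using constructed sample files. The function names and the `svc` account are made up for illustration, and a shadow password field starting with `!` or `*` is treated as locked.

```shell
#!/bin/sh
# Audit which accounts combine a login shell with a usable (or missing) password.

# Write constructed sample files into DIR. The nobody passwd line is the one
# quoted in post #4; every other line and all shadow lines are constructed.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc:x:999:999:constructed service account:/home/svc:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:!:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
svc:$6$constructedsalt$constructedhash:19000:0:99999:7:::
EOF
}

# usage: audit_accounts PASSWD_FILE SHADOW_FILE
# Prints one line per account: name, shell class, password state, verdict.
audit_accounts() {
    awk -F: '
        NR == FNR { pw[$1] = $2; next }      # first file read is shadow
        {
            # Shells ending in nologin or false refuse interactive sessions.
            shell = ($7 ~ /(nologin|false)$/) ? "nologin" : "login-shell"
            if (!($1 in pw))            state = "no-shadow-entry"
            else if (pw[$1] == "")      state = "empty-password"
            else if (pw[$1] ~ /^[!*]/)  state = "locked"   # no password can match
            else                        state = "password-set"
            # Only a login shell plus a non-locked password needs a closer look.
            risk = (shell == "login-shell" && state != "locked") ? "REVIEW" : "ok"
            print $1, shell, state, risk
        }' "$2" "$1"
}

dir=$(mktemp -d)
write_sample "$dir"
audit_accounts "$dir/passwd" "$dir/shadow"
rm -rf "$dir"
```

On a real host, pass /etc/passwd and /etc/shadow instead of the sample files (reading /etc/shadow needs root). The check covers password authentication only.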
