Greetings.

I'm running CentOS on multiple machines and a few third-party VPS's and
have some odd logging issues today. It all started when tcpwrappers
couldn't seem to recognize my PC's hostname as being a valid hostname
for access. Fortunately I was able to get in with a direct IP.

When trying to discover what's going on, I found some very odd entries
in the secure log...
(IP's changed to protect the identity of my PC and the machines)

Mar 8 17:55:53 server123 sshd[3053]: Failed publickey for root from ::ffff:192.168.87.119 port 45686 ssh2
Mar 8 17:55:55 server123 sshd[3053]: Accepted password for root from ::ffff:192.168.87.119 port 45686 ssh2
Mar 8 09:55:55 server123 sshd[3052]: Accepted password for root from ::ffff:192.168.87.119 port 45686 ssh2
Mar 8 18:01:18 server123 sshd[4743]: Failed publickey for root from ::ffff:192.168.87.119 port 45692 ssh2
Mar 8 18:01:20 server123 sshd[4743]: Accepted password for root from ::ffff:192.168.87.119 port 45692 ssh2
Mar 8 10:01:20 server123 sshd[4742]: Accepted password for root from ::ffff:192.168.87.119 port 45692 ssh2
Mar 8 10:01:38 server123 sshd[4792]: reverse mapping checking getaddrinfo for s0106001111e058c2.myispdomain.net failed - POSSIBLE BREAKIN ATTEMPT!
Mar 8 10:01:38 server123 sshd[4792]: Accepted password for root from ::ffff:10.10..161.102 port 57689 ssh2
Mar 8 10:01:38 server123 sshd[4793]: Accepted password for root from ::ffff:10.10..161.102 port 57689 ssh2
Mar 8 18:07:19 server123 sshd[6411]: Connection closed by ::ffff:10.10..161.102
Mar 8 18:09:02 server123 sshd[6699]: Accepted password for root from ::ffff:10.10..161.102 port 58017 ssh2
Mar 8 10:09:02 server123 sshd[6698]: Accepted password for root from ::ffff:10.10..161.102 port 58017 ssh2

This snippet is in order that it appears in the database. Notice the
timestamp. It starts off thinking it's almost 6pm then reverts to the
correct time of almost 10am, then to 6pm, then back to 10am and so on
and so forth.
Upon looking back even further, I can see that this has been happening
as far back as the secure logs go... Early February.

Checking through other machines, most seem to have this behavior, but
some do not. The machines I've updated using "yum update" recently seem
to be the ones with this odd behavior. Machines that are less
up-to-date don't seem to have any weird logging and accept my SSH as
expected.

I've been watching the server time using date and it seems to always
report what it should...

--
Mike


  • Matthew Miller at Mar 8, 2007 at 7:14 pm

    On Thu, Mar 08, 2007 at 11:09:49AM -0800, Mike wrote:
    > This snippet is in order that it appears in the database. Notice the
    > timestamp. It starts off thinking it's almost 6pm then reverts to the
    > correct time of almost 10am, then to 6pm, then back to 10am and so on and
    > so forth. Upon looking back even further, I can see that this has been
    > happening as far back as the secure logs go... Early February.

    Here is the root cause:

    <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id#1326>

    I'm not sure what in SSH or PAM is running in GMT, though.


    --
    Matthew Miller mattdm@mattdm.org <http://mattdm.org/>
    Boston University Linux ------> <http://linux.bu.edu/>
  • Matt Hyclak at Mar 8, 2007 at 7:21 pm

    On Thu, Mar 08, 2007 at 02:14:31PM -0500, Matthew Miller enlightened us:
    >> This snippet is in order that it appears in the database. Notice the
    >> timestamp. It starts off thinking it's almost 6pm then reverts to the
    >> correct time of almost 10am, then to 6pm, then back to 10am and so on and
    >> so forth. Upon looking back even further, I can see that this has been
    >> happening as far back as the secure logs go... Early February.
    >
    > Here is the root cause:
    >
    > <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id#1326>
    >
    > I'm not sure what in SSH or PAM is running in GMT, though.

    It has to do with the chroot. /etc/localtime doesn't get put in the chroot,
    so the processes running inside the root log in GMT, outside they log in
    localtime. This has been discussed on this mailing list and there is at
    least one report on redhat's bugzilla.

    Matt

    --
    Matt Hyclak
    Department of Mathematics
    Department of Social Work
    Ohio University
    (740) 593-1263
  • Matthew Miller at Mar 8, 2007 at 7:25 pm

    On Thu, Mar 08, 2007 at 02:21:10PM -0500, Matt Hyclak wrote:
    >> Here is the root cause:
    >> <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id#1326>
    >> I'm not sure what in SSH or PAM is running in GMT, though.
    >
    > It has to do with the chroot. /etc/localtime doesn't get put in the chroot,
    > so the processes running inside the root log in GMT, outside they log in
    > localtime. This has been discussed on this mailing list and there is at
    > least one report on redhat's bugzilla.

    Ah, here:

    <http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id 3671>


    --
    Matthew Miller mattdm@mattdm.org <http://mattdm.org/>
    Boston University Linux ------> <http://linux.bu.edu/>
  • Mike at Mar 8, 2007 at 7:26 pm

    Matt Hyclak wrote:
    > On Thu, Mar 08, 2007 at 02:14:31PM -0500, Matthew Miller enlightened us:
    >>> This snippet is in order that it appears in the database. Notice the
    >>> timestamp. It starts off thinking it's almost 6pm then reverts to the
    >>> correct time of almost 10am, then to 6pm, then back to 10am and so on and
    >>> so forth. Upon looking back even further, I can see that this has been
    >>> happening as far back as the secure logs go... Early February.
    >>
    >> Here is the root cause:
    >>
    >> <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id#1326>
    >>
    >> I'm not sure what in SSH or PAM is running in GMT, though.
    >
    > It has to do with the chroot. /etc/localtime doesn't get put in the chroot,
    > so the processes running inside the root log in GMT, outside they log in
    > localtime. This has been discussed on this mailing list and there is at
    > least one report on redhat's bugzilla.
    >
    > Matt

    Thanks Matts. So long as it's a known bug I'll stop worrying something
    fishy is going on.
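
The explanation given in the thread (one login logged twice, once in GMT from inside the chroot and once in local time outside it) can be checked mechanically before dismissing a log as benign. The following is an added example, not code from the thread or from CentOS; the function names, the placeholder addresses, and the 8-hour offset (inferred from the 6pm/10am gap in the excerpt) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the excerpt above; addresses are placeholders,
# and the last two lines are an invented pair with a different offset.
SAMPLE = """\
Mar 8 17:55:53 server123 sshd[3053]: Failed publickey for root from ::ffff:192.0.2.10 port 45686 ssh2
Mar 8 17:55:55 server123 sshd[3053]: Accepted password for root from ::ffff:192.0.2.10 port 45686 ssh2
Mar 8 09:55:55 server123 sshd[3052]: Accepted password for root from ::ffff:192.0.2.10 port 45686 ssh2
Mar 8 18:01:20 server123 sshd[4743]: Accepted password for root from ::ffff:192.0.2.10 port 45692 ssh2
Mar 8 10:01:20 server123 sshd[4742]: Accepted password for root from ::ffff:192.0.2.10 port 45692 ssh2
Mar 8 13:30:00 server123 sshd[5001]: Accepted password for root from ::ffff:192.0.2.10 port 50000 ssh2
Mar 8 10:30:00 server123 sshd[5000]: Accepted password for root from ::ffff:192.0.2.10 port 50000 ssh2
"""
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")

def parse(text, year=2007):
    """Return (timestamp, pid, message) per sshd line; syslog omits the year."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, int(m.group(2)), m.group(3)))
    return events

def skewed_pairs(events):
    """Identical messages from two different sshd PIDs, a non-zero whole
    number of hours apart: the signature of one event logged in two zones."""
    by_msg = defaultdict(list)
    for ts, pid, msg in events:
        by_msg[msg].append((ts, pid))
    pairs = []
    for msg, hits in by_msg.items():
        for i, (t1, p1) in enumerate(hits):
            for t2, p2 in hits[i + 1:]:
                delta = abs(t1 - t2)
                if p1 != p2 and delta and delta % timedelta(hours=1) == timedelta(0):
                    pairs.append((msg, delta // timedelta(hours=1)))
    return pairs

def unexplained(pairs, utc_offset_hours):
    """Pairs whose gap is not the host's UTC offset need a closer look."""
    return [p for p in pairs if p[1] != utc_offset_hours]

if __name__ == "__main__":
    for msg, hours in unexplained(skewed_pairs(parse(SAMPLE)), 8):
        print(f"offset {hours}h not explained by timezone: {msg}")
```

Pairs matching the host's UTC offset are consistent with the chroot behaviour described above; a duplicate with any other gap is not explained by it and should be reviewed as a possible clock change or log edit.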
