Date: Tue, 7 May 2002 00:08:30 +0530 (IST) From: Vishwas <vtp@PKI.ecom.tifr.res.in> To: Jason P Holland <jholland@cs.selu.edu> Cc: freebsd-questions@FreeBSD.ORG Subject: Re: my FreeBSD-4.5 gets rebooted everyday at 3:03am !! Message-ID: <20020507000405.M18456-100000@PKI.ecom.tifr.res.in> In-Reply-To: <Pine.LNX.4.44.0205060905530.24206-100000@cs.selu.edu>
Hi Jason,
Your suggestion worked.
My system reboots when it executes the /etc/security file.
I am pasting the file here.
Maybe someone can tell me the exact cause. As far as I can figure out, the runlevel is
getting set to REBOOT. But where and why? I don't know.
--------------/etc/security-------------start-------
# Resolve every helper command from the base system directories only,
# regardless of the PATH the caller had.
PATH=/sbin:/bin:/usr/bin

# Run all tools in the C locale (presumably so sort order and date strings
# are stable between runs -- confirm).
LC_ALL=C
export LC_ALL

# Exit status handed back at the end of the run; starts at 0.
rc=0

# Directory that holds the logs and the *.today / *.yesterday baselines.
LOG='/var/log'

# Scratch file, named after this shell's PID.
# NOTE(review): the name is predictable. That is only safe while /var/run
# is writable by root alone -- confirm, or create the file with mktemp(1).
TMP="/var/run/_secure.$$"
# Print two empty lines on stdout to set one report section apart from
# the next.
separator() {
  printf '\n\n'
}
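# Write recent system log text to stdout.
# Globals:  LOG (read) - directory holding messages and messages.N files
# Outputs:  the rotated messages.* files changed within the last two days
#           (find -mtime -2), highest numeric suffix first, passed through
#           zcat -f, followed by the live $LOG/messages file if it exists.
catmsgs() {
  # "-k 2,2" is the POSIX spelling of the obsolete "+1 -2" sort key, which
  # current sort implementations reject. The key is the text after the
  # first dot, so this ordering assumes $LOG itself contains no dot.
  find "$LOG" -name 'messages.*' -mtime -2 |
    sort -t. -r -n -k 2,2 |
    xargs zcat -f
  if [ -f "$LOG/messages" ]; then
    cat "$LOG/messages"
  fi
}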
# Option state. -s sets sflag; -a and -m each append one pattern to the
# "ignore" alternation that the mount-table check filters with.
ignore=
sflag=FALSE
while getopts ams c; do
  case "$c" in
    a) ignore="${ignore}|^amd:" ;;
    m) ignore="${ignore}|^mfs:" ;;
    s) sflag=TRUE ;;
  esac
done

# Date prefix for the previous day in "%b %e " form (abbreviated month,
# blank-padded day, trailing blank); the log greps below anchor on it.
yesterday=$(date -v-1d "+%b %e ")
host=$(hostname)

# Files created from here on get no access for "other" and no write
# access for the group.
umask 027
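echo 'Checking setuid files and devices:'

# Don't have ncheck, but this does the equivalent of the commented out block.
# Note that one of the original problems, the possibility of overrunning
# the args to ls, is still here...
#
# Inventory: every regular file that is executable by someone and carries
# the setuid or setgid bit, on each ufs filesystem not mounted "nosuid".
MP=$(mount -t ufs | grep -v " nosuid" | awk '{ print $3 }' | sort)

# $MP is split on purpose, one mount point per word. Iterating with "for"
# rather than "set ${MP}" matters when the list is empty: a bare "set"
# would dump every shell variable into the report.
# "sort -k 11" is the POSIX spelling of the obsolete "sort +10".
for mount in $MP; do
  find "$mount" -xdev -type f \
    \( -perm -u+x -or -perm -g+x -or -perm -o+x \) \
    \( -perm -u+s -or -perm -g+s \) -print0
done | xargs -0 -n 20 ls -liTd | sort -k 11 > "${TMP}"

# No baseline yet: report that and seed it from the current inventory.
# rc=3 records a failure to write the baseline.
if [ ! -f "${LOG}/setuid.today" ]; then
  [ "$rc" -lt 1 ] && rc=1
  separator
  echo "No ${LOG}/setuid.today"
  cp "${TMP}" "${LOG}/setuid.today" || rc=3
fi

# Any difference from the stored inventory is printed and the baseline is
# rotated (today -> yesterday, current -> today). A new or changed entry
# here deserves review. The comparison is only as trustworthy as
# ${LOG}/setuid.today, so that file must not be writable by anyone but the
# account running this script.
if ! cmp "${LOG}/setuid.today" "${TMP}" >/dev/null; then
  [ "$rc" -lt 1 ] && rc=1
  separator
  echo "${host} setuid diffs:"
  diff -w "${LOG}/setuid.today" "${TMP}"
  mv "${LOG}/setuid.today" "${LOG}/setuid.yesterday" || rc=3
  mv "${TMP}" "${LOG}/setuid.today" || rc=3
fi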
# Show changes in the way filesystems are mounted
#
# With -a and/or -m given, lines matching the collected ignore patterns
# are filtered out of the mount table; otherwise it passes through cat.
if [ -n "$ignore" ]; then
  cmd="egrep -v ${ignore#|}"
else
  cmd=cat
fi

# $cmd stays unquoted: it has to split into the command and its arguments.
if mount -p | $cmd > "$TMP"; then
  # No baseline yet: report that and seed it from the current table.
  if [ ! -f "$LOG/mount.today" ]; then
    if [ "$rc" -lt 1 ]; then rc=1; fi
    separator
    echo "No $LOG/mount.today"
    cp "$TMP" "$LOG/mount.today" || rc=3
  fi
  # Table differs from the baseline: print the diff and rotate the files.
  if ! cmp "$LOG/mount.today" "$TMP" >/dev/null 2>&1; then
    if [ "$rc" -lt 1 ]; then rc=1; fi
    separator
    echo "$host changes in mounted filesystems:"
    diff -b "$LOG/mount.today" "$TMP"
    mv "$LOG/mount.today" "$LOG/mount.yesterday" || rc=3
    mv "$TMP" "$LOG/mount.today" || rc=3
  fi
fi
separator
echo 'Checking for uids of 0:'
# tee copies every non-comment master.passwd entry with uid 0 to stderr;
# only the entries other than root and toor are counted into n.
n=$(
  awk -F: '/^#/ {next} $3==0 {print $1,$3}' /etc/master.passwd |
    tee /dev/stderr |
    sed -e '/^root 0$/d' -e '/^toor 0$/d' |
    wc -l
)
# $n is left unquoted so that any blanks wc puts around the count are
# dropped by word splitting.
if [ $n -gt 0 ] && [ $rc -lt 1 ]; then
  rc=1
fi
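separator
echo 'Checking for passwordless accounts:'
# Lists master.passwd entries whose password field is empty, skipping
# comment lines and the "+"/"-" entries. tee copies each matching line to
# stderr; wc counts them.
# The awk program and its file argument must stay one command: as pasted
# into the mail they were wrapped onto separate lines, which makes awk
# read stdin and the shell try to execute /etc/master.passwd.
n=$(awk -F: 'NF > 1 && $1 !~ /^[#+-]/ && $2=="" {print $0}' \
    /etc/master.passwd |
  tee /dev/stderr |
  wc -l)
# $n is left unquoted so that any blanks wc puts around the count are
# dropped by word splitting.
if [ $n -gt 0 ] && [ "$rc" -lt 1 ]; then
  rc=1
fi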
# Show denied packets
#
# The body runs only when the pipeline succeeds, i.e. when egrep found at
# least one deny/reset/unreach line in the "ipfw -a l" listing.
if ipfw -a l 2>/dev/null | egrep "deny|reset|unreach" > "${TMP}"; then
  # No baseline yet: report that and seed it from the current listing.
  if [ ! -f "${LOG}/ipfw.today" ]; then
    if [ "$rc" -lt 1 ]; then rc=1; fi
    separator
    echo "No ${LOG}/ipfw.today"
    cp "${TMP}" "${LOG}/ipfw.today" || rc=3
  fi
  # Listing changed: print only the new-side (">") diff lines, then
  # rotate today -> yesterday and current -> today.
  if ! cmp "${LOG}/ipfw.today" "${TMP}" >/dev/null; then
    if [ "$rc" -lt 1 ]; then rc=1; fi
    separator
    echo "${host} denied packets:"
    diff -b "${LOG}/ipfw.today" "${TMP}" | egrep "^>"
    mv "${LOG}/ipfw.today" "${LOG}/ipfw.yesterday" || rc=3
    mv "${TMP}" "${LOG}/ipfw.today" || rc=3
  fi
fi
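# Show ipfw rules which have reached the log limit
#
# Skipped when the sysctl cannot be read or the limit is 0.
IPFW_LOG_LIMIT=$(sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null)
if [ $? -eq 0 ] && [ "${IPFW_LOG_LIMIT}" -ne 0 ]; then
  # The redirection and its target must be on one line: as pasted into the
  # mail, "> ${TMP}" was wrapped after the ">", which is a syntax error.
  # The limit is spliced into the perl program; the -ne test above already
  # rejected anything that is not an integer, and the expansion is quoted
  # so it cannot split into extra words.
  # NOTE(review): on a line the regex does not match, perl keeps $1 from
  # the previous match -- confirm that every " log " line starts with two
  # numeric columns.
  ipfw -a l | grep " log " | perl -n -e \
    '/^\d+\s+(\d+)/; print if ($1 >= '"$IPFW_LOG_LIMIT"')' > "${TMP}"
  if [ -s "${TMP}" ]; then
    [ "$rc" -lt 1 ] && rc=1
    separator
    echo 'ipfw log limit reached:'
    cat "${TMP}"
  fi
fi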
# Show IPv6 denied packets
#
# The body runs only when the pipeline succeeds, i.e. when egrep found at
# least one deny/reset/unreach line in the "ip6fw -a l" listing.
if ip6fw -a l 2>/dev/null | egrep "deny|reset|unreach" > "${TMP}"; then
  # No baseline yet: report that and seed it from the current listing.
  if [ ! -f "${LOG}/ip6fw.today" ]; then
    if [ "$rc" -lt 1 ]; then rc=1; fi
    separator
    echo "No ${LOG}/ip6fw.today"
    cp "${TMP}" "${LOG}/ip6fw.today" || rc=3
  fi
  # Listing changed: print only the new-side (">") diff lines, then
  # rotate today -> yesterday and current -> today.
  if ! cmp "${LOG}/ip6fw.today" "${TMP}" >/dev/null; then
    if [ "$rc" -lt 1 ]; then rc=1; fi
    separator
    echo "${host} IPv6 denied packets:"
    diff -b "${LOG}/ip6fw.today" "${TMP}" | egrep "^>"
    mv "${LOG}/ip6fw.today" "${LOG}/ip6fw.yesterday" || rc=3
    mv "${TMP}" "${LOG}/ip6fw.today" || rc=3
  fi
fi
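# Show ip6fw rules which have reached the log limit
#
# Skipped when the sysctl cannot be read or the limit is 0.
IP6FW_LOG_LIMIT=$(sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null)
if [ $? -eq 0 ] && [ "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
  # The redirection and its target must be on one line: as pasted into the
  # mail, "> ${TMP}" was wrapped after the ">", which is a syntax error.
  # The limit is spliced into the perl program; the -ne test above already
  # rejected anything that is not an integer, and the expansion is quoted
  # so it cannot split into extra words.
  # NOTE(review): on a line the regex does not match, perl keeps $1 from
  # the previous match -- confirm that every " log " line starts with two
  # numeric columns.
  ip6fw -a l | grep " log " | perl -n -e \
    '/^\d+\s+(\d+)/; print if ($1 >= '"$IP6FW_LOG_LIMIT"')' > "${TMP}"
  if [ -s "${TMP}" ]; then
    [ "$rc" -lt 1 ] && rc=1
    separator
    echo 'ip6fw log limit reached:'
    cat "${TMP}"
  fi
fi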
# Show kernel log messages
#
# Snapshot the dmesg -a output and compare it with the stored copy.
if dmesg -a 2>/dev/null > "${TMP}"; then
  # No baseline yet: report that and seed it from the current snapshot.
  if [ ! -f "${LOG}/dmesg.today" ]; then
    if [ "$rc" -lt 1 ]; then rc=1; fi
    separator
    echo "No ${LOG}/dmesg.today"
    cp "${TMP}" "${LOG}/dmesg.today" || rc=3
  fi
  # Snapshot changed: print only the new-side (">") diff lines, then
  # rotate today -> yesterday and current -> today.
  if ! cmp "${LOG}/dmesg.today" "${TMP}" >/dev/null 2>&1; then
    if [ "$rc" -lt 1 ]; then rc=1; fi
    separator
    echo "${host} kernel log messages:"
    diff -b "${LOG}/dmesg.today" "${TMP}" | egrep "^>"
    mv "${LOG}/dmesg.today" "${LOG}/dmesg.yesterday" || rc=3
    mv "${TMP}" "${LOG}/dmesg.today" || rc=3
  fi
fi
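# Show login failures
#
separator
echo "${host} login failures:"
# Lines from catmsgs that start with yesterday's date prefix and mention
# "login failure" (case-insensitive, binary input treated as text) are
# copied to stderr by tee and counted by wc.
# "wc -l" must stay one command: as pasted into the mail it was wrapped
# between "wc" and "-l", which leaves wc without its option and runs "-l"
# as a command of its own.
n=$(catmsgs |
  grep -ia "^$yesterday.*login failure" |
  tee /dev/stderr |
  wc -l)
# $n is left unquoted so that any blanks wc puts around the count are
# dropped by word splitting.
if [ $n -gt 0 ] && [ "$rc" -lt 1 ]; then
  rc=1
fi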
# Show tcp_wrapper warning messages
#
separator
echo "${host} refused connections:"
# Lines from catmsgs that start with yesterday's date prefix and mention
# "refused connect" (case-insensitive) are copied to stderr by tee and
# counted by wc.
n=$(
  catmsgs |
    grep -i "^$yesterday.*refused connect" |
    tee /dev/stderr |
    wc -l
)
# $n is left unquoted so that any blanks wc puts around the count are
# dropped by word splitting.
if [ $n -gt 0 ] && [ $rc -lt 1 ]; then
  rc=1
fi
# Drop the scratch file and hand the accumulated status back to the
# caller. In the checks above rc is raised to 1 when a check produced
# something to report and set to 3 when a baseline file could not be
# written.
rm -f "${TMP}"
exit "$rc"
-------------end-----------/etc/security-----------------
On Mon, 6 May 2002, Jason P Holland wrote:
>
> you could try and run the job manually, watch and see if something obvious
> shows up.
>
> Jason
>
> > Thanks Bill:
> > Yes Bill, you are right. The time in /etc/crontab is set for
> > 3:01am for daily jobs. And after checkups the system is getting rebooted
> > at 3:03!!
> >
> > But how will I go to the root of the problem ? Is there any way to find
> > out the cause ? Even i tried to analyse the log
> > files.../var/log/messages, last etc. but not getting a clue ..... :-(
> >
> > I think you are getting my problem !
> >
> > best regards,
> > Vishwas.
> >
> >
> > On Mon, 6 May 2002, Bill Moran wrote:
> >
> > > Vishwas wrote:
> > > > Hello All:
> > > > My FreeBSD-4.5 reboots automatically everynight at 3:03. I have
> > > > checked the cron entries. I haven't done any modifications to the system
> > > > after installation.
> > > >
> > > > Am I the one who has been singled out by FreeBSD or someone else is also
> > > > there ? :-))
> > >
> > > This comes up every so often. 3:00AM is when certain system maintenance tools
> > > run, and this is likely causing your problem.
> > > First thing to do is to disable the daily run in /etc/crontab and see if the
> > > problem goes away. If it does, you've found the culprit and the solution is
> > > a little more involved.
> > > Hopefully you can afford some testing time on the machine. The first thing to
> > > do is to cvsup and update your system to the latest stable, in case it's a
> > > problem that's already been fixed:
> > > http://www.freebsd.org/handbook/cutting-edge.html
> > > Enable kernel crash dumps as described here:
> > > http://www.freebsd.org/doc/en_US.ISO8859-1/books/developers-handbook/kerneldebug.html
> > > And analyze what's going on. If you don't understand kernel debugging, post
> > > the results of a gdb session to the list asking for advice. Michael Lucas
> > > wrote an excellent article on this for onlamp.com, I suggest you read that
> > > as well.
> > >
> > > --
> > > Bill Moran
> > > Potential Technology
> > > http://www.potentialtech.com
> > >
> > >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
> >
>
> --
>
> .-.
> __| |__
> [__ __]
> | |
> | |
> | |
> '-'
>
>
>
