Date:      Wed, 02 Sep 2009 09:23:15 +0200
From:      Mark Stapper <stark@mapper.nl>
To:        Kurt Buff <kurt.buff@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Daily security report oddity...
Message-ID:  <4A9E1D63.8030101@mapper.nl>
In-Reply-To: <a9f4a3860909011556m4ceafe2drf93460842a64e99a@mail.gmail.com>
References:  <a9f4a3860909011556m4ceafe2drf93460842a64e99a@mail.gmail.com>

Kurt Buff wrote:
> I got a daily security run email from one of my machines on Monday
> morning, with the following entry:
>
>      zmx1.zetron.com login failures:
>      Aug 30 06:57:17 zmx1 su: BAD SU mlee to root on /dev/ttyp2
>      Aug 30 09:42:17 zmx1 su: BAD SU mlee to root on /dev/ttyp0
>
> What's puzzling is that this account has been completely inactive for
> well over a year - this fellow is long gone, and I simply didn't clean
> it up - that's my bad, but that's not the puzzling part.
>
> I traced it down, and found out that he had not logged in on Sunday.
> The auth.log is, as you can see from the listing below, quite old. The
> entries referenced above are from two years ago.
>
> 	zmx1# ll /var/log/a*
> 	-rw-------  1 root  wheel  71845 Sep  1 15:42 /var/log/auth.log
> 	-rw-------  1 root  wheel   6087 Aug 29  2007 /var/log/auth.log.0.bz2
> 	-rw-------  1 root  wheel   5774 Aug 12  2007 /var/log/auth.log.1.bz2
> 	-rw-------  1 root  wheel   5795 Jul 24  2007 /var/log/auth.log.2.bz2
> 	-rw-------  1 root  wheel   6813 Jul  6  2007 /var/log/auth.log.3.bz2
>
>
> So, a couple of questions:
>
> Why would the daily security run pick up something from *two years
> ago* and only report it again today? The machine hasn't been rebooted
> in a very long time, if that makes a difference.
>
> Is there any way to prevent something like this happening again - or
> perhaps can I force the entry of the year into the date field for the
> auth.log entries?
>
> Kurt
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
Hello,

If you look at the syntax of the logfile, you will see no year is listed.

Most likely the whole file is parsed on security run. Since the logfile
has been rotated the 30th of August 2007, it's very much possible you'll
get all your messages all over again.
Perhaps it's wise to rotate your logfiles once a year just in case...
And it makes no difference that the machine hasn't been rebooted in a very
long time... (define "very long time" ;-)
http://uptimes-project.org/hosts/view/150 )
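The year-less syslog timestamp Mark points to is the whole story: a grep for "BAD SU" over an auth.log that has not rotated in two years cannot tell a 2007 failure from yesterday's. The following is an added example, not code from this thread and not FreeBSD's own periodic script. It assumes a classic syslog-format auth.log and takes the year of the file's last write (its mtime) as the starting point, then walks the file backwards and steps the year down each time the month/day sequence runs forward, which only happens across a New Year boundary. The sample log lines and user names are constructed. The comments also note the limit of the heuristic: a whole silent year, like the two-year gap in the report above, is invisible to it, which is exactly why rotating the file regularly is the real fix.

```python
import re
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Classic syslog prefix "Mon DD HH:MM:SS host ..." -- no year anywhere.
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) (?P<rest>.*)$")

# Constructed sample (not the poster's real auth.log): five lines that cross
# one year boundary; the newest line was written on 1 Sep 2009.
SAMPLE_AUTH_LOG = """\
Aug 30 06:57:17 zmx1 su: BAD SU mlee to root on /dev/ttyp2
Aug 30 09:42:17 zmx1 su: BAD SU mlee to root on /dev/ttyp0
Dec 31 23:59:40 zmx1 sshd[1410]: Accepted publickey for kurt from 10.0.0.5
Jan  2 08:15:03 zmx1 sshd[1502]: Accepted publickey for kurt from 10.0.0.5
Sep  1 15:42:10 zmx1 su: BAD SU guest to root on /dev/ttyp1
"""

# Constructed "current time" for the demo: the morning the report was read.
NOW = datetime(2009, 9, 2, 9, 0, 0)


def assign_years(text, last_write_year):
    """Return [(datetime, rest_of_line)] for every parsable syslog line.

    Reads the file from the newest line backwards, starting with the year of
    the file's last write, and decrements the year whenever a line's
    month/day is later than the line that follows it in the file (reading
    backwards, time only "advances" across a New Year).
    Caveat: a whole year with no entries cannot be detected this way; the
    timestamps alone do not distinguish "Aug 30 2008" from "Aug 30 2007".
    """
    parsed = [m for m in map(SYSLOG_RE.match, text.splitlines()) if m]
    year = last_write_year
    prev_key = None
    out = []
    for m in reversed(parsed):
        key = (MONTHS[m["mon"]], int(m["day"]))
        if prev_key is not None and key > prev_key:
            year -= 1          # crossed a New Year boundary going backwards
        prev_key = key
        ts = datetime(year, key[0], key[1],
                      int(m["h"]), int(m["m"]), int(m["s"]))
        out.append((ts, m["rest"]))
    out.reverse()              # back to file order, oldest first
    return out


def naive_failures(text):
    """What a year-blind grep sees: every BAD SU line, whatever year it is from."""
    return [line for line in text.splitlines() if "BAD SU" in line]


def recent_failures(text, last_write_year, now, window=timedelta(days=1)):
    """Only the BAD SU lines whose reconstructed timestamp falls inside the window."""
    return [(ts, rest) for ts, rest in assign_years(text, last_write_year)
            if "BAD SU" in rest and now - window <= ts <= now]


if __name__ == "__main__":
    print("year-blind grep reports", len(naive_failures(SAMPLE_AUTH_LOG)), "failures")
    for ts, rest in recent_failures(SAMPLE_AUTH_LOG, NOW.year, NOW):
        print("within the last day:", ts.isoformat(), rest)
```

Run against the sample, the year-blind grep reports all three failures, while the year-aware filter keeps only the one from 1 Sep 2009 and drops the two Aug 30 entries it places in 2008. On a real host the last-write year comes from `os.stat(path).st_mtime`.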


