I noticed high CPU usage, and when I typed top I saw that the user dinko had high CPU usage with the sshd process.
The user dinko was just a random user I had created, with a Ruby application running.
I immediately deleted that user and rebooted the server. Now it's fine, but I'm wondering whether there is anything suspicious in this auth.log?
Feb 22 10:43:07 host1 su[11859]: Successful su for host1 by root
Feb 22 10:43:07 host1 su[11859]: + ??? root:host1
Feb 22 10:43:07 host1 su[11859]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:43:07 host1 su[11859]: pam_unix(su:session): session closed for user host1
Feb 22 10:44:01 host1 CRON[16191]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:44:01 host1 CRON[16191]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:44:53 host1 sshd[20291]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cm-84.209.49.43.getinternet.no user=root
Feb 22 10:44:54 host1 sshd[20291]: Failed password for root from 84.209.49.43 port 53108 ssh2
Feb 22 10:45:01 host1 CRON[21063]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 22 10:45:01 host1 CRON[21064]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:45:01 host1 CRON[21064]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:45:01 host1 su[21144]: Successful su for postgres by root
Feb 22 10:45:01 host1 su[21144]: + ??? root:postgres
Feb 22 10:45:01 host1 su[21144]: pam_unix(su:session): session opened for user postgres by (uid=0)
Feb 22 10:45:01 host1 su[21144]: pam_unix(su:session): session closed for user postgres
Feb 22 10:45:02 host1 CRON[21063]: pam_unix(cron:session): session closed for user root
Feb 22 10:45:04 host1 sshd[20291]: message repeated 5 times: [ Failed password for root from 84.209.49.43 port 53108 ssh2]
Feb 22 10:45:04 host1 sshd[20291]: error: maximum authentication attempts exceeded for root from 84.209.49.43 port 53108 ssh2 [preauth]
Feb 22 10:45:04 host1 sshd[20291]: Disconnecting: Too many authentication failures for root [preauth]
Feb 22 10:45:04 host1 sshd[20291]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=cm-84.209.49.43.getinternet.no user=root
Feb 22 10:45:04 host1 sshd[20291]: PAM service(sshd) ignoring max retries; 6 > 3
Feb 22 10:45:06 host1 sshd[16407]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.49 user=root
Feb 22 10:45:09 host1 sshd[16407]: Failed password for root from 116.31.116.49 port 26110 ssh2
Feb 22 10:45:13 host1 sshd[16407]: message repeated 2 times: [ Failed password for root from 116.31.116.49 port 26110 ssh2]
Feb 22 10:45:13 host1 sshd[16407]: Received disconnect from 116.31.116.49: 11: [preauth]
Feb 22 10:45:13 host1 sshd[16407]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.49 user=root
Feb 22 10:46:01 host1 CRON[25863]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:46:01 host1 CRON[25863]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:46:35 host1 saslauthd[1891]: pam_unix(smtp:auth): check pass; user unknown
Feb 22 10:46:35 host1 saslauthd[1891]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Feb 22 10:46:37 host1 saslauthd[1891]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Feb 22 10:46:37 host1 saslauthd[1891]: do_auth : auth failure: [[email protected]] [service=smtp] [realm=brilliantstonegroup.com] [mech=pam] [reason=PAM auth error]
Feb 22 10:47:01 host1 CRON[30582]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:47:01 host1 CRON[30582]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:47:38 host1 sshd[32484]: Received disconnect from 221.194.47.249: 11: [preauth]
Feb 22 10:48:01 host1 CRON[3033]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:48:01 host1 CRON[3033]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:48:05 host1 su[3582]: Successful su for projectslcp by root
Feb 22 10:48:05 host1 su[3582]: + ??? root:projectslcp
Feb 22 10:48:05 host1 su[3582]: pam_unix(su:session): session opened for user projectslcp by (uid=0)
Feb 22 10:48:05 host1 su[3582]: pam_unix(su:session): session closed for user projectslcp
Feb 22 10:48:06 host1 su[3588]: Successful su for host1 by root
Feb 22 10:48:06 host1 su[3588]: + ??? root:host1
Feb 22 10:48:06 host1 su[3588]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:48:06 host1 su[3588]: pam_unix(su:session): session closed for user host1
Feb 22 10:48:12 host1 saslauthd[1887]: pam_unix(smtp:auth): check pass; user unknown
Feb 22 10:48:12 host1 saslauthd[1887]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Feb 22 10:48:14 host1 saslauthd[1887]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Feb 22 10:48:14 host1 saslauthd[1887]: do_auth : auth failure: [user=field] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 22 10:49:01 host1 CRON[7956]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:49:01 host1 CRON[7956]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:50:01 host1 CRON[12776]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 22 10:50:01 host1 CRON[12777]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:50:01 host1 CRON[12777]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:50:01 host1 su[12875]: Successful su for postgres by root
Feb 22 10:50:01 host1 su[12875]: + ??? root:postgres
Feb 22 10:50:01 host1 su[12875]: pam_unix(su:session): session opened for user postgres by (uid=0)
Feb 22 10:50:01 host1 su[12875]: pam_unix(su:session): session closed for user postgres
Feb 22 10:50:02 host1 CRON[12776]: pam_unix(cron:session): session closed for user root
Feb 22 10:51:01 host1 CRON[17639]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:51:01 host1 CRON[17639]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:52:01 host1 CRON[22451]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:52:01 host1 CRON[22451]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:53:01 host1 CRON[27310]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:53:01 host1 CRON[27310]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:53:07 host1 su[27944]: Successful su for projectslcp by root
Feb 22 10:53:07 host1 su[27944]: + ??? root:projectslcp
Feb 22 10:53:07 host1 su[27944]: pam_unix(su:session): session opened for user projectslcp by (uid=0)
Feb 22 10:53:07 host1 su[27944]: pam_unix(su:session): session closed for user projectslcp
Feb 22 10:53:07 host1 su[27951]: Successful su for host1 by root
Feb 22 10:53:07 host1 su[27951]: + ??? root:host1
Feb 22 10:53:07 host1 su[27951]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:53:07 host1 su[27951]: pam_unix(su:session): session closed for user host1
Feb 22 10:53:40 host1 sshd[24692]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.49 user=root
Feb 22 10:53:42 host1 sshd[24692]: Failed password for root from 116.31.116.49 port 46022 ssh2
Feb 22 10:53:47 host1 sshd[24692]: message repeated 2 times: [ Failed password for root from 116.31.116.49 port 46022 ssh2]
Feb 22 10:53:47 host1 sshd[24692]: Received disconnect from 116.31.116.49: 11: [preauth]
Feb 22 10:53:47 host1 sshd[24692]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.49 user=root
Feb 22 10:54:01 host1 CRON[32201]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:54:01 host1 CRON[32201]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:55:01 host1 CRON[4705]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 22 10:55:01 host1 CRON[4706]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:55:01 host1 CRON[4706]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:55:02 host1 su[4849]: Successful su for postgres by root
Feb 22 10:55:02 host1 su[4849]: + ??? root:postgres
Feb 22 10:55:02 host1 su[4849]: pam_unix(su:session): session opened for user postgres by (uid=0)
Feb 22 10:55:02 host1 su[4849]: pam_unix(su:session): session closed for user postgres
Feb 22 10:55:02 host1 CRON[4705]: pam_unix(cron:session): session closed for user root
Feb 22 10:55:26 host1 saslauthd[1891]: pam_unix(smtp:auth): check pass; user unknown
Feb 22 10:55:26 host1 saslauthd[1891]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Feb 22 10:55:28 host1 saslauthd[1891]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Feb 22 10:55:28 host1 saslauthd[1891]: do_auth : auth failure: [user=float] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Feb 22 10:56:01 host1 CRON[9538]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:56:01 host1 CRON[9538]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:57:01 host1 CRON[14359]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:57:01 host1 CRON[14359]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:58:01 host1 CRON[19161]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:58:01 host1 CRON[19161]: pam_unix(cron:session): session closed for user dinko
Feb 22 10:58:06 host1 su[19730]: Successful su for projectslcp by root
Feb 22 10:58:06 host1 su[19730]: + ??? root:projectslcp
Feb 22 10:58:06 host1 su[19730]: pam_unix(su:session): session opened for user projectslcp by (uid=0)
Feb 22 10:58:06 host1 su[19730]: pam_unix(su:session): session closed for user projectslcp
Feb 22 10:58:06 host1 su[19738]: Successful su for host1 by root
Feb 22 10:58:06 host1 su[19738]: + ??? root:host1
Feb 22 10:58:06 host1 su[19738]: pam_unix(su:session): session opened for user host1 by (uid=0)
Feb 22 10:58:06 host1 su[19738]: pam_unix(su:session): session closed for user host1
Feb 22 10:59:01 host1 CRON[24154]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:59:01 host1 CRON[24154]: pam_unix(cron:session): session closed for user dinko
Feb 22 11:00:01 host1 CRON[28995]: pam_unix(cron:session): session opened for user root by (uid=0)
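The excerpt above mixes four kinds of events (SSH password failures, cron sessions, root-initiated su, and SASL SMTP auth failures), and the syslog "message repeated N times" lines hide most of the failure count. The script below is an added triage example, not part of the original post: it tallies those events and flags the ones worth a second look. The sample input is a handful of lines copied from the posted log; the thresholds (5 failed passwords per source, 3 cron sessions per user in the window) are assumed values for illustration.

```python
import re
from collections import Counter

# Patterns for the line shapes that appear in the posted auth.log excerpt.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")
REPEATED = re.compile(r"message repeated (\d+) times: \[ (.*)\]")
CRON_OPEN = re.compile(r"CRON\[\d+\]: pam_unix\(cron:session\): session opened for user (\S+)")
SU_OK = re.compile(r"su\[\d+\]: Successful su for (\S+) by (\S+)")
SMTP_FAIL = re.compile(r"saslauthd\[\d+\]: do_auth : auth failure: \[user=([^\]]*)\]")

# Sample input: a few representative lines copied from the auth.log excerpt in the post.
SAMPLE_LOG = """\
Feb 22 10:44:01 host1 CRON[16191]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:44:53 host1 sshd[20291]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cm-84.209.49.43.getinternet.no user=root
Feb 22 10:44:54 host1 sshd[20291]: Failed password for root from 84.209.49.43 port 53108 ssh2
Feb 22 10:45:01 host1 CRON[21064]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:45:01 host1 su[21144]: Successful su for postgres by root
Feb 22 10:45:04 host1 sshd[20291]: message repeated 5 times: [ Failed password for root from 84.209.49.43 port 53108 ssh2]
Feb 22 10:45:09 host1 sshd[16407]: Failed password for root from 116.31.116.49 port 26110 ssh2
Feb 22 10:45:13 host1 sshd[16407]: message repeated 2 times: [ Failed password for root from 116.31.116.49 port 26110 ssh2]
Feb 22 10:46:01 host1 CRON[25863]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:47:01 host1 CRON[30582]: pam_unix(cron:session): session opened for user dinko by (uid=0)
Feb 22 10:48:05 host1 su[3582]: Successful su for projectslcp by root
Feb 22 10:48:14 host1 saslauthd[1887]: do_auth : auth failure: [user=field] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
"""


def summarize(log_text):
    """Tally the auth.log events that matter for a first triage pass."""
    s = {
        "ssh_failed": Counter(),     # (user, source ip) -> failed password count
        "ssh_accepted": [],          # (method, user, source ip) for each successful login
        "cron_sessions": Counter(),  # user -> cron sessions opened in the window
        "su": Counter(),             # (target user, calling user) -> count
        "smtp_failed": Counter(),    # SASL user -> failed SMTP auth count
    }
    for line in log_text.splitlines():
        mult, msg = 1, line
        rep = REPEATED.search(line)
        if rep:  # syslog collapsed N identical messages; count every one of them
            mult, msg = int(rep.group(1)), rep.group(2)
        if m := FAILED.search(msg):
            s["ssh_failed"][(m.group(1), m.group(2))] += mult
        elif m := ACCEPTED.search(msg):
            s["ssh_accepted"].append((m.group(1), m.group(2), m.group(3)))
        elif m := CRON_OPEN.search(line):
            s["cron_sessions"][m.group(1)] += 1
        elif m := SU_OK.search(line):
            s["su"][(m.group(1), m.group(2))] += 1
        elif m := SMTP_FAIL.search(line):
            s["smtp_failed"][m.group(1)] += 1
    return s


def findings(summary, brute_threshold=5, cron_threshold=3):
    """Turn the tallies into human-readable findings (thresholds are assumed values)."""
    out = []
    for (user, src), n in summary["ssh_failed"].most_common():
        if n >= brute_threshold:
            out.append(f"brute force: {n} failed passwords for {user} from {src}")
    for method, user, src in summary["ssh_accepted"]:
        out.append(f"successful ssh login: {user} via {method} from {src}")
    for user, n in summary["cron_sessions"].items():
        if n >= cron_threshold:
            out.append(f"frequent cron job: {n} sessions for {user}, check crontab -u {user} -l")
    if not summary["ssh_accepted"]:
        out.append("no successful ssh login in this excerpt")
    return out


if __name__ == "__main__":
    for f in findings(summarize(SAMPLE_LOG)):
        print(f)
```

Run against the full excerpt, the same logic shows the two root password-guessing sources (84.209.49.43 hits the MaxAuthTries limit, 116.31.116.49 disconnects after three tries), no "Accepted" line in the seventeen-minute window, a cron job under dinko firing every minute, and the regular root-to-postgres/projectslcp/host1 su calls that line up with the five-minute cron marks. The per-minute cron entry for dinko is the item this summary singles out for inspection; whether it is benign depends on what that crontab ran, which the excerpt alone cannot show.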