[SOLVED] Zimbra logwatch.
Posted by nishith, 06-07-2008, 12:27 AM

I'm using the ZCS 5.0.5 suite. I am getting a logwatch message on a daily basis in my admin account. But I don't know where the message is coming from!

So, could anybody tell me where to find logwatch? Is it installed with ZIMBRA or installed on my Linux PC?

Below is the logwatch message.


################### Logwatch 7.3.4 (02/17/07) ####################
Processing Initiated: Sat Jun 7 04:53:05 2008
Date Range Processed: yesterday
( 2008-Jun-06 )
Period is day.
Detail Level of Output: 0
Type of Output: unformatted
Logfiles for Host: webmail
##################################################################

--------------------- Named Begin ------------------------

**Unmatched Entries**
client 58.68.123.50 RFC 1918 response from Internet for 12.1.168.192.in-addr.arpa: 1 Time(s)
client 58.68.123.50 RFC 1918 response from Internet for 84.1.168.192.in-addr.arpa: 1 Time(s)
client 58.68.123.55 RFC 1918 response from Internet for 12.1.168.192.in-addr.arpa: 2 Time(s)

---------------------- Named End -------------------------


--------------------- pam_unix Begin ------------------------

kscreensaver:
Authentication Failures:
root(0,0) on display :0: 1 Time(s)

sshd:
Authentication Failures:
unknown (58.40.157.78): 328 Time(s)
unknown (218.30.71.75): 115 Time(s)
root (58.40.157.78): 111 Time(s)
root (218.30.71.75): 73 Time(s)
root (210.51.15.70): 56 Time(s)
unknown (210.51.15.70): 23 Time(s)
apache (58.40.157.78): 3 Time(s)
apache (218.30.71.75): 2 Time(s)
backuppc (218.30.71.75): 2 Time(s)
mysql (210.51.15.70): 2 Time(s)
news (210.51.15.70): 2 Time(s)
postgres (210.51.15.70): 2 Time(s)
postgres (58.40.157.78): 2 Time(s)
tomcat (210.51.15.70): 2 Time(s)
backuppc (58.40.157.78): 1 Time(s)
ldap (58.40.157.78): 1 Time(s)
mail (58.40.157.78): 1 Time(s)
root (122.255.108.2): 1 Time(s)
root (200.63.215.58): 1 Time(s)
root (219.230.55.22): 1 Time(s)
smmsp (58.40.157.78): 1 Time(s)
squid (58.40.157.78): 1 Time(s)
zimbra (58.40.157.78): 1 Time(s)
Invalid Users:
Unknown Account: 466 Time(s)

su-l:
Sessions Opened:
(uid=0) -> zimbra: 5 Time(s)


---------------------- pam_unix End -------------------------


--------------------- SSHD Begin ------------------------


Failed logins from:
58.40.157.78: 122 times
122.255.108.2: 1 time
200.63.215.58 (58.215.uio.satnet.net): 1 time
210.51.15.70: 64 times
218.30.71.75: 77 times
219.230.55.22: 1 time

Illegal users from:
58.40.157.78: 328 times
210.51.15.70: 23 times
218.30.71.75: 115 times

Users logging in through sshd:
zimbra:
58.68.123.55 (webmail.renovau.net): 3 times


Received disconnect:
11: Bye Bye : 726 Time(s)
11: Closed due to user request. : 3 Time(s)

**Unmatched Entries**
reverse mapping checking getaddrinfo for 58.215.uio.satnet.net [200.63.215.58] failed - POSSIBLE BREAK-IN ATTEMPT! : 1 time(s)

---------------------- SSHD End -------------------------


--------------------- Sudo (secure-log) Begin ------------------------


==============================================================================

zimbra => root
--------------
/opt/zimbra/bin/zmcertmgr - 1 Times.
/opt/zimbra/libexec/zmmailboxdmgr - 3176 Times.
/opt/zimbra/libexec/zmmtastatus - 1948 Times.
/opt/zimbra/libexec/zmqstat - 2 Times.
/opt/zimbra/postfix/sbin/postconf - 4 Times.

---------------------- Sudo (secure-log) End -------------------------


--------------------- Disk Space Begin ------------------------

Filesystem Size Used Avail Use% Mounted on
/dev/sda1 29G 4.5G 23G 17% /
/dev/sda5 20G 1.3G 18G 7% /opt
/dev/sda3 20G 1.1G 18G 6% /var
/dev/sda2 20G 173M 19G 1% /home


---------------------- Disk Space End -------------------------


###################### Logwatch End #########################


It seems that I am facing serious attacks from the outside world. How can I block them?

Below is the second logwatch message.


################### Logwatch 7.3.4 (02/17/07) ####################
Processing Initiated: Fri Jun 6 04:53:06 2008
Date Range Processed: yesterday
( 2008-Jun-05 )
Period is day.
Detail Level of Output: 0
Type of Output: unformatted
Logfiles for Host: webmail
##################################################################

--------------------- Cron Begin ------------------------

**Unmatched Entries**
Jun 5 14:52:01 webmail crond[22898]: User not known to the underlying authentication module
Jun 5 14:52:01 webmail crond[22898]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 14:52:01 webmail crond[22898]: CRON (zimbra) ERROR: cannot set security context
Jun 5 14:54:01 webmail crond[22908]: User not known to the underlying authentication module
Jun 5 14:54:01 webmail crond[22908]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 14:54:01 webmail crond[22908]: CRON (zimbra) ERROR: cannot set security context
Jun 5 14:55:01 webmail crond[22910]: User not known to the underlying authentication module
Jun 5 14:55:01 webmail crond[22910]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 14:55:01 webmail crond[22910]: CRON (zimbra) ERROR: cannot set security context
Jun 5 14:56:01 webmail crond[22913]: User not known to the underlying authentication module
Jun 5 14:56:01 webmail crond[22913]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 14:56:01 webmail crond[22913]: CRON (zimbra) ERROR: cannot set security context
Jun 5 14:58:01 webmail crond[22917]: User not known to the underlying authentication module
Jun 5 14:58:01 webmail crond[22917]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 14:58:01 webmail crond[22917]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:18:01 webmail crond[1338]: User not known to the underlying authentication module
Jun 5 15:18:01 webmail crond[1338]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:18:01 webmail crond[1338]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:22:01 webmail crond[6759]: User not known to the underlying authentication module
Jun 5 15:22:01 webmail crond[6759]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:22:01 webmail crond[6759]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:24:01 webmail crond[6771]: User not known to the underlying authentication module
Jun 5 15:24:01 webmail crond[6771]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:24:01 webmail crond[6771]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:25:01 webmail crond[6773]: User not known to the underlying authentication module
Jun 5 15:25:01 webmail crond[6773]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:25:01 webmail crond[6773]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:26:01 webmail crond[6776]: User not known to the underlying authentication module
Jun 5 15:26:01 webmail crond[6776]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:26:01 webmail crond[6776]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:28:01 webmail crond[6780]: User not known to the underlying authentication module
Jun 5 15:28:01 webmail crond[6780]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:28:01 webmail crond[6780]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:30:01 webmail crond[6875]: User not known to the underlying authentication module
Jun 5 15:30:01 webmail crond[6875]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:30:01 webmail crond[6875]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:30:01 webmail crond[6876]: User not known to the underlying authentication module
Jun 5 15:30:01 webmail crond[6876]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:30:01 webmail crond[6876]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:30:01 webmail crond[6877]: User not known to the underlying authentication module
Jun 5 15:30:01 webmail crond[6877]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:30:01 webmail crond[6878]: User not known to the underlying authentication module
Jun 5 15:30:01 webmail crond[6877]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:30:01 webmail crond[6878]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:30:01 webmail crond[6878]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:32:01 webmail crond[6889]: User not known to the underlying authentication module
Jun 5 15:32:01 webmail crond[6889]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:32:01 webmail crond[6889]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:34:01 webmail crond[6902]: User not known to the underlying authentication module
Jun 5 15:34:01 webmail crond[6902]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:34:01 webmail crond[6902]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:35:02 webmail crond[6904]: User not known to the underlying authentication module
Jun 5 15:35:02 webmail crond[6904]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:35:02 webmail crond[6904]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:36:01 webmail crond[6907]: User not known to the underlying authentication module
Jun 5 15:36:01 webmail crond[6907]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:36:01 webmail crond[6907]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:38:01 webmail crond[6924]: User not known to the underlying authentication module
Jun 5 15:38:01 webmail crond[6924]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:38:01 webmail crond[6924]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:40:01 webmail crond[6928]: User not known to the underlying authentication module
Jun 5 15:40:01 webmail crond[6928]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:40:01 webmail crond[6928]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:40:01 webmail crond[6929]: User not known to the underlying authentication module
Jun 5 15:40:01 webmail crond[6929]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:40:01 webmail crond[6929]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:40:01 webmail crond[6930]: User not known to the underlying authentication module
Jun 5 15:40:01 webmail crond[6930]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:40:01 webmail crond[6931]: User not known to the underlying authentication module
Jun 5 15:40:01 webmail crond[6930]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:40:01 webmail crond[6931]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:40:01 webmail crond[6931]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:42:01 webmail crond[6978]: User not known to the underlying authentication module
Jun 5 15:42:01 webmail crond[6978]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:42:01 webmail crond[6978]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:44:01 webmail crond[6987]: User not known to the underlying authentication module
Jun 5 15:44:01 webmail crond[6987]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:44:01 webmail crond[6987]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:45:01 webmail crond[6989]: User not known to the underlying authentication module
Jun 5 15:45:01 webmail crond[6989]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:45:01 webmail crond[6989]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:46:01 webmail crond[6992]: User not known to the underlying authentication module
Jun 5 15:46:01 webmail crond[6992]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:46:01 webmail crond[6992]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:48:01 webmail crond[6997]: User not known to the underlying authentication module
Jun 5 15:48:01 webmail crond[6997]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:48:01 webmail crond[6997]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:50:01 webmail crond[7004]: User not known to the underlying authentication module
Jun 5 15:50:01 webmail crond[7004]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:50:01 webmail crond[7004]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:50:01 webmail crond[7005]: User not known to the underlying authentication module
Jun 5 15:50:01 webmail crond[7005]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:50:01 webmail crond[7005]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:50:01 webmail crond[7006]: User not known to the underlying authentication module
Jun 5 15:50:01 webmail crond[7006]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:50:01 webmail crond[7006]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:50:01 webmail crond[7007]: User not known to the underlying authentication module
Jun 5 15:50:01 webmail crond[7007]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:50:01 webmail crond[7007]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:52:01 webmail crond[7011]: User not known to the underlying authentication module


--------------------- pam_unix Begin ------------------------

crond:
Unknown Entries:
could not identify user (from getpwnam(zimbra)): 69 Time(s)

runuser:
Password Failures:
ldap: 1 Time(s)
Sessions Opened:
ldap by root(uid=0): 1 Time(s)

sshd:
Authentication Failures:
unknown (202.152.236.106): 111 Time(s)
root (202.152.236.106): 56 Time(s)
root (203.153.40.198): 31 Time(s)
unknown (203.153.40.198): 21 Time(s)
root (202.106.167.29): 18 Time(s)
apache (203.153.40.198): 1 Time(s)
games (202.152.236.106): 1 Time(s)
root (202.131.112.138): 1 Time(s)
root (58.68.36.186): 1 Time(s)
Invalid Users:
Unknown Account: 132 Time(s)

su-l:
Sessions Opened:
root(uid=0) -> zimbra: 151 Time(s)
(uid=0) -> zimbra: 3 Time(s)
root(uid=0) -> root: 1 Time(s)


---------------------- pam_unix End -------------------------


--------------------- Connections (secure-log) Begin ------------------------

New Users:
zimbra (501)
postfix (502)
zimbra (501)
postfix (502)
zimbra (501)
postfix (502)

Deleted Users:
zimbra
postfix
zimbra
postfix
zimbra
postfix

New Groups:
zimbra (501)
postfix (502)
zimbra (501)
postfix (502)
zimbra (501)
postfix (502)

Deleted Groups:
zimbra
postfix
zimbra
postfix
zimbra
postfix


Added User to group:
adm:
zimbra
postfix:
zimbra
tty:
zimbra

Removed From Group:
user zimbra from group adm
user zimbra from group tty
user zimbra from group postfix
user zimbra from group adm
user zimbra from group tty
user zimbra from group postfix
user zimbra from group adm
user zimbra from group tty
user zimbra from group postfix
user zimbra from group adm
user zimbra from group tty
user zimbra from group postfix
user zimbra from group adm
user zimbra from group tty
user zimbra from group postfix
user zimbra from group adm
user zimbra from group tty
user zimbra from group postfix


Changed users GID:
zimbra: 501 -> 501

Changed users default login shell:
User zimbra change shell from /bin/bash to /bin/bash: 1 Time(s)

---------------------- Connections (secure-log) End -------------------------


--------------------- SSHD Begin ------------------------


SSHD Killed: 1 Time(s)

SSHD Started: 1 Time(s)

Failed logins from:
58.68.36.186: 1 time
202.106.167.29: 18 times
202.131.112.138: 1 time
202.152.236.106 (ip-106-236-net.net2cyber.net): 57 times
203.153.40.198: 32 times

Illegal users from:
202.152.236.106 (ip-106-236-net.net2cyber.net): 111 times
203.153.40.198: 21 times

Users logging in through sshd:
root:
192.168.1.12: 4 times
202.131.112.138: 1 time
zimbra:
58.68.123.55 (webmail.renovau.net): 15 times


Received disconnect:
11: Bye Bye : 215 Time(s)
11: Closed due to user request. : 15 Time(s)

**Unmatched Entries**
reverse mapping checking getaddrinfo for ip-106-236-net.net2cyber.net [202.152.236.106] failed - POSSIBLE BREAK-IN ATTEMPT! : 168 time(s)

---------------------- SSHD End -------------------------


--------------------- Sudo (secure-log) Begin ------------------------


==============================================================================

zimbra => root
--------------
/opt/zimbra/bin/zmcertmgr - 4 Times.
/opt/zimbra/libexec/zmmailboxdmgr - 1375 Times.
/opt/zimbra/libexec/zmmtastatus - 986 Times.
/opt/zimbra/libexec/zmqstat - 11 Times.
/opt/zimbra/libexec/zmslapd - 3 Times.
/opt/zimbra/nginx/sbin/nginx - 1 Times.
/opt/zimbra/postfix/sbin/postalias - 7 Times.
/opt/zimbra/postfix/sbin/postconf - 22 Times.
/opt/zimbra/postfix/sbin/postfix - 7 Times.

---------------------- Sudo (secure-log) End -------------------------



I can't understand why this message is coming. Is there an error in the ZCS installation? Or is there some necessary modification after the installation that I didn't do?

Last edited by nishith : 06-07-2008 at 12:32 AM.
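The SSHD section of the reports above tallies failed logins and illegal-user attempts per source address; before deciding what to block, it helps to combine those two tallies per source and rank them. The following parser is an added example, not code from the post or from logwatch/Zimbra; it reads the logwatch 7.x SSHD section layout shown above and assumes a constructed excerpt using RFC 5737 documentation addresses rather than the hosts in the report.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the logwatch 7.x "SSHD" section shown in
# the post (indentation is optional, as the forum copy stripped it).  The
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_REPORT = """\
--------------------- SSHD Begin ------------------------

Failed logins from:
   192.0.2.10: 122 times
   198.51.100.7 (host7.example.net): 1 time
   203.0.113.5: 64 times

Illegal users from:
   192.0.2.10: 328 times
   203.0.113.5: 23 times

Users logging in through sshd:
   zimbra:
      198.51.100.20 (mail.example.net): 3 times

---------------------- SSHD End -------------------------
"""

SECTION_RE = re.compile(r"-+ SSHD Begin -+\n(.*?)\n-+ SSHD End -+", re.S)
# "<ip> [(reverse name)]: <n> time(s)" as printed by logwatch's sshd filter.
ENTRY_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\s+\([^)]*\))?:\s+(\d+) times?$")
# Sub-headings of the SSHD section and whether their entries count as failures.
HEADINGS = {
    "Failed logins from:": True,      # wrong password for an existing user
    "Illegal users from:": True,      # login attempt for a non-existent user
    "Users logging in through sshd:": False,  # successful logins, skip
    "Received disconnect:": False,
}


def ssh_failures_by_source(report: str) -> dict:
    """Sum failed-login and illegal-user counts per source address."""
    section = SECTION_RE.search(report)
    if not section:
        return {}
    counts, collecting = defaultdict(int), False
    for raw in section.group(1).splitlines():
        line = raw.strip()
        if line in HEADINGS:
            collecting = HEADINGS[line]
            continue
        entry = ENTRY_RE.match(line)
        if collecting and entry:
            counts[entry.group(1)] += int(entry.group(2))
    return dict(counts)


def noisy_sources(counts: dict, threshold: int = 20) -> list:
    """Sources at or above the threshold, busiest first (candidates for a block list)."""
    hot = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hot, key=lambda item: -item[1])
```

Running it on the real report (paste the full logwatch mail into `report`) shows which addresses account for nearly all of the "Unknown Account" and root failures, which is the list a firewall rule or a tool such as fail2ban would act on.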