
Thread: [SOLVED] Zimbra logwatch.

  #1 nishith (Special Member; joined Jun 2008; location: india; 123 posts)

    [SOLVED] Zimbra logwatch.

    I'm using the zcs 5.0.5 suite. I am getting a logwatch message on a daily basis in my admin account. But I don't know where the message is coming from!

    So, could anybody tell me where to find logwatch? Is it installed with ZIMBRA or installed on my Linux PC?

    Below is the logwatch message.


    ################### Logwatch 7.3.4 (02/17/07) ####################
    Processing Initiated: Sat Jun 7 04:53:05 2008
    Date Range Processed: yesterday
    ( 2008-Jun-06 )
    Period is day.
    Detail Level of Output: 0
    Type of Output: unformatted
    Logfiles for Host: webmail
    ################################################## ################

    --------------------- Named Begin ------------------------

    **Unmatched Entries**
    client 58.68.123.50 RFC 1918 response from Internet for 12.1.168.192.in-addr.arpa: 1 Time(s)
    client 58.68.123.50 RFC 1918 response from Internet for 84.1.168.192.in-addr.arpa: 1 Time(s)
    client 58.68.123.55 RFC 1918 response from Internet for 12.1.168.192.in-addr.arpa: 2 Time(s)

    ---------------------- Named End -------------------------


    --------------------- pam_unix Begin ------------------------

    kscreensaver:
    Authentication Failures:
    root(0,0) on display :0: 1 Time(s)

    sshd:
    Authentication Failures:
    unknown (58.40.157.78): 328 Time(s)
    unknown (218.30.71.75): 115 Time(s)
    root (58.40.157.78): 111 Time(s)
    root (218.30.71.75): 73 Time(s)
    root (210.51.15.70): 56 Time(s)
    unknown (210.51.15.70): 23 Time(s)
    apache (58.40.157.78): 3 Time(s)
    apache (218.30.71.75): 2 Time(s)
    backuppc (218.30.71.75): 2 Time(s)
    mysql (210.51.15.70): 2 Time(s)
    news (210.51.15.70): 2 Time(s)
    postgres (210.51.15.70): 2 Time(s)
    postgres (58.40.157.78): 2 Time(s)
    tomcat (210.51.15.70): 2 Time(s)
    backuppc (58.40.157.78): 1 Time(s)
    ldap (58.40.157.78): 1 Time(s)
    mail (58.40.157.78): 1 Time(s)
    root (122.255.108.2): 1 Time(s)
    root (200.63.215.58): 1 Time(s)
    root (219.230.55.22): 1 Time(s)
    smmsp (58.40.157.78): 1 Time(s)
    squid (58.40.157.78): 1 Time(s)
    zimbra (58.40.157.78): 1 Time(s)
    Invalid Users:
    Unknown Account: 466 Time(s)

    su-l:
    Sessions Opened:
    (uid=0) -> zimbra: 5 Time(s)


    ---------------------- pam_unix End -------------------------


    --------------------- SSHD Begin ------------------------


    Failed logins from:
    58.40.157.78: 122 times
    122.255.108.2: 1 time
    200.63.215.58 (58.215.uio.satnet.net): 1 time
    210.51.15.70: 64 times
    218.30.71.75: 77 times
    219.230.55.22: 1 time

    Illegal users from:
    58.40.157.78: 328 times
    210.51.15.70: 23 times
    218.30.71.75: 115 times

    Users logging in through sshd:
    zimbra:
    58.68.123.55 (webmail.renovau.net): 3 times


    Received disconnect:
    11: Bye Bye : 726 Time(s)
    11: Closed due to user request. : 3 Time(s)

    **Unmatched Entries**
    reverse mapping checking getaddrinfo for 58.215.uio.satnet.net [200.63.215.58] failed - POSSIBLE BREAK-IN ATTEMPT! : 1 time(s)

    ---------------------- SSHD End -------------------------


    --------------------- Sudo (secure-log) Begin ------------------------


    ================================================== ============================

    zimbra => root
    --------------
    /opt/zimbra/bin/zmcertmgr - 1 Times.
    /opt/zimbra/libexec/zmmailboxdmgr - 3176 Times.
    /opt/zimbra/libexec/zmmtastatus - 1948 Times.
    /opt/zimbra/libexec/zmqstat - 2 Times.
    /opt/zimbra/postfix/sbin/postconf - 4 Times.

    ---------------------- Sudo (secure-log) End -------------------------


    --------------------- Disk Space Begin ------------------------

    Filesystem Size Used Avail Use% Mounted on
    /dev/sda1 29G 4.5G 23G 17% /
    /dev/sda5 20G 1.3G 18G 7% /opt
    /dev/sda3 20G 1.1G 18G 6% /var
    /dev/sda2 20G 173M 19G 1% /home


    ---------------------- Disk Space End -------------------------


    ###################### Logwatch End #########################


    It seems that I am facing serious attacks from the outside world. How can I block them?

    Below is the second logwatch message.


    ################### Logwatch 7.3.4 (02/17/07) ####################
    Processing Initiated: Fri Jun 6 04:53:06 2008
    Date Range Processed: yesterday
    ( 2008-Jun-05 )
    Period is day.
    Detail Level of Output: 0
    Type of Output: unformatted
    Logfiles for Host: webmail
    ################################################## ################

    --------------------- Cron Begin ------------------------

    **Unmatched Entries**
    Jun 5 14:52:01 webmail crond[22898]: User not known to the underlying authentication module
    Jun 5 14:52:01 webmail crond[22898]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 14:52:01 webmail crond[22898]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 14:54:01 webmail crond[22908]: User not known to the underlying authentication module
    Jun 5 14:54:01 webmail crond[22908]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 14:54:01 webmail crond[22908]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 14:55:01 webmail crond[22910]: User not known to the underlying authentication module
    Jun 5 14:55:01 webmail crond[22910]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 14:55:01 webmail crond[22910]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 14:56:01 webmail crond[22913]: User not known to the underlying authentication module
    Jun 5 14:56:01 webmail crond[22913]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 14:56:01 webmail crond[22913]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 14:58:01 webmail crond[22917]: User not known to the underlying authentication module
    Jun 5 14:58:01 webmail crond[22917]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 14:58:01 webmail crond[22917]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:18:01 webmail crond[1338]: User not known to the underlying authentication module
    Jun 5 15:18:01 webmail crond[1338]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:18:01 webmail crond[1338]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:22:01 webmail crond[6759]: User not known to the underlying authentication module
    Jun 5 15:22:01 webmail crond[6759]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:22:01 webmail crond[6759]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:24:01 webmail crond[6771]: User not known to the underlying authentication module
    Jun 5 15:24:01 webmail crond[6771]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:24:01 webmail crond[6771]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:25:01 webmail crond[6773]: User not known to the underlying authentication module
    Jun 5 15:25:01 webmail crond[6773]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:25:01 webmail crond[6773]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:26:01 webmail crond[6776]: User not known to the underlying authentication module
    Jun 5 15:26:01 webmail crond[6776]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:26:01 webmail crond[6776]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:28:01 webmail crond[6780]: User not known to the underlying authentication module
    Jun 5 15:28:01 webmail crond[6780]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:28:01 webmail crond[6780]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:30:01 webmail crond[6875]: User not known to the underlying authentication module
    Jun 5 15:30:01 webmail crond[6875]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:30:01 webmail crond[6875]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:30:01 webmail crond[6876]: User not known to the underlying authentication module
    Jun 5 15:30:01 webmail crond[6876]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:30:01 webmail crond[6876]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:30:01 webmail crond[6877]: User not known to the underlying authentication module
    Jun 5 15:30:01 webmail crond[6877]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:30:01 webmail crond[6878]: User not known to the underlying authentication module
    Jun 5 15:30:01 webmail crond[6877]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:30:01 webmail crond[6878]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:30:01 webmail crond[6878]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:32:01 webmail crond[6889]: User not known to the underlying authentication module
    Jun 5 15:32:01 webmail crond[6889]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:32:01 webmail crond[6889]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:34:01 webmail crond[6902]: User not known to the underlying authentication module
    Jun 5 15:34:01 webmail crond[6902]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:34:01 webmail crond[6902]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:35:02 webmail crond[6904]: User not known to the underlying authentication module
    Jun 5 15:35:02 webmail crond[6904]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:35:02 webmail crond[6904]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:36:01 webmail crond[6907]: User not known to the underlying authentication module
    Jun 5 15:36:01 webmail crond[6907]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:36:01 webmail crond[6907]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:38:01 webmail crond[6924]: User not known to the underlying authentication module
    Jun 5 15:38:01 webmail crond[6924]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:38:01 webmail crond[6924]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:40:01 webmail crond[6928]: User not known to the underlying authentication module
    Jun 5 15:40:01 webmail crond[6928]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:40:01 webmail crond[6928]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:40:01 webmail crond[6929]: User not known to the underlying authentication module
    Jun 5 15:40:01 webmail crond[6929]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:40:01 webmail crond[6929]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:40:01 webmail crond[6930]: User not known to the underlying authentication module
    Jun 5 15:40:01 webmail crond[6930]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:40:01 webmail crond[6931]: User not known to the underlying authentication module
    Jun 5 15:40:01 webmail crond[6930]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:40:01 webmail crond[6931]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:40:01 webmail crond[6931]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:42:01 webmail crond[6978]: User not known to the underlying authentication module
    Jun 5 15:42:01 webmail crond[6978]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:42:01 webmail crond[6978]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:44:01 webmail crond[6987]: User not known to the underlying authentication module
    Jun 5 15:44:01 webmail crond[6987]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:44:01 webmail crond[6987]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:45:01 webmail crond[6989]: User not known to the underlying authentication module
    Jun 5 15:45:01 webmail crond[6989]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:45:01 webmail crond[6989]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:46:01 webmail crond[6992]: User not known to the underlying authentication module
    Jun 5 15:46:01 webmail crond[6992]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:46:01 webmail crond[6992]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:48:01 webmail crond[6997]: User not known to the underlying authentication module
    Jun 5 15:48:01 webmail crond[6997]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:48:01 webmail crond[6997]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:50:01 webmail crond[7004]: User not known to the underlying authentication module
    Jun 5 15:50:01 webmail crond[7004]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:50:01 webmail crond[7004]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:50:01 webmail crond[7005]: User not known to the underlying authentication module
    Jun 5 15:50:01 webmail crond[7005]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:50:01 webmail crond[7005]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:50:01 webmail crond[7006]: User not known to the underlying authentication module
    Jun 5 15:50:01 webmail crond[7006]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:50:01 webmail crond[7006]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:50:01 webmail crond[7007]: User not known to the underlying authentication module
    Jun 5 15:50:01 webmail crond[7007]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:50:01 webmail crond[7007]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:52:01 webmail crond[7011]: User not known to the underlying authentication module


    --------------------- pam_unix Begin ------------------------

    crond:
    Unknown Entries:
    could not identify user (from getpwnam(zimbra)): 69 Time(s)

    runuser:
    Password Failures:
    ldap: 1 Time(s)
    Sessions Opened:
    ldap by root(uid=0): 1 Time(s)

    sshd:
    Authentication Failures:
    unknown (202.152.236.106): 111 Time(s)
    root (202.152.236.106): 56 Time(s)
    root (203.153.40.198): 31 Time(s)
    unknown (203.153.40.198): 21 Time(s)
    root (202.106.167.29): 18 Time(s)
    apache (203.153.40.198): 1 Time(s)
    games (202.152.236.106): 1 Time(s)
    root (202.131.112.138): 1 Time(s)
    root (58.68.36.186): 1 Time(s)
    Invalid Users:
    Unknown Account: 132 Time(s)

    su-l:
    Sessions Opened:
    root(uid=0) -> zimbra: 151 Time(s)
    (uid=0) -> zimbra: 3 Time(s)
    root(uid=0) -> root: 1 Time(s)


    ---------------------- pam_unix End -------------------------


    --------------------- Connections (secure-log) Begin ------------------------

    New Users:
    zimbra (501)
    postfix (502)
    zimbra (501)
    postfix (502)
    zimbra (501)
    postfix (502)

    Deleted Users:
    zimbra
    postfix
    zimbra
    postfix
    zimbra
    postfix

    New Groups:
    zimbra (501)
    postfix (502)
    zimbra (501)
    postfix (502)
    zimbra (501)
    postfix (502)

    Deleted Groups:
    zimbra
    postfix
    zimbra
    postfix
    zimbra
    postfix


    Added User to group:
    adm:
    zimbra
    postfix:
    zimbra
    tty:
    zimbra

    Removed From Group:
    user zimbra from group adm
    user zimbra from group tty
    user zimbra from group postfix
    user zimbra from group adm
    user zimbra from group tty
    user zimbra from group postfix
    user zimbra from group adm
    user zimbra from group tty
    user zimbra from group postfix
    user zimbra from group adm
    user zimbra from group tty
    user zimbra from group postfix
    user zimbra from group adm
    user zimbra from group tty
    user zimbra from group postfix
    user zimbra from group adm
    user zimbra from group tty
    user zimbra from group postfix


    Changed users GID:
    zimbra: 501 -> 501

    Changed users default login shell:
    User zimbra change shell from /bin/bash to /bin/bash: 1 Time(s)

    ---------------------- Connections (secure-log) End -------------------------


    --------------------- SSHD Begin ------------------------


    SSHD Killed: 1 Time(s)

    SSHD Started: 1 Time(s)

    Failed logins from:
    58.68.36.186: 1 time
    202.106.167.29: 18 times
    202.131.112.138: 1 time
    202.152.236.106 (ip-106-236-net.net2cyber.net): 57 times
    203.153.40.198: 32 times

    Illegal users from:
    202.152.236.106 (ip-106-236-net.net2cyber.net): 111 times
    203.153.40.198: 21 times

    Users logging in through sshd:
    root:
    192.168.1.12: 4 times
    202.131.112.138: 1 time
    zimbra:
    58.68.123.55 (webmail.renovau.net): 15 times


    Received disconnect:
    11: Bye Bye : 215 Time(s)
    11: Closed due to user request. : 15 Time(s)

    **Unmatched Entries**
    reverse mapping checking getaddrinfo for ip-106-236-net.net2cyber.net [202.152.236.106] failed - POSSIBLE BREAK-IN ATTEMPT! : 168 time(s)

    ---------------------- SSHD End -------------------------


    --------------------- Sudo (secure-log) Begin ------------------------


    ================================================== ============================

    zimbra => root
    --------------
    /opt/zimbra/bin/zmcertmgr - 4 Times.
    /opt/zimbra/libexec/zmmailboxdmgr - 1375 Times.
    /opt/zimbra/libexec/zmmtastatus - 986 Times.
    /opt/zimbra/libexec/zmqstat - 11 Times.
    /opt/zimbra/libexec/zmslapd - 3 Times.
    /opt/zimbra/nginx/sbin/nginx - 1 Times.
    /opt/zimbra/postfix/sbin/postalias - 7 Times.
    /opt/zimbra/postfix/sbin/postconf - 22 Times.
    /opt/zimbra/postfix/sbin/postfix - 7 Times.

    ---------------------- Sudo (secure-log) End -------------------------



    I can't understand why this message is coming. Is there any error in the zcs installation? Or is there any necessary modification after the installation that I didn't do?
    Last edited by nishith; 06-06-2008 at 11:32 PM.

  #2 nishith (Special Member; joined Jun 2008; location: india; 123 posts)

    Getting logwatch messages in zcs & where to find logwatch user account in zimbra?

    I am using zcs version 5.0.5, installed 2 days ago. It is a totally fresh installation.

    Right now, I am getting messages from logwatch@webmail.renovau.net to my root account, that is, root@webmail.renovau.net.

    The point is, I have installed zimbra on Fedora Core 7, and Fedora Core 7 has logwatch installed. But I didn't modify the "logwatch.conf" file. Then where am I getting logwatch messages from?

    My mail server name is webmail.renovau.net, and the "logwatch" mail account name is "logwatch@webmail.renovau.net". That means this mail id is generated by zimbra.

    Checking the zimbra admin console, I didn't find a logwatch account.

    So, please tell me where to find the logwatch user account, and is it compulsory to modify and back up the logwatch files?


    Thanks,
    Nishith.

  #3 phoenix (Zimbra Consultant & Moderator; joined Sep 2005; location: Vannes, France; 23,447 posts)

    It's nothing to do with Zimbra: logwatch - Linux Command - Unix Command
    Regards


    Bill



  #4 nishith (Special Member; joined Jun 2008; location: india; 123 posts)

    Nothing to do with zimbra? Does it mean the logwatch service is ready-made and configured during installation of ZCS?

    1) Can we customize logwatch for zimbra?
    2) Suppose I want to remove the Fedora-installed logwatch; will it make any changes to the zimbra logwatch?
    3) As per my above post, did you find any errors regarding logwatch & crontab?

    Waiting,
    Nishith.

  #5 phoenix (Zimbra Consultant & Moderator; joined Sep 2005; location: Vannes, France; 23,447 posts)

    Quote, originally posted by nishith:
    "Nothing to do with zimbra? Does it mean the logwatch service is ready-made and configured during installation of ZCS?"

    That means exactly what I said: it's nothing to do with Zimbra. It's installed by your operating system and we do nothing to it.

    From the link above:
    DESCRIPTION
    LogWatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish. Easy to use - works right out of the package on almost all systems.
    If you want to make changes to logwatch, ask on the Fedora Forums.
    Regards


    Bill



  #6 Mistoffeles (Senior Member; joined Oct 2007; 70 posts)

    There is nothing wrong with your computer at all. This stuff is all entirely normal. If you want to block some of those IPs, you can do so in your netstat/iptables configuration (aka. software firewall built into the Linux kernel), or in whatever hardware firewall you happen to use, but this isn't really necessary.

    - Misty
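    As an added illustration of Misty's point (this is not code from the thread or from Zimbra or logwatch), the script below reads the "SSHD" section of a logwatch 7.x report in the layout shown in the first post, totals the "Failed logins from" and "Illegal users from" counts per source address, and renders candidate iptables DROP rules for the addresses above a threshold. Hosts that only appear under "Users logging in through sshd" (the legitimate zimbra logins) are deliberately ignored. The report text and all addresses in it are constructed for the example, and the rules are returned as strings for an administrator to review rather than executed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the logwatch 7.x "SSHD" section
# quoted in this thread; the addresses are documentation ranges, not real hosts.
SAMPLE_REPORT = """\
--------------------- SSHD Begin ------------------------

Failed logins from:
   192.0.2.10: 122 times
   198.51.100.7: 1 time
   203.0.113.5 (host.example.net): 64 times

Illegal users from:
   192.0.2.10: 328 times
   203.0.113.5 (host.example.net): 23 times

Users logging in through sshd:
   zimbra:
      192.0.2.99 (webmail.example.net): 3 times

---------------------- SSHD End -------------------------
"""

# Everything between the SSHD Begin/End banners.
SECTION_RE = re.compile(r"-+ SSHD Begin -+\n(.*?)\n-+ SSHD End -+", re.S)
# One entry line: "   1.2.3.4 (optional.rdns): 12 times" or "   1.2.3.4: 1 time"
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})(?:\s+\([^)]*\))?:\s+(\d+)\s+times?\s*$")


def parse_sshd_section(report: str) -> dict:
    """Return {ip: {"failed": n, "illegal": m}} built from the SSHD section."""
    section = SECTION_RE.search(report)
    if not section:
        return {}
    counts = defaultdict(lambda: {"failed": 0, "illegal": 0})
    key = None  # which subsection the current line belongs to
    for line in section.group(1).splitlines():
        stripped = line.strip()
        if stripped == "Failed logins from:":
            key = "failed"
            continue
        if stripped == "Illegal users from:":
            key = "illegal"
            continue
        entry = ENTRY_RE.match(line)
        if stripped.endswith(":") and not entry:
            # Any other heading (successful logins, disconnects, ...) is skipped.
            key = None
            continue
        if key and entry:
            counts[entry.group(1)][key] += int(entry.group(2))
    return dict(counts)


def suspicious_sources(counts: dict, threshold: int = 20) -> list:
    """Addresses whose failed + illegal-user attempts reach the threshold,
    most active first."""
    totals = {ip: v["failed"] + v["illegal"] for ip, v in counts.items()}
    return sorted((ip for ip, t in totals.items() if t >= threshold),
                  key=lambda ip: -totals[ip])


def iptables_drop_rules(ips) -> list:
    """Render one DROP rule per address for review; nothing is executed here."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    counts = parse_sshd_section(SAMPLE_REPORT)
    flagged = suspicious_sources(counts)
    for ip in flagged:
        print(ip, counts[ip])
    print("\n".join(iptables_drop_rules(flagged)))
```

    The threshold is a hypothetical tuning knob; the point of keeping the rules as output rather than applying them is that an address appearing in this list only says that many attempts came from it, and an administrator still needs to check it is not a legitimate client or an internal address before adding it to the firewall or to a hardware firewall's block list.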
