I'm using the ZCS 5.0.5 suite. I am getting a Logwatch message on a daily basis in my admin account, but I don't know where the message is coming from.
So, could anybody tell me where to find Logwatch? Is it installed with Zimbra, or installed on my Linux PC?
Below is the Logwatch message.
################### Logwatch 7.3.4 (02/17/07) ####################
Processing Initiated: Sat Jun 7 04:53:05 2008
Date Range Processed: yesterday
( 2008-Jun-06 )
Period is day.
Detail Level of Output: 0
Type of Output: unformatted
Logfiles for Host: webmail
##################################################################
--------------------- Named Begin ------------------------
**Unmatched Entries**
client 58.68.123.50 RFC 1918 response from Internet for 12.1.168.192.in-addr.arpa: 1 Time(s)
client 58.68.123.50 RFC 1918 response from Internet for 84.1.168.192.in-addr.arpa: 1 Time(s)
client 58.68.123.55 RFC 1918 response from Internet for 12.1.168.192.in-addr.arpa: 2 Time(s)
---------------------- Named End -------------------------
--------------------- pam_unix Begin ------------------------
kscreensaver:
Authentication Failures:
root(0,0) on display :0: 1 Time(s)
sshd:
Authentication Failures:
unknown (58.40.157.78): 328 Time(s)
unknown (218.30.71.75): 115 Time(s)
root (58.40.157.78): 111 Time(s)
root (218.30.71.75): 73 Time(s)
root (210.51.15.70): 56 Time(s)
unknown (210.51.15.70): 23 Time(s)
apache (58.40.157.78): 3 Time(s)
apache (218.30.71.75): 2 Time(s)
backuppc (218.30.71.75): 2 Time(s)
mysql (210.51.15.70): 2 Time(s)
news (210.51.15.70): 2 Time(s)
postgres (210.51.15.70): 2 Time(s)
postgres (58.40.157.78): 2 Time(s)
tomcat (210.51.15.70): 2 Time(s)
backuppc (58.40.157.78): 1 Time(s)
ldap (58.40.157.78): 1 Time(s)
mail (58.40.157.78): 1 Time(s)
root (122.255.108.2): 1 Time(s)
root (200.63.215.58): 1 Time(s)
root (219.230.55.22): 1 Time(s)
smmsp (58.40.157.78): 1 Time(s)
squid (58.40.157.78): 1 Time(s)
zimbra (58.40.157.78): 1 Time(s)
Invalid Users:
Unknown Account: 466 Time(s)
su-l:
Sessions Opened:
(uid=0) -> zimbra: 5 Time(s)
---------------------- pam_unix End -------------------------
--------------------- SSHD Begin ------------------------
Failed logins from:
58.40.157.78: 122 times
122.255.108.2: 1 time
200.63.215.58 (58.215.uio.satnet.net): 1 time
210.51.15.70: 64 times
218.30.71.75: 77 times
219.230.55.22: 1 time
Illegal users from:
58.40.157.78: 328 times
210.51.15.70: 23 times
218.30.71.75: 115 times
Users logging in through sshd:
zimbra:
58.68.123.55 (webmail.renovau.net): 3 times
Received disconnect:
11: Bye Bye : 726 Time(s)
11: Closed due to user request. : 3 Time(s)
**Unmatched Entries**
reverse mapping checking getaddrinfo for 58.215.uio.satnet.net [200.63.215.58] failed - POSSIBLE BREAK-IN ATTEMPT! : 1 time(s)
---------------------- SSHD End -------------------------
--------------------- Sudo (secure-log) Begin ------------------------
============================================================================
zimbra => root
--------------
/opt/zimbra/bin/zmcertmgr - 1 Times.
/opt/zimbra/libexec/zmmailboxdmgr - 3176 Times.
/opt/zimbra/libexec/zmmtastatus - 1948 Times.
/opt/zimbra/libexec/zmqstat - 2 Times.
/opt/zimbra/postfix/sbin/postconf - 4 Times.
---------------------- Sudo (secure-log) End -------------------------
--------------------- Disk Space Begin ------------------------
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 29G 4.5G 23G 17% /
/dev/sda5 20G 1.3G 18G 7% /opt
/dev/sda3 20G 1.1G 18G 6% /var
/dev/sda2 20G 173M 19G 1% /home
---------------------- Disk Space End -------------------------
###################### Logwatch End #########################
It seems that I am facing serious attacks from the outside world. How can I block them?
Below is the second Logwatch message.
################### Logwatch 7.3.4 (02/17/07) ####################
Processing Initiated: Fri Jun 6 04:53:06 2008
Date Range Processed: yesterday
( 2008-Jun-05 )
Period is day.
Detail Level of Output: 0
Type of Output: unformatted
Logfiles for Host: webmail
##################################################################
--------------------- Cron Begin ------------------------
**Unmatched Entries**
Jun 5 14:52:01 webmail crond[22898]: User not known to the underlying authentication module
Jun 5 14:52:01 webmail crond[22898]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 14:52:01 webmail crond[22898]: CRON (zimbra) ERROR: cannot set security context
Jun 5 14:54:01 webmail crond[22908]: User not known to the underlying authentication module
Jun 5 14:54:01 webmail crond[22908]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 14:54:01 webmail crond[22908]: CRON (zimbra) ERROR: cannot set security context
Jun 5 14:55:01 webmail crond[22910]: User not known to the underlying authentication module
Jun 5 14:55:01 webmail crond[22910]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 14:55:01 webmail crond[22910]: CRON (zimbra) ERROR: cannot set security context
Jun 5 14:56:01 webmail crond[22913]: User not known to the underlying authentication module
Jun 5 14:56:01 webmail crond[22913]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 14:56:01 webmail crond[22913]: CRON (zimbra) ERROR: cannot set security context
Jun 5 14:58:01 webmail crond[22917]: User not known to the underlying authentication module
Jun 5 14:58:01 webmail crond[22917]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 14:58:01 webmail crond[22917]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:18:01 webmail crond[1338]: User not known to the underlying authentication module
Jun 5 15:18:01 webmail crond[1338]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:18:01 webmail crond[1338]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:22:01 webmail crond[6759]: User not known to the underlying authentication module
Jun 5 15:22:01 webmail crond[6759]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:22:01 webmail crond[6759]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:24:01 webmail crond[6771]: User not known to the underlying authentication module
Jun 5 15:24:01 webmail crond[6771]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:24:01 webmail crond[6771]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:25:01 webmail crond[6773]: User not known to the underlying authentication module
Jun 5 15:25:01 webmail crond[6773]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:25:01 webmail crond[6773]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:26:01 webmail crond[6776]: User not known to the underlying authentication module
Jun 5 15:26:01 webmail crond[6776]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:26:01 webmail crond[6776]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:28:01 webmail crond[6780]: User not known to the underlying authentication module
Jun 5 15:28:01 webmail crond[6780]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:28:01 webmail crond[6780]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:30:01 webmail crond[6875]: User not known to the underlying authentication module
Jun 5 15:30:01 webmail crond[6875]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:30:01 webmail crond[6875]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:30:01 webmail crond[6876]: User not known to the underlying authentication module
Jun 5 15:30:01 webmail crond[6876]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:30:01 webmail crond[6876]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:30:01 webmail crond[6877]: User not known to the underlying authentication module
Jun 5 15:30:01 webmail crond[6877]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:30:01 webmail crond[6878]: User not known to the underlying authentication module
Jun 5 15:30:01 webmail crond[6877]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:30:01 webmail crond[6878]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:30:01 webmail crond[6878]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:32:01 webmail crond[6889]: User not known to the underlying authentication module
Jun 5 15:32:01 webmail crond[6889]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:32:01 webmail crond[6889]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:34:01 webmail crond[6902]: User not known to the underlying authentication module
Jun 5 15:34:01 webmail crond[6902]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:34:01 webmail crond[6902]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:35:02 webmail crond[6904]: User not known to the underlying authentication module
Jun 5 15:35:02 webmail crond[6904]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:35:02 webmail crond[6904]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:36:01 webmail crond[6907]: User not known to the underlying authentication module
Jun 5 15:36:01 webmail crond[6907]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:36:01 webmail crond[6907]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:38:01 webmail crond[6924]: User not known to the underlying authentication module
Jun 5 15:38:01 webmail crond[6924]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:38:01 webmail crond[6924]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:40:01 webmail crond[6928]: User not known to the underlying authentication module
Jun 5 15:40:01 webmail crond[6928]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:40:01 webmail crond[6928]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:40:01 webmail crond[6929]: User not known to the underlying authentication module
Jun 5 15:40:01 webmail crond[6929]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:40:01 webmail crond[6929]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:40:01 webmail crond[6930]: User not known to the underlying authentication module
Jun 5 15:40:01 webmail crond[6930]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:40:01 webmail crond[6931]: User not known to the underlying authentication module
Jun 5 15:40:01 webmail crond[6930]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:40:01 webmail crond[6931]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:40:01 webmail crond[6931]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:42:01 webmail crond[6978]: User not known to the underlying authentication module
Jun 5 15:42:01 webmail crond[6978]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:42:01 webmail crond[6978]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:44:01 webmail crond[6987]: User not known to the underlying authentication module
Jun 5 15:44:01 webmail crond[6987]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:44:01 webmail crond[6987]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:45:01 webmail crond[6989]: User not known to the underlying authentication module
Jun 5 15:45:01 webmail crond[6989]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:45:01 webmail crond[6989]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:46:01 webmail crond[6992]: User not known to the underlying authentication module
Jun 5 15:46:01 webmail crond[6992]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:46:01 webmail crond[6992]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:48:01 webmail crond[6997]: User not known to the underlying authentication module
Jun 5 15:48:01 webmail crond[6997]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:48:01 webmail crond[6997]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:50:01 webmail crond[7004]: User not known to the underlying authentication module
Jun 5 15:50:01 webmail crond[7004]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:50:01 webmail crond[7004]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:50:01 webmail crond[7005]: User not known to the underlying authentication module
Jun 5 15:50:01 webmail crond[7005]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:50:01 webmail crond[7005]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:50:01 webmail crond[7006]: User not known to the underlying authentication module
Jun 5 15:50:01 webmail crond[7006]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:50:01 webmail crond[7006]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:50:01 webmail crond[7007]: User not known to the underlying authentication module
Jun 5 15:50:01 webmail crond[7007]: CRON (zimbra) ERROR: failed to open PAM security session: Success
Jun 5 15:50:01 webmail crond[7007]: CRON (zimbra) ERROR: cannot set security context
Jun 5 15:52:01 webmail crond[7011]: User not known to the underlying authentication module
--------------------- pam_unix Begin ------------------------
crond:
Unknown Entries:
could not identify user (from getpwnam(zimbra)): 69 Time(s)
runuser:
Password Failures:
ldap: 1 Time(s)
Sessions Opened:
ldap by root(uid=0): 1 Time(s)
sshd:
Authentication Failures:
unknown (202.152.236.106): 111 Time(s)
root (202.152.236.106): 56 Time(s)
root (203.153.40.198): 31 Time(s)
unknown (203.153.40.198): 21 Time(s)
root (202.106.167.29): 18 Time(s)
apache (203.153.40.198): 1 Time(s)
games (202.152.236.106): 1 Time(s)
root (202.131.112.138): 1 Time(s)
root (58.68.36.186): 1 Time(s)
Invalid Users:
Unknown Account: 132 Time(s)
su-l:
Sessions Opened:
root(uid=0) -> zimbra: 151 Time(s)
(uid=0) -> zimbra: 3 Time(s)
root(uid=0) -> root: 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Connections (secure-log) Begin ------------------------
New Users:
zimbra (501)
postfix (502)
zimbra (501)
postfix (502)
zimbra (501)
postfix (502)
Deleted Users:
zimbra
postfix
zimbra
postfix
zimbra
postfix
New Groups:
zimbra (501)
postfix (502)
zimbra (501)
postfix (502)
zimbra (501)
postfix (502)
Deleted Groups:
zimbra
postfix
zimbra
postfix
zimbra
postfix
Added User to group:
adm:
zimbra
postfix:
zimbra
tty:
zimbra
Removed From Group:
user zimbra from group adm
user zimbra from group tty
user zimbra from group postfix
user zimbra from group adm
user zimbra from group tty
user zimbra from group postfix
user zimbra from group adm
user zimbra from group tty
user zimbra from group postfix
user zimbra from group adm
user zimbra from group tty
user zimbra from group postfix
user zimbra from group adm
user zimbra from group tty
user zimbra from group postfix
user zimbra from group adm
user zimbra from group tty
user zimbra from group postfix
Changed users GID:
zimbra: 501 -> 501
Changed users default login shell:
User zimbra change shell from /bin/bash to /bin/bash: 1 Time(s)
---------------------- Connections (secure-log) End -------------------------
--------------------- SSHD Begin ------------------------
SSHD Killed: 1 Time(s)
SSHD Started: 1 Time(s)
Failed logins from:
58.68.36.186: 1 time
202.106.167.29: 18 times
202.131.112.138: 1 time
202.152.236.106 (ip-106-236-net.net2cyber.net): 57 times
203.153.40.198: 32 times
Illegal users from:
202.152.236.106 (ip-106-236-net.net2cyber.net): 111 times
203.153.40.198: 21 times
Users logging in through sshd:
root:
192.168.1.12: 4 times
202.131.112.138: 1 time
zimbra:
58.68.123.55 (webmail.renovau.net): 15 times
Received disconnect:
11: Bye Bye : 215 Time(s)
11: Closed due to user request. : 15 Time(s)
**Unmatched Entries**
reverse mapping checking getaddrinfo for ip-106-236-net.net2cyber.net [202.152.236.106] failed - POSSIBLE BREAK-IN ATTEMPT! : 168 time(s)
---------------------- SSHD End -------------------------
--------------------- Sudo (secure-log) Begin ------------------------
============================================================================
zimbra => root
--------------
/opt/zimbra/bin/zmcertmgr - 4 Times.
/opt/zimbra/libexec/zmmailboxdmgr - 1375 Times.
/opt/zimbra/libexec/zmmtastatus - 986 Times.
/opt/zimbra/libexec/zmqstat - 11 Times.
/opt/zimbra/libexec/zmslapd - 3 Times.
/opt/zimbra/nginx/sbin/nginx - 1 Times.
/opt/zimbra/postfix/sbin/postalias - 7 Times.
/opt/zimbra/postfix/sbin/postconf - 22 Times.
/opt/zimbra/postfix/sbin/postfix - 7 Times.
---------------------- Sudo (secure-log) End -------------------------
I can't understand why this message is coming. Is there any error in the ZCS installation, or is there some necessary modification after the installation that I didn't do?
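The SSHD section of the report above is the part that shows the brute-force activity: Logwatch lists "Failed logins from:" (real account names tried) and "Illegal users from:" (non-existent account names tried) per source address. Summing the two lists per address is the quickest way to see which sources are worth blocking at the firewall or handing to a tool such as fail2ban or DenyHosts. The script below is an added example written for this thread, not part of the original post and not Zimbra or Logwatch code; the embedded report is a constructed excerpt in the same layout as the first report quoted above, and the threshold of 20 attempts is an assumed value.

```python
"""Summarise the SSHD section of a Logwatch report.

Added example for this thread (not from the original post, Zimbra or
Logwatch). It parses the "Failed logins from:" and "Illegal users from:"
lists that Logwatch prints for sshd, sums the attempts per source
address, and flags sources above a threshold so an admin can decide
which ones to block. Logins that succeeded ("Users logging in through
sshd:") are deliberately not counted.
"""
import re
from collections import defaultdict

# Constructed sample in the layout of the report quoted in the thread.
SAMPLE_REPORT = """\
--------------------- SSHD Begin ------------------------
Failed logins from:
58.40.157.78: 122 times
122.255.108.2: 1 time
200.63.215.58 (58.215.uio.satnet.net): 1 time
210.51.15.70: 64 times
218.30.71.75: 77 times
219.230.55.22: 1 time
Illegal users from:
58.40.157.78: 328 times
210.51.15.70: 23 times
218.30.71.75: 115 times
Users logging in through sshd:
zimbra:
58.68.123.55 (webmail.renovau.net): 3 times
Received disconnect:
11: Bye Bye : 726 Time(s)
---------------------- SSHD End -------------------------
"""

# Matches "<ipv4> (<optional reverse name>): <n> time(s)".
ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?: \([^)]*\))?: (\d+) times?$")

# Headings whose entries we count, and headings that end a counted list.
COUNTED = {"Failed logins from:", "Illegal users from:"}
OTHER_HEADINGS = {"Users logging in through sshd:", "Received disconnect:", "**Unmatched Entries**"}


def parse_sshd_section(report):
    """Return {ip: total attempts} across the failed-login and illegal-user lists."""
    totals = defaultdict(int)
    in_section = False
    counting = False
    for raw in report.splitlines():
        line = raw.strip()
        if "SSHD Begin" in line:
            in_section = True
            continue
        if "SSHD End" in line:
            break
        if not in_section:
            continue
        if line in COUNTED:
            counting = True
            continue
        if line in OTHER_HEADINGS:
            counting = False
            continue
        if counting:
            m = ENTRY_RE.match(line)
            if m:
                totals[m.group(1)] += int(m.group(2))
    return dict(totals)


def flag_sources(totals, threshold=20):
    """Sources with at least `threshold` combined attempts, worst first (threshold is an assumed value)."""
    flagged = [(ip, n) for ip, n in totals.items() if n >= threshold]
    return sorted(flagged, key=lambda t: -t[1])


if __name__ == "__main__":
    for ip, n in flag_sources(parse_sshd_section(SAMPLE_REPORT)):
        print(f"{ip:16} {n:5d} attempts")
```

Run against the sample it reports 58.40.157.78 with 450 attempts, 218.30.71.75 with 192 and 210.51.15.70 with 87; the single-attempt sources stay below the threshold. Feeding it the real report (for example from the Logwatch mail saved to a file) gives the list to act on; the same per-source counting is what fail2ban does continuously against the live secure log.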