Thread: [SOLVED] Zimbra logwatch.


    I'm using the ZCS 5.0.5 suite. I am getting a logwatch message on a daily basis in my admin account, but I don't know where the message is coming from!

    So, could anybody tell me where to find logwatch? Is it installed with Zimbra, or is it installed on my Linux PC?

    Below is the logwatch message.


    ################### Logwatch 7.3.4 (02/17/07) ####################
    Processing Initiated: Sat Jun 7 04:53:05 2008
    Date Range Processed: yesterday
    ( 2008-Jun-06 )
    Period is day.
    Detail Level of Output: 0
    Type of Output: unformatted
    Logfiles for Host: webmail
    ##################################################################

    --------------------- Named Begin ------------------------

    **Unmatched Entries**
    client 58.68.123.50 RFC 1918 response from Internet for 12.1.168.192.in-addr.arpa: 1 Time(s)
    client 58.68.123.50 RFC 1918 response from Internet for 84.1.168.192.in-addr.arpa: 1 Time(s)
    client 58.68.123.55 RFC 1918 response from Internet for 12.1.168.192.in-addr.arpa: 2 Time(s)

    ---------------------- Named End -------------------------


    --------------------- pam_unix Begin ------------------------

    kscreensaver:
    Authentication Failures:
    root(0,0) on display :0: 1 Time(s)

    sshd:
    Authentication Failures:
    unknown (58.40.157.78): 328 Time(s)
    unknown (218.30.71.75): 115 Time(s)
    root (58.40.157.78): 111 Time(s)
    root (218.30.71.75): 73 Time(s)
    root (210.51.15.70): 56 Time(s)
    unknown (210.51.15.70): 23 Time(s)
    apache (58.40.157.78): 3 Time(s)
    apache (218.30.71.75): 2 Time(s)
    backuppc (218.30.71.75): 2 Time(s)
    mysql (210.51.15.70): 2 Time(s)
    news (210.51.15.70): 2 Time(s)
    postgres (210.51.15.70): 2 Time(s)
    postgres (58.40.157.78): 2 Time(s)
    tomcat (210.51.15.70): 2 Time(s)
    backuppc (58.40.157.78): 1 Time(s)
    ldap (58.40.157.78): 1 Time(s)
    mail (58.40.157.78): 1 Time(s)
    root (122.255.108.2): 1 Time(s)
    root (200.63.215.58): 1 Time(s)
    root (219.230.55.22): 1 Time(s)
    smmsp (58.40.157.78): 1 Time(s)
    squid (58.40.157.78): 1 Time(s)
    zimbra (58.40.157.78): 1 Time(s)
    Invalid Users:
    Unknown Account: 466 Time(s)

    su-l:
    Sessions Opened:
    (uid=0) -> zimbra: 5 Time(s)


    ---------------------- pam_unix End -------------------------


    --------------------- SSHD Begin ------------------------


    Failed logins from:
    58.40.157.78: 122 times
    122.255.108.2: 1 time
    200.63.215.58 (58.215.uio.satnet.net): 1 time
    210.51.15.70: 64 times
    218.30.71.75: 77 times
    219.230.55.22: 1 time

    Illegal users from:
    58.40.157.78: 328 times
    210.51.15.70: 23 times
    218.30.71.75: 115 times

    Users logging in through sshd:
    zimbra:
    58.68.123.55 (webmail.renovau.net): 3 times


    Received disconnect:
    11: Bye Bye : 726 Time(s)
    11: Closed due to user request. : 3 Time(s)

    **Unmatched Entries**
    reverse mapping checking getaddrinfo for 58.215.uio.satnet.net [200.63.215.58] failed - POSSIBLE BREAK-IN ATTEMPT! : 1 time(s)

    ---------------------- SSHD End -------------------------


    --------------------- Sudo (secure-log) Begin ------------------------


    ============================================================================

    zimbra => root
    --------------
    /opt/zimbra/bin/zmcertmgr - 1 Times.
    /opt/zimbra/libexec/zmmailboxdmgr - 3176 Times.
    /opt/zimbra/libexec/zmmtastatus - 1948 Times.
    /opt/zimbra/libexec/zmqstat - 2 Times.
    /opt/zimbra/postfix/sbin/postconf - 4 Times.

    ---------------------- Sudo (secure-log) End -------------------------


    --------------------- Disk Space Begin ------------------------

    Filesystem Size Used Avail Use% Mounted on
    /dev/sda1 29G 4.5G 23G 17% /
    /dev/sda5 20G 1.3G 18G 7% /opt
    /dev/sda3 20G 1.1G 18G 6% /var
    /dev/sda2 20G 173M 19G 1% /home


    ---------------------- Disk Space End -------------------------


    ###################### Logwatch End #########################


    It seems that I am facing serious attacks from the outside world. How can I block them?

    Below is the second logwatch message.


    ################### Logwatch 7.3.4 (02/17/07) ####################
    Processing Initiated: Fri Jun 6 04:53:06 2008
    Date Range Processed: yesterday
    ( 2008-Jun-05 )
    Period is day.
    Detail Level of Output: 0
    Type of Output: unformatted
    Logfiles for Host: webmail
    ##################################################################

    --------------------- Cron Begin ------------------------

    **Unmatched Entries**
    Jun 5 14:52:01 webmail crond[22898]: User not known to the underlying authentication module
    Jun 5 14:52:01 webmail crond[22898]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 14:52:01 webmail crond[22898]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 14:54:01 webmail crond[22908]: User not known to the underlying authentication module
    Jun 5 14:54:01 webmail crond[22908]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 14:54:01 webmail crond[22908]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 14:55:01 webmail crond[22910]: User not known to the underlying authentication module
    Jun 5 14:55:01 webmail crond[22910]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 14:55:01 webmail crond[22910]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 14:56:01 webmail crond[22913]: User not known to the underlying authentication module
    Jun 5 14:56:01 webmail crond[22913]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 14:56:01 webmail crond[22913]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 14:58:01 webmail crond[22917]: User not known to the underlying authentication module
    Jun 5 14:58:01 webmail crond[22917]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 14:58:01 webmail crond[22917]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:18:01 webmail crond[1338]: User not known to the underlying authentication module
    Jun 5 15:18:01 webmail crond[1338]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:18:01 webmail crond[1338]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:22:01 webmail crond[6759]: User not known to the underlying authentication module
    Jun 5 15:22:01 webmail crond[6759]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:22:01 webmail crond[6759]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:24:01 webmail crond[6771]: User not known to the underlying authentication module
    Jun 5 15:24:01 webmail crond[6771]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:24:01 webmail crond[6771]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:25:01 webmail crond[6773]: User not known to the underlying authentication module
    Jun 5 15:25:01 webmail crond[6773]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:25:01 webmail crond[6773]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:26:01 webmail crond[6776]: User not known to the underlying authentication module
    Jun 5 15:26:01 webmail crond[6776]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:26:01 webmail crond[6776]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:28:01 webmail crond[6780]: User not known to the underlying authentication module
    Jun 5 15:28:01 webmail crond[6780]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:28:01 webmail crond[6780]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:30:01 webmail crond[6875]: User not known to the underlying authentication module
    Jun 5 15:30:01 webmail crond[6875]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:30:01 webmail crond[6875]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:30:01 webmail crond[6876]: User not known to the underlying authentication module
    Jun 5 15:30:01 webmail crond[6876]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:30:01 webmail crond[6876]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:30:01 webmail crond[6877]: User not known to the underlying authentication module
    Jun 5 15:30:01 webmail crond[6877]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:30:01 webmail crond[6878]: User not known to the underlying authentication module
    Jun 5 15:30:01 webmail crond[6877]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:30:01 webmail crond[6878]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:30:01 webmail crond[6878]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:32:01 webmail crond[6889]: User not known to the underlying authentication module
    Jun 5 15:32:01 webmail crond[6889]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:32:01 webmail crond[6889]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:34:01 webmail crond[6902]: User not known to the underlying authentication module
    Jun 5 15:34:01 webmail crond[6902]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:34:01 webmail crond[6902]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:35:02 webmail crond[6904]: User not known to the underlying authentication module
    Jun 5 15:35:02 webmail crond[6904]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:35:02 webmail crond[6904]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:36:01 webmail crond[6907]: User not known to the underlying authentication module
    Jun 5 15:36:01 webmail crond[6907]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:36:01 webmail crond[6907]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:38:01 webmail crond[6924]: User not known to the underlying authentication module
    Jun 5 15:38:01 webmail crond[6924]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:38:01 webmail crond[6924]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:40:01 webmail crond[6928]: User not known to the underlying authentication module
    Jun 5 15:40:01 webmail crond[6928]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:40:01 webmail crond[6928]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:40:01 webmail crond[6929]: User not known to the underlying authentication module
    Jun 5 15:40:01 webmail crond[6929]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:40:01 webmail crond[6929]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:40:01 webmail crond[6930]: User not known to the underlying authentication module
    Jun 5 15:40:01 webmail crond[6930]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:40:01 webmail crond[6931]: User not known to the underlying authentication module
    Jun 5 15:40:01 webmail crond[6930]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:40:01 webmail crond[6931]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:40:01 webmail crond[6931]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:42:01 webmail crond[6978]: User not known to the underlying authentication module
    Jun 5 15:42:01 webmail crond[6978]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:42:01 webmail crond[6978]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:44:01 webmail crond[6987]: User not known to the underlying authentication module
    Jun 5 15:44:01 webmail crond[6987]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:44:01 webmail crond[6987]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:45:01 webmail crond[6989]: User not known to the underlying authentication module
    Jun 5 15:45:01 webmail crond[6989]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:45:01 webmail crond[6989]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:46:01 webmail crond[6992]: User not known to the underlying authentication module
    Jun 5 15:46:01 webmail crond[6992]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:46:01 webmail crond[6992]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:48:01 webmail crond[6997]: User not known to the underlying authentication module
    Jun 5 15:48:01 webmail crond[6997]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:48:01 webmail crond[6997]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:50:01 webmail crond[7004]: User not known to the underlying authentication module
    Jun 5 15:50:01 webmail crond[7004]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:50:01 webmail crond[7004]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:50:01 webmail crond[7005]: User not known to the underlying authentication module
    Jun 5 15:50:01 webmail crond[7005]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:50:01 webmail crond[7005]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:50:01 webmail crond[7006]: User not known to the underlying authentication module
    Jun 5 15:50:01 webmail crond[7006]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:50:01 webmail crond[7006]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:50:01 webmail crond[7007]: User not known to the underlying authentication module
    Jun 5 15:50:01 webmail crond[7007]: CRON (zimbra) ERROR: failed to open PAM security session: Success
    Jun 5 15:50:01 webmail crond[7007]: CRON (zimbra) ERROR: cannot set security context
    Jun 5 15:52:01 webmail crond[7011]: User not known to the underlying authentication module


    --------------------- pam_unix Begin ------------------------

    crond:
    Unknown Entries:
    could not identify user (from getpwnam(zimbra)): 69 Time(s)

    runuser:
    Password Failures:
    ldap: 1 Time(s)
    Sessions Opened:
    ldap by root(uid=0): 1 Time(s)

    sshd:
    Authentication Failures:
    unknown (202.152.236.106): 111 Time(s)
    root (202.152.236.106): 56 Time(s)
    root (203.153.40.198): 31 Time(s)
    unknown (203.153.40.198): 21 Time(s)
    root (202.106.167.29): 18 Time(s)
    apache (203.153.40.198): 1 Time(s)
    games (202.152.236.106): 1 Time(s)
    root (202.131.112.138): 1 Time(s)
    root (58.68.36.186): 1 Time(s)
    Invalid Users:
    Unknown Account: 132 Time(s)

    su-l:
    Sessions Opened:
    root(uid=0) -> zimbra: 151 Time(s)
    (uid=0) -> zimbra: 3 Time(s)
    root(uid=0) -> root: 1 Time(s)


    ---------------------- pam_unix End -------------------------


    --------------------- Connections (secure-log) Begin ------------------------

    New Users:
    zimbra (501)
    postfix (502)
    zimbra (501)
    postfix (502)
    zimbra (501)
    postfix (502)

    Deleted Users:
    zimbra
    postfix
    zimbra
    postfix
    zimbra
    postfix

    New Groups:
    zimbra (501)
    postfix (502)
    zimbra (501)
    postfix (502)
    zimbra (501)
    postfix (502)

    Deleted Groups:
    zimbra
    postfix
    zimbra
    postfix
    zimbra
    postfix


    Added User to group:
    adm:
    zimbra
    postfix:
    zimbra
    tty:
    zimbra

    Removed From Group:
    user zimbra from group adm
    user zimbra from group tty
    user zimbra from group postfix
    user zimbra from group adm
    user zimbra from group tty
    user zimbra from group postfix
    user zimbra from group adm
    user zimbra from group tty
    user zimbra from group postfix
    user zimbra from group adm
    user zimbra from group tty
    user zimbra from group postfix
    user zimbra from group adm
    user zimbra from group tty
    user zimbra from group postfix
    user zimbra from group adm
    user zimbra from group tty
    user zimbra from group postfix


    Changed users GID:
    zimbra: 501 -> 501

    Changed users default login shell:
    User zimbra change shell from /bin/bash to /bin/bash: 1 Time(s)

    ---------------------- Connections (secure-log) End -------------------------


    --------------------- SSHD Begin ------------------------


    SSHD Killed: 1 Time(s)

    SSHD Started: 1 Time(s)

    Failed logins from:
    58.68.36.186: 1 time
    202.106.167.29: 18 times
    202.131.112.138: 1 time
    202.152.236.106 (ip-106-236-net.net2cyber.net): 57 times
    203.153.40.198: 32 times

    Illegal users from:
    202.152.236.106 (ip-106-236-net.net2cyber.net): 111 times
    203.153.40.198: 21 times

    Users logging in through sshd:
    root:
    192.168.1.12: 4 times
    202.131.112.138: 1 time
    zimbra:
    58.68.123.55 (webmail.renovau.net): 15 times


    Received disconnect:
    11: Bye Bye : 215 Time(s)
    11: Closed due to user request. : 15 Time(s)

    **Unmatched Entries**
    reverse mapping checking getaddrinfo for ip-106-236-net.net2cyber.net [202.152.236.106] failed - POSSIBLE BREAK-IN ATTEMPT! : 168 time(s)

    ---------------------- SSHD End -------------------------


    --------------------- Sudo (secure-log) Begin ------------------------


    ============================================================================

    zimbra => root
    --------------
    /opt/zimbra/bin/zmcertmgr - 4 Times.
    /opt/zimbra/libexec/zmmailboxdmgr - 1375 Times.
    /opt/zimbra/libexec/zmmtastatus - 986 Times.
    /opt/zimbra/libexec/zmqstat - 11 Times.
    /opt/zimbra/libexec/zmslapd - 3 Times.
    /opt/zimbra/nginx/sbin/nginx - 1 Times.
    /opt/zimbra/postfix/sbin/postalias - 7 Times.
    /opt/zimbra/postfix/sbin/postconf - 22 Times.
    /opt/zimbra/postfix/sbin/postfix - 7 Times.

    ---------------------- Sudo (secure-log) End -------------------------



    I can't understand why this message is coming. Is there any error in the ZCS installation, or is there some necessary modification after the installation that I didn't do?
    Last edited by nishith; 06-06-2008 at 11:32 PM.
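The SSHD section of these reports already contains the numbers an administrator needs to decide which sources to block and which successful logins to look at more closely. The following script is an added example, not part of the original post or of Zimbra: it parses the "Failed logins from", "Illegal users from" and "Users logging in through sshd" blocks in the layout logwatch prints above, sums failures per source address, and flags two things a defender cares about: sources whose combined failure count exceeds a threshold (the value 20 is an assumption chosen for the example), and successful logins that are either root logins from a non-RFC 1918 address or come from an address that also appears in the failure list. The sample input is constructed in the same format as the second report's SSHD section.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the SSHD section of the logwatch reports above.
SAMPLE_SSHD_SECTION = """\
--------------------- SSHD Begin ------------------------

Failed logins from:
58.68.36.186: 1 time
202.106.167.29: 18 times
202.131.112.138: 1 time
202.152.236.106 (ip-106-236-net.net2cyber.net): 57 times
203.153.40.198: 32 times

Illegal users from:
202.152.236.106 (ip-106-236-net.net2cyber.net): 111 times
203.153.40.198: 21 times

Users logging in through sshd:
root:
192.168.1.12: 4 times
202.131.112.138: 1 time
zimbra:
58.68.123.55 (webmail.renovau.net): 15 times

---------------------- SSHD End -------------------------
"""

# "IP (optional reverse name): N time(s)" as logwatch prints it.
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: \([^)]*\))?: (?P<n>\d+) times?$"
)
# RFC 1918 ranges; logins from these are treated as internal.
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def parse_sshd_section(text):
    """Return (failures_by_ip, logins_by_user_by_ip) for one SSHD section."""
    failures = defaultdict(int)
    logins = defaultdict(lambda: defaultdict(int))
    section = None   # "fail", "login" or None
    user = None      # current account inside the login block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("Failed logins from:", "Illegal users from:"):
            section = "fail"
            continue
        if line == "Users logging in through sshd:":
            section = "login"
            continue
        if line.startswith("---"):
            section = None
            continue
        m = LINE_RE.match(line)
        if section == "fail" and m:
            failures[m["ip"]] += int(m["n"])
        elif section == "login":
            if m and user:
                logins[user][m["ip"]] += int(m["n"])
            elif line.endswith(":"):
                user = line[:-1]
    return dict(failures), {u: dict(v) for u, v in logins.items()}


def triage(failures, logins, threshold=20):
    """Return (brute_force_sources, suspicious_logins).

    threshold is an assumed cut-off for the example; tune it to your own baseline.
    """
    brute_force = sorted(ip for ip, n in failures.items() if n >= threshold)
    suspicious = sorted(
        (user, ip)
        for user, sources in logins.items()
        for ip in sources
        if not PRIVATE_RE.match(ip) and (user == "root" or ip in failures)
    )
    return brute_force, suspicious


if __name__ == "__main__":
    fails, ok = parse_sshd_section(SAMPLE_SSHD_SECTION)
    block, review = triage(fails, ok)
    print("candidates for a firewall deny rule:", block)
    print("successful logins to review:", review)
```

On the constructed sample this reports 202.152.236.106 and 203.153.40.198 as brute-force sources (168 and 53 combined failures) and singles out the root login from 202.131.112.138, an external address that also appears in the failure list, as the one successful session worth checking before anything else. The brute-force list is what you would feed to a host firewall deny rule or an automated banning tool; the review list is what you would check in the secure log by hand.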
