blabub
22.04.07, 12:01
Heute bekam ich um 06.25 eine eMail von meinem Rootserver, dass fail2ban alle Dienste stoppte und kurz darauf wieder startete.
So weit noch in Ordnung, aber auth.log gibt mir gerade nen Raetsel auf.
Apr 22 06:25:02 morrigan su[30940]: Successful su for amavis by root
Apr 22 06:25:02 morrigan su[30940]: + ??? root:amavis
Apr 22 06:25:02 morrigan su[30940]: (pam_unix) session opened for user amavis by (uid=0)
Apr 22 06:25:02 morrigan CRON[30936]: (pam_unix) session closed for user root
Apr 22 06:25:02 morrigan su[30940]: (pam_unix) session closed for user amavis
Apr 22 06:25:03 morrigan su[30983]: Successful su for nobody by root
Apr 22 06:25:03 morrigan su[30983]: + ??? root:nobody
Apr 22 06:25:04 morrigan su[30983]: (pam_unix) session opened for user nobody by (uid=0)
Apr 22 06:25:05 morrigan su[30983]: (pam_unix) session closed for user nobody
Apr 22 06:25:05 morrigan su[30987]: Successful su for nobody by root
Apr 22 06:25:05 morrigan su[30987]: + ??? root:nobody
Apr 22 06:25:06 morrigan su[30987]: (pam_unix) session opened for user nobody by (uid=0)
Apr 22 06:25:07 morrigan su[30987]: (pam_unix) session closed for user nobody
Apr 22 06:25:08 morrigan su[30989]: Successful su for nobody by root
Apr 22 06:25:09 morrigan su[30989]: + ??? root:nobody
Apr 22 06:25:09 morrigan su[30989]: (pam_unix) session opened for user nobody by (uid=0)
Apr 22 06:25:30 morrigan su[30989]: (pam_unix) session closed for user nobody
Das nobody macht mich stutzig, es muss sich eigentlich um fail2ban handeln, aber ich moechte hier nochmals nachfragen.
Hab den Fehler auf einen Einbruch geprueft, seit 06.25 passierte sonst nichts darauf. Keine Files veraendert, keine neuen Benutzer.
Hat jemand eine Ahnung woher diese Zeilen stammen koennten?
So weit noch in Ordnung, aber auth.log gibt mir gerade nen Raetsel auf.
Apr 22 06:25:02 morrigan su[30940]: Successful su for amavis by root
Apr 22 06:25:02 morrigan su[30940]: + ??? root:amavis
Apr 22 06:25:02 morrigan su[30940]: (pam_unix) session opened for user amavis by (uid=0)
Apr 22 06:25:02 morrigan CRON[30936]: (pam_unix) session closed for user root
Apr 22 06:25:02 morrigan su[30940]: (pam_unix) session closed for user amavis
Apr 22 06:25:03 morrigan su[30983]: Successful su for nobody by root
Apr 22 06:25:03 morrigan su[30983]: + ??? root:nobody
Apr 22 06:25:04 morrigan su[30983]: (pam_unix) session opened for user nobody by (uid=0)
Apr 22 06:25:05 morrigan su[30983]: (pam_unix) session closed for user nobody
Apr 22 06:25:05 morrigan su[30987]: Successful su for nobody by root
Apr 22 06:25:05 morrigan su[30987]: + ??? root:nobody
Apr 22 06:25:06 morrigan su[30987]: (pam_unix) session opened for user nobody by (uid=0)
Apr 22 06:25:07 morrigan su[30987]: (pam_unix) session closed for user nobody
Apr 22 06:25:08 morrigan su[30989]: Successful su for nobody by root
Apr 22 06:25:09 morrigan su[30989]: + ??? root:nobody
Apr 22 06:25:09 morrigan su[30989]: (pam_unix) session opened for user nobody by (uid=0)
Apr 22 06:25:30 morrigan su[30989]: (pam_unix) session closed for user nobody
Das nobody macht mich stutzig, es muss sich eigentlich um fail2ban handeln, aber ich moechte hier nochmals nachfragen.
Hab den Fehler auf einen Einbruch geprueft, seit 06.25 passierte sonst nichts darauf. Keine Files veraendert, keine neuen Benutzer.
Hat jemand eine Ahnung woher diese Zeilen stammen koennten?