Différences

Ci-dessous, les différences entre deux révisions de la page.

--- raspberry:log [04-07-2013 21:12] – edmc73
+++ raspberry:log [04-03-2021 19:34] (Version actuelle) – edmc73
@@ Ligne 81: / Ligne 81: @@
   service samba restart
 ==== auth.log ====
+Extrait :
+<code>
+Jul  4 19:48:59 edmchome sshd[8201]: Failed password for root from 80.84.55.183 port 11919 ssh2
+Jul  4 19:48:59 edmchome sshd[8201]: Disconnecting: Too many authentication failures for root [preauth]
+Jul  4 19:48:59 edmchome sshd[8201]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.84.55.183  user=root
+Jul  4 19:48:59 edmchome sshd[8201]: PAM service(sshd) ignoring max retries; 6 > 3
+Jul  4 19:49:01 edmchome sshd[8205]: reverse mapping checking getaddrinfo for 183-55-84-80.rackcentre.redstation.net.uk [80.84.55.183] failed - POSSIBLE BREAK-IN ATTEMPT!
+Jul  4 19:49:02 edmchome sshd[8205]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.84.55.183  user=root
+Jul  4 19:49:03 edmchome sshd[8205]: Failed password for root from 80.84.55.183 port 12041 ssh2
+Jul  4 19:49:07 edmchome sshd[8205]: Failed password for root from 80.84.55.183 port 12041 ssh2
+Jul  4 19:49:09 edmchome sshd[8205]: Failed password for root from 80.84.55.183 port 12041 ssh2
+Jul  4 19:49:11 edmchome sshd[8205]: Failed password for root from 80.84.55.183 port 12041 ssh2
+Jul  4 19:49:13 edmchome sshd[8205]: Failed password for root from 80.84.55.183 port 12041 ssh2
+Jul  4 19:49:16 edmchome sshd[8205]: Failed password for root from 80.84.55.183 port 12041 ssh2
+Jul  4 19:49:16 edmchome sshd[8205]: Disconnecting: Too many authentication failures for root [preauth]
+Jul  4 19:49:16 edmchome sshd[8205]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.84.55.183  user=root
+Jul  4 19:49:16 edmchome sshd[8205]: PAM service(sshd) ignoring max retries; 6 > 3
+Jul  4 19:49:18 edmchome sshd[8209]: reverse mapping checking getaddrinfo for 183-55-84-80.rackcentre.redstation.net.uk [80.84.55.183] failed - POSSIBLE BREAK-IN ATTEMPT!
+Jul  4 19:49:19 edmchome sshd[8209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.84.55.183  user=root
+Jul  4 19:49:20 edmchome sshd[8209]: Failed password for root from 80.84.55.183 port 12167 ssh2
+Jul  4 19:49:22 edmchome sshd[8209]: Failed password for root from 80.84.55.183 port 12167 ssh2
+Jul  4 19:49:25 edmchome sshd[8209]: Failed password for root from 80.84.55.183 port 12167 ssh2
+Jul  4 19:49:28 edmchome sshd[8209]: Failed password for root from 80.84.55.183 port 12167 ssh2
+Jul  4 19:49:31 edmchome sshd[8209]: Failed password for root from 80.84.55.183 port 12167 ssh2
+Jul  4 19:49:33 edmchome sshd[8209]: Failed password for root from 80.84.55.183 port 12167 ssh2
+Jul  4 19:49:33 edmchome sshd[8209]: Disconnecting: Too many authentication failures for root [preauth]
+Jul  4 19:49:33 edmchome sshd[8209]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.84.55.183  user=root
+Jul  4 19:49:33 edmchome sshd[8209]: PAM service(sshd) ignoring max retries; 6 > 3
+Jul  4 19:49:35 edmchome sshd[8213]: reverse mapping checking getaddrinfo for 183-55-84-80.rackcentre.redstation.net.uk [80.84.55.183] failed - POSSIBLE BREAK-IN ATTEMPT!
+Jul  4 19:49:35 edmchome sshd[8213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.84.55.183  user=root
+Jul  4 19:49:37 edmchome sshd[8213]: Failed password for root from 80.84.55.183 port 12290 ssh2
+Jul  4 19:49:40 edmchome sshd[8213]: Failed password for root from 80.84.55.183 port 12290 ssh2
+Jul  4 19:49:43 edmchome sshd[8213]: Failed password for root from 80.84.55.183 port 12290 ssh2
+Jul  4 19:49:45 edmchome sshd[8213]: Failed password for root from 80.84.55.183 port 12290 ssh2
+Jul  4 19:49:47 edmchome sshd[8213]: Failed password for root from 80.84.55.183 port 12290 ssh2
+Jul  4 19:49:50 edmchome sshd[8213]: Failed password for root from 80.84.55.183 port 12290 ssh2
+Jul  4 19:49:50 edmchome sshd[8213]: Disconnecting: Too many authentication failures for root [preauth]
+Jul  4 19:49:50 edmchome sshd[8213]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.84.55.183  user=root
+Jul  4 19:49:50 edmchome sshd[8213]: PAM service(sshd) ignoring max retries; 6 > 3
+</code>
+A peine un port ssh ouvert sur la toile que déjà des milliers de tentative de connexions qui génère des logs à n'en plus finir.
+On va donc modifier le niveau de verbosité des logs de sshd
+>LogLevel
+>  Donne le niveau de verbosité utilisé lors de l'enregistrement des messages du démon sshd Les valeurs possibles sont : QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3.
+>  Par défaut INFO. DEBUG et DEBUG1 sont équivalents. DEBUG2 et DEBUG3 spécifient des niveaux plus élevés de sortie de débogage. L'enregistrement à l'aide d'un niveau DEBUG a tendance à empiéter sur la vie privée des utilisateurs et n'est pas recommandé.
+  vi /etc/ssh/sshd_config
+  LogLevel QUIET
+  service ssh reload
+Inconvénient, plus de trace en cas de piratage, assurez vous d'avoir un bon mot de passe.
+voir aussi dans /etc/rsyslog.conf
+Commenter la ligne suivante pour ne plus rien recevoir dans /var/log/auth.log
+  #auth,authpriv.*                        /var/log/auth.log
+et relancez le service des journaux
+  service rsyslog restart
+---
+Dans auth.log il y a aussi un paquet de ligne venant de cron
+<code>
+Jun 24 20:35:01 edmchome CRON[9024]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:35:01 edmchome CRON[9024]: pam_unix(cron:session): session closed for user root
+Jun 24 20:36:01 edmchome CRON[9040]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:36:01 edmchome CRON[9040]: pam_unix(cron:session): session closed for user root
+Jun 24 20:37:01 edmchome CRON[9056]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:37:02 edmchome CRON[9056]: pam_unix(cron:session): session closed for user root
+Jun 24 20:38:01 edmchome CRON[9072]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:38:01 edmchome CRON[9072]: pam_unix(cron:session): session closed for user root
+Jun 24 20:39:01 edmchome CRON[9088]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:39:01 edmchome CRON[9088]: pam_unix(cron:session): session closed for user root
+Jun 24 20:40:01 edmchome CRON[9104]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:40:02 edmchome CRON[9104]: pam_unix(cron:session): session closed for user root
+Jun 24 20:41:01 edmchome CRON[9120]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:41:01 edmchome CRON[9120]: pam_unix(cron:session): session closed for user root
+Jun 24 20:42:01 edmchome CRON[9136]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:42:02 edmchome CRON[9136]: pam_unix(cron:session): session closed for user root
+Jun 24 20:43:01 edmchome CRON[9152]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:43:01 edmchome CRON[9152]: pam_unix(cron:session): session closed for user root
+Jun 24 20:44:01 edmchome CRON[9168]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:44:01 edmchome CRON[9168]: pam_unix(cron:session): session closed for user root
+Jun 24 20:45:01 edmchome CRON[9184]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:45:02 edmchome CRON[9184]: pam_unix(cron:session): session closed for user root
+Jun 24 20:46:01 edmchome CRON[9200]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:46:01 edmchome CRON[9200]: pam_unix(cron:session): session closed for user root
+Jun 24 20:47:01 edmchome CRON[9216]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:47:02 edmchome CRON[9216]: pam_unix(cron:session): session closed for user root
+Jun 24 20:48:01 edmchome CRON[9232]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:48:01 edmchome CRON[9232]: pam_unix(cron:session): session closed for user root
+Jun 24 20:49:01 edmchome CRON[9248]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:49:01 edmchome CRON[9248]: pam_unix(cron:session): session closed for user root
+Jun 24 20:50:01 edmchome CRON[9264]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:50:02 edmchome CRON[9264]: pam_unix(cron:session): session closed for user root
+Jun 24 20:51:01 edmchome CRON[9280]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:51:01 edmchome CRON[9280]: pam_unix(cron:session): session closed for user root
+Jun 24 20:52:01 edmchome CRON[9296]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:52:02 edmchome CRON[9296]: pam_unix(cron:session): session closed for user root
+Jun 24 20:53:01 edmchome CRON[9312]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:53:01 edmchome CRON[9312]: pam_unix(cron:session): session closed for user root
+Jun 24 20:54:01 edmchome CRON[9328]: pam_unix(cron:session): session opened for user root by (uid=0)
+Jun 24 20:54:01 edmchome CRON[9328]: pam_unix(cron:session): session closed for user root
+Jun 24 20:55:01 edmchome CRON[9344]: pam_unix(cron:session): session opened for user root by (uid=0)
+</code>
+=== 1ère méthode trouvé sur le net mais qui ne marche pas pour moi ===
+Pour éviter ça, modifiez **/etc/pam.d/common-session-noninteractive**
+  vi /etc/pam.d/common-session-noninteractive
+après la ligne
+  session required pam_unix.so
+ajoutez
+  session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid
+Redémarrez le service crond
+  service cron restart
+=== 2ème méthode qui marche pour moi :) ===
+Configurer le rsyslog pour exclure ce type d'entrée dans les logs. Editez le fichier **/etc/rsyslog.conf**
+  vi /etc/rsyslog.conf
+Modifiez la ligne
+  auth,authpriv.*                 /var/log/auth.log
+par
+  :msg, contains, "pam_unix(cron:session)" ~
+  auth,authpriv.*                 /var/log/auth.log
+et redémarrez le service des journaux
+  service rsyslog restart
 ==== messages ====
 ==== syslog ====
+Extrait:
+<code>
+Jul  4 06:26:19 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:26:31 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:26:43 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:26:59 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:27:18 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:27:33 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:27:49 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:28:05 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:28:15 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:28:34 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:28:46 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:28:57 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:29:11 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:29:21 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:29:31 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:29:50 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:30:00 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:30:10 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:30:25 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:30:32 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:30:46 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:30:56 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:31:11 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:31:20 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:31:31 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:31:45 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:31:55 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:32:09 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:32:18 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:32:26 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:32:35 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:32:55 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:33:11 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:33:30 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:33:44 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:33:54 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:34:08 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:34:20 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:34:30 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+Jul  4 06:34:39 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
+</code>
+Rien trouvé de concret sur le net à part configurer son réseau en ip static ce dont je n'ai pas envie de faire.
+Ma solution un peu brut mais qui marche est de faire un
+  killall dhclient
+----
+Extrait
+<code>
+Jul  5 09:17:01 edmchome /USR/SBIN/CRON[9951]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
+Jul  5 10:17:01 edmchome /USR/SBIN/CRON[9996]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
+Jul  5 11:17:01 edmchome /USR/SBIN/CRON[10117]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
+Jul  5 12:17:01 edmchome /USR/SBIN/CRON[10163]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
+Jul  5 13:17:01 edmchome /USR/SBIN/CRON[10592]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
+Jul  5 14:17:01 edmchome /USR/SBIN/CRON[13626]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
+Jul  5 15:17:01 edmchome /USR/SBIN/CRON[16127]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
+Jul  5 16:17:01 edmchome /USR/SBIN/CRON[16790]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
+Jul  5 17:17:01 edmchome /USR/SBIN/CRON[16832]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
+Jul  5 18:17:01 edmchome /USR/SBIN/CRON[16876]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
+Jul  5 19:17:01 edmchome /USR/SBIN/CRON[16920]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
+Jul  5 20:17:01 edmchome /USR/SBIN/CRON[16961]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
+Jul  5 21:17:01 edmchome /USR/SBIN/CRON[17163]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
+</code>
+> Solution trouvé ici http://serverfault.com/questions/432718/avoiding-log-noise-from-cron-jobs-with-syslog-ng-rather-than-syslog
+Editer le fichier **/etc/default/cron** puis dé-commentez la dernière ligne en spécifiant
+  EXTRA_OPTS='-L 4'
+Ce qui permet de logguer tout de même les erreurs, sinon remplacez 4 par 0
+Un petit redémarrage du service au cas ou
+  service cron restart
 ==== user.log ====
@@ Ligne 163: / Ligne 369: @@
 ==== dbus-daemon ====
+===== Stopper tous les logs =====
+Solution radicale pour éviter l'écriture des logs
+  sudo systemctl stop rsyslog
+  sudo systemctl disable rsyslog
+ou
+Edit the file /etc/rsyslog.conf and just after the section starting
+  ###############
+  #### RULES ####
+  ###############
+add the following line.
+  *.*     ~
+If you want to be more fine-grained you will need to read the file comments.
+Do not forget to restart rsyslog daemon:
+  sudo service rsyslog restart

Outils pour utilisateurs

Outils du site

Différences

Outils de la page