raspberry:log (read 53997 times)

Differences

Below are the differences between two revisions of the page.

raspberry:log [04-07-2013 23:12]
edmc73
raspberry:log [04-03-2021 20:34] (current version)
edmc73
Ligne 81: Ligne 81:
   service samba restart   service samba restart
 ==== auth.log ==== ==== auth.log ====
 +Extrait :
 +<code>
 +Jul  4 19:48:59 edmchome sshd[8201]: Failed password for root from 80.84.55.183 port 11919 ssh2
 +Jul  4 19:48:59 edmchome sshd[8201]: Disconnecting: Too many authentication failures for root [preauth]
 +Jul  4 19:48:59 edmchome sshd[8201]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.84.55.183  user=root
 +Jul  4 19:48:59 edmchome sshd[8201]: PAM service(sshd) ignoring max retries; 6 > 3
 +Jul  4 19:49:01 edmchome sshd[8205]: reverse mapping checking getaddrinfo for 183-55-84-80.rackcentre.redstation.net.uk [80.84.55.183] failed - POSSIBLE BREAK-IN ATTEMPT!
 +Jul  4 19:49:02 edmchome sshd[8205]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.84.55.183  user=root
 +Jul  4 19:49:03 edmchome sshd[8205]: Failed password for root from 80.84.55.183 port 12041 ssh2
 +Jul  4 19:49:07 edmchome sshd[8205]: Failed password for root from 80.84.55.183 port 12041 ssh2
 +Jul  4 19:49:09 edmchome sshd[8205]: Failed password for root from 80.84.55.183 port 12041 ssh2
 +Jul  4 19:49:11 edmchome sshd[8205]: Failed password for root from 80.84.55.183 port 12041 ssh2
 +Jul  4 19:49:13 edmchome sshd[8205]: Failed password for root from 80.84.55.183 port 12041 ssh2
 +Jul  4 19:49:16 edmchome sshd[8205]: Failed password for root from 80.84.55.183 port 12041 ssh2
 +Jul  4 19:49:16 edmchome sshd[8205]: Disconnecting: Too many authentication failures for root [preauth]
 +Jul  4 19:49:16 edmchome sshd[8205]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.84.55.183  user=root
 +Jul  4 19:49:16 edmchome sshd[8205]: PAM service(sshd) ignoring max retries; 6 > 3
 +Jul  4 19:49:18 edmchome sshd[8209]: reverse mapping checking getaddrinfo for 183-55-84-80.rackcentre.redstation.net.uk [80.84.55.183] failed - POSSIBLE BREAK-IN ATTEMPT!
 +Jul  4 19:49:19 edmchome sshd[8209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.84.55.183  user=root
 +Jul  4 19:49:20 edmchome sshd[8209]: Failed password for root from 80.84.55.183 port 12167 ssh2
 +Jul  4 19:49:22 edmchome sshd[8209]: Failed password for root from 80.84.55.183 port 12167 ssh2
 +Jul  4 19:49:25 edmchome sshd[8209]: Failed password for root from 80.84.55.183 port 12167 ssh2
 +Jul  4 19:49:28 edmchome sshd[8209]: Failed password for root from 80.84.55.183 port 12167 ssh2
 +Jul  4 19:49:31 edmchome sshd[8209]: Failed password for root from 80.84.55.183 port 12167 ssh2
 +Jul  4 19:49:33 edmchome sshd[8209]: Failed password for root from 80.84.55.183 port 12167 ssh2
 +Jul  4 19:49:33 edmchome sshd[8209]: Disconnecting: Too many authentication failures for root [preauth]
 +Jul  4 19:49:33 edmchome sshd[8209]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.84.55.183  user=root
 +Jul  4 19:49:33 edmchome sshd[8209]: PAM service(sshd) ignoring max retries; 6 > 3
 +Jul  4 19:49:35 edmchome sshd[8213]: reverse mapping checking getaddrinfo for 183-55-84-80.rackcentre.redstation.net.uk [80.84.55.183] failed - POSSIBLE BREAK-IN ATTEMPT!
 +Jul  4 19:49:35 edmchome sshd[8213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.84.55.183  user=root
 +Jul  4 19:49:37 edmchome sshd[8213]: Failed password for root from 80.84.55.183 port 12290 ssh2
 +Jul  4 19:49:40 edmchome sshd[8213]: Failed password for root from 80.84.55.183 port 12290 ssh2
 +Jul  4 19:49:43 edmchome sshd[8213]: Failed password for root from 80.84.55.183 port 12290 ssh2
 +Jul  4 19:49:45 edmchome sshd[8213]: Failed password for root from 80.84.55.183 port 12290 ssh2
 +Jul  4 19:49:47 edmchome sshd[8213]: Failed password for root from 80.84.55.183 port 12290 ssh2
 +Jul  4 19:49:50 edmchome sshd[8213]: Failed password for root from 80.84.55.183 port 12290 ssh2
 +Jul  4 19:49:50 edmchome sshd[8213]: Disconnecting: Too many authentication failures for root [preauth]
 +Jul  4 19:49:50 edmchome sshd[8213]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=80.84.55.183  user=root
 +Jul  4 19:49:50 edmchome sshd[8213]: PAM service(sshd) ignoring max retries; 6 > 3
 +</code>
  
 +A peine un port ssh ouvert sur la toile que déjà des milliers de tentative de connexions qui génère des logs à n'en plus finir.
 +
 +On va donc modifier le niveau de verbosité des logs de sshd
 +>LogLevel
 +>  Donne le niveau de verbosité utilisé lors de l'enregistrement des messages du démon sshd Les valeurs possibles sont : QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. 
 +>  Par défaut INFO. DEBUG et DEBUG1 sont équivalents. DEBUG2 et DEBUG3 spécifient des niveaux plus élevés de sortie de débogage. L'enregistrement à l'aide d'un niveau DEBUG a tendance à empiéter sur la vie privée des utilisateurs et n'est pas recommandé.
 +
 +  vi /etc/ssh/sshd_config
 +  LogLevel QUIET
 +  
 +  service ssh reload
 +
 +Inconvénient, plus de trace en cas de piratage, assurez vous d'avoir un bon mot de passe.
 +
 +voir aussi dans /etc/rsyslog.conf
 +
 +Commenter la ligne suivante pour ne plus rien recevoir dans /var/log/auth.log
 +  #auth,authpriv.*                        /var/log/auth.log
 +et relancez le service des journaux
 +  service rsyslog restart
 +
 +
 +---
 +
 +Dans auth.log il y a aussi un paquet de ligne venant de cron
 +<code>
 +Jun 24 20:35:01 edmchome CRON[9024]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:35:01 edmchome CRON[9024]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:36:01 edmchome CRON[9040]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:36:01 edmchome CRON[9040]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:37:01 edmchome CRON[9056]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:37:02 edmchome CRON[9056]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:38:01 edmchome CRON[9072]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:38:01 edmchome CRON[9072]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:39:01 edmchome CRON[9088]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:39:01 edmchome CRON[9088]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:40:01 edmchome CRON[9104]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:40:02 edmchome CRON[9104]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:41:01 edmchome CRON[9120]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:41:01 edmchome CRON[9120]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:42:01 edmchome CRON[9136]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:42:02 edmchome CRON[9136]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:43:01 edmchome CRON[9152]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:43:01 edmchome CRON[9152]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:44:01 edmchome CRON[9168]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:44:01 edmchome CRON[9168]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:45:01 edmchome CRON[9184]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:45:02 edmchome CRON[9184]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:46:01 edmchome CRON[9200]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:46:01 edmchome CRON[9200]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:47:01 edmchome CRON[9216]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:47:02 edmchome CRON[9216]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:48:01 edmchome CRON[9232]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:48:01 edmchome CRON[9232]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:49:01 edmchome CRON[9248]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:49:01 edmchome CRON[9248]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:50:01 edmchome CRON[9264]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:50:02 edmchome CRON[9264]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:51:01 edmchome CRON[9280]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:51:01 edmchome CRON[9280]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:52:01 edmchome CRON[9296]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:52:02 edmchome CRON[9296]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:53:01 edmchome CRON[9312]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:53:01 edmchome CRON[9312]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:54:01 edmchome CRON[9328]: pam_unix(cron:session): session opened for user root by (uid=0)
 +Jun 24 20:54:01 edmchome CRON[9328]: pam_unix(cron:session): session closed for user root
 +Jun 24 20:55:01 edmchome CRON[9344]: pam_unix(cron:session): session opened for user root by (uid=0)
 +</code>
 +
 +=== 1ère méthode trouvé sur le net mais qui ne marche pas pour moi ===
 +Pour éviter ça, modifiez **/etc/pam.d/common-session-noninteractive**
 +  vi /etc/pam.d/common-session-noninteractive
 +
 +après la ligne
 +  session required pam_unix.so
 +ajoutez
 +  session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid
 +
 +Redémarrez le service crond
 +  service cron restart
 +
 +=== 2ème méthode qui marche pour moi :) ===
 +Configurer le rsyslog pour exclure ce type d'entrée dans les logs. Editez le fichier **/etc/rsyslog.conf**
 +  vi /etc/rsyslog.conf
 +Modifiez la ligne
 +  auth,authpriv.*                 /var/log/auth.log
 +par
 +  :msg, contains, "pam_unix(cron:session)" ~
 +  auth,authpriv.*                 /var/log/auth.log
 +et redémarrez le service des journaux
 +  service rsyslog restart
 ==== messages ==== ==== messages ====
  
 ==== syslog ==== ==== syslog ====
 +Extrait:
 +<code>
 +Jul  4 06:26:19 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:26:31 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:26:43 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:26:59 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:27:18 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:27:33 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:27:49 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:28:05 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:28:15 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:28:34 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:28:46 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:28:57 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:29:11 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:29:21 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:29:31 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:29:50 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:30:00 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:30:10 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:30:25 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:30:32 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:30:46 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:30:56 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:31:11 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:31:20 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:31:31 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:31:45 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:31:55 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:32:09 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:32:18 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:32:26 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:32:35 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:32:55 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:33:11 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:33:30 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:33:44 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:33:54 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:34:08 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:34:20 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:34:30 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +Jul  4 06:34:39 edmchome dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
 +</code>
 +
 +Rien trouvé de concret sur le net à part configurer son réseau en ip static ce dont je n'ai pas envie de faire.
 +
 +Ma solution un peu brut mais qui marche est de faire un 
 +  killall dhclient
 +
 +----
 +   
 +Extrait
 +<code>
 +Jul  5 09:17:01 edmchome /USR/SBIN/CRON[9951]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
 +Jul  5 10:17:01 edmchome /USR/SBIN/CRON[9996]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
 +Jul  5 11:17:01 edmchome /USR/SBIN/CRON[10117]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
 +Jul  5 12:17:01 edmchome /USR/SBIN/CRON[10163]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
 +Jul  5 13:17:01 edmchome /USR/SBIN/CRON[10592]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
 +Jul  5 14:17:01 edmchome /USR/SBIN/CRON[13626]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
 +Jul  5 15:17:01 edmchome /USR/SBIN/CRON[16127]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
 +Jul  5 16:17:01 edmchome /USR/SBIN/CRON[16790]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
 +Jul  5 17:17:01 edmchome /USR/SBIN/CRON[16832]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
 +Jul  5 18:17:01 edmchome /USR/SBIN/CRON[16876]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
 +Jul  5 19:17:01 edmchome /USR/SBIN/CRON[16920]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
 +Jul  5 20:17:01 edmchome /USR/SBIN/CRON[16961]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
 +Jul  5 21:17:01 edmchome /USR/SBIN/CRON[17163]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly > /dev/null)
 +</code>
 +
 +> Solution trouvé ici http://serverfault.com/questions/432718/avoiding-log-noise-from-cron-jobs-with-syslog-ng-rather-than-syslog
 +
 +Editer le fichier **/etc/default/cron** puis dé-commentez la dernière ligne en spécifiant
 +  EXTRA_OPTS='-L 4'
 +Ce qui permet de logguer tout de même les erreurs, sinon remplacez 4 par 0
  
 +Un petit redémarrage du service au cas ou
 +  service cron restart
 ==== user.log ==== ==== user.log ====
  
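Review bot: the pam_succeed_if line in the first method is inserted on the wrong side of pam_unix, which is why it does nothing: `[success=1 default=ignore]` skips the *next* module in the stack when its test succeeds, so `session [success=1 default=ignore] pam_succeed_if.so service in cron quiet use_uid` has to go *before* `session required pam_unix.so` in /etc/pam.d/common-session-noninteractive, not after it; placed after pam_unix, the session has already been opened and logged by the time the check runs. Two further points in the same hunk. `LogLevel QUIET` in sshd_config, and likewise commenting out `auth,authpriv.*` in rsyslog.conf, silence exactly the evidence this excerpt shows (one host, 80.84.55.183, hammering root until "Too many authentication failures"), and the rsyslog change also drops everything else on the auth/authpriv facilities, including the cron session lines shown below it; the discard filter from the second method (`:msg, contains, "..." ~`, placed before the auth.log rule) is the selective tool here and could carry the sshd noise as well, which would keep the text's own caveat ("plus de trace en cas de piratage") from being the price of a quieter log. Finally, `killall dhclient` stops lease renewal rather than fixing it: the syslog excerpt shows only DHCPREQUEST lines, roughly every 10 to 20 seconds, with no DHCPACK among them, which is what dhclient does when its renewal goes unanswered, so the step should at least say that the address is then held without renewal and the underlying DHCP problem is left in place.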
Ligne 163: Ligne 369:
 ==== dbus-daemon ==== ==== dbus-daemon ====
  
 +===== Stopper tous les logs =====
 +
 +Solution radicale pour éviter l'écriture des logs
 +
 +  sudo systemctl stop rsyslog
 +  sudo systemctl disable rsyslog
 +
 +ou
 +
 +Edit the file /etc/rsyslog.conf and just after the section starting
 +
 +  ###############
 +  #### RULES ####
 +  ###############
 +
 +add the following line.
 +
 +  *.*     ~
 +
 +If you want to be more fine-grained you will need to read the file comments.
 +
 +Do not forget to restart rsyslog daemon:
  
 +  sudo service rsyslog restart
  
  
  
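Review bot: `*.* ~` at the head of the RULES section discards every message before any later rule is evaluated, so it silently turns the auth.log and cron filters configured earlier on this page into dead configuration; the hunk should say that this is an all-or-nothing switch, not a refinement of them. `~` is also the legacy spelling of the discard action; current rsyslog versions warn that it is deprecated and accept `stop` in its place, so documenting `*.* stop` as the equivalent would spare readers the warning. Style: the section switches from French to English midway ("Edit the file /etc/rsyslog.conf...") and mixes `systemctl stop/disable` with `service rsyslog restart` for the same daemon; one language and one service-management command would read more consistently. It is also worth stating plainly that with rsyslog stopped or discarding everything there is no local record at all of events such as the sshd brute-force attempts shown in the auth.log excerpt above.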
raspberry/log.1372972338.txt.gz · Last modified: 04-07-2013 23:12 by edmc73