[server-admins] [Fwd: Logwatch for www.crosswire.org (Linux)]
Jonathan Marsden
jmarsden at fastmail.fm
Tue Aug 4 21:12:13 MST 2009
Troy A. Griffitts wrote:
> I get these daily. Is there any way we can clean some of this up?
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.94.2 Recommended version: 0.95.2
You would need to install a newer version of ClamAV to get rid of this
one. That would mean using a 3rd party repository, I think. Probably
not worth it, but it depends on your overall approach to and trust of
third party repositories.
> dovecot: imap-login: Maximum number of connections from user+IP exceeded (mail_max_userip_connections): user=<chrislit>, method=PLAIN, rip=67.169.160.212, lip=64.140.154.250, TLS: 3 Time(s)
Ask chrislit why he seems to be logging in to his email multiple times
simultaneously? He may have a buggy IMAP client?? Not a big deal :)
> 2009-08-03 00:28:04 DNS list lookup defer (probably timeout) for 25.128.140.64.list.dsbl.org: assumed not in list: 1 Time(s)
There are *so* many of these this is definitely worth investigating. I
think it may also relate to the exim/mailman "sender verify" timeout
issues. Is list.dsbl.org a functioning DNS blacklist?
Nope. Not any more. It went away a long time ago! Your email pumpkin
holder needs to stay a little more current with the state of the DNS
blacklist culture :)
http://www.dsbl.org says:
DSBL is GONE and highly unlikely to return. Please remove it from your
mail server configuration.
So... that's what should be done :) Remove it from line 505 of
/etc/exim/exim.conf as soon as possible, and restart exim. This could
be a *big* help with the bounce issues you have been seeing.
> 404 Not Found
There are a lot of these, but none with enough frequency per day that
there looks to be a real issue. I'd probably remove from the report
anything that happened less than (say) ten times a day, so that any
popular ones (probable link errors within the crosswire web site) stand out.
> 500 Internal Server Error
> /study/fulllibrary.jsp?show=CzeBKR: 1 Time(s)
and its friends... should be studied by whoever has the pumpkin for this
chunk of the web space. The set of /passagestudy ones looks like
something or someone was trying to grab the whole bible sequentially??
If that is someone trying to write a script to abuse your site, you
should investigate.
> 502 Bad Gateway
Quite a few of these, although again none repeat a lot. Most relate to
/bugs/* and so should be looked at by the JIRA pumpkin holder :)
> 503 Service Unavailable
Something is going on, you shouldn't be seeing all these 50x errors
daily, I don't think. If this is a reasonable average sample report,
this should be looked at in more detail from the web server logs.
> sshd:
> Authentication Failures:
> unknown (60.32.64.234): 6687 Time(s)
ATTACK DETECTED. Some clueless script kiddie is trying to break in to
your system from this IP. It *might* be a system that has been owned
and used to attack you with, but IMO more likely this is a kiddie.
Block them (with a packet filter and perhaps with /etc/hosts.deny also),
and if you are feeling like being a good net citizen, figure out who to
report the abuse to and email the appropriate authority. In this
instance they seem to be in Japan, so this latter action might not get
you very far unless you speak Japanese :)
> dglassey (cpc2-cmbg13-0-0-cust625.cmbg.cable.ntl.com): 1 Time(s)
> dmsmith (adsl-69-218-243-198.dsl.dytnoh.ameritech.net): 1 Time(s)
Heh, we know who these "attackers" are ... probably they fumbled their
passwords. Switching to using a public key pair would avoid this :)
> Large Mailbox threshold: 40MB (41943040 bytes)
> Warning: Large mailbox: dmsmith (77394602)
> Warning: Large mailbox: chrislit (96799025)
> Warning: Large mailbox: dtrotzjr (83405332)
> Warning: Large mailbox: scribe (54950669)
> Warning: Large mailbox: bdrake (94948222)
Either clean up your mailboxes, guys, or up the configured threshold :)
> Failed logins from:
> 60.32.64.234: 730 times
Yup, this one needs blocking.
> Illegal users from:
> 60.32.64.234: 6687 times
See what I mean :) You might want to consider using fail2ban or a
similar tool to automatically detect and packet filter folks trying to
do dictionary attacks this blatantly. The Internet has quite a few
unsavoury characters in it... and your server is using password based
SSH logins on the default SSH port, so it is vulnerable to this kind of
attack if any user ever chooses a poor password.
FYI, at work we take this kind of attack fairly seriously, and work to
get the issue reported to the ISP or university concerned quickly and
accurately. At least when they are based in a country whose language we
can speak :)
On a security conscious server, you could deal with this from the
opposite direction, and run John the Ripper against your own password
database -- and "have words" with anyone whose pw you can crack in less
than a couple of days of CPU time! You do have a lot of spare CPU
cores, so maybe you could devote one core to this, if you want?
> reverse mapping checking getaddrinfo for 66-147-164-211.focaldata.net [66.147.164.211] failed - POSSIBLE BREAK-IN ATTEMPT! : 6 time(s)
That's a minor oddity... if we know who this is, they need to get their
reverse DNS fixed. If we don't know who this is, we should keep an eye
out for future login attempts from this IP.
And that's it for today's logwatch analysis. This kind of analysis is
what you, as sysadmin, "should" be doing with this report every single
day to keep your server healthy :) :)
Jonathan
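As an added illustration of the sshd findings above (the "Failed logins from" / "Illegal users from" counts and the fail2ban suggestion), here is a small Python script that is not part of the original thread: it reproduces the logwatch-style per-IP tally from auth.log lines and flags sources that cross a threshold, which is the same decision a fail2ban jail automates. The log lines and IP addresses are constructed samples, not from the crosswire report.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of OpenSSH auth.log entries (not taken
# from the original report); the IPs are documentation-range placeholders.
SAMPLE_AUTH_LOG = """\
Aug  3 00:01:02 www sshd[1201]: Invalid user admin from 192.0.2.10
Aug  3 00:01:03 www sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Aug  3 00:01:05 www sshd[1203]: Invalid user oracle from 192.0.2.10
Aug  3 00:01:06 www sshd[1203]: Failed password for invalid user oracle from 192.0.2.10 port 40130 ssh2
Aug  3 00:01:08 www sshd[1205]: Failed password for root from 192.0.2.10 port 40140 ssh2
Aug  3 00:01:09 www sshd[1207]: Failed password for root from 192.0.2.10 port 40141 ssh2
Aug  3 00:01:10 www sshd[1209]: Failed password for root from 192.0.2.10 port 40142 ssh2
Aug  3 07:15:44 www sshd[2210]: Failed password for dmsmith from 198.51.100.7 port 51022 ssh2
Aug  3 07:15:51 www sshd[2212]: Accepted publickey for dmsmith from 198.51.100.7 port 51030 ssh2
"""

# "Failed password" covers both real accounts and "invalid user" attempts;
# "Invalid user" is what logwatch reports under "Illegal users from".
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")


def summarize(log_text):
    """Return (failed_by_ip, illegal_by_ip) counters, mirroring logwatch's
    'Failed logins from' and 'Illegal users from' sections."""
    failed, illegal = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = INVALID_RE.search(line)
        if m:
            illegal[m.group(2)] += 1
    return failed, illegal


def block_candidates(log_text, threshold=5):
    """IPs whose failed or invalid-user attempts reach the threshold: the ones a
    fail2ban-style jail would packet filter. A single fumbled password stays out."""
    failed, illegal = summarize(log_text)
    return sorted(ip for ip in set(failed) | set(illegal)
                  if failed[ip] + illegal[ip] >= threshold)


if __name__ == "__main__":
    for ip in block_candidates(SAMPLE_AUTH_LOG):
        print("block candidate:", ip)
```

With the sample above, the dictionary-attack source is flagged while the one-off fumbled password from a known user is not; in practice the threshold and a time window (as fail2ban's findtime/maxretry) separate the two cases.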