While logwatch.pl is still not being run from root's crontab, my manual
run this morning starts with a log report I've not seen before:
--------------------- Selinux Audit Begin ------------------------
**Unmatched Entries** (Only first 10 out of 713 are printed)
type=1326 audit(1405757401.043:10184): auid=4294967295 uid=33 gid=33 ses=4294967295 pid=16637 comm="sshd" sig=31 syscall=102 compat=0 ip=0xb73dd922 code=0x0
type=1326 audit(1405757404.968:10185): auid=4294967295 uid=33 gid=33 ses=4294967295 pid=16639 comm="sshd" sig=31 syscall=102 compat=0 ip=0xb7383922 code=0x0
These look to be reports of attempts to crack the network via sshd, yet
these attempts are also found in the sshd section:
--------------------- SSHD Begin ------------------------
Disconnecting after too many authentication failures for user:
admin : 103 Time(s)
root : 610 Time(s)
Failed logins from:
61.174.50.235 (235.50.174.61.dial.wz.zj.dynamic.163data.com.cn): 153 times
61.174.51.196 (196.51.174.61.dial.wz.zj.dynamic.163data.com.cn): 297 times
61.174.51.204 (204.51.174.61.dial.wz.zj.dynamic.163data.com.cn): 40 times
What is the selinux audit telling me and how do I recognize when I need to
respond to something in there?
Rich
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
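The records logwatch could not match are not login attempts at all: audit type 1326 is AUDIT_SECCOMP, the record the kernel writes when a seccomp filter rejects a system call. In the two lines above, sig=31 is SIGSYS and code=0x0 is the SECCOMP_RET_KILL verdict, so each record says a process named sshd was killed by its own syscall filter; syscall=102 with compat=0 and a 32-bit instruction pointer is socketcall on an i386 kernel, and auid=4294967295 is the "unset" value, meaning the process had no login session attached. The script below, an added example that is not part of the original post or of logwatch, parses such records into fields and prints a plain-language reading, so that a seccomp kill can be told apart from an authentication failure before deciding whether it needs a response. The two sample records are the post's own lines, rejoined onto one line each; the syscall-name table is a deliberately small subset of the i386 table and everything else comes from the kernel's public constants.

```python
"""Decode Linux audit type=1326 (AUDIT_SECCOMP) records such as the ones
logwatch listed under "Unmatched Entries".  Added example; not from the post."""
import re
from collections import Counter

AUDIT_SECCOMP = 1326                 # record type, from linux/audit.h
UNSET_ID = 4294967295                # (unsigned)-1: auid/ses were never set
SIGNAL_NAMES = {9: "SIGKILL", 11: "SIGSEGV", 31: "SIGSYS"}   # x86 numbering
# Filter verdict carried in the "code" field (SECCOMP_RET_* from linux/seccomp.h)
SECCOMP_ACTIONS = {0x0: "kill", 0x30000: "trap", 0x50000: "errno",
                   0x7ff00000: "trace", 0x7fff0000: "allow"}
# Small subset of the i386 syscall table.  compat=0 together with a 32-bit
# instruction pointer means a 32-bit kernel, so the i386 numbers apply.
I386_SYSCALLS = {3: "read", 4: "write", 102: "socketcall"}

HEADER_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: the two records from the post, one record per line.
SAMPLE_LINES = [
    'type=1326 audit(1405757401.043:10184): auid=4294967295 uid=33 gid=33 '
    'ses=4294967295 pid=16637 comm="sshd" sig=31 syscall=102 compat=0 '
    'ip=0xb73dd922 code=0x0',
    'type=1326 audit(1405757404.968:10185): auid=4294967295 uid=33 gid=33 '
    'ses=4294967295 pid=16639 comm="sshd" sig=31 syscall=102 compat=0 '
    'ip=0xb7383922 code=0x0',
]


def parse_audit_record(line):
    """Turn one audit record into a dict: decimal and hex values become int,
    quoted strings lose their quotes.  Returns None for non-audit text."""
    hdr = HEADER_RE.search(line)
    if hdr is None:
        return None
    rec = {"timestamp": float(hdr.group(1)), "serial": int(hdr.group(2))}
    for key, quoted, bare in FIELD_RE.findall(line):
        if bare.startswith("0x"):
            val = int(bare, 16)
        elif bare.isdigit():
            val = int(bare)
        else:
            val = quoted if bare == "" else bare
        rec[key] = val
    return rec


def describe_seccomp(rec):
    """One-line reading of a type=1326 record, or None if it is another type."""
    if rec is None or rec.get("type") != AUDIT_SECCOMP:
        return None
    sysname = I386_SYSCALLS.get(rec["syscall"], f"syscall {rec['syscall']}")
    sig = SIGNAL_NAMES.get(rec["sig"], f"signal {rec['sig']}")
    action = SECCOMP_ACTIONS.get(rec["code"], f"code {rec['code']:#x}")
    session = ("no login session" if rec["auid"] == UNSET_ID
               else f"auid {rec['auid']}")
    return (f"pid {rec['pid']} ({rec['comm']}, uid {rec['uid']}, {session}) "
            f"called {sysname}; seccomp verdict: {action}, process got {sig}")


def summarize_seccomp(lines):
    """Count seccomp kills per (command, syscall) so 713 records collapse
    into a handful of distinct causes worth looking at."""
    counts = Counter()
    for line in lines:
        rec = parse_audit_record(line)
        if rec is not None and rec.get("type") == AUDIT_SECCOMP:
            sysname = I386_SYSCALLS.get(rec["syscall"], f"syscall {rec['syscall']}")
            counts[(rec["comm"], sysname)] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(describe_seccomp(parse_audit_record(line)))
    for (comm, sysname), n in summarize_seccomp(SAMPLE_LINES).items():
        print(f"{comm}: {n} seccomp record(s) for {sysname}")
```

The per-(command, syscall) summary is the part worth keeping: a burst of identical kills for one daemon and one syscall points at a single cause to investigate (a filter that is stricter than the binary expects, or a process doing something it should not), whereas the SSHD section of the same report is where the password-guessing activity is actually counted.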