[Server] Unexpected reboot


magnus
21-10-2010, 17:14
Hi guys,
I have a big problem: one of my servers reboots unexpectedly.

What could I check in the system logs?

The OS is Ubuntu 7.10.

Any advice?

hfish
21-10-2010, 22:57
you can start with

/var/log/auth -- dmesg -- syslog --user

magnus
22-10-2010, 09:39
I found this in the syslog:

Oct 21 12:35:17 servermio /usr/sbin/cron[5407]: (CRON) INFO (Running @reboot jobs)
Oct 21 13:35:26 servermio /usr/sbin/cron[5380]: (CRON) INFO (Running @reboot jobs)
Oct 21 14:36:15 servermio /usr/sbin/cron[5381]: (CRON) INFO (Running @reboot jobs)
Oct 21 15:36:20 servermio /usr/sbin/cron[5374]: (CRON) INFO (Running @reboot jobs)
Oct 21 16:37:17 servermio /usr/sbin/cron[5398]: (CRON) INFO (Running @reboot jobs)
Oct 21 17:37:39 servermio /usr/sbin/cron[5432]: (CRON) INFO (Running @reboot jobs)
Oct 21 18:37:36 servermio /usr/sbin/cron[5379]: (CRON) INFO (Running @reboot jobs)
Oct 21 19:38:16 servermio /usr/sbin/cron[5443]: (CRON) INFO (Running @reboot jobs)
Oct 21 21:39:05 servermio /usr/sbin/cron[5393]: (CRON) INFO (Running @reboot jobs)
Oct 21 22:39:46 servermio /usr/sbin/cron[5104]: (CRON) INFO (Running @reboot jobs)
Oct 21 23:39:53 servermio /usr/sbin/cron[5113]: (CRON) INFO (Running @reboot jobs)
Oct 22 00:40:15 servermio /usr/sbin/cron[5093]: (CRON) INFO (Running @reboot jobs)
Oct 22 01:40:40 servermio /usr/sbin/cron[5092]: (CRON) INFO (Running @reboot jobs)
Oct 22 02:41:04 servermio /usr/sbin/cron[5048]: (CRON) INFO (Running @reboot jobs)
Oct 22 03:41:37 servermio /usr/sbin/cron[5051]: (CRON) INFO (Running @reboot jobs)
Oct 22 04:41:57 servermio /usr/sbin/cron[5054]: (CRON) INFO (Running @reboot jobs)
Oct 22 05:42:24 servermio /usr/sbin/cron[5052]: (CRON) INFO (Running @reboot jobs)
Oct 22 06:42:56 servermio /usr/sbin/cron[5059]: (CRON) INFO (Running @reboot jobs)
Oct 22 07:43:18 servermio /usr/sbin/cron[5043]: (CRON) INFO (Running @reboot jobs)
Oct 22 08:58:38 servermio /usr/sbin/cron[5097]: (CRON) INFO (Running @reboot jobs)

Why?

Is it possible that it reboots this precisely, every hour?
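The hourly cadence magnus is asking about can be checked mechanically. The following is an added example, not code from the thread: it pulls the cron start lines out of a syslog excerpt, measures the gaps between them and flags a regular cadence. One caveat a practitioner would want first: cron writes "Running @reboot jobs" whenever the cron daemon itself starts, so this line proves that cron was (re)started, not that the machine was; `last reboot` or `uptime` settles whether the kernel actually came back up. The sample lines are a subset copied from the post plus one constructed noise line, and the year is assumed (syslog timestamps carry none).

```python
"""Flag a periodic "(CRON) INFO (Running @reboot jobs)" cadence in syslog.

Added example, not code from the original thread. cron writes this line
every time the cron daemon starts, so it records a cron (re)start, not
necessarily a full system reboot: cross-check with `last reboot`.
syslog timestamps carry no year, so one is assumed (2010, as in the post).
"""
from __future__ import annotations

import re
from datetime import datetime
from statistics import median

# Constructed sample: a subset of the lines quoted in the post plus one
# unrelated cron line, to show that the filter ignores noise.
SAMPLE_SYSLOG = """\
Oct 21 12:35:17 servermio /usr/sbin/cron[5407]: (CRON) INFO (Running @reboot jobs)
Oct 21 12:40:01 servermio /usr/sbin/cron[5450]: (root) CMD (run-parts /etc/cron.hourly)
Oct 21 13:35:26 servermio /usr/sbin/cron[5380]: (CRON) INFO (Running @reboot jobs)
Oct 21 14:36:15 servermio /usr/sbin/cron[5381]: (CRON) INFO (Running @reboot jobs)
Oct 21 15:36:20 servermio /usr/sbin/cron[5374]: (CRON) INFO (Running @reboot jobs)
Oct 21 16:37:17 servermio /usr/sbin/cron[5398]: (CRON) INFO (Running @reboot jobs)
Oct 21 17:37:39 servermio /usr/sbin/cron[5432]: (CRON) INFO (Running @reboot jobs)
Oct 21 18:37:36 servermio /usr/sbin/cron[5379]: (CRON) INFO (Running @reboot jobs)
Oct 21 19:38:16 servermio /usr/sbin/cron[5443]: (CRON) INFO (Running @reboot jobs)
Oct 21 21:39:05 servermio /usr/sbin/cron[5393]: (CRON) INFO (Running @reboot jobs)
Oct 21 22:39:46 servermio /usr/sbin/cron[5104]: (CRON) INFO (Running @reboot jobs)
"""

REBOOT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ /usr/sbin/cron\[\d+\]: "
    r"\(CRON\) INFO \(Running @reboot jobs\)$"
)


def parse_ts(stamp: str, year: int = 2010) -> datetime:
    """Parse a BSD-syslog timestamp; the year is an assumption."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def cron_start_times(text: str, year: int = 2010) -> list[datetime]:
    """Timestamps of every cron daemon start recorded in `text`, sorted."""
    times = []
    for line in text.splitlines():
        m = REBOOT_RE.match(line)
        if m:
            times.append(parse_ts(m.group("ts"), year))
    return sorted(times)


def gaps_seconds(times: list[datetime]) -> list[float]:
    """Seconds between consecutive cron starts."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def summarize(text: str, expected: int = 3600, tolerance: float = 0.25,
              min_fraction: float = 0.8) -> dict:
    """Count cron starts and decide whether they recur every `expected` s.

    A gap is "on cadence" when it is within `tolerance` of `expected`; the
    series counts as periodic when at least `min_fraction` of the gaps are
    on cadence. Gaps well above `expected` (a missed entry, such as the
    19:38 -> 21:39 hole in the post) are reported separately as skipped.
    """
    times = cron_start_times(text)
    gaps = gaps_seconds(times)
    on_cadence = [g for g in gaps if abs(g - expected) <= tolerance * expected]
    skipped = [g for g in gaps if g > expected * (1 + tolerance)]
    return {
        "starts": len(times),
        "median_gap": median(gaps) if gaps else None,
        "on_cadence": len(on_cadence),
        "skipped": len(skipped),
        "periodic": len(gaps) >= 3 and len(on_cadence) >= min_fraction * len(gaps),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_SYSLOG))
```

On the sample the median gap comes out at 3640 seconds with eight of nine gaps on the hourly cadence and one skipped slot, which is exactly the "every hour, give or take a minute" pattern in the post; a real reboot every hour would also show up in `last reboot`, a bare cron restart would not.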

hfish
22-10-2010, 09:40
do you have any cron jobs that require a reboot?

magnus
22-10-2010, 09:46
I really don't think so.
How could I block the reboot command?

magnus
22-10-2010, 09:58
In the auth log I read:

Oct 22 09:54:05 servermio sshd[7118]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.29.86.86 user=root
Oct 22 09:54:08 servermio sshd[7118]: Failed password for invalid user root from 218.29.86.86 port 38716 ssh2
Oct 22 09:54:11 servermio sshd[7124]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.86.86] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 09:54:11 servermio sshd[7124]: User root from 218.29.86.86 not allowed because not listed in AllowUsers
Oct 22 09:54:11 servermio sshd[7124]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.29.86.86 user=root
Oct 22 09:54:13 servermio sshd[7124]: Failed password for invalid user root from 218.29.86.86 port 40148 ssh2
Oct 22 09:54:16 servermio sshd[7127]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.86.86] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 09:54:16 servermio sshd[7127]: User root from 218.29.86.86 not allowed because not listed in AllowUsers
Oct 22 09:54:16 servermio sshd[7127]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.29.86.86 user=root
Oct 22 09:54:18 servermio sshd[7127]: Failed password for invalid user root from 218.29.86.86 port 41469 ssh2
Oct 22 09:54:20 servermio proftpd: pam_unix(proftpd:session): session closed for user coopspett_php
Oct 22 09:54:21 servermio sshd[7129]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.86.86] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 09:54:21 servermio sshd[7129]: User root from 218.29.86.86 not allowed because not listed in AllowUsers
Oct 22 09:54:21 servermio sshd[7129]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.29.86.86 user=root
Oct 22 09:54:23 servermio sshd[7129]: Failed password for invalid user root from 218.29.86.86 port 42854 ssh2
Oct 22 09:54:27 servermio sshd[7133]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.86.86] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 09:54:27 servermio sshd[7133]: User root from 218.29.86.86 not allowed because not listed in AllowUsers
Oct 22 09:54:27 servermio sshd[7133]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.29.86.86 user=root
Oct 22 09:54:29 servermio sshd[7133]: Failed password for invalid user root from 218.29.86.86 port 44313 ssh2
Oct 22 09:54:32 servermio sshd[7136]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.86.86] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 09:54:32 servermio sshd[7136]: User root from 218.29.86.86 not allowed because not listed in AllowUsers
Oct 22 09:54:32 servermio sshd[7136]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.29.86.86 user=root
Oct 22 09:54:34 servermio sshd[7136]: Failed password for invalid user root from 218.29.86.86 port 45608 ssh2
Oct 22 09:54:37 servermio sshd[7139]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.86.86] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 09:54:37 servermio sshd[7139]: Invalid user kftd from 218.29.86.86
Oct 22 09:54:37 servermio sshd[7139]: pam_unix(ssh:auth): check pass; user unknown
Oct 22 09:54:37 servermio sshd[7139]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.29.86.86
Oct 22 09:54:38 servermio sshd[7139]: Failed password for invalid user kftd from 218.29.86.86 port 46791 ssh2
Oct 22 09:54:40 servermio proftpd: pam_unix(proftpd:session): session opened for user coopspett_php by (uid=0)
Oct 22 09:54:42 servermio sshd[7161]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.86.86] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 09:54:42 servermio sshd[7161]: User root from 218.29.86.86 not allowed because not listed in AllowUsers
Oct 22 09:54:42 servermio sshd[7161]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.29.86.86 user=root
Oct 22 09:54:44 servermio sshd[7161]: Failed password for invalid user root from 218.29.86.86 port 48058 ssh2
Oct 22 09:54:47 servermio sshd[7163]: reverse mapping checking getaddrinfo for hn.kd.ny.adsl [218.29.86.86] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 22 09:54:47 servermio sshd[7163]: User root from 218.29.86.86 not allowed because not listed in AllowUsers
Oct 22 09:54:47 servermio sshd[7163]: pam_unix(ssh:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.29.86.86 user=root
Oct 22 09:54:48 servermio sshd[4540]: Received signal 15; terminating.
Oct 22 09:54:49 servermio sshd[7163]: Failed password for invalid user root from 218.29.86.86 port 49315 ssh2
Oct 22 09:55:01 servermio CRON[7204]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 22 09:55:01 servermio CRON[7204]: pam_unix(cron:session): session closed for user root

What does it mean?

For now I have banned the IP 218.29.86.86 anyway.
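Triage of the auth.log excerpt above, as an added example that is not the thread's own code: it counts failed logins per source address, records the user names tried and how often the AllowUsers directive rejected the attempt, applies a fail2ban-style rule (5 failures within 60 seconds is an assumed default, not a value from the thread), and separately lists the `Received signal 15; terminating` line. That line records sshd being stopped with SIGTERM at 09:54:48; it is something done on the server, not something the remote host did, and it is the kind of event to line up against the hourly restarts. The sample is a subset of the lines quoted in the post; the year is assumed.

```python
"""Triage sshd lines from auth.log: failures per source and sshd shutdowns.

Added example, not code from the original thread. Groups failed logins by
source address, records the user names tried and AllowUsers rejections,
applies a fail2ban-style rule (`threshold` failures within `window` s)
and lists "Received signal N; terminating" events, which mark the daemon
being stopped rather than an attack. The year is assumed (2010).
"""
from __future__ import annotations

import re
from datetime import datetime

# Constructed sample: a subset of the auth.log lines quoted in the post.
SAMPLE_AUTH = """\
Oct 22 09:54:08 servermio sshd[7118]: Failed password for invalid user root from 218.29.86.86 port 38716 ssh2
Oct 22 09:54:11 servermio sshd[7124]: User root from 218.29.86.86 not allowed because not listed in AllowUsers
Oct 22 09:54:13 servermio sshd[7124]: Failed password for invalid user root from 218.29.86.86 port 40148 ssh2
Oct 22 09:54:16 servermio sshd[7127]: User root from 218.29.86.86 not allowed because not listed in AllowUsers
Oct 22 09:54:18 servermio sshd[7127]: Failed password for invalid user root from 218.29.86.86 port 41469 ssh2
Oct 22 09:54:20 servermio proftpd: pam_unix(proftpd:session): session closed for user coopspett_php
Oct 22 09:54:37 servermio sshd[7139]: Invalid user kftd from 218.29.86.86
Oct 22 09:54:38 servermio sshd[7139]: Failed password for invalid user kftd from 218.29.86.86 port 46791 ssh2
Oct 22 09:54:42 servermio sshd[7161]: User root from 218.29.86.86 not allowed because not listed in AllowUsers
Oct 22 09:54:44 servermio sshd[7161]: Failed password for invalid user root from 218.29.86.86 port 48058 ssh2
Oct 22 09:54:48 servermio sshd[4540]: Received signal 15; terminating.
Oct 22 09:54:49 servermio sshd[7163]: Failed password for invalid user root from 218.29.86.86 port 49315 ssh2
Oct 22 09:55:01 servermio CRON[7204]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

TS = r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
FAILED_RE = re.compile(TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                      r"(?P<user>\S+) from (?P<ip>\S+) port \d+")
ALLOW_RE = re.compile(TS + r"sshd\[\d+\]: User (?P<user>\S+) from (?P<ip>\S+) "
                     r"not allowed because not listed in AllowUsers")
TERM_RE = re.compile(TS + r"sshd\[(?P<pid>\d+)\]: Received signal (?P<sig>\d+); terminating")


def parse_ts(stamp: str, year: int = 2010) -> datetime:
    """BSD-syslog timestamp; the year is an assumption."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def burst(times: list[datetime], threshold: int, window: int) -> bool:
    """True if any `threshold` consecutive events fall within `window` seconds."""
    times = sorted(times)
    return any(
        (times[i + threshold - 1] - times[i]).total_seconds() <= window
        for i in range(len(times) - threshold + 1)
    )


def triage(text: str, threshold: int = 5, window: int = 60) -> dict:
    """Per-source failure summary plus the list of sshd terminations."""
    sources: dict[str, dict] = {}
    terminations = []

    def source(ip: str) -> dict:
        return sources.setdefault(ip, {"failures": [], "users": set(), "allowusers_rejects": 0})

    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            s = source(m["ip"])
            s["failures"].append(parse_ts(m["ts"]))
            s["users"].add(m["user"])
            continue
        m = ALLOW_RE.match(line)
        if m:
            s = source(m["ip"])
            s["allowusers_rejects"] += 1
            s["users"].add(m["user"])
            continue
        m = TERM_RE.match(line)
        if m:
            # (when, listener pid, signal): a stop of the daemon, not a login event
            terminations.append((parse_ts(m["ts"]), int(m["pid"]), int(m["sig"])))

    report = {
        ip: {
            "failures": len(s["failures"]),
            "users": sorted(s["users"]),
            "allowusers_rejects": s["allowusers_rejects"],
            "ban": burst(s["failures"], threshold, window),
        }
        for ip, s in sources.items()
    }
    return {"sources": report, "sshd_terminations": terminations}


if __name__ == "__main__":
    print(triage(SAMPLE_AUTH))
```

On the sample, 218.29.86.86 produces six password failures in 41 seconds (root and kftd) and three AllowUsers rejections, so it trips the ban rule; that matches what magnus did by hand. The one termination entry belongs to pid 4540, the low-numbered listener started at boot, which is why every later attempt from that host shows a new child pid.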

magnus
22-10-2010, 10:04
Oh no! Every hour I read in the syslog:

Oct 22 07:42:54 servermio syslogd 1.4.1#21ubuntu3: restart.

Why?!?!?!

hfish
22-10-2010, 10:07
there's an ssh option that explicitly forbids logging in as root... you have to log in as a normal user first and then do su
that way two passwords and a user name are needed, so the security level goes up

try running crontab -l as your user and as root
again as your user and as root, have a look at what history says

if you have even the slightest doubt that the machine may have been compromised, don't mess around: reinstall and change all the passwords
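Two of the checks hfish suggests, as an added example that is not the thread's own code: an audit of sshd_config that shows the weak setting beside the hardened one (PermitRootLogin no plus AllowUsers, which is also where the `not listed in AllowUsers` lines in the auth log come from), and a walk over `crontab -l` output that flags entries running every hour, at @reboot, or invoking a reboot/shutdown command. The two config texts and the crontab are constructed; the user name magnus in the hardened config is a placeholder.

```python
"""Audit sshd_config and crontab entries for the two controls in the thread.

Added example, not the thread's own code. `audit_sshd_config` reads the
directives the way OpenSSH does (case-insensitive keyword, first
occurrence wins) and reports whether root may log in over ssh and whether
AllowUsers restricts who may. `audit_crontab` walks `crontab -l` output
and flags jobs that run every hour, run at @reboot (i.e. whenever the
cron daemon starts) or invoke a reboot/shutdown command. All texts below
are constructed samples.
"""
from __future__ import annotations

import re

WEAK_SSHD_CONFIG = """\
# constructed sample, weak: root reachable by password over ssh
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
# constructed sample, hardened: log in as an unprivileged user, then su
Port 22
PermitRootLogin no
AllowUsers magnus
"""

SAMPLE_CRONTAB = """\
# m h dom mon dow command  (constructed sample)
17 * * * * /usr/local/bin/cleanup.sh
0 3 * * 0 /usr/bin/find /tmp -mtime +7 -delete
@reboot /usr/local/bin/start-app.sh
*/30 * * * * /sbin/shutdown -r now
"""

REBOOT_CMD_RE = re.compile(r"\b(reboot|shutdown|poweroff|halt|(?:tel)?init\s+6)\b")


def parse_sshd_config(text: str) -> dict[str, str]:
    """keyword -> value; keyword lower-cased, first occurrence wins."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


def audit_sshd_config(text: str) -> list[str]:
    """Findings for the two controls discussed in the thread."""
    cfg = parse_sshd_config(text)
    findings = []
    # OpenSSH of that era defaulted PermitRootLogin to yes, so absent == yes.
    if cfg.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no': root can be brute-forced directly")
    if "allowusers" not in cfg:
        findings.append("no AllowUsers: every local account is a valid ssh target")
    return findings


def cron_is_hourly(schedule: list[str]) -> bool:
    """Fixed minute (or */N minutes) with hour '*' fires at least once an hour."""
    minute, hour = schedule[0], schedule[1]
    return hour == "*" and (minute.isdigit() or minute.startswith("*/"))


def audit_crontab(text: str) -> list[tuple[str, str]]:
    """(entry, reason) pairs for entries worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or environment assignment such as MAILTO=
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            tag, schedule, cmd = parts[0], None, parts[1]
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            tag, schedule, cmd = None, fields[:5], fields[5]
        if REBOOT_CMD_RE.search(cmd):
            findings.append((line, "invokes a reboot/shutdown command"))
        if tag == "@reboot":
            findings.append((line, "@reboot job: runs whenever the cron daemon starts"))
        elif schedule and cron_is_hourly(schedule):
            findings.append((line, "runs every hour"))
    return findings


if __name__ == "__main__":
    print(audit_sshd_config(WEAK_SSHD_CONFIG), audit_sshd_config(HARDENED_SSHD_CONFIG))
    for entry, reason in audit_crontab(SAMPLE_CRONTAB):
        print(f"{reason}: {entry}")
```

Run `audit_crontab` over `crontab -l` for root and for every user, and over /etc/crontab and /etc/cron.d/*, since a job installed in any of those would not show up in a single user's listing.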

magnus
22-10-2010, 10:09
Originally posted by hfish
there's an ssh option that explicitly forbids logging in as root... you have to log in as a normal user first and then do su
that way two passwords and a user name are needed, so the security level goes up

try running crontab -l as your user and as root
again as your user and as root, have a look at what history says

if you have even the slightest doubt that the machine may have been compromised, don't mess around: reinstall and change all the passwords

I've stopped ssh for now. I don't need it anyway.

magnus
22-10-2010, 10:09
But is there no way to trace who caused this?

Oct 22 07:42:54 servermio syslogd 1.4.1#21ubuntu3: restart.
