slipknot - Jul 27, 2005 - 8:52 pm
Hi,
The /var/log/asl.log on my remote mac is getting clogged up with the following entries:
[Time 2005.07.26 21:08:02 UTC] [Facility authpriv] [Sender com.apple.SecurityServer] [PID -1] [Message authinternal failed to authenticate user ***.] [Level 3] [UID -2] [GID -2] [Host remote.mac]
The same entry is appearing every 5 minutes or so - not regular times but all day long. I think I've managed to work out that I've not been hacked (Host remote.mac) and that it's launchd (PID -1) that's causing the problem but that's as far as I've got. What is it? Is level 3 bad? What's causing it - I have a couple of similar entries on my local macs but nothing like the amount I'm getting on the remote mac but then that's always on. How do I chase down the process that's generating this log?
Look forward to hearing from you,
Gavin
philippe99 - Jul 28, 2005 - 7:24 am
Gavin
Welcome to macosx.com
Something like your Mac trying to iSync with a .Mac account.
Do you have a .Mac account, or did you have one in the past?
In the SystemPreferences/.Mac pane, do you find some synchronising tasks enabled?
And by the way, Gavin, which OS do you run?
Regards
Philippe
slipknot - Jul 28, 2005 - 8:37 am
Philippe,
Thanks for the reply. I've checked the SystemPreferences/.Mac pane - although I'm doing everything from the command line because I haven't got VNC setup (don't want it really - trying to get my head round the command line). Nothing in the plist to indicate that the remote mac is polling an iMac account and I'd be surprised if any synchronising tasks were enabled. The remote mac was set up by my hosting provider and they wouldn't have enabled any .Mac accounts.
I'm also getting the following in the secure.log
Jul 20 19:01:29 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user gavin.
These logs have been going on for weeks all with different user names:
Jul 20 01:31:32 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user operator.
Jul 20 01:31:37 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user games.
Jul 20 01:31:42 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user gopher.
Jul 20 01:31:46 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user ftp.
Jul 20 01:31:51 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user nobody.
Jul 20 01:31:56 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user rpm.
Jul 20 01:32:01 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user vcsa.
Jul 20 01:32:06 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user nscd.
But for the last week the logs are only reporting attempts under my user name of gavin. It looks like an attempted hack - any way of logging the incoming IP? I'm using RSA public key encryption on SSH2 with password login disabled so I'm fairly safe but I don't understand why the logs are reporting an "authinternal" failure. That suggests that the attack is coming from a script on the remote mac. Accounting and traffic logs look fine so not sure what to make of it. Any clues?
Gavin
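An added example, not part of any post in this thread: a small Python script that parses secure.log lines in the format quoted above and flags runs of closely spaced failures spread across many different account names, the pattern visible in the Jul 20 01:31 entries. The year, the 10-second gap and the five-name threshold are assumptions; these log lines carry no source address, so the script cannot recover the incoming IP.

```python
import re
from datetime import datetime, timedelta

# Sample input: secure.log lines quoted in the thread, plus one constructed unrelated line.
SAMPLE = """\
Jul 20 01:31:32 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user operator.
Jul 20 01:31:37 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user games.
Jul 20 01:31:42 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user gopher.
Jul 20 01:31:46 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user ftp.
Jul 20 01:31:51 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user nobody.
Jul 20 01:31:56 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user rpm.
Jul 20 01:32:01 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user vcsa.
Jul 20 01:32:06 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user nscd.
Jul 20 19:01:29 remote.mac com.apple.SecurityServer: authinternal failed to authenticate user gavin.
Jul 20 19:02:00 remote.mac example: unrelated line (constructed)
"""

# Matches the SecurityServer failure format shown in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"com\.apple\.SecurityServer: authinternal failed to authenticate user (?P<user>\S+?)\.$"
)

def parse_failures(text, year=2005):
    """Return sorted (timestamp, user) pairs; syslog lines omit the year, so it is assumed."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"]))
    return sorted(out)

def find_sweeps(failures, max_gap=timedelta(seconds=10), min_users=5):
    """Group failures spaced <= max_gap apart; keep groups touching >= min_users names."""
    sweeps, run = [], []
    for ts, user in failures:
        if run and ts - run[-1][0] > max_gap:
            if len({u for _, u in run}) >= min_users:
                sweeps.append(run)
            run = []
        run.append((ts, user))
    if len({u for _, u in run}) >= min_users:
        sweeps.append(run)
    return sweeps

if __name__ == "__main__":
    for sweep in find_sweeps(parse_failures(SAMPLE)):
        names = ", ".join(u for _, u in sweep)
        print(f"{sweep[0][0]} to {sweep[-1][0]}: {len(sweep)} failures across: {names}")
```

A single failure for one real account, like the 19:01:29 entry, is deliberately not reported as a sweep; repeated failures for one name need a separate per-user count.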
philippe99 - Jul 28, 2005 - 8:51 am
Gavin, I know too little about remote Mac configuration or issues, and I erroneously thought that it could be bound to an access to an external .Mac account.
So, I prefer to repool the question for more specialized tech guys to handle.
Hope someone finds a solution
Regards
Philippe
slipknot - Jul 28, 2005 - 9:15 am
Philippe,
No probs. I'm sinking in deep water too but thanks for your efforts. Much appreciated.
All the best,
Gavin
bobw - Jul 28, 2005 - 11:38 am
Hi Gavin
See if these are any help:
http://yost.com/computers/probecheck/
http://macintouch.com/security-mon.html
--------
Bobw - Macosx.com Tech Support
slipknot - Jul 29, 2005 - 10:26 am
Bob,
Thanks for the reply. Yeah, helpful sites. Looks like somebody is trying to brute force my password. Should be OK 'cos only access is through RSA key. Need to try and understand how to filter these requests out at the firewall though before they even hit the Mac. Got any more magic URLs?
Thanks very much,
Gavin
bobw - Jul 29, 2005 - 10:40 am
Gavin
That's all I could find, sorry.
--------
Bobw - Macosx.com Tech Support
slipknot - Jul 29, 2005 - 10:43 am
Bob,
You called at just the right time. I was just reading this, if you're interested:
http://www.novajo.ca/firewall.html
Cheers,
Gavin
bobw - Jul 29, 2005 - 10:45 am
Gavin
Thanks for the link. Haven't seen that one before.
--------
Bobw - Macosx.com Tech Support