logwatch explanation

Question

Could anyone please explain what the various parts of the following LogWatch mean:

--------------------- IMAP Begin ------------------------ 

[IMAPd] Logout stats:
====================
User | Logouts | Downloaded |  Mbox Size
<email>  <number> <number> <blank>
cpanel@localhost 287 0 <blank>

There are perhaps 4-5 entries (this isn't a very busy server) here. And what does the "logout" mean? And why would cpanel be so high in comparison?

Unmatched Entries

Disconnected, ip=[::ffff:XX.XX.XXX.XXX], time=0: 10 Time(s)

Disconnected, ip=[::ffff:XX.XX.XXX.XXX], time=0, starttls=1: 8

What does this mean ? (IP address removed)

I then have:

 --------------------- pam_unix Begin ------------------------ 

 sshd:
    Authentication Failures:
       unknown (pega-tynset.eidsiva.net): 875 Time(s)
       root (training-plesk.cwie.net): 658 Time(s)

is this someone attempting to gain access to our server? Is this something to be concerned about - over 1500 attempts seems worrying?

thanks for any further info, I appreciate there's a lot - are there any decent resources for understanding what this means? "LogWatch" doesn't really turn up much on google

thanks again

MadHatter · Answer 1 · 2010-11-16T09:57:00.550

I can't immediately speak for the IMAP entries, but the sshd logs are very characteristic of someone (well, some program) trying to gain access by brute-force password guessing. In my opinion, you should do something about that, or they will eventually guess someone's bad password, and even until then dealing with each of these attempts uses server resources. Different people find different solutions.

I went out and about to find out what people do, and made my own decision, which involved using iptables to rate-limit sshd connections; you can read about that in my technote. Others have gone for suggestions I wrote about but decided not to implement, or technologies like fail2ban.

A default install of denyhosts will slow down that type of cracking attempt as well. — Kzqai, May 20 '11 at 16:01

score 2 · Accepted Answer · answered Nov 16 '10 at 09:46

You have several questions in the same message, you might get better results splitting them up.

However, I will try to answer the sshd question and the unmatched one.

I get several thousands of failed sshd attempts per day, sometimes more. I ignore them because I use secure passwords, do not have "guest" accounts which have weak passwords, and do not allow users to choose weak passwords.

There are many probes for security every day, if not every hour. If you worry about them all, you'll go insane. The real question to ask is how secure your system is against these probes. If you have come of the common user accounts without passwords, with weak passwords, or with guest logins (without passwords or with common ones) then you should fix that. If not, well, ignore them.

The unmatched entries are from something that is accepting IPv4 addresses and displaying IPv6 "mapped addresses" -- my imapd does this. It may just be that. Can you look manually and match up PIDs?

score 1 · Answer 3 · answered Nov 16 '10 at 22:18

1

Use Blockhosts phyton skript to block (Drop TCP packages) unathorized users.

answered Nov 16 '10 at 22:18

garphi

11
1

logwatch explanation

3 Answers3