I am new to the whole server thing so I need help to decipher these /var/log/messages:
Jun 14 20:06:37 linux-j10q nagios: Auto-save of retention data completed successfully.
Jun 14 20:10:22 linux-j10q sshd[6572]: Connection closed by 10.0.100.9 [preauth]
Jun 14 20:15:22 linux-j10q sshd[6646]: Connection closed by 10.0.100.9 [preauth]
Jun 14 20:20:22 linux-j10q sshd[6696]: Connection closed by 10.0.100.9 [preauth]
Jun 14 20:25:22 linux-j10q sshd[6745]: Connection closed by 10.0.100.9 [preauth]
Jun 14 20:30:22 linux-j10q sshd[6790]: Connection closed by 10.0.100.9 [preauth]
Jun 14 20:35:22 linux-j10q sshd[6840]: Connection closed by 10.0.100.9 [preauth]
Does this indicate that someone besides myself is trying to ssh into my box?
Are there any other apps or logs that would give me more information?
Maybe this is just some random error??
This is my first server that is on 24/7 and only hands out things to the local network as far as I know and it is also behind a NAT router.
I really do not know what I am doing though so anything could be happening behind my back… :shame:
That is why I need help with the log messages.
On 2013-06-15 03:26, jdmcdaniel3 wrote:
>
> This message thread is now open for comments and discussions.
On 2013-06-15 03:06, anika200 wrote:
> I am new to the whole server thing so I need help to decipher these
> /var/log/messages:
>
>
> Code:
> --------------------
>
> Jun 14 20:06:37 linux-j10q nagios: Auto-save of retention data completed successfully.
> Jun 14 20:10:22 linux-j10q sshd[6572]: Connection closed by 10.0.100.9 [preauth]
> Jun 14 20:15:22 linux-j10q sshd[6646]: Connection closed by 10.0.100.9 [preauth]
> Jun 14 20:20:22 linux-j10q sshd[6696]: Connection closed by 10.0.100.9 [preauth]
> Jun 14 20:25:22 linux-j10q sshd[6745]: Connection closed by 10.0.100.9 [preauth]
> Jun 14 20:30:22 linux-j10q sshd[6790]: Connection closed by 10.0.100.9 [preauth]
> Jun 14 20:35:22 linux-j10q sshd[6840]: Connection closed by 10.0.100.9 [preauth]
> --------------------
>
>
> Does this indicate that someone besides myself is trying to ssh into my
> box?
Who/what is in 10.0.100.9? It seems a cron-job, it acts every five
minutes on the second.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
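Added example, not part of the original posts: one way to check the "every five minutes on the second" observation is to group the pre-auth closes by source address and measure how regular the gaps are. The function names, the 2-second jitter threshold and the four 10.0.100.77 lines are assumptions made for this sketch; it parses only the traditional syslog timestamp format shown in the first post.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: the sshd lines quoted in the thread (one keeps the stray
# "│" from the paste), plus four invented lines from 10.0.100.77 for contrast.
SAMPLE = """\
Jun 14 20:06:37 linux-j10q nagios: Auto-save of retention data completed successfully.
│Jun 14 20:10:22 linux-j10q sshd[6572]: Connection closed by 10.0.100.9 [preauth]
Jun 14 20:11:03 linux-j10q sshd[6580]: Connection closed by 10.0.100.77 [preauth]
Jun 14 20:11:09 linux-j10q sshd[6583]: Connection closed by 10.0.100.77 [preauth]
Jun 14 20:15:22 linux-j10q sshd[6646]: Connection closed by 10.0.100.9 [preauth]
Jun 14 20:19:47 linux-j10q sshd[6690]: Connection closed by 10.0.100.77 [preauth]
Jun 14 20:20:22 linux-j10q sshd[6696]: Connection closed by 10.0.100.9 [preauth]
Jun 14 20:25:22 linux-j10q sshd[6745]: Connection closed by 10.0.100.9 [preauth]
Jun 14 20:30:22 linux-j10q sshd[6790]: Connection closed by 10.0.100.9 [preauth]
Jun 14 20:33:15 linux-j10q sshd[6821]: Connection closed by 10.0.100.77 [preauth]
Jun 14 20:35:22 linux-j10q sshd[6840]: Connection closed by 10.0.100.9 [preauth]
"""

LINE = re.compile(
    r"^\W*(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Connection closed by (?P<ip>\S+) \[preauth\]"
)

def preauth_closes(text, year=2013):
    """Map source IP -> sorted timestamps of pre-auth 'Connection closed' events."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            # Traditional syslog timestamps carry no year; the caller supplies it.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append(ts)
    return {ip: sorted(ts) for ip, ts in events.items()}

def classify(times, max_jitter=2.0, min_events=4):
    """Return (label, mean gap in seconds); 'periodic' means near-constant gaps."""
    if len(times) < min_events:
        return ("too-few-events", None)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    label = "periodic" if pstdev(gaps) <= max_jitter else "irregular"
    return (label, mean(gaps))

def report(text):
    """Classify every source address seen in the log text."""
    return {ip: classify(ts) for ip, ts in preauth_closes(text).items()}
```

A source labelled periodic with a round mean gap (300 seconds for the lines in this thread) points at a scheduler or monitoring check; an irregular source deserves a closer look in the rest of the sshd log.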
10.0.100.9 is the machine with the logs (this is what I am calling the server). It is the box in the other room which is serving as a backup, media server and DNS for the other locally connected computers.
The “other app” I used was firefox (with a google search for the error message).
I just produced this message:
2013-06-14T22:22:12.849989-05:00 nwr2 sshd[11840]: Connection closed by 192.168.254.101 [preauth]
which looks like the same thing.
To produce that, I did an ssh to an alias name for my system. I chose that alias because there happens to not be an entry in “known_hosts” or “ssh_known_hosts” for that alias.
I got a message from ssh about host key not known, and did I want to continue. I said “no”. And that generated the message.
Maybe there are other things that generate this message, but I haven’t come across them. That is not the normal message for ssh breaking attempts.
> It seems a cron-job, it acts every five
> minutes on the second.
@robin_listas: You may be on to something there, recently I installed Nagios with a ssh monitoring plug-in. I probably have something configured wrong with that plug-in.
On 2013-06-15 14:56, anika200 wrote:
>> It seems a cron-job, it acts every five
>> minutes on the second.
> @robin_listas: You may be on to something there, recently I installed
> Nagios with a ssh monitoring plug-in. I probably have something
> configured wrong with that plug-in.
Makes sense.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
On 2013-06-15 14:56, anika200 wrote:
>> It seems a cron-job, it acts every five
>> minutes on the second.
> @robin_listas: You may be on to something there, recently I installed
> Nagios with a ssh monitoring plug-in. I probably have something
> configured wrong with that plug-in.
Try to make the connection once, manually. You have to say yes to the
question about adding to the database or the automatics will never work.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
On 2013-06-15 16:16, anika200 wrote:
> robin_listas;2564956 Wrote:
> Not sure what you mean there?
>
> This is a headless server (10.0.100.9), I work with it via ssh from
> another machine on the local network.
You said you have nagios trying to connect, and it fails because it has
never connected directly from shell, so that you can answer YES to the
question:
+++··············
On 2013-06-15 05:36, nrickert wrote:
> I got a message from ssh about host key not known, and did I want to
> continue. I said “no”. And that generated the message.
··············++-
If you say no, nagios will never connect automatically.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
Thank you for the reply, nrickert. It seems this will take me a few days to digest and figure out. Your comments and Carlos knocking me over the head have got me on the right track.