Greetings.

I'm running CentOS on multiple machines and a few third-party VPS's and have some odd logging issues today. It all started when tcpwrappers couldn't seem to recognize my PC's hostname as being a valid hostname for access. Fortunately I was able to get in with a direct IP. When trying to discover what's going on, I found some very odd entries in the secure log... (IP's changed to protect the identity of my PC and the machines)

Mar 8 17:55:53 server123 sshd[3053]: Failed publickey for root from ::ffff:192.168.87.119 port 45686 ssh2
Mar 8 17:55:55 server123 sshd[3053]: Accepted password for root from ::ffff:192.168.87.119 port 45686 ssh2
Mar 8 09:55:55 server123 sshd[3052]: Accepted password for root from ::ffff:192.168.87.119 port 45686 ssh2
Mar 8 18:01:18 server123 sshd[4743]: Failed publickey for root from ::ffff:192.168.87.119 port 45692 ssh2
Mar 8 18:01:20 server123 sshd[4743]: Accepted password for root from ::ffff:192.168.87.119 port 45692 ssh2
Mar 8 10:01:20 server123 sshd[4742]: Accepted password for root from ::ffff:192.168.87.119 port 45692 ssh2
Mar 8 10:01:38 server123 sshd[4792]: reverse mapping checking getaddrinfo for s0106001111e058c2.myispdomain.net failed - POSSIBLE BREAKIN ATTEMPT!
Mar 8 10:01:38 server123 sshd[4792]: Accepted password for root from ::ffff:10.10..161.102 port 57689 ssh2
Mar 8 10:01:38 server123 sshd[4793]: Accepted password for root from ::ffff:10.10..161.102 port 57689 ssh2
Mar 8 18:07:19 server123 sshd[6411]: Connection closed by ::ffff:10.10..161.102
Mar 8 18:09:02 server123 sshd[6699]: Accepted password for root from ::ffff:10.10..161.102 port 58017 ssh2
Mar 8 10:09:02 server123 sshd[6698]: Accepted password for root from ::ffff:10.10..161.102 port 58017 ssh2

This snippet is in order that it appears in the database. Notice the timestamp. It starts off thinking it's almost 6pm then reverts to the correct time of almost 10am, then to 6pm, then back to 10am and so on and so forth.
Upon looking back even further, I can see that this has been happening as far back as the secure logs go... Early February.

Checking through other machines, most seem to have this behavior, but some do not. The machines I've updated using "yum update" recently seem to be the ones with this odd behavior. Machines that are less up-to-date don't seem to have any weird logging and accept my SSH as expected. I've been watching the server time using date and it seems to always report what it should...

--
Mike

On Thu, Mar 08, 2007 at 11:09:49AM -0800, Mike wrote:
> This snippet is in order that it appears in the database. Notice the
> timestamp. It starts off thinking it's almost 6pm then reverts to the
> correct time of almost 10am, then to 6pm, then back to 10am and so on and
> so forth. Upon looking back even further, I can see that this has been
> happening as far back as the secure logs go... Early February.

Here is the root cause:

<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=231326>

I'm not sure what in SSH or PAM is running in GMT, though.

--
Matthew Miller mattdm at mattdm.org <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
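
For anyone building a timeline from a secure log affected this way, the following added example (not part of either message above) finds the duplicated sshd entries and reports the hour offset between them. The pairing rule (same host, program and message text logged by two different PIDs, a whole number of hours apart), the function names and the year 2007 are assumptions drawn from the excerpt in the thread; the sample lines are copied from that excerpt.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample lines copied from the secure log excerpt quoted in the thread.
SAMPLE = """\
Mar 8 17:55:53 server123 sshd[3053]: Failed publickey for root from ::ffff:192.168.87.119 port 45686 ssh2
Mar 8 17:55:55 server123 sshd[3053]: Accepted password for root from ::ffff:192.168.87.119 port 45686 ssh2
Mar 8 09:55:55 server123 sshd[3052]: Accepted password for root from ::ffff:192.168.87.119 port 45686 ssh2
Mar 8 18:01:20 server123 sshd[4743]: Accepted password for root from ::ffff:192.168.87.119 port 45692 ssh2
Mar 8 10:01:20 server123 sshd[4742]: Accepted password for root from ::ffff:192.168.87.119 port 45692 ssh2
"""

# Classic syslog layout: "Mon D HH:MM:SS host prog[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+)\[(\d+)\]: (.*)$")

def parse(line, year=2007):
    """Return (timestamp, host, prog, pid, msg), or None if the line does not match."""
    m = LINE.match(line)
    if not m:
        return None
    stamp, host, prog, pid, msg = m.groups()
    # Syslog stamps carry no year; it is supplied by the caller (assumed 2007 here).
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, host, prog, int(pid), msg

def find_tz_skew(text, year=2007):
    """List (msg, pid_a, pid_b, hours) for identical messages written by two
    PIDs whose timestamps differ by a non-zero whole number of hours."""
    seen = defaultdict(list)
    for line in text.splitlines():
        rec = parse(line, year)
        if rec:
            ts, host, prog, pid, msg = rec
            seen[(host, prog, msg)].append((ts, pid))
    findings = []
    for (_host, _prog, msg), entries in seen.items():
        for i, (ts_a, pid_a) in enumerate(entries):
            for ts_b, pid_b in entries[i + 1:]:
                delta = (ts_a - ts_b).total_seconds()
                if pid_a != pid_b and delta != 0 and delta % 3600 == 0:
                    findings.append((msg, pid_a, pid_b, int(delta // 3600)))
    return findings

if __name__ == "__main__":
    for msg, a, b, hours in find_tz_skew(SAMPLE):
        print(f"pid {a} is {hours:+d}h relative to pid {b}: {msg}")
```

A consistent offset across all findings points to a timezone difference between the logging processes rather than a drifting clock, so the skewed entries can be shifted by that offset before correlating with other logs.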