Root: 1 failure since last login
Felipe Figueiredo
philsf79 at gmail.com
Wed Oct 10 19:46:09 UTC 2007
On Wednesday 10 October 2007 16:30:09 Dotan Cohen wrote:
> On 10/10/2007, Nils Kassube <kassube at gmx.net> wrote:
> > Dotan Cohen wrote:
> > > Thanks. There's a lot of root logins. Is that as scary as I think it
> > > is? This machine does have sshs running, but it's behind a router with
> > > no NAT forwarding.
> >
> > It looks quite normal. Those entries are mostly cron jobs. And the failure
> > was obviously a typo when you tried to login. Compare the time stamps -
> > there are only a few seconds from the failure to successful login:
> >
> > > Oct 10 20:25:17 ubuntu-laptop login[4662]: (pam_unix) authentication
> > > failure; logname= uid=0 euid=0 tty=tty4 ruser= rhost= user=root
> > > Oct 10 20:25:19 ubuntu-laptop login[4662]: FAILED LOGIN (1) on 'tty4'
> > > FOR `root', Authentication failure
> > > Oct 10 20:25:28 ubuntu-laptop login[4662]: (pam_unix) session opened
> > > for user root by (uid=0)
> > > Oct 10 20:25:28 ubuntu-laptop login[16205]: ROOT LOGIN on 'tty4'
> >
> >
> > Nils
> >
>
> Yes, it would seem so. So, I suppose that the auth.log shows nothing
> related to my current problem. When one logs into root and gets the
> message "1 failure since last login", what would be a good next step
> to take?
Are you looking at this log directly (say, with less), or are you using the
graphical tool in System/Administration?

Note that log files are rotated, and if you saw the failure message when
logging in, it doesn't give you information on when it happened. If the only
failure is the one you pasted, you're ok. If not, it may be in an older file
(like auth.log.1.gz, or older), or even rotated.

To check this, you can use the commands last and lastb.

If you want to keep a healthy level of paranoia (g), check out the acct
package. Also, if it's a sensitive machine, and not physically safe, you
should use tripwire, aide or some other IDS. Check out the harden-environment
package (and other harden-*, according to your needs).

regards
FF
--
- Because it breaks the flow of reading.
- Why isn't it good to write the reply on top of the email?
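
Added example, not part of the original message: a Python sketch of the check discussed in this thread. It reads auth.log together with its rotated copies and reports, for each FAILED LOGIN line, whether the same login process opened a session for that user shortly afterwards. The function names, the 60-second window and the sample lines are assumptions made for illustration.

```python
import glob
import gzip
import re
from datetime import datetime

# Constructed sample in the syslog format quoted in the thread (lines unwrapped).
SAMPLE = """\
Oct 10 20:25:17 ubuntu-laptop login[4662]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=tty4 ruser= rhost= user=root
Oct 10 20:25:19 ubuntu-laptop login[4662]: FAILED LOGIN (1) on 'tty4' FOR `root', Authentication failure
Oct 10 20:25:28 ubuntu-laptop login[4662]: (pam_unix) session opened for user root by (uid=0)
Oct 10 20:25:28 ubuntu-laptop login[16205]: ROOT LOGIN on 'tty4'
Oct 11 03:12:40 ubuntu-laptop login[5120]: FAILED LOGIN (1) on 'tty2' FOR `root', Authentication failure
""".splitlines()

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ login\[(\d+)\]: (.*)$")
FAILED = re.compile(r"FAILED LOGIN \(\d+\) on '([^']+)' FOR `([^']+)'")
OPENED = re.compile(r"session opened for user (\S+)")

def read_logs(pattern="/var/log/auth.log*"):
    """Yield lines of auth.log and its rotated copies (.gz included), oldest first."""
    # Reverse lexical order is oldest-first for single-digit rotation suffixes.
    for path in sorted(glob.glob(pattern), reverse=True):
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh

def failed_logins(lines, window=60):
    """Return (timestamp, tty, user, explained) per FAILED LOGIN line; explained means
    the same login process opened a session for that user within `window` seconds."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:  # syslog omits the year; 2000 is a placeholder so Feb 29 parses
            when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
            events.append((when, *m.groups()))
    results = []
    for i, (when, stamp, pid, msg) in enumerate(events):
        f = FAILED.search(msg)
        if f:
            explained = any(
                p == pid and 0 <= (t - when).total_seconds() <= window
                and (o := OPENED.search(later)) and o.group(1) == f.group(2)
                for t, _, p, later in events[i + 1:])
            results.append((stamp, f.group(1), f.group(2), bool(explained)))
    return results

if __name__ == "__main__":
    for row in failed_logins(SAMPLE):  # use read_logs() to scan the real files
        print(row)
```

Rows whose last field is False are the ones worth a closer look; only login[...] lines are considered, so cron and sshd entries are ignored.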