Logwatch Best Practices
			Apr 3, 2009
				I've been tasked with developing a default Logwatch configuration for a few dozen servers that will email their findings to a ticketing system. I was hoping to find insight here from users who are using Logwatch similarly. If you have Logwatch emailing a ticket system, I'd love to hear about your custom configs...
	
	View 4 Replies
  
    
    	
    	
        Jun 5, 2008
        I can't seem to download logwatch anymore.
Is there any site keeping an archive of logwatch available for download?
Or is there any alternative to logwatch?
	View 7 Replies
  
    
	
    	
    	
        Feb 7, 2008
        We are starting a new hosting infrastructure.
Starting with: 
1 - Linux Plesk server
1 - Windows Plesk server
Each of the above should be a primary DNS server so that customers can use Plesk to manage their DNS settings.
The 'easy button' seems to be to add another IP to each server above and let each also be the secondary.
My understanding is secondary DNS should definitely be on a separate server.
With that said, I was thinking we should have a 3rd server that could be the secondary for either of the above.
The KEY is AUTOMATION.  I want it so if someone adds a domain to either of the Plesk servers, the secondary DNS is AUTOMATICALLY added as a secondary to the 3rd server.
I found this tool:
[url]
I think it might work, but we can't be the only HSP using Plesk wanting to keep DNS split across two servers.
What would the best approach be?  Seeking something clean and reliable.
	View 1 Replies
  
    
	
    	
    	
        Feb 5, 2008
        Nowadays a MySQL 5 installation on Windows seems a breeze; you do not even need to edit the my.cnf files, etc. But is there anything we can do to optimize MySQL inside a Windows 2003 environment?
	View 0 Replies
  
    
	
    	
    	
        May 10, 2008
        A couple of years ago I was brought on as co owner and admin of a website.  Since then we have grown and moved from shared hosting, to a VPS, to a Dedicated Server.  Now we are preparing our new website and have a new server configuration chosen.
Currently we run our backups to BQ Internet, who have been fantastic.  However the new website will have a lot of videos, currently we have about 14,000 photos at extremely high res (6mb). We have opted for two 500gb HDDs mirrored / raid to ensure we have space for these files and they are backed up.
Now my concern is bandwidth and backing up large amounts of data offsite, would it be beneficial in our case to get a second server locally in the same DC where bandwidth between servers is unmetered?
Is this what most people do?  Is it a "safe" option?
What other measures can we take to ensure the integrity of our data, should the server be compromised?  Do you on a 3 month or quarterly basis receive backups of your data to your own premises, or do you just trust it all with your host?
I'm a bit of a sceptic, so at the moment I have a 150gb per month plan and do a once a month backup locally to my home external HDD, archaic way of thinking yeah? 
	View 7 Replies
  
    
	
    	
    	
        Jun 14, 2007
        Does anyone have any links to best practice papers or whitepapers on datacenter PHYSICAL construction? I am most interested in rack layout, switch positioning and cable runs etc.
	View 6 Replies
  
    
	
    	
    	
        Apr 3, 2008
        Last year I tested out 1&1 for registering two domains. What a mistake.
DNS propagation takes forever. Namecheap and godaddy propagate within minutes. 
My experience with billing has been unnerving.
I moved my domains away from 1&1 before the year was up. I was still billed for the renewal. I phoned 1&1 and received an email that my account was canceled & credited.
Lo and behold, today I received a notice from NCO Financial Systems, a collection agency that 1&1 uses, stating I owe $6.99 plus $18.95 in fees.
Going back over my records (I save everything) I see that the credit memo I received (as an email attachment) was for only one of the domains. Yes, they had billed me for the two domains even though they had been transferred away.
Thus the $6.99 allegedly still owed them. 
Today I phoned customer service and explained the situation. The rep saw the invoice (on my account) for the two domains and only the one credit memo yet could not figure out what to do. I explained the situation to him three times clearly and he would take no action. I asked for a supervisor and none could be found. I will have to call back or have them call me.
He said they would not be able to credit my account for the NCO fees of $18.95 for the $6.99 they BILLED ME IN ERROR!
I am waiting to call back to speak with a supervisor.
In my eleven years of hosting this is the lamest company I have dealt with. Even dreamhost had better customer service.
	View 8 Replies
  
    
	
    	
    	
        Apr 28, 2009
        develop and deploy a security strategy to make my single dedi and two VPSes (all with similar hardware configuration and running Linux CentOS 5.2+ w/DirectAdmin CP and Xen virtualization) as secure as possible, both internally and externally. 
I hope you'll freely share your best practices, recognizing that this is the kind of thread multiple members will read for a long time to find out WHO the WHT experts are and what they recommended this newb do. While I hope you'll read the whole post because I may raise issues either you've never thought about or legitimate security issues you've tried to make others aware of but to no avail, I don't expect everyone to respond to every word of this long post. Please feel free to provide solutions-oriented comments and/or constructive direction, based on your area of expertise, only to the specific issues you want to address. 
A little background is helpful: 
I'm not a reseller nor will I be running anything that needs DDOS-like protection. I'll be running some virtual OS instances, trying out VoIP software and installing and running a virtual Linux desktop from my dedi and creating a mirror for the VPS for my websites, blogs, and email. One VPS will be the slave server to the dedi.  I will be running my own DNS, mail and virtual servers on both VPS and the dedi as well. I'll also be backing up data on one of the VPS. All of these activities, I know, present security issues I need to confront.
I'm looking for primarily open source solutions to protect my small server network since first, it fits my budget and, second, I find most proprietary software restrictive and easier to exploit with backdoors, etc. I'd prefer an open source alternative that's of the same high quality and security as a proprietary service. But, if you think a proprietary product or service far outstrips anything open source and you've deployed it for clients or used it for your own servers, let me know. (I prefer to hear actual, first person, end-user accounts/suggestions.)
I'm a quick study--in fact, warp speed--so can learn what I need to do if I have good direction, (which is why I came here to ask). But, since I'm not yet an expert, please expect clarification questions. 
So, here's what I want to know:
1) I will be logging in via secure, encrypted SSH to run commands and manage software but what's the best secure file and data transfer method/software to use? Can I make SSH more secure? Should I run a VPN from one of the boxes? Is using a secure web interface safe for managing or monitoring my server?
2) What's the best firewall for a dedi and will that firewall work for a VPS?
3) Same question for anti-malware (antispyware/antivirus/antispam) software. I see Kaspersky and Dr. Web a lot as well as Spamassassin (which is open source) but what are some other options? Aren't server hackers expecting most servers to have the same protection software and doesn't that make them easier to hack?
4) What are some of the ways my servers can be exploited? For example, can others use my email servers to send spam or other servers to commit illegal acts? (I want to avoid getting my server taken down or my IPs blacklisted for someone else's activities). How do I prevent such exploitation?
5) What's the best and safest way to backup and/or sync my servers? What kinds of encryption should I use for the data on my servers? My internal servers like mail, file and virtual servers and appliances?
6) Other than software, what are some of the best methods for protecting my servers from DNS attacks, spam, viruses, hacking, etc.? Should I write specific commands into certain files or run them on a bash shell?
7) Are there GOOD websites or blogs that cover this subject? I can't afford to buy a library of books and wouldn't have time to read them. Also, by the time I do, the information would be outdated. I need to keep up. Finally, I learn best by doing and need to hit the ground running; information needs to be somewhat noob friendly and definitely actionable.
Also, what about implementing general server privacy practices? For example, I invest in truly private domain name registration (read: privacyprotect.org) and, in addition, private DNS for my website and blog domain names. I will be employing other (legal) techniques that prevent too much info from being revealed in my email headers without getting my email sent to spam. In some cases, I use encrypted email.
If I'm taking those steps, doesn't it make sense to implement a strategy that prevents as many people as possible from physically locating my servers in the first place--to force them to spend significant time (and money if they're serious) trying to figure out where my IP addresses go by using some kind of stealth DNS? 
The analogy that comes to mind is using a correctly configured, encrypted and anonymous VPN, SSH tunnel or proxy server to mask the IP address that leads to your home ISP and, ultimately, to your house. Not to protect yourself from law enforcement because if you're doing illegal stuff online, you SHOULD be caught. But to protect myself from nefarious individuals, nosy neighbors, stalkers or ISPs logging your every internet move. Is there a way to do this with my dedi and VPSes, prevent unnecessary location thus targeting, logging, sniffing, etc?
What other things should I be thinking about? Tell me what I'm missing but please don't just share potential nightmare scenarios without telling me HOW to avoid them.
Again, the advice that's most helpful to me focuses on constructive, actionable solutions; what I CAN do, use, implement, deploy, etc. to develop and execute a strong security strategy for my servers. Again, if you share a negative scenario, please share a positive, effective solution. Tell me how I CAN effectively implement best security practices, even as a noob (since we ALL start as noobs, right?), 
I already know this won't be easy but I'm up for the challenge and like the control I'll have managing my own servers. So, I'm also not looking to pay anyone else to manage my digital assets (including my DNS) or for average end-user (retail) solutions designed for truly non-technical folks but ineffective for power users. Been there, done that, lost a lot of data, especially lately.
Finally, though I won't totally cheap out, I  don't have thousands of dollars to invest in enterprise level services I don't need for just one dedi and two small VPSes. To me, in terms of scale, this is not unlike securing my home network of a couple of laptops and a desktop workstation from drive by hacking and other threats. In addition to open source software, if I can do something myself, I'd rather, than paying someone else. 
If I can rebuild my Windows desktop from bare metal (more than once, in fact) and install a home network and secure both as well as any service can, I can do this.
	View 6 Replies
  
    
	
    	
    	
        Apr 12, 2009
        Buyer? Seller? How to do fair practice?
I often see that when a buyer wants to buy something or hire someone, they will be asked to deposit a certain amount before the work starts. I know that this is one way of insurance against scammers and fraud and I have no problem with that.
BUT, what about the buyers? What if they committed to hire a company, were given a timeline, and when the time comes, the work is still a long way from finished or, worse, they get a full refund just because the provider decided that they can't deliver the results as promised?
Let's say a buyer hires a company to do custom work. I am pretty sure that he will not hire another developer as a backup in case the work he's currently outsourced fails. BUT, what if the developer decides to back out of the deal? What will happen to the buyer's time? He will have to start searching for someone else and start over again. So, by the time he gets the job done, he has already wasted a huge amount of time.
So, I think it would be fair to both parties that a provider should place a TOS stating what they will do if they decide to back off from an ongoing deal.
Yes, this rant came from dissatisfaction with my recent fallen deal. I am now way behind my schedule. This is me sharing what I feel right now and no pun intended.
	View 13 Replies
  
    
	
    	
    	
        Jun 2, 2008
        Last September, I subscribed to a VPS from buyavps.com to test how WHM and some of our accounts behave if we upgrade from PHP 4 to PHP 5. This was concluded towards early November, but I left the VPS subscription active, thinking later on we might have other cases where I would rather test a server-wide software upgrade in a VPS first.
A couple of months later, in January of this year, I indeed had such a case where I wanted to test something again. After a couple of unsuccessful tries, I opened a support ticket about accessing my VPS, thinking maybe I wrote down a wrong password or whatever. 
Imagine my surprise when support told me my VPS account does not exist and asked me whether I have been actually paying for one, then asked me for a transaction ID. This although I had an active subscription at that time, paying monthly for the service. 
Actually the subscription just billed again right while support sat on the ticket, writing me this response. After that shock, I went and cancelled the subscription, but I already lost another month's payment. I demanded the money back for a period I was charged for at a time when there was clearly no service any more, plus the period before at the end of which there clearly was no service any more either. Support said they'll forward my ticket to billing, and that was the last I heard.
Still having faith in the company, since it was to my knowledge Tina's company (she was the reason I went with buyavps.com in the first place), I decided to wait for a few weeks for the refund.
After that came months where I forgot about this issue, recently noticing only the e-mails again. Still having faith in Tina, I sent her a PM here on WHT so that she could look into this issue. To which she answered that she sold her part in buyavps.com to another company months ago.
At that point, I sent off another support ticket to buyavps.com, where several people asked the same questions all over again, just to say in the end I am not entitled to any kind of refund. At which I got pissed and told them they stole my money and do I really have to come to a public place to tell the story?
Well here I am - knowing the industry I am not very surprised at how they took my money and provided no service for it. For this, they deserve to be named here and serve as a warning for potential new customers of buyavps.com.
However, I am extremely disappointed in how you can't trust even prominent people of this industry with good reputation any more. I signed up to this service because I trusted the person who ran the company, all payments went to her Paypal account, and at the time this whole fiasco happened she was still (part-)owner of the company. Shrugging it all off is not what I expected.
p.s. I have a number of e-mails for proof and further details if desired, just wanted to keep the size of this post within limits.
	View 13 Replies
  
    
	
    	
    	
        Jan 3, 2007
        I have had my web server hacked several times and I am beating my head against the wall trying to find the problem(s).
Way back when, my sites were defaced and CHMODing my *.html files to 744 seemed to have done the trick.
Now someone has put a phishing site up somehow, which by the way I'm still not able to remove. I can't help but think that I may have more CHMODing to do. I have recursively set my site to 755; should this do the trick? I know I need to chmod .htaccess and similar files to 644, but what about... images? CGI/PHP? css? etc.?
What other steps can I take to secure this thing?
It's a shared host, limited access, but I do have SHELL.
	View 6 Replies
  
    
	
    	
    	
        Nov 11, 2008
        I am posting here my experience with Theplanet and also looking to gain insights into unethical practices by hosting providers who are turning to the practices of utility and credit card companies. I have been a loyal customer of Serverbeach for 4 years, and I have been a loyal customer of Theplanet for more than a year. I outsource my server administration to admins who set up, configure and manage my servers. Recently Theplanet disconnected our server as our credit card on file expired, which I believe is the right thing to do. What ticks me off is the fact that they are charging a reconnect fee - FOR WHAT - to click a button? Just Ridiculous. These dedicated companies are following the path of utility companies and credit card companies, which slap various fees on their customers and milk customers. Sure, a reconnect fee is understood if the account is not in good standing and such incidents are common on the account. What surprises me is this is the first time in 1+ year and they refuse to waive the fee; it is not the question of the fee but the ethics and practices that I am concerned about. Now a reconnect fee, what next? A server restart fee? Which direction are these hosting companies moving towards? 
Well, I explained the situation and that email is not always the best communication; a phone call could have helped. Who would not agree that that single email might have got stuck in a junk folder? They had my full contact information; if only they were genuine, they would call and understand what the issue is, and have at-risk management practices in place so their sales rep could contact me right after 3 days of non-payment. But NO, they rather wanted me to contact them, as they take it for granted that I have been their customer for more than a year and it is not easy for me to move out to a different provider; I would not have any option but to pay considering the time and effort involved in migrating to another hosting provider. 
ThePlanet - Sorry, but on the ethics issue I would not mind spending 100 x the reconnect fee to move to another provider who understands customers.
I am reaching out to all the individuals who sign up with these companies to respond to this post with any such experiences. Hidden fees charged by these companies? Have you noticed how credit card companies change their billing cycles and you receive the bill only to learn you missed the payment due date... 
That said please let me know which is the best dedicated server company which I can sign up with which does not enforce hidden fees such as these and is ethical and understands and listens to customers.
	View 14 Replies
  
    
	
    	
    	
        Apr 3, 2009
        One of our clients uses an MS Exchange 2003 SBS server, with Exchange for their internal email. We provide them with a domain, ADSL (which uses dynamic DNS) and POP3 email. They don't have a spam filter program on the Exchange server itself due to costs, so I have set up each user on the Exim server, which runs ASSPX for anti-virus / spam filter / etc. 
Then I set up the SBS 2003 server to pull the email via POP3, but this doesn't seem to work too well, because the Exchange server doesn't always download the POP3 email, and then the users often sit without email until I go there to manually download the mail again. 
I have tried changing the MX record to point to their DynDNS address, and it works well, but then they get a lot of spam. And the cost of a server-side spam solution is just too expensive, and they also pay for the bandwidth used when spam comes in. So, I moved their MX record back to the Linux server. But now I sit with the problem of the POP3 connector failing from time to time. 
So, I would like to know, is there a way to "push" (not forward) mail from the Linux server, after it has arrived and spam has been blocked, to another domain, but with the same email address? I.e. the domain in question is attorneys.co.za and I've set up attorneys.dyndns.net as the dynamic domain, but the Exchange server serves email for attorneys.co.za. Forwarding email doesn't work, since there's no such user as bob@attorneys.dyndns.net, but rather bob@attorneys.co.za.
	View 0 Replies
  
    
	
    	
    	
        Jun 1, 2008
        I am getting these in Logwatch 7.3.2 
--------------------- Named Begin ------------------------ 
 **Unmatched Entries**
    client 193.220.62.4 error sending response: host unreachable: 1 Time(s)
    client 200.4.59.195 error sending response: host unreachable: 3 Time(s)
    client 201.143.242.67 error sending response: host unreachable: 1 Time(s)
    client 208.254.9.236 error sending response: host unreachable: 1 Time(s)
    client 213.85.189.1 error sending response: host unreachable: 8 Time(s)
    client 222.113.142.168 error sending response: host unreachable: 1 Time(s)
    client 61.109.163.138 error sending response: host unreachable: 1 Time(s)
    client 61.4.218.51 error sending response: host unreachable: 1 Time(s)
    client 62.179.104.208 error sending response: host unreachable: 1 Time(s)
    client 67.210.12.107 error sending response: host unreachable: 1 Time(s)
    client 78.4.45.16 error sending response: host unreachable: 4 Time(s)
    client 80.237.128.135 error sending response: host unreachable: 1 Time(s)
    client 85.106.233.213 error sending response: host unreachable: 1 Time(s)
    client 91.121.143.168 error sending response: host unreachable: 1 Time(s)
 
 ---------------------- Named End ------------------------- 
I have apf firewall installed
	View 0 Replies
  
    
	
    	
    	
        Feb 22, 2007
        I am thinking of installing Logwatch on my cPanel/WHM VPS 
Does it take a lot of resources to run?
Does it run once a day only or is it running all the time?
	View 1 Replies
  
    
	
    	
    	
        Apr 15, 2007
        I recently received this log from the server:
--------------------- httpd Begin ------------------------ 
0.00 MB transfered in 20 responses  (1xx 0, 2xx 6, 3xx 0, 4xx 14, 5xx 
0) 
 14 Content pages (0.00 MB),
 6 Other (0.00 MB) 
A total of 1 unidentified 'other' records logged
  GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1 with response code(s) 6 
400 responses
--------------------- Named Begin ------------------------ 
**Unmatched Entries**
   client 209.200.168.66 bad zone transfer request: './IN': 
non-authoritative zone (NOTAUTH): 1 Time(s)
   notify question section contains no SOA: 1 Time(s)
Does that mean someone was trying to break into the server or something?
	View 4 Replies
  
    
	
    	
    	
        Aug 2, 2008
        Quote:
Requests with error response codes
    400 Bad Request
       200: 1 Time(s)
       400: 1 Time(s)
    401 Unauthorized
       /: 2 Time(s)
    404 Not Found
       /user/soapCaller.bs: 2 Time(s)
I am a bit confused about this.  Is logwatch telling me a 400 request also served a 200?
	View 2 Replies
  
    
	
    	
    	
        Oct 29, 2007
        Just got logwatch installed but config file appears to be blank?
wget ftp://ftp.kaybee.org/pub/redhat/RPMS...6-1.noarch.rpm
rpm -Uvh logwatch-7.3.6-1.noarch.rpm
rm -rf logwatch-7.3.6-1.noarch.rpm
pico -w /etc/logwatch/conf/logwatch.conf
This is what the config file shows: 
# Local configuration options go here (defaults are in /usr/share/logwatch/defa$
I then look at that file and it's empty too. 
Isn't there supposed to be config lines in a file that I can alter to set my email address and stuff?
	View 3 Replies
  
    
	
    	
    	
        Jul 26, 2007
        ################################################################## 
 
 --------------------- Selinux Audit Begin ------------------------ 
  Number of audit daemon stops: 4 
 
 **Unmatched Entries** 
  Error sending failure mode request (Connection refused)
  Unable to set audit pid, exiting
  Cannot daemonize (Success)
  Error sending failure mode request (Connection refused)
  Error sending failure mode request (Connection refused)
  Unable to set audit pid, exiting
  Cannot daemonize (Success)
  Error sending failure mode request (Connection refused)
 
 ---------------------- Selinux Audit End ------------------------- 
 --------------------- Cron Begin ------------------------ 
 Commands Run:
    User *system*:
       personal crontab reloaded: 2 Time(s)
    User agadirnet:
       personal crontab listed: 1 Time(s)
    User dafatir:
       personal crontab listed: 1 Time(s)
    User drweb:
       /opt/drweb/update.pl: 37 Time(s)
    User kari:
       personal crontab listed: 1 Time(s)
    User karicom:
       personal crontab listed: 1 Time(s)
    User kastala:
       personal crontab listed: 1 Time(s)
    User mailman:
       /usr/lib/mailman/cron/checkdbs: 1 Time(s)
       /usr/lib/mailman/cron/disabled: 1 Time(s)
       /usr/lib/mailman/cron/gate_news: 223 Time(s)
       /usr/lib/mailman/cron/nightly_gzip: 1 Time(s)
    User root:
       /opt/php51/bin/php5
/usr/local/sitebuilder/utils/clear_trial_sites.php  > /dev/null 2>&1: 19
Time(s)
       /opt/php51/bin/php5 /usr/local/sitebuilder/utils/sip1.php   >
/dev/null 2>&1: 1 Time(s)
       /opt/php51/bin/php5 /usr/local/sitebuilder/utils/sip2.php   >
/dev/null 2>&1: 1 Time(s)
       /opt/php51/bin/php5 /usr/local/sitebuilder/utils/update_key.php >
/dev/null 2>&1: 1 Time(s)
       /usr/local/psa/admin/sbin/backupmng >/dev/null 2>&1: 74 Time(s)
       /usr/local/psa/libexec/modules/watchdog/cp/clean-events: 1
Time(s)
       /usr/local/psa/libexec/modules/watchdog/cp/clean-sysstats: 1
Time(s)
       /usr/local/psa/libexec/modules/watchdog/cp/pack-sysstats day: 1
Time(s)
       /usr/local/rtm/bin/rtm 40 >/dev/null 2>/dev/null: 1116 Time(s)
       /usr/local/sbin/bfd -q: 112 Time(s)
       /usr/sbin/ntpdate -b -s 213.186.33.99: 1 Time(s)
       run-parts /etc/cron.daily: 1 Time(s)
       run-parts /etc/cron.hourly: 18 Time(s)
 
 CRON Restarted 2 Time(s)
 
 ---------------------- Cron End ------------------------- 
 
 --------------------- httpd Begin ------------------------ 
 0.07 MB transferred in 211 responses  (1xx 0, 2xx 26, 3xx 173, 4xx 12,
5xx 0) 
    148 Images (0.00 MB),
     62 Content pages (0.07 MB),
      1 Other (0.00 MB) 
 
 Requests with error response codes
    400 Bad Request
       /vb/Juice/images/editor/bold.gif: 1 Time(s)
       /w00tw00t.at.ISC.SANS.DFind: 1 Time(s)
    404 Not Found
       /admin/phpmyadmin/main.php: 1 Time(s)
       [url] 
 ---------------------- httpd End ------------------------- 
 --------------------- Kernel Begin ------------------------ 
 2 Time(s): PCI: Using IRQ router PIIX/ICH [8086/24d0] at 0000:00:1f.0
 2 Time(s): PCI: Using configuration type 1
 2 Time(s): PID hash table entries: 2048 (order: 11, 8192 bytes)
 2 Time(s): Processor #0 15:4 APIC version 20
 2 Time(s): Processors: 1
 2 Time(s): Real Time Clock Driver v1.12ac
 4 Time(s): SCSI device sda: 160836480 512-byte hdwr sectors (82348 MB)
 4 Time(s): SCSI device sda: drive cache: write back
 2 Time(s): SCSI subsystem initialized
 2 Time(s): SGI XFS with large block numbers, no debug enabled
 2 Time(s): SMP alternatives: switching to UP code
 2 Time(s): Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ
sharing disabled
 2 Time(s): Setting up standard PCI resources
 2 Time(s): Software Watchdog Timer: 0.07 initialized. soft_noboot=0
soft_margin=60 sec (nowayout= 0)
 2 Time(s): TCP bic registered
 2 Time(s): TCP bind hash table entries: 8192 (order: 4, 65536 bytes)
 2 Time(s): TCP established hash table entries: 16384 (order: 5, 131072
bytes)
 2 Time(s): TCP reno registered
 2 Time(s): TCP: Hash tables configured (established 16384 bind 8192)
 2 Time(s): Time: tsc clocksource has been installed.
 1 Time(s): Total of 1 processors activated (5989.49 BogoMIPS).
 1 Time(s): Total of 1 processors activated (5989.50 BogoMIPS).
 2 Time(s): Uniform Multi-Platform E-IDE driver Revision: 7.00alpha2
 2 Time(s): Using IPI Shortcut mode
 2 Time(s): VFS: Disk quotas dquot_6.5.1
 2 Time(s): VFS: Mounted root (ext3 filesystem) readonly.
 2 Time(s): ata1: SATA max UDMA/133 cmd 0xD400 ctl 0xD002 bmdma 0xC000
irq 18
 2 Time(s): ata2.00: ATA-7, max UDMA/133, 160836480 sectors: LBA48 NCQ
(depth 0/32)
 2 Time(s): ata2.00: ata2: dev 0 multi count 16
 2 Time(s): ata2.00: configured for UDMA/133
 2 Time(s): ata2: SATA max UDMA/133 cmd 0xC800 ctl 0xC402 bmdma 0xC008
irq 18
 2 Time(s): ata_piix 0000:00:1f.2: MAP [ P0 -- P1 -- ]
 2 Time(s): device-mapper: ioctl: 4.7.0-ioctl (2006-06-24) initialised:
dm-devel@redhat.com
 2 Time(s): drivers/rtc/hctosys.c: unable to open rtc device (rtc0)
 2 Time(s): e100: Copyright(c) 1999-2005 Intel Corporation
 2 Time(s): e100: Intel(R) PRO/100 Network Driver, 3.5.10-k2-NAPI
 2 Time(s): eth0: Yukon Gigabit Ethernet 10/100/1000Base-T Adapter
 2 Time(s): eth0: network connection up using port A
 2 Time(s): floppy0: no floppy controllers found
 2 Time(s): found SMP MP-table at 000ff780
 2 Time(s): ide: Assuming 33MHz system bus speed for PIO modes; override
with idebus=xx
 2 Time(s): io scheduler anticipatory registered (default)
 2 Time(s): io scheduler cfq registered
 2 Time(s): io scheduler deadline registered
 2 Time(s): io scheduler noop registered
 2 Time(s): ip_conntrack version 2.4 (4029 buckets, 32232 max) - 224
bytes per conntrack
 2 Time(s): ip_tables: (C) 2000-2006 Netfilter Core Team
 4 Time(s): kjournald starting.  Commit interval 5 seconds
 2 Time(s): klogd 1.4.1, log source = /proc/kmsg started.
 2 Time(s): loop: loaded (max 8 devices)
 4 Time(s): md: ... autorun DONE.
 4 Time(s): md: Autodetecting RAID arrays.
 4 Time(s): md: autorun ...
 2 Time(s): md: bitmap version 4.39
 2 Time(s): md: linear personality registered for level -1
 2 Time(s): md: md driver 0.90.3 MAX_MD_DEVS=256, MD_SB_DISKS=27
 2 Time(s): md: multipath personality registered for level -4
 2 Time(s): md: raid0 personality registered for level 0
 2 Time(s): md: raid1 personality registered for level 1
 2 Time(s): md: raid4 personality registered for level 4
 2 Time(s): md: raid5 personality registered for level 5
 2 Time(s): md: raid6 personality registered for level 6
 2 Time(s): megasas: 00.00.03.01 Sun May 14 22:49:52 PDT 2006
 2 Time(s): mice: PS/2 mouse device common for all mice
 2 Time(s): migration_cost=0
 2 Time(s): monitor/mwait feature present.
 2 Time(s): mptctl: /dev/mptctl @ (major,minor=10,220)
 2 Time(s): mptctl: Registered with Fusion MPT base driver
 2 Time(s): raid5: automatically using best checksumming function:
pIII_sse
 1 Time(s): raid5: using function: pIII_sse (4821.000 MB/sec)
 1 Time(s): raid5: using function: pIII_sse (4822.000 MB/sec)
 1 Time(s): raid6: int32x1    862 MB/s
 1 Time(s): raid6: int32x1    863 MB/s
 2 Time(s): raid6: int32x2    795 MB/s
 2 Time(s): raid6: int32x4    708 MB/s
 1 Time(s): raid6: int32x8    543 MB/s
 1 Time(s): raid6: int32x8    544 MB/s
 1 Time(s): raid6: mmxx1     1831 MB/s
 1 Time(s): raid6: mmxx1     1840 MB/s
 2 Time(s): raid6: mmxx2     2122 MB/s
 2 Time(s): raid6: sse1x1    1057 MB/s
 1 Time(s): raid6: sse1x2    1208 MB/s
 1 Time(s): raid6: sse1x2    1210 MB/s
 1 Time(s): raid6: sse2x1    2099 MB/s
 1 Time(s): raid6: sse2x1    2101 MB/s
 1 Time(s): raid6: sse2x2    2252 MB/s
 1 Time(s): raid6: sse2x2    2254 MB/s
 1 Time(s): raid6: using algorithm sse2x2 (2252 MB/s)
 1 Time(s): raid6: using algorithm sse2x2 (2254 MB/s)
 2 Time(s): scsi0 : ata_piix
 2 Time(s): scsi1 : ata_piix
 2 Time(s): sd 1:0:0:0: Attached scsi disk sda
 4 Time(s): sda: Write Protect is off
 2 Time(s): serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
 2 Time(s): serio: i8042 AUX port at 0x60,0x64 irq 12
 2 Time(s): serio: i8042 KBD port at 0x60,0x64 irq 1
 2 Time(s): tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
 2 Time(s): tun: Universal TUN/TAP device driver, 1.6
 2 Time(s): using mwait in idle threads.
 
 ---------------------- Kernel End ------------------------- 
	View 0 Replies
  
    
	
    	
    	
        Jan 8, 2007
        I've been getting this log watch from my server emailed to me on a daily basis. It gives me a list of all the authentication failures via SSH and other protocols. Should I be actively concerned that there are specific IP addresses consistently trying to access my SSH account? Likewise, for any type of failed login. Should I actively block their IP address from accessing the server at all?
I've also noticed in the Connections group, there's a lot of monitoringservice.net connections -- is this normal? 
Just want to make sure I'm taking an active effort on preventing my server being brought down. I mean, I have 2000+ SSHd authentication failures... seems really high.
	View 3 Replies
  
    
	
    	
    	
        May 5, 2009
        I was searching for something else the other day and came across this (search for LogWatch on the page).
It changes the default paths for some of the log files so that they work on a cPanel/WHM server.
This will give you more reports in your daily LogWatch email - specifically, it adds exim, apache, courier and PureFTP logs.
Most tutorials only show you how to change the detail level or the email address in logwatch.conf.
So, I thought I'd share this piece of information.
I found that a few changes were necessary for my system.
So, I'll give all the steps I followed below:
1) After you have installed LogWatch, change the following in /usr/share/logwatch/default.conf/logwatch.conf :
Code:
Detail = High
MailTo = <your email address>
You can use Detail = Med if you want to reduce the details you get.
2) Add the following to /etc/logwatch/conf/override.conf (you may have to create the file):
Code:
logfiles/exim: LogFile = exim_mainlog
logfiles/http: LogFile = /usr/local/apache/logs/access_log
services/pop3: *OnlyService = cpanelpop
services/pop3: *RemoveHeaders = 1
services/pureftpd: LogFile = messages
services/pureftpd: $show_logins = 1
services/pureftpd: $show_logouts = 1
services/pureftpd: $show_new_connections = 1
So, if you are not bored reading LogWatch's daily logs and would like to increase your workload, you now know how to 
How have you configured your LogWatch installation? Or do you use something other than LogWatch?
	View 0 Replies
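A sanity check for an override.conf like the one in the post above, as an added example that is not part of the original post or of Logwatch itself. It assumes Logwatch's usual conventions: in a `logfiles/` section, `LogFile` is a file pattern resolved against LogDir (default /var/log), while in a `services/` section it names a logfile group. The function names are hypothetical.

```python
import glob
import os
import re

# Constructed sample: entries taken from the post's override.conf.
SAMPLE_OVERRIDE = """\
logfiles/exim: LogFile = exim_mainlog
logfiles/http: LogFile = /usr/local/apache/logs/access_log
services/pop3: *OnlyService = cpanelpop
services/pureftpd: LogFile = messages
services/pureftpd: $show_logins = 1
"""

ENTRY = re.compile(r"^(logfiles|services)/([\w.-]+):\s*([*$]?\w+)\s*=\s*(.*)$")

def parse_override(text):
    """Return (section, name, key, value) tuples, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError("unrecognised override line: %r" % raw)
        entries.append(m.groups())
    return entries

def logfile_targets(text, logdir="/var/log"):
    """Split LogFile entries into file patterns and logfile-group references."""
    files, groups = [], []
    for section, name, key, value in parse_override(text):
        if key.lower() != "logfile":
            continue  # *filters and $variables carry no path to check
        if section == "logfiles":
            # Relative names are resolved against LogDir; absolute paths win.
            files.append((name, os.path.join(logdir, value)))
        else:
            # In a service section the value names a logfile group, not a file.
            groups.append((name, value))
    return files, groups

def unreadable(files):
    """Return the (group, pattern) pairs whose pattern matches no readable file."""
    return [(g, p) for g, p in files
            if not any(os.access(f, os.R_OK) for f in glob.glob(p))]
```

Running `unreadable(logfile_targets(open("/etc/logwatch/conf/override.conf").read())[0])` on the server lists the log groups that would silently produce an empty report section.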
  
    
	
    	
    	
        Jul 28, 2008
        I logged into my email to check for my nightly logwatch report (at 12am).
Nothing.
So I log into ssh and manually run it, get greeted with this:
You have old files in your logwatch tmpdir (/var/cache/logwatch):
        logwatch.zcTV3hC0
The directories listed above were most likely created by a
logwatch run that failed to complete successfully.  If so, you
may delete these directories.
I last ran logwatch around 10:30pm, it worked fine.
I try to run logwatch again, same error.. except now there's another temp file showing beneath the first.
I go ahead and delete both of them, run logwatch again...it worked.  I also got the other reports from when I tried running logwatch manually and was stopped with this error.
I've never had this happen before, so I'm curious as to what caused it?  Logwatch is in cron.daily and has never missed a single report.
Just typical data corruption (as can happen with any computer file) or could something have interfered with its processing at 12?
	View 2 Replies
  
    
	
    	
    	
        May 24, 2008
        My /var partition is getting full and most of the problem seems to be with the files in /var/cache/logwatch/ using up all the space. Can those be deleted?
	View 4 Replies
    View Related
  
    
	
    	
    	
        May 9, 2007
        I'm running out of disk space on /var and it seems /var/cache/logwatch has almost 4GB of space. Can I remove everything inside and uninstall logwatch? How do I remove logwatch from the system, and is there any effect on the system functionality?
DirectAdmin
CentOS4.4
	View 5 Replies
    View Related
  
    
	
    	
    	
        Oct 29, 2007
        I have been receiving a huge logwatch report; it seems that logwatch is not parsing the /var/log/secure file, but sending the log entries instead of any resume of it. I got thousands of lines like
    Cp-Wrap: Pushing "47 GETDISKUSED pvargas lights.com.co" to '/usr/local/cpanel/bin/eximadmin' for UID: 47 : 25 Time(s)
    Cp-Wrap: Pushing "47 GETDISKUSED r.perez konecrans.com" to '/usr/local/cpanel/bin/eximadmin' for UID: 47 : 69 Time(s)
    Cp-Wrap: Pushing "47 GETDISKUSED r.rodriguez konecrans.com" to '/usr/local/cpanel/bin/eximadmin' for UID: 47 : 114 Time(s)
I have upgraded to the most recent version of Logwatch with default configuration. Any ideas on what could be wrong?
	View 4 Replies
  
    
	
    	
    	
        May 14, 2007
        Is this someone trying to gain access to the server and just trying different passwords or ways? The server is new with no websites hosted yet but already getting this.
Will Brute Force not take care of this?
Is this common? Any ideas?
 
 **Unmatched Entries**
   sendto(72.64.118.118): Operation not permitted: 72 time(s)
   sendto(69.182.190.97): Operation not permitted: 73 time(s)
   sendto(66.93.44.19): Operation not permitted: 72 time(s)
	View 2 Replies
    View Related
  
    
	
    	
    	
        Apr 16, 2007
        Does anyone have a link to some Logwatch installation instructions? There's nothing on the logwatch website and I've not managed to find anything on here or on Google.
I just want to set it up and have it email me every day.
I have never used rpm installs before.
	View 3 Replies
    View Related
  
    
	
    	
    	
        Jul 17, 2007
        # cd /usr/src
# wget ftp://ftp.kaybee.org/pub/linux/logwatch-7.3.6.tar.gz
# tar -xvzf logwatch-7.3.6.tar.gz
# cd logwatch*
# ./install_logwatch.sh
-bash: ./install_logwatch.sh: Permission denied
	View 2 Replies
    View Related
  
    
	
    	
    	
        May 14, 2007
        Posts have been disappearing the last 2 days on WHT. Let me try this again.
The server is new and does not have any websites set up yet. It's already getting these entries. Is this normal? Should we move to a different SSH port?
 **Unmatched Entries**
sendto(72.64.118.118): Operation not permitted: 72 time(s)
sendto(69.182.190.97): Operation not permitted: 73 time(s)
sendto(66.93.44.19): Operation not permitted: 72 time(s)
	View 6 Replies
    View Related
  
    
	
    	
    	
        Mar 11, 2015
        I used a little vServer with ubuntu (turnkey) and use logwatch to be informed by email about any errors. I'm confused about the following errors from Apache:
 --------------------- httpd Begin ------------------------ 
Requests with error response codes
404 Not Found
http://translate.google.com/gen204: 1 Time(s)
http://www.teddybrinkofski.com/ip_json.php: 1 Time(s)
503 Service Unavailable
http://www.google.com/: 1 Time(s)
---------------------- httpd End -------------------------
These errors are definitely not from my own code. I have checked that mod_proxy is disabled and I also disabled CONNECT as described here: [URL] ....
What do these errors mean and how can I disable this?
	View 4 Replies
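Detection logic for the kind of entries in the httpd report above, as an added example that is not part of the original post. It assumes the full URLs in the report come from requests whose request line names another host (an absolute-form target or the CONNECT method); the log lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed Apache "combined" log lines; client addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Mar/2015:06:25:01 +0000] "GET http://translate.google.com/gen204 HTTP/1.1" 404 291 "-" "-"
203.0.113.7 - - [11/Mar/2015:06:25:03 +0000] "GET http://www.google.com/ HTTP/1.1" 503 299 "-" "-"
198.51.100.23 - - [11/Mar/2015:07:10:44 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 405 230 "-" "-"
192.0.2.10 - - [11/Mar/2015:08:00:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Mar/2015:09:15:30 +0000] "GET http://www.example.org/ HTTP/1.1" 200 5120 "-" "-"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def proxy_attempts(log_text, own_hosts):
    """Yield (client, method, target, status) for requests naming a foreign host."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, method, target, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if method == "CONNECT":
            host = target.rsplit(":", 1)[0]          # authority-form: host:port
        elif "://" in target:
            host = urlsplit(target).hostname or ""   # absolute-form: full URL
        else:
            continue                                 # origin-form: a local path
        if host.lower() not in own_hosts:
            yield client, method, target, status

def summarize(log_text, own_hosts=frozenset()):
    """Count attempts per client and collect those answered with 2xx/3xx.

    A 2xx/3xx answer does not prove relaying (Apache can serve such a request
    from its default virtual host), but it is the case to check by hand.
    """
    per_client, review = Counter(), []
    for client, method, target, status in proxy_attempts(log_text, own_hosts):
        per_client[client] += 1
        if 200 <= status < 400:
            review.append((client, method, target, status))
    return per_client, review
```

Pass the server's own hostnames as `own_hosts` so that legitimate absolute-form requests for the site itself are not counted.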