Hi all! I'm a Technology Coordinator at a small therapeutic school. I'm new to ClearOS but loving it so far (I switched from endian firewall).
So I'm looking through the logs, specifically "secure" and I find numerous versions of the following (replace someusername with one of our 40 users - all of them seem to appear at one point or another):
Jun 25 07:12:07 firewall unix_chkpwd[3421]: check pass; user unknown
Jun 25 07:12:07 firewall unix_chkpwd[3422]: check pass; user unknown
Jun 25 07:12:07 firewall unix_chkpwd[3422]: password check failed for user (someusername)
Jun 25 07:12:07 firewall (pam_auth): pam_unix(squid:auth): authentication failure; logname= uid=23 euid=23 tty= ruser= r
My research points me in the direction of squid not being able to access /etc/shadow but I'm not sure that's really the issue. Coincidentally, or maybe not, /etc/shadow and /etc/shadow- both have permissions of 000 which is weird... right?
Anyway, anyone here have tips or explanations for uncovering the root of the above errors? They're burying any real alerts under a ton of noise.
Thanks much!
-ry