Security log

bluegold92
Posts: 6
Joined: Fri Mar 26, 2010 10:44 am

Security log

Postby bluegold92 » Fri Mar 26, 2010 10:50 am

I have been carefully monitoring my security log after having installed the server just to be sure that I don't have some error in my LAN setup that allows someone else in. For example, I have installed "denyhosts" so that attackers are automatically added to the "hosts.deny" file. I have periodically looked at the /var/log/secure file to be sure of who is attempting to log in.

Here's what I found yesterday:
    Mar 23 01:45:45 fedora12 groupadd[27988]: group added to /etc/group: name=saslauth, GID=478
    Mar 23 01:45:45 fedora12 groupadd[27988]: group added to /etc/gshadow: name=saslauth
    Mar 23 01:45:45 fedora12 groupadd[27988]: new group: name=saslauth, GID=478
    Mar 23 01:45:45 fedora12 useradd[27993]: new user: name=saslauth, UID=491, GID=478, home=/var/empty/saslauth, shell=/sbin/nologin
    Mar 23 01:45:58 fedora12 userdel[28016]: delete user 'saslauth'
    Mar 23 01:45:58 fedora12 userdel[28016]: removed group 'saslauth' owned by 'saslauth'
I am not familiar with "saslauth", but I was not using the computer at this time. Can anyone help me understand what was going on?

cpg
Administrator
Posts: 2618
Joined: Wed Dec 03, 2008 7:40 am

Re: Security log

Postby cpg » Fri Mar 26, 2010 8:40 pm

first, do you have any ports forwarded to your hda?

if you don't, then external things accessing your HDA directly should be contained.

now, if you worry about some other machine in your network being rogue, that is a whole other matter.

amahi is meant for more or less trusted environments. there is authentication, etc. but not ultra-paranoid.

to answer your question, i see that in my logs as well. it appears to be related to a fedora update of at least these packages:

    system-config-printer-libs cyrus-sasl-plain

did you do an update at Mar 23 01:45:45?
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 8GB RAM, 1TBx2+3TBx1
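
The check suggested in the reply above (did a package update run at the time of the account changes?) can be automated. The following is an added example, not code from the thread or from Amahi: it pulls the account-management events out of `/var/log/secure` text and lists any package transactions logged within a time window. It assumes the package log uses the yum.log line layout; the `PKG_LOG` lines, the Mar 24 `testacct` line and the 120-second window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Lines from the post's /var/log/secure, plus one constructed line (Mar 24).
SECURE_LOG = """\
Mar 23 01:45:45 fedora12 groupadd[27988]: new group: name=saslauth, GID=478
Mar 23 01:45:45 fedora12 useradd[27993]: new user: name=saslauth, UID=491, GID=478, home=/var/empty/saslauth, shell=/sbin/nologin
Mar 23 01:45:58 fedora12 userdel[28016]: delete user 'saslauth'
Mar 24 03:10:02 fedora12 useradd[3111]: new user: name=testacct, UID=1001, GID=1001, home=/home/testacct, shell=/bin/bash
"""

# Constructed package-manager log in yum.log layout; versions are placeholders.
PKG_LOG = """\
Mar 23 01:45:50 Updated: cyrus-sasl-plain-VERSION
Mar 23 01:46:10 Updated: system-config-printer-libs-VERSION
"""

ACCOUNT_TOOLS = {"useradd", "userdel", "groupadd", "groupdel", "usermod"}
SECURE_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ (\w+)\[\d+\]: (.*)$")
PKG_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (?:Installed|Updated|Erased): (\S+)$")

def _ts(stamp, year=2010):
    # syslog timestamps carry no year; the thread is from 2010
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def account_events(secure_text):
    """Yield (time, tool, message) for account-management entries only."""
    for line in secure_text.splitlines():
        m = SECURE_RE.match(line)
        if m and m.group(2) in ACCOUNT_TOOLS:
            yield _ts(m.group(1)), m.group(2), m.group(3)

def package_events(pkg_text):
    """Yield (time, package) for each logged package transaction."""
    for line in pkg_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            yield _ts(m.group(1)), m.group(2)

def correlate(secure_text, pkg_text, window=timedelta(seconds=120)):
    """Return (event, nearby_packages) pairs; an empty list means unexplained."""
    pkgs = list(package_events(pkg_text))
    return [((when, tool, msg), [n for t, n in pkgs if abs(t - when) <= window])
            for when, tool, msg in account_events(secure_text)]

if __name__ == "__main__":
    for (when, tool, msg), near in correlate(SECURE_LOG, PKG_LOG):
        verdict = "package activity: " + ", ".join(near) if near else "UNEXPLAINED"
        print(f"{when:%b %d %H:%M:%S} {tool:<8} {msg[:40]:<40} {verdict}")
```

An account change with no package transaction nearby is not proof of compromise, only the entry that deserves a manual look first.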

bluegold92
Posts: 6
Joined: Fri Mar 26, 2010 10:44 am

Re: Security log

Postby bluegold92 » Fri Mar 26, 2010 9:53 pm

Could be an automatic update, now that I think about it. The update backend is set to do Fedora security updates automatically, then that might be what was happening. I was sleeping soundly at that time of night. I do have one port forwarded, incidentally - SSH, but I have it protected with root and password logins disabled (only public key authentication) and I have it protected with denyhosts. I am paranoid, but I have had at least one to two Internet hosts per day trying to do a brute force attack through SSH.
