
Problem with 2 emails daily on Fedora


egmweb

Programmer
Mar 19, 2004
147
EU
Hello all,

I have a server with Fedora Core and I'm having problems with it.

I'm receiving 2 emails daily with the following subjects:

1) Cron <root@account> run-parts /etc/cron.daily
In the body of this email I have:

/etc/cron.daily/logrotate:

error: stat of /var/log/ppp/connect-errors failed: No such file or directory

The second email is:
2) LogWatch for mydomain.com

and here I have a lot of IP addresses trying to connect to my server...

Please, I'm new to this Fedora world and I don't know how to fix that...

Thank you.
 
The first one is saying that it can't write to this error log. It's the log for your ppp (dial-up modem) connections. Open /etc/logrotate.d/ppp with a text editor and add this line if it isn't there:

Code:
create 0600 root root

On the second one, you didn't say how they were trying to access your server. Which one, or what port?



 
Thank you very much...

OK, the second email is too big, so the summary is that I'm receiving about 500 emails like spam... to an account that I have configured in case someone sends an email to an account that does not exist on the domain.

On that account I'm receiving daily about 500-700 emails from different people, sometimes with the same subject and sometimes with another subject like: re[21]... etc.

Please, I'm desperate with this problem...

Thank you.
 
Rather than create an account for this type of mail you can reject it. Which mail server do you use?

 
Thank you, but I don't know what kind of mail server I'm using... How can I do that? I have created an account, but in Plesk I add some emails to the blacklist and it is too much. I'm very worried about those 500 emails daily.

Thank you very much for your help.
 
Here is some content of the log of the server:

################### LogWatch 5.1 (02/03/04) #########
Processing Initiated: Tue Jul 12 07:02:02 2005
Date Range Processed: yesterday
Detail Level of Output: 0
Logfiles for Host: mydomain.com
###########################################################

--------------------- httpd Begin ------------------------

A total of 1 unidentified 'other' records logged
<HTML> with response code(s) 501

---------------------- httpd End -------------------------


--------------------- PAM_pwdb Begin ---------------------


Opened Sessions:
Service: ftp
User maracaibo - 4 Time(s)
User valencia - 20 Time(s)
User aruba - 177 Time(s)
User guiafashion - 20 Time(s)

---------------------- PAM_pwdb End ---------------------


-------------------- pam_unix Begin ---------------------

sshd:
Authentication Failures:
alias (blackhole.tuscanylasvegas.com): 1 Time(s)
daemon (blackhole.tuscanylasvegas.com): 1 Time(s)
drweb (blackhole.tuscanylasvegas.com): 1 Time(s)
mysql (blackhole.tuscanylasvegas.com): 1 Time(s)
root (200-109-170-105.genericrev.cantv.net): 1 Time(s)
root (blackhole.tuscanylasvegas.com): 1 Time(s)
rpc (blackhole.tuscanylasvegas.com): 1 Time(s)
smmsp (blackhole.tuscanylasvegas.com): 1 Time(s)
xfs (blackhole.tuscanylasvegas.com): 1 Time(s)
Invalid Users:
Unknown Account: 701 Time(s)
Unknown Entries:
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=blackhole.tuscanylasvegas.com : 699 Time(s)
authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=200-109-170-105.genericrev.cantv.net : 2 Time(s)


---------------------- pam_unix End ----------------------


--------------------- proftpd-messages Begin ------------

**Unmatched Entries**
72.22.64.122 (200.82.220.183[200.82.220.183]) - FTP no transfer timeout, disconnected
72.22.64.122 (200.82.220.183[200.82.220.183]) - FTP no transfer timeout, disconnected

...... here the unmatched entries continue

---------------------- proftpd-messages End --------------


--------------------- Connections (secure-log) Begin ----


Connections:
Service ftp:
199.0.84.108: 4 Time(s)
199.2.115.70: 126 Time(s)
200.82.220.183: 34 Time(s)
200.84.35.207: 6 Time(s)
200.90.118.25: 34 Time(s)
201.248.97.125: 4 Time(s)
201.249.43.15: 16 Time(s)
204.212.124.155: 25 Time(s)
216.30.216.25: 1 Time(s)
Service smtp:
12.5.101.109: 1 Time(s)
12.10.123.20: 1 Time(s)
12.152.82.224: 1 Time(s)
12.210.204.2: 1 Time(s)
24.0.60.6: 1 Time(s)
24.2.172.156: 1 Time(s)
24.4.209.165: 1 Time(s)

..... here continues .....

---------------------- Connections (secure-log) End -------------------------


--------------------- SSHD Begin ------------------------


Failed logins from these:
Ionutz/password from ::ffff:216.241.48.194: 1 Time(s)
Melk/password from ::ffff:216.241.48.194: 1 Time(s)
aaron/password from ::ffff:216.241.48.194: 1 Time(s)
abc/password from ::ffff:216.241.48.194: 2 Time(s)
abraham/password from ::ffff:216.241.48.194: 1 Time(s)
ace/password from ::ffff:216.241.48.194: 1 Time(s)

... here are hundreds of accounts, about 1000 accounts ...

zeus/none from ::ffff:216.241.48.194: 1 Time(s)
zeus/password from ::ffff:216.241.48.194: 1 Time(s)

Users logging in through sshd:
root:
200-109-170-105.genericrev.cantv.net (200.109.170.105): 1 time

---------------------- SSHD End -------------------------



------------------ Disk Space --------------------

Filesystem Size Used Avail Use% Mounted on
/dev/hda3 73G 7.7G 61G 12% /
/dev/hda1 99M 5.9M 88M 7% /boot
none 249M 0 249M 0% /dev/shm


###################### LogWatch End #####################



Thank you, and please help me with this...
 
You should be able to drop those connections by using the /etc/hosts.deny file. Just put in the subnet that you want to drop (make sure it ends in a . (dot)):

ALL: 200.11.78.
ALL: 200.147.105.
ALL: 200.171.182.
ALL: 200.179.

Make sure to check your logs afterwards for any misconfig.


Works great for me.
Norm
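
An added example, not part of the original posts: it reads the "SSHD" section of a LogWatch report like the one quoted above and turns the failed-login sources into per-address hosts.deny entries, going one step beyond the hand-typed subnet prefixes. It assumes sshd on the host honours TCP wrappers; the function names, the thresholds and the sample address 198.51.100.7 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the LogWatch SSHD section quoted in the thread.
SAMPLE = """\
--------------------- SSHD Begin ------------------------
Failed logins from these:
Ionutz/password from ::ffff:216.241.48.194: 1 Time(s)
abc/password from ::ffff:216.241.48.194: 2 Time(s)
zeus/none from ::ffff:216.241.48.194: 1 Time(s)
guest/password from 198.51.100.7: 1 Time(s)
root/password from 200.109.170.105: 2 Time(s)

Users logging in through sshd:
root:
200-109-170-105.genericrev.cantv.net (200.109.170.105): 1 time
---------------------- SSHD End -------------------------
"""

FAILED = re.compile(r"^(\S+)/(\w+) from (\S+): (\d+) Time\(s\)$")
LOGIN = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\): \d+ time")

def normalize(src):
    """Strip the IPv4-mapped IPv6 prefix that sshd logs on dual-stack sockets."""
    return src[7:] if src.lower().startswith("::ffff:") else src

def summarize(report):
    """Return (failures per source, usernames tried per source, sources that logged in)."""
    failures, users, accepted, section = Counter(), {}, set(), None
    for line in map(str.strip, report.splitlines()):
        if line.startswith("Failed logins from these"):
            section = "failed"
        elif line.startswith("Users logging in through sshd"):
            section = "accepted"
        elif line.startswith("---"):
            section = None
        elif section == "failed" and (m := FAILED.match(line)):
            src = normalize(m[3])
            failures[src] += int(m[4])
            users.setdefault(src, set()).add(m[1])
        elif section == "accepted" and (m := LOGIN.search(line)):
            accepted.add(m[1])
    return failures, users, accepted

def deny_lines(report, min_failures=3, min_users=2):
    """hosts.deny entries for sources that look like username-guessing scans."""
    failures, users, accepted = summarize(report)
    return [f"sshd: {src}" for src, n in sorted(failures.items())
            # A source that also logged in may be the admin: review it by hand.
            if src not in accepted and n >= min_failures and len(users[src]) >= min_users]
```

Sources that also appear under "Users logging in through sshd" are left out of the output on purpose, so a mistyped password from the administrator's own address does not end in a lockout.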
 
Hello normntwrk,

Thank you very much. I will follow your suggestions and I will post the results.

Regards.
 