Hello, I am using Debian 10 Buster and yesterday I did an update of packages - security etc. Everything was fine and working fine. But I checked my logs in var/log/ and in the user.log file I can see lines like this:

Jun 11 17:20:01 vm28069 cron[314]: Authentication failure
Jun 11 17:25:01 vm28069 cron[314]: Authentication failure
Jun 11 17:30:01 vm28069 cron[314]: Authentication failure
Jun 11 17:35:01 vm28069 cron[314]: Authentication failure
Jun 11 17:40:01 vm28069 cron[314]: Authentication failure
Jun 11 17:45:01 vm28069 cron[314]: Authentication failure
Jun 11 17:50:01 vm28069 cron[314]: Authentication failure
Jun 11 17:55:01 vm28069 cron[314]: Authentication failure
Jun 11 18:00:01 vm28069 cron[314]: Authentication failure
Jun 11 18:05:01 vm28069 cron[314]: Authentication failure
Jun 11 18:10:01 vm28069 cron[314]: Authentication failure

Any ideas what this means? For my web cron I have set every 5 minutes every hour, 1:05, 2:05 etc. I checked the access log and the cron tasks are done with code 200 and work. Cron for ISPConfig works fine too.
Before the update, this file had just something like this:

Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/05efi on mounted /dev/vda1
Jun 8 22:27:02 vm28069 05efi: debug: Not on UEFI platform
Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/10freedos on mounted /dev/vda1
Jun 8 22:27:02 vm28069 10freedos: debug: /dev/vda1 is not a FAT partition: exiting
Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/10qnx on mounted /dev/vda1
Jun 8 22:27:02 vm28069 10qnx: debug: /dev/vda1 is not a QNX4 partition: exiting
Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/20macosx on mounted /dev/vda1
Jun 8 22:27:02 vm28069 macosx-prober: debug: /dev/vda1 is not an HFS+ partition: exiting
Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/20microsoft on mounted /dev/vda1
Jun 8 22:27:02 vm28069 20microsoft: debug: /dev/vda1 is not a MS partition: exiting
Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/30utility on mounted /dev/vda1
Jun 8 22:27:02 vm28069 30utility: debug: /dev/vda1 is not a FAT partition: exiting
Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/40lsb on mounted /dev/vda1
Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/70hurd on mounted /dev/vda1
Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/80minix on mounted /dev/vda1
Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/83haiku on mounted /dev/vda1
Jun 8 22:27:02 vm28069 83haiku: debug: /dev/vda1 is not a BeFS partition: exiting
Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/90linux-distro on mounted /dev/vda1
Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/90solaris on mounted /dev/vda1
I checked via ps ax and found that id 314 is for

314 ? Ss 2:08 /usr/sbin/cron -f

but I am not sure where the problem is, because it looks like cron works fine. When I use crontab –l I get

–l: No such file or directory

For less /etc/crontab:

17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
This is probably the cron for ISPConfig. I used sudo cat /var/log/syslog | grep cron and got lines like:

Jun 12 20:30:01 vm28069 cron[314]: Authentication failure
Jun 12 20:30:01 vm28069 CRON[8731]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Jun 12 20:30:01 vm28069 CRON[8732]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Jun 12 20:31:01 vm28069 CRON[8821]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Jun 12 20:31:01 vm28069 CRON[8822]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Jun 12 20:32:01 vm28069 CRON[8842]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Jun 12 20:32:01 vm28069 CRON[8843]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Jun 12 20:33:01 vm28069 CRON[8858]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Jun 12 20:33:01 vm28069 CRON[8859]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Jun 12 20:34:01 vm28069 CRON[8873]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Jun 12 20:34:01 vm28069 CRON[8874]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Jun 12 20:35:01 vm28069 CRON[8900]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
Jun 12 20:35:01 vm28069 cron[314]: Authentication failure
Jun 12 20:35:02 vm28069 CRON[8901]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
I checked it again and maybe there is something with postfix. In ISPConfig, in the system log tab, I can see these lines. Maybe it looks like someone is trying to send emails via a cron task?

Jun 13 09:29:03 vm28069 postfix/submission/smtpd[7374]: connect from unknown[178.238.8.106]
Jun 13 09:29:03 vm28069 postfix/submission/smtpd[7374]: disconnect from unknown[178.238.8.106] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jun 13 09:29:26 vm28069 postfix/submission/smtpd[7374]: connect from unknown[178.238.8.106]
Jun 13 09:29:26 vm28069 postfix/submission/smtpd[7374]: disconnect from unknown[178.238.8.106] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jun 13 09:29:46 vm28069 postfix/submission/smtpd[7374]: connect from unknown[178.238.8.106]
Jun 13 09:29:47 vm28069 postfix/submission/smtpd[7374]: disconnect from unknown[178.238.8.106] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
Jun 13 09:30:01 vm28069 cron[314]: Authentication failure
Jun 13 09:30:01 vm28069 CRON[7640]: Authentication failure
You have a cron job starting every five minutes. Find out which job that is, and look at what it does. Something in that job causes the authentication failure. Is the exact same line in both user.log and syslog?
Happens, for example, when the password of the user has expired (can also happen for root). Can you log in with the root account?

Also happens if a cron job exists for a user which no longer exists, or the user is locked.

Is there any uncommented line in /etc/security/access.conf?

What is the output of "ls -al /var/spool/cron/crontabs"? Any non-existing users?

That's unrelated, has nothing to do with cron. Just a "normal" mail spam attempt.
Thank you. Via my site I have not set any crons, only the every-hour one I wrote about, and this executes fine. I cannot find any other active crons, only for ISPConfig - I have a VPS preinstalled with ISPConfig from my hosting provider.

Via crontab -l there is just the ISPConfig cron:

* * * * * /usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
* * * * * /usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done

Yes, I can log in as root.

I checked the file /etc/security/access.conf and all lines were commented.

Output of the command ls -al /var/spool/cron/crontabs is:

total 16
drwx-wx--T 2 root crontab 4096 Jun 13 08:55 .
drwxr-xr-x 5 root root 4096 May 7 2015 ..
-rw------- 1 getmail crontab 253 Apr 3 16:40 getmail
-rw------- 1 root crontab 457 Apr 3 16:40 root
My guess is the getmail cronjob makes the authentication failure. Look at what is in that file, and the script file it maybe starts.
Code:
cat /var/spool/cron/crontabs/getmail
Thank you. Yes, you are right. I checked this file and there are these lines:

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (crontab.txt installed on Fri Apr 3 16:40:57 2020)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
*/5 * * * * /usr/local/bin/run-getmail.sh > /dev/null 2>> /dev/null

Here is the 5-minute cron. The file run-getmail.sh contains:

#!/bin/bash
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin
set -e
cd /etc/getmail
rcfiles=""
for file in *.conf ; do
  if [ $file != "*.conf" ]; then
    rcfiles="$rcfiles -r $file"
  fi
done
#echo $rcfiles
if [ -f /tmp/.getmail_lock ]; then
  echo 'Found getmail lock file /tmp/.getmail_lock, we quit here.'
else
  touch /tmp/.getmail_lock
  if [ "$rcfiles" != "" ]; then
    /usr/bin/getmail -v -g /etc/getmail $rcfiles || true
  fi
  rm -f /tmp/.getmail_lock
fi
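The matching done by hand in this thread (find the crontab whose schedule coincides with the failure timestamps) can be automated; the following is an added example, not part of any post here, that compares the minutes at which cron logged "Authentication failure" with the minute and hour fields of the crontab entries quoted above. The sample log is constructed in the thread's syslog format, the function names are hypothetical, and it assumes one day of log and ignores the day, month and weekday fields.

```python
import re

# Constructed sample in the syslog format shown in the thread (one day assumed).
SAMPLE_LOG = """\
Jun 12 20:30:01 vm28069 cron[314]: Authentication failure
Jun 12 20:33:01 vm28069 CRON[8858]: (root) CMD (/usr/local/ispconfig/server/server.sh)
Jun 12 20:35:01 vm28069 cron[314]: Authentication failure
Jun 12 20:40:01 vm28069 cron[314]: Authentication failure
"""
# (minute, hour) fields of the crontab entries quoted in the thread.
CRONTABS = {
    "root: ispconfig server.sh/cron.sh": ("*", "*"),
    "getmail: run-getmail.sh": ("*/5", "*"),
    "/etc/crontab: cron.hourly": ("17", "*"),
}
# Matches both "cron[pid]" (daemon) and "CRON[pid]" (child) failure lines.
FAIL = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):\d\d \S+ cron\[\d+\]: "
                  r"Authentication failure", re.I | re.M)

def expand(field, lo, hi):
    """Expand one cron field (*, */n, a-b, a-b/n, comma lists) to a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        first, _, last = rng.partition("-")
        a = lo if rng == "*" else int(first)
        b = hi if rng == "*" else int(last or first)
        values.update(range(a, b + 1, int(step or 1)))
    return values

def failure_minutes(log):
    """Minutes of the day at which cron logged 'Authentication failure'."""
    return {int(h) * 60 + int(m) for h, m in FAIL.findall(log)}

def score(log, crontabs):
    """Per crontab: (failures it does not explain, runs without a failure)."""
    fails = failure_minutes(log)
    window = range(min(fails), max(fails) + 1) if fails else range(0)
    result = {}
    for owner, (minute, hour) in crontabs.items():
        mins, hours = expand(minute, 0, 59), expand(hour, 0, 23)
        runs = {t for t in window if t // 60 in hours and t % 60 in mins}
        result[owner] = (len(fails - runs), len(runs - fails))
    return result

def suspects(log, crontabs):
    """Crontabs whose runs coincide exactly with the logged failures."""
    found = bool(failure_minutes(log))
    return [o for o, s in score(log, crontabs).items() if found and s == (0, 0)]

print(suspects(SAMPLE_LOG, CRONTABS))
```

A score of (0, 0) means every failure falls on a run of that crontab and every run in the window produced a failure; the every-minute root entries explain the failures too, but also run in minutes where nothing was logged.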
Still guessing here, but I say one of the accounts you have configured for getmail has wrong username or password or some such. You can look in the files,
Code:
ls -lh /etc/getmail/
or check what you have set up in ISPConfig panel, Mail tab and Fetchmail item.
Thank you. I tried it all and checked the configuration. In any case, /etc/getmail/ is empty. I found that this directory has 0700, try to set it to 0755
It should be rwx for owner, nothing for others. Owner is getmail and group owner root. Don't go changing system files permissions and owners when you are not sure they must be changed.
Does the manual execution of that command work?
Code:
sudo -u getmail /usr/local/bin/run-getmail.sh
If not, can you log in with the getmail user?
Code:
su getmail
After su getmail it should ask for a password. Does it do that? If you do it as the root user, that is, log in as root and then do su getmail, it should directly switch user to getmail without asking for passwords. Does it work like this? If not, the getmail account is somehow unable to log in, so examine that.
This looks like the getmail user is not allowed to log in. This can have several reasons, maybe the account is locked. (Have you done any changes lately?)
See if account is locked with
Code:
passwd --status getmail
See if account is expired with
Code:
chage -l getmail
See if user has no valid shell with
Code:
grep ^getmail /etc/passwd
Thank you. No changes. Probably this is not a big problem, but I would like to find the reason why this happened. This is not a priority, everything is working fine. When I use the first I get
Code:
root@xxxx:~# passwd --status getmail
getmail P
second
root@xx:~# chage -l getmail
Last password change : never
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : -1
Maximum number of days between password change : -1
Number of days of warning before password expires : -1
and last
root@xxx:~# grep ^getmail /etc/passwd
getmail:x:5001:5001::/etc/getmail:/bin/sh
Yes, since you do not use getmail, there is no problem with it not working. Finding out the reason would be good. However, I don't know how to help you further. Something is messed up. Did you change anything in /etc/security? You could try "strace su getmail" and see if something obvious comes up. But this output is not easy to interpret.