cron Authentication failure

Discussion in 'Installation/Configuration' started by pecka33, Jun 12, 2020.

  1. pecka33

    pecka33 Member

    Hello,

    I am using Debian 10 Buster and yesterday I did an update of packages - security etc. Everything was fine and working fine. But I checked my logs in var/log/ and in the user.log file I can see lines like this.

    Jun 11 17:20:01 vm28069 cron[314]: Authentication failure
    Jun 11 17:25:01 vm28069 cron[314]: Authentication failure
    Jun 11 17:30:01 vm28069 cron[314]: Authentication failure
    Jun 11 17:35:01 vm28069 cron[314]: Authentication failure
    Jun 11 17:40:01 vm28069 cron[314]: Authentication failure
    Jun 11 17:45:01 vm28069 cron[314]: Authentication failure
    Jun 11 17:50:01 vm28069 cron[314]: Authentication failure
    Jun 11 17:55:01 vm28069 cron[314]: Authentication failure
    Jun 11 18:00:01 vm28069 cron[314]: Authentication failure
    Jun 11 18:05:01 vm28069 cron[314]: Authentication failure
    Jun 11 18:10:01 vm28069 cron[314]: Authentication failure

    Any ideas what it means? I have set for my web cron every 5 minutes every hour, 1:05,2:05 etc. I checked the access log and the cron tasks are done with code 200 and work. Cron for isp config works fine too.

    Before the update, this file contained just something like this

    Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/05efi on mounted /dev/vda1
    Jun 8 22:27:02 vm28069 05efi: debug: Not on UEFI platform
    Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/10freedos on mounted /dev/vda1
    Jun 8 22:27:02 vm28069 10freedos: debug: /dev/vda1 is not a FAT partition: exiting
    Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/10qnx on mounted /dev/vda1
    Jun 8 22:27:02 vm28069 10qnx: debug: /dev/vda1 is not a QNX4 partition: exiting
    Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/20macosx on mounted /dev/vda1
    Jun 8 22:27:02 vm28069 macosx-prober: debug: /dev/vda1 is not an HFS+ partition: exiting
    Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/20microsoft on mounted /dev/vda1
    Jun 8 22:27:02 vm28069 20microsoft: debug: /dev/vda1 is not a MS partition: exiting
    Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/30utility on mounted /dev/vda1
    Jun 8 22:27:02 vm28069 30utility: debug: /dev/vda1 is not a FAT partition: exiting
    Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/40lsb on mounted /dev/vda1
    Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/70hurd on mounted /dev/vda1
    Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/80minix on mounted /dev/vda1
    Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/83haiku on mounted /dev/vda1
    Jun 8 22:27:02 vm28069 83haiku: debug: /dev/vda1 is not a BeFS partition: exiting
    Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/90linux-distro on mounted /dev/vda1
    Jun 8 22:27:02 vm28069 os-prober: debug: running /usr/lib/os-probes/mounted/90solaris on mounted /dev/vda1
     
  2. pecka33

    pecka33 Member

    I checked via ps ax and found that ID 314 is for
    314 ? Ss 2:08 /usr/sbin/cron -f
    but I am not sure where the problem is, because it looks like cron works fine.

    When I use crontab –l I get –l: No such file or directory


    for less /etc/crontab
    17 * * * * root cd / && run-parts --report /etc/cron.hourly
    25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
    47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
    52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
     
  3. pecka33

    pecka33 Member

    This is probably cron for isp config, used sudo cat /var/log/syslog | grep cron

    and get lines like

    Jun 12 20:30:01 vm28069 cron[314]: Authentication failure
    Jun 12 20:30:01 vm28069 CRON[8731]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jun 12 20:30:01 vm28069 CRON[8732]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jun 12 20:31:01 vm28069 CRON[8821]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jun 12 20:31:01 vm28069 CRON[8822]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jun 12 20:32:01 vm28069 CRON[8842]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jun 12 20:32:01 vm28069 CRON[8843]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jun 12 20:33:01 vm28069 CRON[8858]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jun 12 20:33:01 vm28069 CRON[8859]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jun 12 20:34:01 vm28069 CRON[8873]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jun 12 20:34:01 vm28069 CRON[8874]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jun 12 20:35:01 vm28069 CRON[8900]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Jun 12 20:35:01 vm28069 cron[314]: Authentication failure
    Jun 12 20:35:02 vm28069 CRON[8901]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
     
  4. pecka33

    pecka33 Member

    I checked it again and maybe there is something with postfix. In ispconfig in the system log tab I can see these lines. Maybe it looks like someone is trying to send emails via a cron task?

    Jun 13 09:29:03 vm28069 postfix/submission/smtpd[7374]: connect from unknown[178.238.8.106]
    Jun 13 09:29:03 vm28069 postfix/submission/smtpd[7374]: disconnect from unknown[178.238.8.106] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
    Jun 13 09:29:26 vm28069 postfix/submission/smtpd[7374]: connect from unknown[178.238.8.106]
    Jun 13 09:29:26 vm28069 postfix/submission/smtpd[7374]: disconnect from unknown[178.238.8.106] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
    Jun 13 09:29:46 vm28069 postfix/submission/smtpd[7374]: connect from unknown[178.238.8.106]
    Jun 13 09:29:47 vm28069 postfix/submission/smtpd[7374]: disconnect from unknown[178.238.8.106] ehlo=1 auth=0/1 rset=0/1 quit=1 commands=2/4
    Jun 13 09:30:01 vm28069 cron[314]: Authentication failure
    Jun 13 09:30:01 vm28069 CRON[7640]: Authentication failure
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You have cron job starting every five minutes. Find out which job that is, and look what it does. Something in that job causes the authentication failure.
    Is the exact same line in both user.log and syslog?
     
  6. Steini86

    Steini86 Active Member

    Happens for example, when the password of the user expired (can also happen for root). Can you login with root account?
    Also happens, if a cron job exists for a user which does no longer exist or the user is locked.
    Is there any uncommented line in /etc/security/access.conf ?
    What is the output of "ls -al /var/spool/cron/crontabs" Any non-existing users?

    That's unrelated, has nothing to do with cron. Just a "normal" mail spam attempt.
     
  7. pecka33

    pecka33 Member

    Thank you. Via my site I have not set any crons, only the every-hour one I wrote, and this executes fine. I cannot find any other active crons, only for ispconfig - I have a VPS preinstalled with ispconfig from my hosting provider.

    Via crontab -l there is just the ispconfig cron
    * * * * * /usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
    * * * * * /usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done

    Yes, I can log in as root

    I checked the file /etc/security/access.conf and all lines were commented.

    Output of command ls -al /var/spool/cron/crontabs is

    total 16
    drwx-wx--T 2 root crontab 4096 Jun 13 08:55 .
    drwxr-xr-x 5 root root 4096 May 7 2015 ..
    -rw------- 1 getmail crontab 253 Apr 3 16:40 getmail
    -rw------- 1 root crontab 457 Apr 3 16:40 root
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    My guess is the getmail cronjob makes the authentication failure. Look what is in that file, and the script file it maybe starts.
    Code:
    cat /var/spool/cron/crontabs/getmail
     
  9. pecka33

    pecka33 Member

    Thank you. Yes, you are right. I checked this file and there are these lines
    # DO NOT EDIT THIS FILE - edit the master and reinstall.
    # (crontab.txt installed on Fri Apr 3 16:40:57 2020)
    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    */5 * * * * /usr/local/bin/run-getmail.sh > /dev/null 2>> /dev/null

    Here is the 5 minutes cron.

    The file run-getmail.sh contains

    #!/bin/bash
    PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin
    set -e
    cd /etc/getmail
    rcfiles=""
    for file in *.conf ; do
        if [ $file != "*.conf" ]; then
            rcfiles="$rcfiles -r $file"
        fi
    done
    #echo $rcfiles
    if [ -f /tmp/.getmail_lock ]; then
        echo 'Found getmail lock file /tmp/.getmail_lock, we quit here.'
    else
        touch /tmp/.getmail_lock
        if [ "$rcfiles" != "" ]; then
            /usr/bin/getmail -v -g /etc/getmail $rcfiles || true
        fi
        rm -f /tmp/.getmail_lock
    fi
     
  10. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Still guessing here, but I say one of the accounts you have configured for getmail has wrong username or password or some such. You can look in the files,
    Code:
    ls -lh /etc/getmail/ 
    or check what you have set up in ISPConfig panel, Mail tab and Fetchmail item.
     
  11. pecka33

    pecka33 Member

    Thank you. I tried it all and checked the configuration. In any case /etc/getmail/ is empty. I found that this directory has 0700, try to set to 0755
     
  12. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    It should be rwx for owner, nothing for others. Owner is getmail and group owner root.
    Don't go changing system files permissions and owners when you are not sure they must be changed.
     
  13. Steini86

    Steini86 Active Member

    Does the manual execution of that command work?
    Code:
    sudo -u getmail /usr/local/bin/run-getmail.sh
    If not, can you login with getmail user?
    Code:
    su getmail
     
  14. pecka33

    pecka33 Member

    When I use the first command I cannot see any errors, with the second
    su: Authentication failure
     
  15. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    After su getmail it should ask for password. Does it do that?
    If you do it as root user, that is login as root then do su getmail it should directly switch user to getmail without asking for passwords. Does it work like this? If not, the getmail account is somehow unable to log in, so examine that.
     
  16. Steini86

    Steini86 Active Member

    This looks like the getmail user is not allowed to log in. This can have several reasons, maybe the account is locked. (Have you done any changes lately?)
    See if account is locked with
    Code:
    passwd --status getmail
    See if account is expired with
    Code:
    chage -l getmail
    See if user has no valid shell with
    Code:
    grep ^getmail /etc/passwd
     
  17. pecka33

    pecka33 Member

    Thank you. No changes. This is probably not a big problem, but I would like to find the reason why this happened; it is not a priority, everything is working fine.

    When I use the first I get

    Code:
    root@xxxx:~# passwd --status getmail
    getmail P
    
    second
    root@xx:~# chage -l getmail
    Last password change                                    : never
    Password expires                                        : never
    Password inactive                                       : never
    Account expires                                         : never
    Minimum number of days between password change          : -1
    Maximum number of days between password change          : -1
    Number of days of warning before password expires       : -1
    
    and last
    
    root@xxx:~# grep ^getmail /etc/passwd
    getmail:x:5001:5001::/etc/getmail:/bin/sh
     
  18. Steini86

    Steini86 Active Member

    Yes, since you do not use getmail, there is no problem with it not working. Finding out the reason would be good ;)
    However, I don't know how to help you further. Something is messed up. Did you change anything in /etc/security?
    You could try "strace su getmail" and see if something obvious comes up. But this output is not easy to interpret.
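
The account checks suggested in this thread (crontab owner without an account, locked password, expiry, login shell), applied to every crontab owner in one pass. This is an added example, not code from any poster or from ISPConfig; the function name, the finding labels and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample account data below is constructed.

# audit_cron_owners PASSWD SHADOW TODAY OWNER...
#   PASSWD and SHADOW are files in passwd(5) / shadow(5) format, TODAY is the
#   date in days since 1970-01-01 (the unit shadow(5) uses). Prints one line
#   per crontab owner: "<owner>: ok" or "<owner>: <finding> ...".
audit_cron_owners() {
    passwd_file=$1 shadow_file=$2 today=$3
    shift 3
    for owner in "$@"; do
        pw=$(awk -F: -v u="$owner" '$1 == u { print; exit }' "$passwd_file")
        if [ -z "$pw" ]; then
            echo "$owner: no-such-user"   # crontab left behind by a deleted account
            continue
        fi
        awk -F: -v u="$owner" -v today="$today" -v shell="${pw##*:}" '
            BEGIN { if (shell ~ /(nologin|false)$/) f = " no-login-shell" }
            $1 == u {
                if ($2 ~ /^[!*]/) f = f " password-locked"   # "L" in passwd --status
                if ($8 != "" && today + 0 >= $8 + 0) f = f " account-expired"
                if ($3 != "" && $5 != "" && today + 0 > $3 + $5) f = f " password-expired"
            }
            END { print u ":" (f == "" ? " ok" : f) }' "$shadow_file"
    done
}

# Constructed sample data: three accounts, plus one crontab owner without one.
sample_dir=$(mktemp -d)
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
svc_locked:x:5001:5001::/srv/locked:/bin/sh
svc_expired:x:5002:5002::/srv/expired:/usr/sbin/nologin
EOF
cat > "$sample_dir/shadow" <<'EOF'
root:$6$constructed$hash:18000:0:99999:7:::
svc_locked:!:18000:0:99999:7:::
svc_expired:$6$constructed$hash:18000:0:90:7::18300:
EOF

# 18425 is 2020-06-12; the owner list stands in for the file names
# found under /var/spool/cron/crontabs.
audit_cron_owners "$sample_dir/passwd" "$sample_dir/shadow" 18425 \
    root svc_locked svc_expired ghost
```

On a live host, run it as root against /etc/passwd and /etc/shadow, with `$(( $(date +%s) / 86400 ))` as the day number and the file names from /var/spool/cron/crontabs as the owner list.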
     
