Tackling Logwatch Results

Tackling Logwatch Results

Server stuff….otherwise knows as server admin tasks….can take a lot of time. And for those of us who wear many hats, managing our web server is just one of the many things we have to do. So let’s take a look at our logs.

I was noticing strange entries in logwatch, so I decided to tackle a few. I’ve put the results below in hopes that they can save someone else a bit of time.

logwatch error:

——————— Automount Begin ————————
**Unmatched Entries**
lookup_read_master: lookup(nisplus): couldn’t locate nis+ table auto.master: 1 Time(s)

– edit /etc/auto.master
– comment out +auto.master 

logwatch error:

——————— Named Begin ————————
**Unmatched Entries**
client query (cache) ‘ns1.themotiongroup.tv/AAAA/IN’ denied: 10 Time(s)
client query (cache) ‘ns2.themotiongroup.tv/AAAA/IN’ denied: 10 Time(s)
client query (cache) ‘ns1.themotiongroup.tv/AAAA/IN’ denied: 9 Time(s)
…and a ton more of these

– edit /etc/resolv.conf
– add Google’s nameservers at the top of your file:

logwatch error:

——————— Named Begin ————————
network unreachable resolving ‘’: 2001:13c7:7002:3000::11#53: 1 Time(s)
network unreachable resolving ‘’: 2001:43f8:110::10#53: 1 Time(s)
network unreachable resolving ‘’: 2001:500:13::c7d4:35#53: 1 Time(s)
… and tons more

– edit /etc/sysconfig/named
– add the following:

This will cause the BIND server to only resolve or use IPV4 and disable IPV6 support. Save the file and restart BIND server.

logwatch error:

——————— pam_unix Begin ————————
Authentication Failures:
   root ( 440 Time(s)
   …and many more 

Getting lot’s of authentication errors? Most likely people who have too much time on their hands and want to hack your server.

Here’s a couple of things I did:
disable root user login

1. Add a new user. The following example, I added the user admin. I’d pick something more unique, as it will help prevent illegal logins. No…I’m not telling you what name I used 😉

[root@root ~]# adduser admin
[root@root ~]# id admin
uid=10018(admin) gid=10018(admin) groups=10018(admin)
[root@root ~]# ls -lad /home/admin/
drwx—— 2 admin admin 4096 Jun 25 16:01 /home/admin/

2. Set the password for the admin user. When prompted, type and then retype the password.
[root@root ~]# passwd admin
Changing password for user admin.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@root ~]#

3. SSH to the server with the new admin user and ensure that the login works. Want to make sure you can still login before we disallow the root user.
[root@root ~]#ssh admin@my.ip.or.hostname
admin@my.ip.or.hostname’s password:
[admin@admin ~]$

4. Verify that you can su (switch user) to root with the admin user.
[admin@admin ~]$ su –
[root@root ~]$ whoami

5. Edit /etc/ssh/sshd_config with your favorite text editor. On a Mac? simply login to your server using Transmit. (be sure to use the new username and not root.)
[root@root ~]# vi /etc/ssh/sshd_config
Change this line:
#PermitRootLogin yes
to this:
PermitRootLogin no

6. Ensure that you are logged into the box with another shell before restarting sshd to avoid locking yourself out of the server.
[root@root ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@root ~]#

7. Trying logging in again as root user. If it doesn’t work…you’ve succeeded.

From now on, connect to your server via ssh with the admin (or the creative name you came up with) user and then use the command su to switch to the root user.

helpful tip: If you’re using a Mac, create an AppleScript that you store in the User Script Folder that logs you in as the ssh user, and then switches you to the root user. In fact, I have written AppleScripts for most Linux command lines that I use on a regular basis. Login. Restart Apache. Restart Plesk…and many more. A great time saver!

Leave a Reply