Spam filter set up -> server not reachable via SSH, qmail service disrupted

forquato

New Member
Hello,


I used the following guide to set up the spam and virus filter:
Ubuntu 6.06 LTS + Plesk + virus & spam protection + greylist on Strato V-Server

My system:
Ubuntu 6.06 LTS
Plesk 8.4

Everything works wonderfully, but after some time the following serious errors occur:

- my server is no longer reachable via SSH
with the following error message:
Code:
ssh_exchange_identification: Connection closed by remote host

- The email service stops working, i.e. I can no longer retrieve my mail via IMAP.

Which log files should I look at to find the error?
Which log files are important?

Thanks for the help!


Regards,

forquato
 
Log file auth.log

I was able to restart my server with the help of Strato's recovery manager.
auth.log has the following lines.... Could it be that my server was hacked?

check pass; user unknown
Aug 29 15:29:18 h1349201 sshd[7955]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=h-72-244-168-13.lsanca54.covad.net
Aug 29 15:29:21 h1349201 sshd[7955]: Failed password for invalid user gameserver from 72.244.168.13 port 55662 ssh2
Aug 29 15:29:22 h1349201 sshd[7961]: Invalid user gameserver from 72.244.168.13
Aug 29 15:29:22 h1349201 sshd[7961]: (pam_unix) check pass; user unknown
Aug 29 15:29:22 h1349201 sshd[7961]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=h-72-244-168-13.lsanca54.covad.net
Aug 29 15:29:24 h1349201 sshd[7961]: Failed password for invalid user gameserver from 72.244.168.13 port 55950 ssh2
Aug 29 15:29:26 h1349201 sshd[7968]: Invalid user vmail from 72.244.168.13
Aug 29 15:29:26 h1349201 sshd[7968]: (pam_unix) check pass; user unknown
Aug 29 15:29:26 h1349201 sshd[7968]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=h-72-244-168-13.lsanca54.covad.net
Aug 29 15:29:28 h1349201 sshd[7968]: Failed password for invalid user vmail from 72.244.168.13 port 56224 ssh2
Aug 29 15:30:01 h1349201 CRON[8036]: (pam_unix) session opened for user root by (uid=0)
Aug 29 15:30:02 h1349201 CRON[8035]: (pam_unix) session opened for user www-data by (uid=0)
Aug 29 15:30:02 h1349201 CRON[8036]: (pam_unix) session closed for user root
Aug 29 15:30:02 h1349201 CRON[8035]: (pam_unix) session closed for user www-data
Aug 29 15:33:01 h1349201 CRON[9525]: (pam_unix) session opened for user root by (uid=0)
Aug 29 15:33:01 h1349201 CRON[9525]: (pam_unix) session closed for user root
Aug 29 15:39:01 h1349201 CRON[11500]: (pam_unix) session opened for user root by (uid=0)
Aug 29 15:39:01 h1349201 CRON[11501]: (pam_unix) session opened for user root by (uid=0)
Aug 29 15:39:01 h1349201 CRON[11500]: (pam_unix) session closed for user root
Aug 29 15:39:01 h1349201 CRON[11501]: (pam_unix) session closed for user root
Aug 29 15:40:01 h1349201 CRON[11647]: (pam_unix) session opened for user www-data by (uid=0)
Aug 29 15:40:01 h1349201 CRON[11647]: (pam_unix) session closed for user www-data
Aug 29 15:45:01 h1349201 CRON[13504]: (pam_unix) session opened for user root by (uid=0)
Aug 29 15:45:01 h1349201 CRON[13504]: (pam_unix) session closed for user root
Aug 29 15:50:01 h1349201 CRON[14178]: (pam_unix) session opened for user www-data by (uid=0)
Aug 29 15:50:01 h1349201 CRON[14178]: (pam_unix) session closed for user www-data
Aug 29 16:00:01 h1349201 CRON[17700]: (pam_unix) session opened for user www-data by (uid=0)
Aug 29 16:00:01 h1349201 CRON[17701]: (pam_unix) session opened for user root by (uid=0)
Aug 29 16:00:01 h1349201 CRON[17700]: (pam_unix) session closed for user www-data
Aug 29 16:00:01 h1349201 CRON[17701]: (pam_unix) session closed for user root
Aug 29 16:09:01 h1349201 CRON[20238]: (pam_unix) session opened for user root by (uid=0)
Aug 29 16:09:01 h1349201 CRON[20239]: (pam_unix) session opened for user root by (uid=0)
Aug 29 16:09:02 h1349201 CRON[20239]: (pam_unix) session closed for user root
Aug 29 16:09:02 h1349201 CRON[20238]: (pam_unix) session closed for user root
Aug 29 16:10:01 h1349201 CRON[20315]: (pam_unix) session opened for user www-data by (uid=0)
Aug 29 16:10:01 h1349201 CRON[20315]: (pam_unix) session closed for user www-data
Aug 29 16:15:01 h1349201 CRON[22022]: (pam_unix) session opened for user root by (uid=0)
Aug 29 16:15:01 h1349201 CRON[22022]: (pam_unix) session closed for user root
Aug 29 16:20:01 h1349201 CRON[23704]: (pam_unix) session opened for user www-data by (uid=0)
Aug 29 16:20:01 h1349201 CRON[23704]: (pam_unix) session closed for user www-data
Aug 29 16:23:03 h1349201 sshd[24146]: Did not receive identification string from 74.86.5.122
Aug 29 16:30:01 h1349201 CRON[26156]: (pam_unix) session opened for user root by (uid=0)
Aug 29 16:30:01 h1349201 CRON[26155]: (pam_unix) session opened for user www-data by (uid=0)
Aug 29 16:30:01 h1349201 CRON[26155]: (pam_unix) session closed for user www-data
Aug 29 16:30:01 h1349201 CRON[26156]: (pam_unix) session closed for user root
Aug 29 16:33:01 h1349201 CRON[26478]: (pam_unix) session opened for user root by (uid=0)
Aug 29 16:33:01 h1349201 CRON[26478]: (pam_unix) session closed for user root
Aug 29 16:39:01 h1349201 CRON[28385]: (pam_unix) session opened for user root by (uid=0)
Aug 29 16:39:01 h1349201 CRON[28387]: (pam_unix) session opened for user root by (uid=0)
Aug 29 16:39:01 h1349201 CRON[28387]: (pam_unix) session closed for user root
Aug 29 16:39:01 h1349201 CRON[28385]: (pam_unix) session closed for user root
Aug 29 16:40:01 h1349201 CRON[28514]: (pam_unix) session opened for user www-data by (uid=0)
Aug 29 16:40:01 h1349201 CRON[28514]: (pam_unix) session closed for user www-data
Aug 29 16:45:01 h1349201 CRON[30133]: (pam_unix) session opened for user root by (uid=0)
Aug 29 16:45:01 h1349201 CRON[30133]: (pam_unix) session closed for user root
Aug 29 16:50:01 h1349201 CRON[31963]: (pam_unix) session opened for user www-data by (uid=0)
Aug 29 16:50:01 h1349201 CRON[31963]: (pam_unix) session closed for user www-data
Aug 29 17:45:26 h1349201 su[15957]: + ??? root:clamav
Aug 29 17:45:26 h1349201 su[15957]: (pam_unix) session opened for user clamav by (uid=0)
Aug 29 17:45:26 h1349201 su[15957]: (pam_unix) session closed for user clamav
Aug 29 17:45:28 h1349201 su[16065]: + ??? root:clamav
Aug 29 17:45:28 h1349201 su[16065]: (pam_unix) session opened for user clamav by (uid=0)
Aug 29 17:45:28 h1349201 su[16065]: (pam_unix) session closed for user clamav
Aug 29 17:45:56 h1349201 sshd[17704]: Server listening on 0.0.0.0 port 22.
Aug 29 17:46:09 h1349201 sshd[17827]: Accepted password for root from 85.180.64.67 port 49916 ssh2
Aug 29 17:46:09 h1349201 sshd[17831]: (pam_unix) session opened for user root by root(uid=0)
Aug 29 17:50:01 h1349201 CRON[18164]: (pam_unix) session opened for user www-data by (uid=0)
Aug 29 17:50:01 h1349201 CRON[18164]: (pam_unix) session closed for user www-data
 
Could it be that my server was hacked?
A lot is possible. But the log excerpt does not allow any concrete conclusions about that.

If you have a V-Server, I would say that you simply ran out of memory, and you should look in /proc/user_beancounters at the failcount for the individual resources.
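As an added example (not part of the original posts), this is one way to triage an auth.log like the one above: count failed SSH password attempts per source address and list accepted logins, flagging any accepted login from an address that also produced failures. The sample lines are constructed in the same sshd format with documentation IP addresses; the function name `triage` is hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the sshd/CRON format shown in the post (documentation IPs).
SAMPLE = """\
Aug 29 15:29:21 host sshd[7955]: Failed password for invalid user gameserver from 192.0.2.13 port 55662 ssh2
Aug 29 15:29:24 host sshd[7961]: Failed password for invalid user gameserver from 192.0.2.13 port 55950 ssh2
Aug 29 15:29:28 host sshd[7968]: Failed password for invalid user vmail from 192.0.2.13 port 56224 ssh2
Aug 29 15:30:01 host CRON[8036]: (pam_unix) session opened for user root by (uid=0)
Aug 29 16:23:03 host sshd[24146]: Did not receive identification string from 198.51.100.122
Aug 29 17:46:09 host sshd[17827]: Accepted password for root from 203.0.113.67 port 49916 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def triage(text):
    """Return (failures per source IP, accepted logins, accepted logins worth a closer look)."""
    failed = Counter()
    accepted = []  # (user, source IP, auth method)
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m.group(2), m.group(3), m.group(1)))
    # An accepted login from an address that also has failures anywhere in this
    # log is the pattern that would suggest a guessed password.
    suspicious = [a for a in accepted if failed[a[1]] > 0]
    return failed, accepted, suspicious


if __name__ == "__main__":
    failed, accepted, suspicious = triage(SAMPLE)
    print("failed attempts per source:", dict(failed))
    print("accepted logins:", accepted)
    print("accepted after failures from same source:", suspicious)
```

Failed attempts for invalid users followed by no accepted login from that source, as in this sample, are what password-guessing noise looks like; an entry in the third list is what would warrant further investigation.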
 
In my opinion it also points more to a memory shortage :-(

The Plesk admin interface then shows, e.g.:

ERROR: PleskFatalException
Unable to create ComponentsChecker object: Unable to exec utility listmng: Empty error message from utility.

0: /opt/psa/admin/plib/common_func.php3:154
psaerror(string 'Unable to create ComponentsChecker object: Unable to exec utility listmng: Empty error message from utility.')
1: /opt/psa/admin/plib/class.ComponentsChecker.php:37
ComponentsCheckerMaker()
2: /opt/psa/admin/plib/ui/server.autoinstaller.php:29
plesk__server__autoinstaller->validateItem(object of type UserAdmin)
3: /opt/psa/admin/plib/UIPointer.php:969
UIPointer->validate()
4: /opt/psa/admin/plib/elements.php3:158
get_button_params_by_uip(object of type plesk__server__autoinstaller, NULL null, NULL null, string '', array, boolean false, integer '1')
5: /opt/psa/admin/plib/elements.php3:187
uipointer_button(object of type plesk__server__autoinstaller)
6: /opt/psa/admin/plib/class.ServerForm.php:123
ServerForm->assign(object of type ComponentsChecker)
7: /opt/psa/admin/htdocs/server/server.php3:115

As I said, these problems only arose after setting up a spam and virus filter...


In /var/log/syslog one can read the following:


Code:
Aug 30 17:50:01 h1349201 CRON[3645]: PAM [dlerror: /lib/security/pam_permit.so: failed to map segment from shared object: Cannot allocate mem$
Aug 30 17:50:01 h1349201 CRON[3645]: PAM adding faulty module: /lib/security/pam_permit.so
Aug 30 17:50:01 h1349201 CRON[3645]: PAM unable to dlopen(/lib/security/pam_env.so)
Aug 30 17:50:01 h1349201 CRON[3645]: PAM [dlerror: /lib/security/pam_env.so: failed to map segment from shared object: Cannot allocate memory]
Aug 30 17:50:01 h1349201 CRON[3645]: PAM adding faulty module: /lib/security/pam_env.so
Aug 30 17:50:01 h1349201 CRON[3645]: PAM unable to dlopen(/lib/security/pam_foreground.so)
Aug 30 17:50:01 h1349201 CRON[3645]: PAM [dlerror: /lib/security/pam_foreground.so: failed to map segment from shared object: Cannot allocate$
Aug 30 17:50:01 h1349201 CRON[3645]: PAM adding faulty module: /lib/security/pam_foreground.so
Aug 30 17:50:01 h1349201 CRON[3645]: PAM unable to dlopen(/lib/security/pam_limits.so)
Aug 30 17:50:01 h1349201 CRON[3645]: PAM [dlerror: /lib/security/pam_limits.so: failed to map segment from shared object: Cannot allocate mem$
Aug 30 17:50:01 h1349201 CRON[3645]: PAM adding faulty module: /lib/security/pam_limits.so
Aug 30 17:50:01 h1349201 CRON[3645]: Module is unknown
Aug 30 18:00:01 h1349201 CRON[6028]: PAM unable to dlopen(/lib/security/pam_plesk.so)
Aug 30 18:00:01 h1349201 CRON[6028]: PAM [dlerror: libmysqlclient.so.14: failed to map segment from shared object: Cannot allocate memory]
Aug 30 18:00:01 h1349201 CRON[6028]: PAM adding faulty module: /lib/security/pam_plesk.so
Aug 30 18:00:01 h1349201 CRON[6030]: PAM unable to dlopen(/lib/security/pam_plesk.so)
Aug 30 18:00:01 h1349201 CRON[6030]: PAM [dlerror: libmysqlclient.so.14: failed to map segment from shared object: Cannot allocate memory]
Aug 30 18:00:01 h1349201 CRON[6030]: PAM adding faulty module: /lib/security/pam_plesk.so



cat /proc/user_beancounters shows the following after a fresh reboot:

Code:
Version: 2.5
       uid  resource           held    maxheld    barrier      limit    failcnt
   1349201: kmemsize        4675431    4675431    8512433    9823665          0
            lockedpages           0          0       3800       4096          0
            privvmpages       98916      99001     138256     202568          0
            shmpages           6019       6019     131072     131072          0
            dummy                 0          0          0          0          0
            numproc              55         55        232        232          0
            physpages         41448      41448          0 2147483647          0
            vmguarpages           0          0      66400 2147483647          0
            oomguarpages      41448      41448      66400 2147483647          0
            numtcpsock           20         20        500        500          0
            numflock              9          9        200        232          0
            numpty                1          1         64         64          0
            numsiginfo            0          1        512        512          0
            tcpsndbuf        178880     178880    4683256    6102456          0
            tcprcvbuf        327680     327680    4683256    6102456          0
            othersockbuf      26388      26388    1503232    4063232          0
            dgramrcvbuf           0          0     240000     262144          0
            numothersock         22         22        382        382          0
            dcachesize            0          0    2194304    2317184          0
            numfile            1883       1883       5432       5432          0
            dummy                 0          0          0          0          0
            dummy                 0          0          0          0          0
            dummy                 0          0          0          0          0
            numiptent            14         14        128        128          0
 
Last edited by a moderator:
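As an added example (not part of the original posts), the check suggested earlier in the thread can be scripted: parse /proc/user_beancounters, report every resource with a non-zero failcnt, and also report resources whose maxheld is close to the barrier. The sample is a subset of the output posted above; the 70% threshold and the function names are assumptions chosen for illustration.

```python
UNLIMITED = 2147483647  # value the posted output shows for unbounded barriers/limits

# Subset of the /proc/user_beancounters output posted above.
SAMPLE = """\
Version: 2.5
       uid  resource           held    maxheld    barrier      limit    failcnt
   1349201: kmemsize        4675431    4675431    8512433    9823665          0
            privvmpages       98916      99001     138256     202568          0
            numproc              55         55        232        232          0
            physpages         41448      41448          0 2147483647          0
            oomguarpages      41448      41448      66400 2147483647          0
            numfile            1883       1883       5432       5432          0
"""


def parse(text):
    """Map resource name -> dict of the five numeric columns."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].endswith(":"):  # drop the "uid:" prefix (and "Version:")
            parts = parts[1:]
        if len(parts) != 6 or not parts[1].isdigit():
            continue  # version line, column header, or anything unexpected
        held, maxheld, barrier, limit, failcnt = map(int, parts[1:])
        rows[parts[0]] = {"held": held, "maxheld": maxheld, "barrier": barrier,
                          "limit": limit, "failcnt": failcnt}
    return rows


def findings(rows, ratio=0.7):
    """Return (resource, reason) pairs; ratio is an assumed warning threshold."""
    out = []
    for name, r in rows.items():
        if r["failcnt"] > 0:
            out.append((name, "failcnt=%d: allocations were refused" % r["failcnt"]))
        elif 0 < r["barrier"] < UNLIMITED and r["maxheld"] >= ratio * r["barrier"]:
            pct = 100 * r["maxheld"] // r["barrier"]
            out.append((name, "maxheld at %d%% of barrier" % pct))
    return out


if __name__ == "__main__":
    for name, reason in findings(parse(SAMPLE)):
        print(name, "-", reason)
```

The failcnt column is cumulative since the container was started, so the check is most informative when run while the SSH and mail failures are occurring rather than right after a reboot.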
Solution?

Hi - has a solution to this problem been found in the meantime? I have exactly the same problem.

Regards from
Ennu
 