FreeNAS e-mailed me about a 1 year old security event last night

Status
Not open for further replies.
E

errmatt

Dabbler
Joined
Jun 3, 2014
Messages
16
Code:
Dec 18 21:30:49 sterling sshd[14528]: Invalid user matt from 192.168.83.57
Dec 18 21:30:49 sterling sshd[14528]: input_userauth_request: invalid user matt [preauth]


I had a mini heart palpatation this morning thinking I had a compromised system trying to ssh to my FreeNAS box last night while I was definitely outside shoveling snow. After some careful inspection of /var/log/auth.log I found that this event was actually Dec. 18th 2014. Of course, as you can see in the above paste of the notification e-mail, the year of the event is not included in /var/log/auth.log. I was confused at first until I looked at the beginning of the auth.log file and found the exact event, from what appears to be one year ago. I say this because there are other events in the months in between listed.

Is this a bug or do I not have some kind of log rotation setting turned up high enough to discard logs from over a year ago? Thoughts?
 
D

dlavigne

Guest
What's your build (from System -> Information)? There was a bug a month or so back but it was fixed with one of the recent software updates.
 
E

errmatt

Dabbler
Joined
Jun 3, 2014
Messages
16
This bug: https://bugs.freenas.org/issues/11760

Also this one, which appears to be closed and fixed: https://bugs.freenas.org/issues/8532

Here's the relevant line in newsyslog.conf

Code:
/var/log/auth.log                       600  7     100  @0101T JC


I might update to the latest build later this evening, to see if auth.log gets rotated or there is a change to the newsyslog.conf file. I can't wrap my head around the @0101T for "when" right at this moment even though I spent about 5 minutes reading and re-reading the man page for newsyslog.conf. Maybe later after I have more coffee or something.
 
D

dlavigne

Guest
Code:
/var/log/auth.log                       600  7     100  @0101T JC


Hmm, so it's patched. Weird that a patch from 8 months ago would still result in a message from a year ago. Yes, I think more coffee is in order....
 
Status
Not open for further replies.

Important Announcement for the TrueNAS Community.

The TrueNAS Community has now been moved. This forum will now become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums.

Related topics on forums.truenas.com for thread: "FreeNAS e-mailed me about a 1 year old security event last night"

Similar threads

Avro
  • Locked
False 'security run output' emails?
Replies
4
Views
2K
Avro
Avro
B
  • Locked
Is someone trying to hack into my FreeNAS???
2 3
Replies
48
Views
15K
joeschmuck
joeschmuck
D
  • Locked
freenas.local daily security run output - login failures
Replies
10
Views
7K
Chris Moore
Chris Moore
L
  • Locked
FreeNAS-8.3.1 Fatal Trap 12 Random
Replies
1
Views
2K
lobhead
L
G
  • Locked
Problems with Eaton E series UPS
Replies
19
Views
11K
vbaForFun
V
Top