hi together,

today i found some interesting entries in my warn-log:

Sep 24 14:51:20 host sendmail[13594]: OAA13594: forward /bin/false/.forward.host: Not a directory
Sep 24 14:51:20 host sendmail[13594]: OAA13594: forward /bin/false/.forward: Not a directory
Sep 24 14:51:20 host sendmail[13596]: OAA13594: forward /bin/false/.forward.host: Not a directory
Sep 24 14:51:20 host sendmail[13596]: OAA13594: forward /bin/false/.forward: Not a directory
Sep 24 16:14:04 host sendmail[14191]: QAA14190: forward /bin/false/.forward.host: Not a directory
Sep 24 16:14:04 host sendmail[14191]: QAA14190: forward /bin/false/.forward: Not a directory
Sep 24 16:40:51 host (squid)[353]: WARNING: DNSSERVER #3 (FD 8) exited
Sep 21 16:40:51 host popper[14309]: warning: can't get client address: Connection reset by peer
Sep 24 16:40:52 host popper[14336]: warning: can't get client address: Connection reset by peer
Sep 24 17:07:50 host sendmail[14525]: RAA14524: forward /bin/false/.forward.host: Not a directory
Sep 24 17:07:50 host sendmail[14525]: RAA14524: forward /bin/false/.forward: Not a directory

any normal user connecting to the system (intern/extern) can't use a valid shell (just /bin/false). what's going on? some kind of attack? i think i am a little bit paranoid since i am reading this mailing list...:-)

thanks and bye,
daniel

Hi Daniel,
> Sep 24 14:51:20 host sendmail[13594]: OAA13594: forward /bin/false/.forward.host: Not a directory
These are most likely a result of /bin/false used as the home directory of the user. This is an error: The user home directory must exist, must be a directory, must be owned by the user and must be readable and writeable for the user it belongs to. Sendmail checks for the existence of .forward files in the recipient's home directory. If the entry in /etc/passwd isn't a directory, you get these errors. If the user does not log on (or is not supposed to be able to do so in the first place), then give him a root-owned read-only directory. This suits the first two conditions and should be enough for mail delivery.
> Sep 24 16:40:52 host popper[14336]: warning: can't get client address: Connection reset by peer
This seems to be a half-open connection that died before it was fully established. It happens with some sorts of port scans, but occurs with other error conditions as well.
> any normal user connecting to the system (intern/extern) can't use a valid shell (just /bin/false). what's going on? some kind of attack? i think i am a little bit paranoid since i am reading this mailing list...:-)
> thanks and bye,
You're not paranoid unless you're absolutely sure they already got you! :-)
> daniel
Roman.
--
Roman Drahtmüller
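
Added example, not part of the original thread: a Python sketch that audits passwd entries for the home-directory conditions named in the reply above (exists, is a directory, owned by the user or by root). The function name and the sample entry are constructed for illustration.

```python
import os
import stat

def audit_home_dirs(passwd_text):
    """Return (user, home, problem) for each passwd entry whose home field
    fails the checks from the reply: exists, is a directory, owned by the
    user (or by root, for the read-only no-login case)."""
    findings = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((fields[0], "", "malformed passwd entry"))
            continue
        user, uid, home = fields[0], int(fields[2]), fields[5]
        try:
            st = os.stat(home)
        except FileNotFoundError:
            findings.append((user, home, "does not exist"))
            continue
        except OSError as exc:
            findings.append((user, home, "cannot stat: %s" % exc))
            continue
        if not stat.S_ISDIR(st.st_mode):
            # The case in the thread: the home field points at a file such as
            # /bin/false, so <home>/.forward fails with "Not a directory".
            findings.append((user, home, "not a directory"))
        elif st.st_uid not in (uid, 0):
            findings.append((user, home, "owned by uid %d" % st.st_uid))
    return findings

# Constructed sample entry reproducing the misconfiguration in the thread.
SAMPLE_PASSWD = "mailuser:x:1000:100:constructed sample:/bin/false:/bin/false\n"

if __name__ == "__main__":
    for user, home, problem in audit_home_dirs(SAMPLE_PASSWD):
        print("%s: home %r %s" % (user, home, problem))
```

To audit a live system, pass the contents of /etc/passwd to `audit_home_dirs` instead of the sample string.
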
Ever thought about another mail system? I prefer qmail with vmailmgr and fastforward, which has no need for home directories or even user accounts to act as a pop-toaster.

Greetings,
Stefan
Participants (3): Daniel Quappe, Roman Drahtmueller, Stefan Nauber