Sorry, never ticked the box for an email on notify...
Faris, I do note these throughout the day in general patterns, but the size of the server doesn't warrant the amount of connections.
The connections are coming in during the night, in very quick succession - to me, it looks automated, and there are thousands of them.
My /var/log/secure is full of these, just about each night - last night from 4:50am to 5:40am.
I do believe something is causing them.
Something perhaps ASL could look at and block?
The problem is, there are no IP addresses listed in the logs:
Excerpt:
Sep 16 05:38:31 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:31 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:33 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:33 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:34 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:34 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:36 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:36 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:37 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:37 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:38 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:39 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:40 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:40 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:41 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:41 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:43 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:43 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:44 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:44 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:45 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:45 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:47 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:47 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:49 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:49 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:50 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:51 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:52 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:52 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:53 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:53 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:55 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:55 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:56 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:56 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:58 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:58 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:59 server su: pam_unix(su-l:session): session closed for user popuser
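
An added example, not part of the original post: a Python sketch that groups `su` session-open lines like those in the excerpt by target user and invoking uid and measures how regularly they arrive, which is the evidence needed to match the burst against a scheduled local job. The function name `summarize_su_sessions`, the `year` parameter and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the same format as the excerpt above.
SAMPLE = """\
Sep 16 05:38:31 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:33 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:33 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:34 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:34 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
Sep 16 05:38:36 server su: pam_unix(su-l:session): session closed for user popuser
Sep 16 05:38:36 server su: pam_unix(su-l:session): session opened for user popuser by (uid=0)
"""

OPEN_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su(?:\[\d+\])?: pam_unix\((su(?:-l)?):session\): "
    r"session opened for user (\S+) by (\S*)\(uid=(\d+)\)"
)

def summarize_su_sessions(text, year=2000):
    """Group 'session opened' su events by (target user, invoking uid).

    syslog timestamps carry no year, so `year` is an assumption used only
    to compute the gaps between consecutive events.
    """
    events = defaultdict(list)
    for line in text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[(m.group(3), int(m.group(5)))].append(ts)
    report = {}
    for key, stamps in events.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[key] = {
            "opens": len(stamps),
            "first": stamps[0].strftime("%H:%M:%S"),
            "last": stamps[-1].strftime("%H:%M:%S"),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return report

if __name__ == "__main__":
    for (user, uid), stats in summarize_su_sessions(SAMPLE).items():
        print(user, "invoked by uid", uid, stats)
```

Run against the full `/var/log/secure`, the first/last times and the median gap give a window to compare with cron and other scheduled tasks on the host.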