07-18-2010 03:34 PM - edited 03-15-2019 11:47 PM
Hi guys,
I wonder if any of you experts have come across this error before?
I have a customer that is getting this alarm 3 times a day on all three Call Managers in the 3-node cluster at exactly the same time, running CM V7.0.
SyslogSeverityMatchFound events generated: SeverityMatch - Alert sshd(pam_unix)[6836]: check pass; user unknown
I have seen this discussed in the past but with a different code (6836). But basically saying somebody is logging in with the wrong SSH id/pswd. The issue is it is on all three nodes at the same time!!!
My question is:
Will one logon fail replicate to all the nodes in the cluster with this alarm?
This is happening 3 times a day and seems too regular to be a random user logon.
Is there anything else that could be causing this alarm (any automated process of any sort)?
Any help appreciated, guys.
Cheers Keith
07-19-2010 12:31 AM
Hi
If it's the same time every day, do a packet cap on the CCM at the time it is expected. You can then review the packet cap to see which IP connections to port 22 for SSH are arriving, and track it from there. Use this command from the server CLI to set up the cap:
utils network capture file mycap count 100000 size all
I would guess it's some kind of monitoring tool...
Regards
Aaron
Please rate helpful posts..
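Added example (not part of the post above and not Cisco code): one way to review the capture once the file has been retrieved from the server, listing each source IP that opened a connection to port 22 together with the capture timestamps, so they can be matched against the alarm times. It assumes the file is in classic libpcap format with Ethernet framing; the function names, addresses and timestamps are constructed for illustration.

```python
import struct

def ssh_syn_sources(pcap: bytes, port: int = 22) -> dict:
    """Map source IP -> capture timestamps (epoch s) of TCP SYNs sent to `port`."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    sources, off = {}, 24
    while off + 16 <= len(pcap):
        sec, _usec, caplen, _origlen = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 14:  # TCP only
            continue
        tcp = frame[14 + ihl:]
        dport, flags = struct.unpack("!H", tcp[2:4])[0], tcp[13]
        if dport == port and flags & 0x02 and not flags & 0x10:  # SYN without ACK
            sources.setdefault(".".join(map(str, frame[26:30])), []).append(sec)
    return sources

def _frame(src: str, dport: int, flags: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes([10, 0, 0, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_sample() -> bytes:
    """Constructed capture: two SSH SYNs, one ACK, one unrelated HTTPS SYN."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    packets = [(1279400400, "192.0.2.50", 22, 0x02), (1279400400, "192.0.2.50", 22, 0x10),
               (1279429200, "192.0.2.50", 22, 0x02), (1279400401, "198.51.100.7", 443, 0x02)]
    for sec, src, dport, flags in packets:
        f = _frame(src, dport, flags)
        out += struct.pack("<IIII", sec, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for ip, times in ssh_syn_sources(build_sample()).items():
        print(ip, len(times), "SYNs at", times)
```

A single source address appearing at the same times on all three nodes points to an automated poller rather than a person mistyping credentials.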
07-20-2010 01:19 AM
Thanks Aaron,
I will set this up and see what we can find.
Thanks again for your help.
Keith