[BlueOnyx:27400] Re: Question about /var/log/secure and attack signatures
Michael Stauber
mstauber at blueonyx.it
Sun Dec 29 16:05:07 -05 2024
Hi Herbert,
> Is this message in /var/log/secure
>
> Accepted publickey for
> Failed to create session: Failed to add required mount
>
> an attack or a configuration issue or a chroot jail thing or a quota thing?
>
> Is there something I need to do about it as an administrator?
Yeah, that is an odd one. Normally it would look like this:
Accepted publickey for <user>
Failed to create session: Failed to add required mount
The "Failed to create session" message typically comes from
systemd-logind, which manages user sessions.
The "Failed to add required mount" part suggests that systemd couldn't
mount or access necessary directories like /run/user/<UID> or /tmp.
However, we can see that no username was supplied with the transaction
and that's why it failed: the absence of a username means the lookup
in the PAM database will fail, and the process neither gets the exec
rights nor does the login continue, as the most basic prerequisite
(username!) was missing.
This looks like someone probed the server.
--
With best regards
Michael Stauber
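
Added example, not part of the original message: a small Python check that pairs each "Accepted publickey" line in /var/log/secure with a later "Failed to create session" line from the same sshd PID and reports whether a username was logged. The `sshd[PID]:` prefix and `pam_systemd(sshd:session)` tag are assumed to follow the usual syslog layout, and the sample lines are constructed.

```python
import re

# Constructed sample lines in the usual /var/log/secure layout (not from the post).
SAMPLE = """\
Dec 29 10:00:01 host sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2: ED25519 SHA256:CONSTRUCTED
Dec 29 10:00:01 host sshd[2101]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Dec 29 10:05:17 host sshd[2188]: Accepted publickey for bob from 192.0.2.44 port 40110 ssh2: RSA SHA256:CONSTRUCTED
Dec 29 10:05:17 host sshd[2188]: pam_systemd(sshd:session): Failed to create session: Failed to add required mount
Dec 29 10:09:42 host sshd[2230]: Accepted publickey for
Dec 29 10:09:42 host sshd[2230]: pam_systemd(sshd:session): Failed to create session: Failed to add required mount
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# User and source address are optional so a line without them still parses.
ACCEPT = re.compile(r"^Accepted publickey for(?: (?P<user>\S+))?(?: from (?P<ip>\S+))?")
FAIL = re.compile(r"Failed to create session: (?P<reason>.+)$")


def find_failed_sessions(text):
    """Return accepted-key logins whose session setup failed, keyed on sshd PID."""
    accepted = {}   # pid -> (user, source ip) from the most recent accept line
    findings = []
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"].strip()
        a = ACCEPT.match(msg)
        if a:
            accepted[pid] = (a["user"], a["ip"])
            continue
        f = FAIL.search(msg)
        if f and pid in accepted:
            user, ip = accepted.pop(pid)
            findings.append({
                "pid": pid,
                "user": user,
                "source": ip,
                "reason": f["reason"],
                "username_missing": user is None,
            })
    return findings


if __name__ == "__main__":
    for hit in find_failed_sessions(SAMPLE):
        print(hit)
```

Entries with a username point to a session setup problem for a known account, while entries flagged `username_missing` match the pattern discussed in the message above.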