When I was working in my development Nagios, I noticed that when I became the nagios user I got
Last failed login: Tue Jul 24 07:04:01 EDT 2018
There were 1391 failed login attempts since the last successful login.
I do not have any script ssh'ing to the machine to drop off files.
I only use this to make new checks, so I thought, OK, it's been sitting a while.
I knew the counter in Red Hat 7.5 resets after a successful login, but when I logged in a minute later, there were 3 failed logins, and it happened every time I let it rest and became nagios.
So I looked in /var/log/secure and saw this happening every hour:
Jul 24 07:07:01 devnagxi01 su: pam_unix(su:auth): auth could not identify password for [nagios]
That didn't explain the many failed logins, so I looked in /var/log/messages and saw this almost every minute:
Jul 24 07:17:01 devnagxi01 su: FAILED SU (to nagios) nagios on none
Then I checked my other XI installs, and they all have the same entries in the logs.
I looked for a cron, but neither nagios nor root has any crons running.
In /etc/cron.d/nagiosxi are a bunch of scripts, and some of them run every hour, but I'm not sure what could be messed up for the failed login as the nagios user.
Do you have any ideas?
nagios user failed login attempts
-
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: nagios user failed login attempts
My guess is you have a check command that runs sudo but the command line has not been added to the sudoers file.
If you go to CCM -> Commands you can search for sudo.
Another possibility is that you are performing NRPE checks on this server that have sudo in one of the commands:
grep sudo /usr/local/nagios/etc/nrpe.cfg |grep command
grep sudo -R /usr/local/nagios/etc/nrpe/*.cfg |grep command
Re: nagios user failed login attempts
If a check is not being used, will XI go through the steps anyway?
We only have 3 commands with sudo in them, and I think they are standard from you:
check_xi_service_status sudo /usr/local/nagiosxi/scripts/manage_services.sh status $ARG1$
check-mysql-processlist $USER1$/check_by_ssh -t 30 -p 22 -H $HOSTADDRESS$ '/usr/bin/sudo /usr/lib/nagios/plugins/pmp-check-mysql-processlist'
check-mysql-processlist $USER1$/check_by_ssh -t 30 -p 22 -H $HOSTADDRESS$ '/usr/bin/sudo /usr/lib/nagios/plugins/pmp-check-mysql-processlist'
We're not using NRPE, we use NCPA for the other question
scottwilkerson
Re: nagios user failed login attempts
jenstar13 wrote: if a check is not being used, will XI go through the steps anyway
No
jenstar13 wrote: check_xi_service_status sudo /usr/local/nagiosxi/scripts/manage_services.sh status $ARG1$
This should already be in sudoers
This would be the one I would question:
jenstar13 wrote: check-mysql-processlist $USER1$/check_by_ssh -t 30 -p 22 -H $HOSTADDRESS$ '/usr/bin/sudo /usr/lib/nagios/plugins/pmp-check-mysql-processlist'
run
grep pmp-check-mysql-processlist /etc/sudoers
Re: nagios user failed login attempts
I guess you can close this. I added both to sudoers, and it still happened. It's not affecting anything but logs, so it's a nuisance, not a problem.
scottwilkerson
Re: nagios user failed login attempts
jenstar13 wrote: I guess you can close this, I added both to sudoers, and it still happened, it's not affecting anything but logs, so it's a nuisance not a problem
Closing
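Added example, not part of the original thread and not Nagios code: one way to line the failure timestamps up against cron schedules is to bucket the two su messages quoted in the first post by minute-of-hour and list the cron.d entries whose minute field fires at those minutes. The log timestamps and cron entries below are constructed samples, the commands are placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the two su message formats quoted in the first post, made-up times.
SAMPLE_LOG = """\
Jul 24 07:07:01 devnagxi01 su: pam_unix(su:auth): auth could not identify password for [nagios]
Jul 24 07:16:01 devnagxi01 su: FAILED SU (to nagios) nagios on none
Jul 24 07:17:01 devnagxi01 su: FAILED SU (to nagios) nagios on none
Jul 24 08:07:01 devnagxi01 su: pam_unix(su:auth): auth could not identify password for [nagios]
Jul 24 08:17:02 devnagxi01 sshd[999]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
"""
# Constructed cron.d-style entries; the commands are placeholders.
SAMPLE_CRON = """\
7 * * * * root /path/to/hourly_job.sh
* * * * * nagios /path/to/every_minute_job.sh
*/5 * * * * nagios /path/to/five_minute_job.sh
"""

STAMP = r"^\w{3}\s+\d+\s+\d\d:(\d\d):\d\d\s+\S+\s+su(?:\[\d+\])?:\s+"
PATTERNS = {
    "pam_auth": re.compile(STAMP + r"pam_unix\(su:auth\): auth could not identify password for \[(\S+)\]"),
    "failed_su": re.compile(STAMP + r"FAILED SU \(to (\S+)\) \S+ on \S+"),
}

def failure_minutes(log_text, user):
    """Map each message kind to a Counter of minute-of-hour values for `user`."""
    seen = {kind: Counter() for kind in PATTERNS}
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m and m.group(2) == user:
                seen[kind][int(m.group(1))] += 1
    return seen

def minute_field_matches(field, minute):
    """True if a cron minute field (*, */n, a, a-b, a-b/n, comma lists) fires at `minute`."""
    for part in field.split(","):
        rng, _, step = part.partition("/")
        lo, _, hi = ("0-59" if rng == "*" else rng).partition("-")
        lo, hi = int(lo), int(hi or lo)
        if lo <= minute <= hi and (minute - lo) % int(step or 1) == 0:
            return True
    return False

def candidate_jobs(cron_text, minutes):
    """Commands of cron.d lines whose minute field fires at every observed minute."""
    rows = (line.split(None, 6) for line in cron_text.splitlines())
    return [f[6] for f in rows
            if len(f) == 7 and re.fullmatch(r"[\d*,/-]+", f[0])
            and all(minute_field_matches(f[0], m) for m in minutes)]
```

With the sample data, the pam_unix failures all land on minute 7 and match both the hourly and the every-minute entry, while the FAILED SU minutes match only the every-minute entry.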