Elastix 1.6-14 shutdown by itself

Discussion in 'General' started by logtech, Apr 28, 2010.

  1. logtech

    Joined:
    Apr 9, 2010
    Messages:
    147
    Likes Received:
    0
    I have a fresh installation of Elastix 1.6-14 and it started to reboot by itself. I am a newbie, so I just googled that I should check messages and I found this:

    Apr 27 15:49:36 elastix kernel: usbcore: deregistering driver xpp_usb
    Apr 27 15:49:36 elastix kernel: dahdi_transcode: Loaded.
    Apr 27 15:49:36 elastix kernel: INFO-xpp: revision trunk-r6963 MAX_XPDS=64 (8*8)
    Apr 27 15:49:36 elastix kernel: INFO-xpp: FEATURE: with BRISTUFF support
    Apr 27 15:49:36 elastix kernel: INFO-xpp: FEATURE: with PROTOCOL_DEBUG
    Apr 27 15:49:36 elastix kernel: INFO-xpp: FEATURE: with sync_tick() from DAHDI
    Apr 27 15:49:36 elastix kernel: INFO-xpp_usb: revision trunk-r6963
    Apr 27 15:49:36 elastix kernel: usbcore: registered new driver xpp_usb
    Apr 27 15:49:36 elastix kernel: Unified AP4XX PCI Card Driver
    Apr 27 15:49:36 elastix kernel: DAHDI Dynamic Span support LOADED
    Apr 27 15:49:37 elastix kernel: All TDMoE multiframe span groups are active.
    Apr 27 16:02:33 elastix xinetd[2485]: START: tftp pid=1166 from=192.168.1.51
    Apr 27 16:13:00 elastix shutdown[1283]: shutting down for system reboot
    Apr 27 16:13:00 elastix init: Switching to runlevel: 6
    Apr 27 16:13:01 elastix FaxQueuer[3060]: QUIT
    Apr 27 16:13:01 elastix saslauthd[3097]: server_exit : master exited: 3097
    Apr 27 16:13:05 elastix xinetd[2485]: Exiting...
    Apr 27 16:13:06 elastix ntpd[2519]: ntpd exiting on signal 15
    Apr 27 16:13:06 elastix rpc.statd[2091]: Caught signal 15, un-registering and exiting.
    Apr 27 16:13:06 elastix auditd[1991]: The audit daemon is exiting.
    Apr 27 16:13:06 elastix kernel: audit(1272402786.991:4594): audit_pid=0 old=1991 by auid=4294967295
    Apr 27 16:13:07 elastix kernel: Kernel logging (proc) stopped.
    Apr 27 16:13:07 elastix kernel: Kernel log daemon terminating.

    What and where should I check to troubleshoot this weird behaviour of Elastix?

    Thank You
     
  2. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    I assume you found out about /var/log/messages as your post looks like that log file.

    Truth is someone or something sent the OS a shutdown -r command:


    .
    .
    Apr 27 16:13:00 elastix shutdown[1283]: shutting down for system reboot
    .
    .

    Neither Asterisk nor Elastix will do that. Seeing that it happened exactly on the "minute", I would investigate your cron jobs, and possibly suspect a penetration of your system.

    As you are a self-proclaimed newbie, I suggest you install webmin to look at the cron job stuff and investigate /var/log/secure for logins from entities other than you. (I would like to assume that your root password is not a dictionary word and really quite complex; unfortunately many here make that often costly mistake despite repeated warnings, so I won't make that assumption until you can confirm it.)


    dicko
     
  3. logtech

    Joined:
    Apr 9, 2010
    Messages:
    147
    Likes Received:
    0
    Thank you dicko

    I have checked all cron schedules and do not see any stating anything about shutting down or terminating anything, so it is less likely that cron did that; however, I will keep an eye on cron jobs.

    This is /var/log/secure from the time that the shutdown occurred:

    pr 27 15:14:57 elastix sshd[31183]: Accepted password for user from x.x.x.x port 22 ssh2
    Apr 27 15:14:57 elastix sshd[31183]: pam_unix(sshd:session): session opened for user user by (uid=0)
    Apr 27 15:15:54 elastix sshd[31183]: pam_unix(sshd:session): session closed for user user
    Apr 27 15:49:17 elastix sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/hardware_detector
    Apr 27 15:49:39 elastix su: pam_unix(su-l:session): session opened for user asterisk by (uid=0)
    Apr 27 15:49:39 elastix su: pam_unix(su-l:session): session closed for user asterisk
    Apr 27 15:50:31 elastix sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/bin/nmap -sP -n 192.168.30.0/24
    Apr 27 15:51:05 elastix sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/bin/nmap -sP -n 192.168.30.0/24
    Apr 27 16:12:39 elastix sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/sbin/shutdown -r now
    Apr 27 16:13:01 elastix sshd[17101]: Received signal 15; terminating.
    Apr 27 16:13:02 elastix runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
    Apr 27 16:13:03 elastix runuser: pam_unix(runuser-l:session): session closed for user cyrus
    Apr 27 16:14:47 elastix sshd[2455]: Server listening on :: port 1999.
    Apr 27 16:14:47 elastix sshd[2455]: error: Bind to port 2000 on 0.0.0.0 failed: Address already in use.
    Apr 27 16:14:49 elastix runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
    Apr 27 16:14:51 elastix runuser: pam_unix(runuser-l:session): session closed for user cyrus
    Apr 27 16:15:09 elastix sshd[2455]: Received signal 15; terminating.
    Apr 27 16:15:09 elastix runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
    Apr 27 16:15:11 elastix runuser: pam_unix(runuser-l:session): session closed for user cyrus
    Apr 27 16:17:19 elastix sshd[2467]: Server listening on :: port 1999.
    Apr 27 16:17:19 elastix sshd[2467]: error: Bind to port 1999 on 0.0.0.0 failed: Address already in use.
    Apr 27 16:17:21 elastix runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
    Apr 27 16:17:23 elastix runuser: pam_unix(runuser-l:session): session closed for user cyrus
    Apr 27 16:17:42 elastix su: pam_unix(su-l:session): session opened for user asterisk by (uid=0)
    Apr 27 16:17:42 elastix su: pam_unix(su-l:session): session closed for user asterisk
    Apr 27 16:38:35 elastix sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/hardware_detector
    Apr 27 16:39:06 elastix su: pam_unix(su-l:session): session opened for user asterisk by (uid=0)
    Apr 27 16:39:06 elastix su: pam_unix(su-l:session): session closed for user asterisk
    Apr 27 16:46:14 elastix sshd[5741]: Accepted password for user from 192.168.0.64 port 1712 ssh2
    Apr 27 16:46:14 elastix sshd[5741]: pam_unix(sshd:session): session opened for user user by (uid=0)

    and the cron log from 16:13 when the shutdown occurred:

    Apr 27 16:01:01 elastix crond[1158]: (root) CMD (run-parts /etc/cron.hourly)
    Apr 27 16:05:01 elastix crond[1180]: (root) CMD (/usr/bin/php -q /usr/local/elastix/sampler.php)
    Apr 27 16:10:01 elastix crond[1245]: (root) CMD (/usr/bin/php -q /usr/local/elastix/sampler.php)
    Apr 27 16:15:00 elastix crond[2894]: (CRON) STARTUP (V5.0)
    Apr 27 16:17:33 elastix crond[2909]: (CRON) STARTUP (V5.0)


    I think that these lines are the most important:

    Apr 27 15:51:05 elastix sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/bin/nmap -sP -n 192.168.30.0/24
    Apr 27 16:12:39 elastix sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/sbin/shutdown -r now
    Apr 27 16:13:01 elastix sshd[17101]: Received signal 15; terminating.

    Does that mean that the shutdown signal came from the www web page, that is, from the Elastix web interface?
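    The pattern the excerpt above shows (sudo entries from the asterisk user with TTY=unknown and PWD=/var/www/html, which is how commands launched from the web interface appear in /var/log/secure, followed by sshd coming back on a different port) can be checked automatically. The following is an added example, not part of this thread or of Elastix; the sample lines are constructed from the excerpt, and the web-user name and expected ssh port are assumptions passed as parameters.

```python
import re

# Constructed sample lines, modelled on the /var/log/secure excerpt quoted in the thread.
SAMPLE_SECURE_LOG = """\
Apr 27 15:49:17 elastix sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/sbin/hardware_detector
Apr 27 15:50:31 elastix sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/bin/nmap -sP -n 192.168.30.0/24
Apr 27 16:12:39 elastix sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/sbin/shutdown -r now
Apr 27 16:14:47 elastix sshd[2455]: Server listening on :: port 1999.
Apr 27 16:17:19 elastix sshd[2467]: Server listening on :: port 1999.
Apr 27 16:46:14 elastix sshd[5741]: Accepted password for user from 192.168.0.64 port 1712 ssh2
"""

# syslog-style sudo record: "<ts> <host> sudo: <user> : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sudo: +(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# sshd announcing its listening port after a (re)start
SSHD_LISTEN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Server listening on \S+ port (?P<port>\d+)\."
)

# Power control and network scanning run as root from the web server process are the
# two things the thread's excerpt shows; hardware_detector is normal Elastix behaviour.
SENSITIVE_CMDS = ("/sbin/shutdown", "/sbin/reboot", "/sbin/halt", "/usr/bin/nmap")


def audit_secure_log(text, web_user="asterisk", expected_ssh_port=22):
    """Return a list of (timestamp, reason) findings for lines worth a closer look.

    web_user and expected_ssh_port are assumptions for this example; set them to
    the account your web UI runs as and the port your sshd is configured on.
    """
    findings = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            # No TTY plus a working directory under the web root means the sudo call
            # was made by a web page, not by an interactive administrator.
            from_web = m.group("user") == web_user and m.group("tty") == "unknown"
            if from_web and m.group("cmd").startswith(SENSITIVE_CMDS):
                findings.append((m.group("ts"), "web user ran %s as %s" % (m.group("cmd"), m.group("target"))))
            continue
        m = SSHD_LISTEN_RE.match(line)
        if m and int(m.group("port")) != expected_ssh_port:
            findings.append((m.group("ts"), "sshd restarted listening on unexpected port " + m.group("port")))
    return findings
```

Run against a real /var/log/secure, an unexpected-port finding only means "not the port you told it", so pass the port you actually configured to avoid false alarms.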
     
  4. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    I would be far more concerned about
    .
    .
    Apr 27 16:14:47 elastix sshd[2455]: Server listening on :: port 1999.
    Apr 27 16:14:47 elastix sshd[2455]: error: Bind to port 2000 on 0.0.0.0 failed: Address already in use.
    Apr 27 16:14:49 elastix runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
    Apr 27 16:14:51 elastix runuser: pam_unix(runuser-l:session): session closed for user cyrus
    Apr 27 16:15:09 elastix sshd[2455]: Received signal 15; terminating.
    Apr 27 16:15:09 elastix runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
    Apr 27 16:15:11 elastix runuser: pam_unix(runuser-l:session): session closed for user cyrus
    Apr 27 16:17:19 elastix sshd[2467]: Server listening on :: port 1999.
    Apr 27 16:17:19 elastix sshd[2467]: error: Bind to port 1999 on 0.0.0.0 failed: Address already in use.

    Unless you, as a newbie, have changed your ssh port, and spend your time hardware discovering and extension discovering, and starting and stopping ssh with different configurations, then something else is doing it.

    My intuition is that either you have been compromised, or (I hope not) you are doing so many things that you don't remember pressing ctrl-alt-delete or typing reboot at that time.

    You didn't answer as to how strong your root password was.
     
  5. logtech

    Joined:
    Apr 9, 2010
    Messages:
    147
    Likes Received:
    0
    Yes dicko, I have changed the ssh port and the other ports myself, reading your directions :) in the Elastix forum.

    I am a big fan of yours, like an Elastix fan. I have read a lot of your posts and I am impressed. Regarding "or (I hope not) you are doing so many things that you don't remember pressing ctrl-alt-delete or typing reboot at that time" - this may be the sad truth, that I pressed ctrl-alt-del by mistake. At that time I had many Elastix ssh sessions open, so I am not saying whether that was me or not. If ctrl-alt-del can do a shutdown from a remote ssh session using PuTTY, then it is very possible it was me.

    Do you think that installing APF and BFD in addition to fail2ban is OK? APF may interfere with fail2ban, I am not sure. I totally understand the security concerns, so I am after installing as much as possible to secure Elastix until I cause "danger" by myself :) in case of ctrl-alt-del .......


    good day and night dicko and all reading this post

    LOG
     
