Nextcloud version: 13.0.1
Operating system and version: Debian 8.11
Apache or nginx version: Apache 2.4.10
PHP version: PHP 5.6.38
I have my system set up to run Nextcloud’s cron.php every 15 minutes. It does this via the web server users cron file (in this case www-data for Apache.) I noticed failed login attempts as root ever 15 minutes from the localhost:
drake@data:~$ sudo lastb -5
root ssh:notty localhost Tue Nov 13 21:42 - 21:42 (00:00)
root ssh:notty localhost Tue Nov 13 21:30 - 21:30 (00:00)
root ssh:notty localhost Tue Nov 13 21:15 - 21:15 (00:00)
root ssh:notty localhost Tue Nov 13 21:00 - 21:00 (00:00)
root ssh:notty localhost Tue Nov 13 20:45 - 20:45 (00:00)
btmp begins Thu Nov 1 06:30:04 2018
Further looking at “/var/log/auth.log” I found multiple entires similar to the one bellow but with different ports each time:
Nov 13 21:15:01 data CRON[28859]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Nov 13 21:15:01 data sshd[28863]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=root
Nov 13 21:15:03 data sshd[28863]: Failed password for root from 127.0.0.1 port 34037 ssh2
Nov 13 21:15:03 data sshd[28863]: Received disconnect from 127.0.0.1: 11: [preauth]
Nov 13 21:15:04 data CRON[28859]: pam_unix(cron:session): session closed for user www-data
This is the only entry in the webservers crontab
*/15 * * * * php -f /var/www/html/nextcloud/cron.php
This seems odd that Nextcloud would be trying to log in as root. Any thoughts?