Hello,
We have a HA cluster Zabbix environment which is connected via LDAP. I believe the guest user cannot be deleted within Zabbix, only disabled, which we did. Yet we did not disable frontend access and after a few days we see a TON of access attempts from user 'guest' from the localhost (image attached).
From a brief look at the access.log (grep "Zabbix 3.2.1" /var/log/apache2/access.log|tail) we see increments of access attempts every 10s, 20s.
From a brief online search it states that the HTTP process sends a simple HTTP request back to itself. But why does Zabbix use the guest account to log in?
We do not have any web monitoring, login attempts configured ATM. This wouldn't work with the internal guest user unless that user is added to our LDAP anyways, I believe.
We did manage to stop the access log showing failed attempts by disabling frontend access completely within the user groups.
We are just curious as to why Zabbix is using the internal guest user to try login attempts.
Any ideas would help us sleep better.
Code:
$ grep "Zabbix 3.2.1" /var/log/apache2/access.log|tail
127.0.0.1 - - [24/Feb/2017:17:41:15 +0000] "HEAD / HTTP/1.1" 200 4254 "-" "Zabbix 3.2.1"
127.0.0.1 - - [24/Feb/2017:17:41:25 +0000] "HEAD / HTTP/1.1" 200 4254 "-" "Zabbix 3.2.1"
127.0.0.1 - - [24/Feb/2017:17:41:45 +0000] "HEAD / HTTP/1.1" 200 4254 "-" "Zabbix 3.2.1"
127.0.0.1 - - [24/Feb/2017:17:41:55 +0000] "HEAD / HTTP/1.1" 200 4254 "-" "Zabbix 3.2.1"
127.0.0.1 - - [24/Feb/2017:17:42:15 +0000] "HEAD / HTTP/1.1" 200 4254 "-" "Zabbix 3.2.1"
127.0.0.1 - - [24/Feb/2017:17:42:25 +0000] "HEAD / HTTP/1.1" 200 4254 "-" "Zabbix 3.2.1"
127.0.0.1 - - [24/Feb/2017:17:42:45 +0000] "HEAD / HTTP/1.1" 200 4254 "-" "Zabbix 3.2.1"
127.0.0.1 - - [24/Feb/2017:17:42:55 +0000] "HEAD / HTTP/1.1" 200 4254 "-" "Zabbix 3.2.1"
127.0.0.1 - - [24/Feb/2017:17:43:15 +0000] "HEAD / HTTP/1.1" 200 4254 "-" "Zabbix 3.2.1"
127.0.0.1 - - [24/Feb/2017:17:43:25 +0000] "HEAD / HTTP/1.1" 200 4254 "-" "Zabbix 3.2.1"
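Added example, not part of the original post: a small Python script that parses Apache combined-format access-log lines, keeps those whose user agent starts with "Zabbix", and reports per source how many requests there were, the distinct gaps between them in seconds, and whether they came only from loopback. The function name `summarize` and the report layout are assumptions made for this example; the sample input is the first five lines of the excerpt in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Sample input: first five lines of the access.log excerpt quoted in the post.
SAMPLE = """\
127.0.0.1 - - [24/Feb/2017:17:41:15 +0000] "HEAD / HTTP/1.1" 200 4254 "-" "Zabbix 3.2.1"
127.0.0.1 - - [24/Feb/2017:17:41:25 +0000] "HEAD / HTTP/1.1" 200 4254 "-" "Zabbix 3.2.1"
127.0.0.1 - - [24/Feb/2017:17:41:45 +0000] "HEAD / HTTP/1.1" 200 4254 "-" "Zabbix 3.2.1"
127.0.0.1 - - [24/Feb/2017:17:41:55 +0000] "HEAD / HTTP/1.1" 200 4254 "-" "Zabbix 3.2.1"
127.0.0.1 - - [24/Feb/2017:17:42:15 +0000] "HEAD / HTTP/1.1" 200 4254 "-" "Zabbix 3.2.1"
"""


def summarize(log_text, ua_prefix="Zabbix"):
    """Group matching requests by (host, method, path, user agent)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m["ua"].startswith(ua_prefix):
            continue  # unparseable line or a different client
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[(m["host"], m["method"], m["path"], m["ua"])].append(ts)

    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        report[key] = {
            "count": len(stamps),
            "gaps": sorted(set(gaps)),  # distinct inter-request intervals, seconds
            "local_only": key[0] in ("127.0.0.1", "::1"),
        }
    return report


if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```

Comparing the timestamps of the 'guest' entries in the Zabbix audit log against the request times this reports shows whether the two line up.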