That is a good question. I was thinking the same last night and am curious to see how to disable it. It's not an SSHd setting because it will display the same when logging on locally. If anyone knows where it keeps this or how it is generated I too would like to know. (I'm thinking it might have to do with PAM)
Are you talking about the /var/log/wtmp file that the last command (and /var/log/btmp for lastb) uses? On my system (Slackware) the files are only populated if they exist.
If you're the root user you'll have permission to remove the files. If you're not, you need to talk to the system's administrator.
If you're hoping to hide your access from a system administrator, good luck. Unless the sysadm is not terribly good at what they do. Yes, there are lastlogin files and wtmp as has been mentioned, but that's not all. The places where a sysadmin would look for questionable ssh accesses are not even viewable by a standard user, much less modifiable. There are bad guys out there who could root a system and hide their tracks, but from the sounds of your questions, I don't think you're one of these. No offense intended - I'm certainly not one who could (or would) do this either!
Well, now I have to ask this question: let's say a cracker gained access via ssh and "only" deleted lastlog and wtmp. As a system administrator, where else could I look? I'm guessing the last place would be firewall logs; having it log the IP address that connects to that port to a remote database or something not directly on the system. Are there any more system configs that could be checked for ssh logins?
Last edited by GUIPenguin; 04-17-2006 at 07:20 PM.
Well, now I have to ask this question: let's say a cracker gained access via ssh and "only" deleted lastlog and wtmp. As a system administrator, where else could I look?
It depends on how you set up ssh and syslogging of auth messages. On my system, these go to /var/log/auth.log (only readable by root). For example, here is a log of me coming in remotely as userid "david" using pubkey authentication and running "sudo fdisk -l" (remote IP address manually blanked to "aaa.bbb.ccc.ddd" by me for display here):
Code:
Apr 17 16:30:05 familyroom sshd[19652]: Accepted publickey for david from aaa.bbb.ccc.ddd port 33742 ssh2
Apr 17 16:30:05 familyroom sshd[19656]: (pam_unix) session opened for user david by (uid=0)
Apr 17 16:30:05 familyroom sudo: david : TTY=unknown ; PWD=/home/david ; USER=root ; COMMAND=/sbin/fdisk -l
Apr 17 16:30:05 familyroom sshd[19656]: (pam_unix) session closed for user david
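One way an administrator could act on the answer above, as an added example that is not from the thread: parse auth.log lines in the format shown and reconcile the sshd "Accepted" records against what wtmp still holds, so a login that sshd logged but `last` no longer shows stands out. The log lines are constructed to match the format above (plus one extra login for a made-up user "bob" from a documentation IP), and the wtmp set is a hand-built stand-in for what `last` would print.

```python
import re
from collections import defaultdict

# Constructed sample in the auth.log format shown in the thread (blanked IP kept as-is)
AUTH_LOG = """\
Apr 17 16:30:05 familyroom sshd[19652]: Accepted publickey for david from aaa.bbb.ccc.ddd port 33742 ssh2
Apr 17 16:30:05 familyroom sshd[19656]: (pam_unix) session opened for user david by (uid=0)
Apr 17 16:30:05 familyroom sudo: david : TTY=unknown ; PWD=/home/david ; USER=root ; COMMAND=/sbin/fdisk -l
Apr 17 16:30:05 familyroom sshd[19656]: (pam_unix) session closed for user david
Apr 17 16:42:11 familyroom sshd[19701]: Accepted password for bob from 203.0.113.7 port 40110 ssh2
Apr 17 16:42:11 familyroom sshd[19705]: (pam_unix) session opened for user bob by (uid=0)
Apr 17 16:42:30 familyroom sshd[19705]: (pam_unix) session closed for user bob
"""

# Constructed stand-in for the (user, host) pairs `last` would print from wtmp;
# bob's entry is deliberately absent to model a wtmp that was edited or removed.
WTMP_LOGINS = {("david", "aaa.bbb.ccc.ddd")}

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port (\d+)")
SUDO = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.*)$")


def parse_auth_log(text):
    """Return (logins, sudo_cmds): sshd accepted logins and sudo commands per user."""
    logins, sudo_cmds = [], defaultdict(list)
    for line in text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            method, user, host, port = m.groups()
            logins.append({"user": user, "host": host, "port": int(port), "method": method})
            continue
        m = SUDO.search(line)
        if m:
            sudo_cmds[m.group(1)].append(m.group(2).strip())
    return logins, dict(sudo_cmds)


def logins_missing_from_wtmp(logins, wtmp_logins):
    """Logins sshd recorded in auth.log that wtmp no longer shows: a tampering indicator."""
    return [l for l in logins if (l["user"], l["host"]) not in wtmp_logins]


if __name__ == "__main__":
    logins, sudo_cmds = parse_auth_log(AUTH_LOG)
    for l in logins_missing_from_wtmp(logins, WTMP_LOGINS):
        print(f"auth.log shows {l['user']} from {l['host']} port {l['port']} but wtmp does not")
    print("sudo commands by user:", sudo_cmds)
```

Because auth.log is root-only, a non-root intruder cannot edit it, and shipping it to a remote syslog host covers the root case the question raises.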