LinuxQuestions.org
#1  09-27-2003, 11:06 AM
noelcantona (LQ Newbie; registered Jun 2003; 23 posts)
commands logging questions


Question 1
-----------------
Is there any way to log those crucial commands that lead to gathering information on my computer?

Let's say I want to log commands like

1. ping
2. finger
3. netstat
4. traceroute
and many more


Question 2
------------------
May I know where failed logins on the main page will be logged? After reading a book on Linux I found out that 'syslogd' has the capability of logging most of the stuff in Linux.

I browsed through /var but I couldn't find any errors or failures of login.


Question 3
----------------
I tried the 'top' command but when I run commands like 'ping' non-stop and I set top -d 1 (refresh rate in seconds) it still fails to log the ping activity for me.

Thank you.
 
#2  09-28-2003, 08:27 AM
unSpawn (Moderator; registered May 2001; 27,319 posts; 54 blog entries)
Quote:
Originally posted by noelcantona
Is there any way to log those crucial commands that lead to gathering information on my computer?
For your default setup use your firewall + a scan logger + Snort.

Quote:
Originally posted by noelcantona
May I know where failed logins on the main page will be logged?
What's "main page"?

Quote:
Originally posted by noelcantona
After reading a book on Linux I found out that 'syslogd' has the capability of logging most of the stuff in Linux.
Add this line to /etc/syslog.conf (mind the tabs and w/o outer quotes): "*.* /var/log/catchall", now "touch /var/log/catchall" and restart syslogd.

Quote:
Originally posted by noelcantona
I browsed through /var but I couldn't find any errors or failures of login.
Provided your distro set them up for you, wtmp, lastb, faillog are the files you're looking for. For commands, see "last", "lastb", "w", "who", "sa".

Quote:
Originally posted by noelcantona
I tried the 'top' command but when I run commands like 'ping' non-stop and I set top -d 1 (refresh rate in seconds) it still fails to log the ping activity for me.
It's a firewall thing. There's more stuff like Grsecurity(.org)'s command logging, but that's advanced stuff.
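To show why the "*.* /var/log/catchall" line above receives every message while the narrower rules a distro ships do not, here is a small Python model of the classic syslog.conf selector rules. This is an added example, not code from the thread and not syslogd's own implementation; the config fragment and the messages in it are constructed, and the semantics modelled are the traditional sysklogd ones (FACILITY.PRIORITY matches that priority and everything more severe, "*" is a wildcard, "none" drops a facility, and when several ";"-joined selectors name the same facility the last one wins).

```python
"""Added example (not code from the thread or from syslogd): a small model
of how classic /etc/syslog.conf selectors decide which file a message
reaches. The config fragment and messages are constructed for the example."""

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
# Most severe first; a selector at index n accepts indices 0..n.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_selectors(field):
    """Map each facility to the least severe priority index it still logs
    (None = excluded). Later selectors override earlier ones per facility."""
    table = {fac: None for fac in FACILITIES}
    for sel in field.split(";"):
        facs, dot, prio = sel.strip().partition(".")
        if not dot:
            raise ValueError(f"malformed selector {sel!r}")
        targets = FACILITIES if facs == "*" else facs.split(",")
        for fac in targets:
            if fac not in table:
                raise ValueError(f"unknown facility {fac!r}")
            if prio == "none":
                table[fac] = None
            elif prio == "*":
                table[fac] = len(PRIORITIES) - 1   # debug and above: everything
            elif prio in PRIORITIES:
                table[fac] = PRIORITIES.index(prio)
            else:
                raise ValueError(f"unknown priority {prio!r}")
    return table


def parse_config(text):
    """Return [(selector table, action)] for each non-comment rule line.
    Selector and action are separated by whitespace (tab on old syslogd);
    a leading '-' on a file action (sysklogd's 'no fsync' marker) is stripped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"rule without action: {raw!r}")
        selectors, action = parts
        rules.append((parse_selectors(selectors), action.lstrip("-")))
    return rules


def route(config_text, messages):
    """Return {action: [message text, ...]} for (facility, priority, text) tuples."""
    rules = parse_config(config_text)
    out = {action: [] for _, action in rules}
    for facility, priority, text in messages:
        level = PRIORITIES.index(priority)
        for table, action in rules:
            limit = table[facility]
            if limit is not None and level <= limit:
                out[action].append(text)
    return out


# Constructed syslog.conf fragment: the thread's catchall line plus two
# rules of the kind a distro ships. A tab separates selector from action.
SAMPLE_CONFIG = (
    "# constructed example config\n"
    "*.*\t/var/log/catchall\n"
    "authpriv.*\t/var/log/secure\n"
    "*.info;mail.none;authpriv.none\t-/var/log/messages\n"
)

# Constructed messages: (facility, priority, text).
SAMPLE_MESSAGES = [
    ("authpriv", "notice", "sshd[812]: Failed password for root from 192.168.1.77 port 4022"),
    ("cron", "info", "CRON[900]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("mail", "info", "sendmail[915]: queued message"),
    ("kern", "debug", "kernel: eth0: link up"),
]

if __name__ == "__main__":
    for path, lines in route(SAMPLE_CONFIG, SAMPLE_MESSAGES).items():
        print(f"{path}: {len(lines)} message(s)")
        for line in lines:
            print("   ", line)
```

Run as-is, the catchall receives all four messages, /var/log/secure only the authpriv one, and /var/log/messages only the cron line (mail and authpriv are excluded by "none", and kern.debug is less severe than the "info" floor). Because "*.*" includes authpriv, a catchall file holds the same sensitive material as /var/log/secure and deserves equally restrictive ownership and mode.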
 
#3  11-13-2003, 03:56 AM
IamDaniel (Member; registered Mar 2003; Sungai Petani; Slackware; 143 posts)
Quote:
Originally posted by unSpawn

Add this line to /etc/syslog.conf (mind the tabs and w/o outer quotes): "*.* /var/log/catchall", now "touch /var/log/catchall" and restart syslogd.

Provided your distro set them up for you, wtmp, lastb, faillog are the files you're looking for. Commands see "last", "lastb", "w", "who", "sa".
Using Slackware 8

I'm trying to get the lastb command to work. I've touched /var/log/btmp and set the permissions to match wtmp. However, no bad logins are logged and the command is not found. What am I missing?

Also, what is the function of /var/log/catchall ?

Last edited by IamDaniel; 11-13-2003 at 03:58 AM.
 
#4  11-13-2003, 04:57 AM
repe (Member; registered Aug 2003; Finland; Slackware 9.0 & 9.1, FreeBSD 4.8 & 5.1; 30 posts)
Quote:
Originally posted by IamDaniel
Also, what is the function of /var/log/catchall ?

Quote:
Originally posted by unSpawn
Add this line to /etc/syslog.conf (mind the tabs and w/o outer quotes): "*.* /var/log/catchall", now "touch /var/log/catchall" and restart syslogd.

"*.*" logs everything, "/var/log/catchall" is the file where syslogd saves that log. "touch /var/log/catchall" creates an empty file.
 
#5  11-13-2003, 09:40 PM
IamDaniel (Member; registered Mar 2003; Sungai Petani; Slackware; 143 posts)
Quote:
Originally posted by IamDaniel

I'm trying to get the lastb command to work. I've touched /var/log/btmp and set the permissions to match wtmp. However, no bad logins are logged and the command is not found. What am I missing?
What about lastb? I had created a symlink lastb --> last, but no luck; it just displays exactly the same output as last!! What happened?
 
#6  11-17-2003, 10:09 AM
unSpawn (Moderator; registered May 2001; 27,319 posts; 54 blog entries)
Quote:
Originally posted by IamDaniel
What about lastb? I had created a symlink lastb --> last, but no luck; it just displays exactly the same output as last!

"which lastb": /usr/bin/lastb
"man last": Lastb is the same as last, except that by default it shows a log of the file /var/log/btmp, which contains all the bad login attempts.
 
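To make concrete what "lastb" reads from /var/log/btmp, here is an added Python example (not code from the thread, from util-linux or from any of the posters) that parses btmp's fixed-size utmp records and summarises failed logins by attempted user and by source address. It assumes the glibc utmp layout used on x86 and x86_64 Linux (384-byte records with 32-bit time fields); the sample btmp bytes are constructed inside the script, including a trailing partial record such as a file captured mid-write might contain, so it runs offline.

```python
"""Added example, not code from the thread or from util-linux: parse a
btmp file (the fixed-size utmp records that `lastb` reads) and summarise
failed logins. Record layout: glibc utmp on x86/x86_64 Linux (assumption).
The sample btmp data is constructed in this file."""
import socket
import struct
from collections import Counter
from datetime import datetime, timezone

# struct utmp: ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit (2 x short), ut_session,
# ut_tv (sec, usec), ut_addr_v6[4], 20 reserved bytes.
UTMP_FMT = "<h2xi32s4s32s256shhiiiiiii20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
LOGIN_PROCESS = 6   # ut_type used for the constructed failed-login records


def _cstr(raw):
    """Decode a NUL-padded fixed-width char field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def pack_record(user, line, host, ipv4, tv_sec, pid):
    """Build one btmp record; used here only to construct sample data."""
    # ut_addr_v6[0] holds the IPv4 address in network byte order.
    addr0 = struct.unpack("<i", socket.inet_aton(ipv4))[0]
    return struct.pack(UTMP_FMT, LOGIN_PROCESS, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       addr0, 0, 0, 0)


def parse_btmp(data):
    """Return one dict per complete record. A trailing partial record
    is ignored rather than raising, so a mid-write snapshot still parses."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, pid, line, _ut_id, user, host = f[:6]
        tv_sec, addr0 = f[9], f[11]
        records.append({
            "type": ut_type,
            "pid": pid,
            "user": _cstr(user),
            "line": _cstr(line),
            "host": _cstr(host),
            "addr": socket.inet_ntoa(struct.pack("<i", addr0)),
            "time": datetime.fromtimestamp(tv_sec, timezone.utc)
                            .strftime("%Y-%m-%d %H:%M:%S"),
        })
    return records


def summarize(records):
    """Count failed logins per attempted user and per source address."""
    by_user = Counter(r["user"] for r in records)
    by_addr = Counter(r["addr"] for r in records)
    return by_user, by_addr


def build_sample_btmp():
    """Constructed sample: three failed logins plus a truncated tail."""
    base = 1068681600   # 2003-11-13 00:00:00 UTC
    return b"".join([
        pack_record("root", "pts/1", "192.168.1.77", "192.168.1.77", base, 1201),
        pack_record("root", "pts/1", "192.168.1.77", "192.168.1.77", base + 7, 1202),
        pack_record("admin", "pts/2", "10.0.0.5", "10.0.0.5", base + 60, 1230),
    ]) + b"\x00" * 10   # partial record, as a mid-write capture might leave


if __name__ == "__main__":
    recs = parse_btmp(build_sample_btmp())
    for r in recs:
        print(f"{r['user']:<10} {r['line']:<8} {r['addr']:<16} {r['time']}")
    by_user, by_addr = summarize(recs)
    print("failures by user:", dict(by_user))
    print("failures by source:", dict(by_addr))
```

The columns printed (user, tty, host, time) are the same fields lastb shows, which is also why a symlink from lastb to last changes nothing: the two names select different input files (wtmp versus btmp) inside the same program, and a symlink named lastb that is not resolved by that program's argv[0] check simply reads wtmp.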
All times are GMT -5. The time now is 07:34 PM.