LinuxQuestions.org - Linux - Security - Debian /var/log/secure (https://www.linuxquestions.org/questions/linux-security-4/debian-var-log-secure-598660/)

nomb 11-10-2007 05:04 PM

Debian /var/log/secure
 
Hey, I was just wondering after seeing my modem lights going like crazy...
is there supposed to be a /var/log/secure on Debian? My server doesn't have one...

Code:

localhost:/var/log# ls
acpid            debug.2.gz        lastlog        mysql.log
acpid.1.gz      debug.3.gz        lpr.log        mysql.log.1.gz
acpid.2.gz      dmesg              lpr.log.0      mysql.log.2.gz
acpid.3.gz      dmesg.0            lpr.log.1.gz    mysql.log.3.gz
acpid.4.gz      dmesg.1.gz        lpr.log.2.gz    mysql.log.4.gz
apache2          dmesg.2.gz        mail.err        mysql.log.5.gz
aptitude        dmesg.3.gz        mail.info      mysql.log.6.gz
aptitude.1.gz    dmesg.4.gz        mail.info.0    mysql.log.7.gz
aptitude.2.gz    dpkg.log          mail.info.1.gz  news
auth.log        dpkg.log.1        mail.info.2.gz  proftpd
auth.log.0      dpkg.log.2.gz      mail.info.3.gz  pycentral.log
auth.log.1.gz    exim4              mail.log        samba
auth.log.2.gz    fail2ban.log      mail.log.0      syslog
auth.log.3.gz    fail2ban.log.1    mail.log.1.gz  syslog.0
boot            fail2ban.log.2.gz  mail.log.2.gz  syslog.1.gz
btmp            fail2ban.log.3.gz  mail.log.3.gz  syslog.2.gz
btmp.1          fail2ban.log.4.gz  mail.warn      syslog.3.gz
daemon.log      faillog            mail.warn.0    syslog.4.gz
daemon.log.0    fsck              messages        syslog.5.gz
daemon.log.1.gz  installer          messages.0      syslog.6.gz
daemon.log.2.gz  kern.log          messages.1.gz  user.log
daemon.log.3.gz  kern.log.0        messages.2.gz  uucp.log
debug            kern.log.1.gz      messages.3.gz  wtmp
debug.0          kern.log.2.gz      mysql          wtmp.1
debug.1.gz      kern.log.3.gz      mysql.err

And if someone got into the server through either bruteforcing SSH or an exploit, is there a command or a way to show you what is causing network activity or what activity is going through what ports?

Thanks,

nomb

jeenam 11-11-2007 12:32 AM

Useful Commands

w = who is logged in and what they are doing
who = who is logged in
last = successful logons, with source IP of sign-on if SSH
lastb = unsuccessful logon attempts

If you want to see what IPs are currently connected to your box, try installing iptraf and have a look at the output. It's an ncurses-based command line app.

unSpawn 11-11-2007 03:13 AM

Quote:

Originally Posted by nomb (Post 2954688)
is there suppose to be a /var/log/secure on debian?

Something like 'grep secure /etc/syslog.conf' should tell, depending on what system logger you use.


Quote:

Originally Posted by nomb (Post 2954688)
And if someone got into the server through either bruteforcing ssh or an exploit is there a command or a way to show you what is causing network activity or what activity is going through what ports?

If somebody is bruteforcing SSH it'll pop up in whatever SSH logs to (unless you set the logging level too high), system logs if you use tcp_wrappers, and system logs if you implemented a limiting or blocking feature with iptables or one of the tools mentioned in http://www.linuxquestions.org/questi...tempts-340366/. All this assumes you have properly *hardened* the box, like disallowing the root account user to use SSH, etc, etc. Also, if the box was exploited you may find anomalous messages in the system or daemon logs, processes running with an unexpected ID, (setuid root binaries or) files in unexpected places, etc, etc. What I'm trying to say is that there's more than "just" network connections to consider. For instance, a box could have been exploited but left while the cracker rounds up a few more boxen. In that case there would be no, or no "weird", connections to alert you. Hiding connections using a rootkit is also an option. See remarks under "useful commands" below. Rootkit usage seems relatively rare these days due to the fantastic piggybacking options PHP-based apps provide. That type of cracker is usually after spam or bot hosts, in which case you'll often see IRC connections from that host or an IRCd running (under a disguised name of course).


Quote:

Originally Posted by jeenam (Post 2954910)
If you want to see what IP's are currently connected to your box try installing iptraf

Basic system tools like netstat, fuser and lsof should suffice for listing network connections. Hell, you could even cat data from the proc network settings... OTOH, if you have suspicions, only listing connections isn't good enough: you'll want to capture it (tcpdump) and dissect it on another box with Snort and Wireshark.


Quote:

Originally Posted by jeenam (Post 2954910)
Useful Commands

Also note that if a box was thoroughly compromised, chances are you won't see a thing, as some std binaries could be rigged and the logs doctored. In that case you'll need to investigate to confirm your suspicions by loading a Live CD like KNOPPIX(-STD), HELIX, FIRE and use the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html as a guideline.
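To show what "cat data from the proc network settings" looks like in practice, here is an added example (not from the thread or any of its posters) that decodes the hex address fields of /proc/net/tcp into dotted IPs, ports and socket states with plain awk. The sample table and its addresses are constructed for the demo; on a live box you would run decode_proc_tcp on the real /proc/net/tcp.

```shell
#!/bin/sh
# /proc/net/tcp holds local/remote addresses as HEXIP:HEXPORT, where the IP
# is four little-endian octets (0100007F = 127.0.0.1) and the port is big-endian.
# Reads the files given as arguments, or stdin when none are given.
decode_proc_tcp() {
    awk '
    # portable hex-to-decimal (POSIX awk has no strtonum)
    function hex2dec(h,    i, v) {
        v = 0
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
        return v
    }
    # "0100007F:0CEA" -> "127.0.0.1:3306"
    function addr(s,    a, ip) {
        split(s, a, ":")
        ip = hex2dec(substr(a[1], 7, 2)) "." hex2dec(substr(a[1], 5, 2)) "." \
             hex2dec(substr(a[1], 3, 2)) "." hex2dec(substr(a[1], 1, 2))
        return ip ":" hex2dec(a[2])
    }
    BEGIN { st["01"] = "ESTABLISHED"; st["06"] = "TIME_WAIT"; st["0A"] = "LISTEN" }
    # skip the header; fields: 2=local 3=remote 4=state 8=uid of the socket owner
    NR > 1 { s = ($4 in st) ? st[$4] : $4; print s, addr($2), addr($3), "uid=" $8 }
    ' "$@"
}

# Constructed sample in /proc/net/tcp layout: a MySQL listener, an SSH session
# from the LAN, and an outbound IRC (6667) connection owned by uid 33 (www-data).
proc_tcp_sample() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:0016 0501A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:1A0B 077100CB:1A0B 01 00000000:00000000 00:00000000 00000000    33        0 34567 1 0000000000000000 20 4 30 10 -1
EOF
}

# Demo on the constructed table; use `decode_proc_tcp /proc/net/tcp` on a real host.
proc_tcp_sample | decode_proc_tcp
```

A web-server uid holding an outbound connection to port 6667 is exactly the "IRC connection from that host" pattern the post describes.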

nomb 11-11-2007 11:44 AM

Sweet, looking at /etc/syslog.conf shows Debian does not use a secure log file. At least how I have it set up. The same output is in auth.log however. Thanks for those commands (w, who, last, lastb); I knew the first two but not the second.

I'm not too worried about SSH. I have fail2ban working and it has worked great. I have it set so after 3 bad logins that IP is blocked for 3 hours. I hardened the box as well as I knew how to, but I'm still concerned I didn't do a good job.

"...you may find anomalous messages in the system or daemon logs, processes running with an unexpected ID, (setuid root binaries or) files in unexpected places, etc, etc."

How can you look for this stuff?

unSpawn 11-11-2007 05:11 PM

Quote:

Originally Posted by nomb (Post 2955330)
How can you look for this stuff?

There are tools like Logwatch and SEC to parse logs and check for anomalies.
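Before reaching for Logwatch or SEC, the checks unSpawn lists (failed SSH logins in Debian's auth.log rather than /var/log/secure, and setuid root files in unexpected places) can be done with sh and awk. This is an added example, not code from the thread; the auth.log lines are constructed in the sshd format of the period, and setuid_root_files is a plain find wrapper.

```shell
#!/bin/sh
# Summarise sshd "Failed password" lines per source IP from auth.log input and
# flag any IP that eventually got an "Accepted" login after failing, which is
# the case worth looking at by hand. Reads files given as arguments or stdin.
ssh_auth_summary() {
    awk '
    function src_ip(line) { sub(/.* from /, "", line); sub(/ port .*/, "", line); return line }
    /sshd\[[0-9]+\]: Failed password for/ { fail[src_ip($0)]++ }
    /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
        user = $0
        sub(/.*Accepted (password|publickey) for /, "", user); sub(/ from .*/, "", user)
        ok[src_ip($0)] = ok[src_ip($0)] " " user
    }
    END {
        for (ip in fail) {
            flag = (ip in ok) ? " SUCCESS-AFTER-FAILURES:" ok[ip] : ""
            printf "%s failed=%d%s\n", ip, fail[ip], flag
        }
    }' "$@" | sort -t= -k2 -rn   # most failures first
}

# List setuid-root regular files below a directory, staying on one filesystem.
# Compare the result against the package list (dpkg -S) to spot strays.
setuid_root_files() {
    find "${1:-/}" -xdev -type f -perm -4000 -user root 2>/dev/null
}

# Constructed auth.log excerpt: a scanner hammering "admin" and root, then a
# legitimate user who typo'd once before logging in.
auth_log_sample() {
    cat <<'EOF'
Nov 10 22:15:01 localhost sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 44512 ssh2
Nov 10 22:15:04 localhost sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 44512 ssh2
Nov 10 22:15:09 localhost sshd[4125]: Failed password for root from 203.0.113.7 port 44530 ssh2
Nov 10 22:16:40 localhost sshd[4130]: Failed password for nomb from 192.168.1.5 port 54321 ssh2
Nov 10 22:16:47 localhost sshd[4130]: Accepted password for nomb from 192.168.1.5 port 54321 ssh2
Nov 10 22:20:02 localhost sshd[4140]: Accepted publickey for nomb from 192.168.1.9 port 50001 ssh2
EOF
}

# Demo on the constructed excerpt; on Debian run `ssh_auth_summary /var/log/auth.log*`.
auth_log_sample | ssh_auth_summary
```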

nomb 11-11-2007 09:22 PM

Sweet thanks.
