Quote:
Originally Posted by nomb
Is there supposed to be a /var/log/secure on Debian?
Something like 'grep secure /etc/syslog.conf' should tell, depending on what system logger you use.
Quote:
Originally Posted by nomb
And if someone got into the server through either bruteforcing SSH or an exploit, is there a command or a way to show you what is causing network activity, or what activity is going through what ports?
If somebody is bruteforcing SSH it'll pop up in whatever SSH logs to (unless you set the logging level too high), in the system logs if you use tcp_wrappers, and in the system logs if you implemented a limiting or blocking feature with iptables or one of the tools mentioned in
http://www.linuxquestions.org/questi...tempts-340366/. All this assumes you have properly *hardened* the box, like disallowing the root account user to use SSH, etc, etc. Also, if the box was exploited you may find anomalous messages in the system or daemon logs, processes running with an unexpected ID, (setuid root binaries or) files in unexpected places, etc, etc. What I'm trying to say is that there's more than "just" network connections to consider. For instance, a box could have been exploited but left while the cracker rounds up a few more boxen; in that case there would be no connections, or no "weird" connections, to alert you. Hiding connections using a rootkit is also an option. See remarks under "useful commands" below. Rootkit usage seems relatively rare these days due to the fantastic piggybacking options PHP-based apps provide. That type of cracker is usually after spam or bot hosts, in which case you'll often see IRC connections from that host or an IRCd running (under a disguised name, of course).
Quote:
Originally Posted by jeenam
If you want to see what IPs are currently connected to your box, try installing iptraf
Basic system tools like netstat, fuser and lsof should suffice for listing network connections. Hell, you could even cat data from the proc network entries... OTOH, if you have suspicions, only listing connections isn't good enough; you'll want to capture it (tcpdump) and dissect it on another box with Snort and Wireshark.
Quote:
Originally Posted by jeenam
Useful Commands
Also note that if a box was thoroughly compromised, chances are you won't see a thing, as some standard binaries could be rigged and the logs doctored. In that case you'll need to investigate to confirm your suspicions by loading a Live CD like KNOPPIX(-STD), HELIX or FIRE and using the Intruder Detection Checklist (CERT):
http://www.cert.org/tech_tips/intrud...checklist.html as a guideline.
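As an added example (not part of the original post, and not any poster's own code), the two checks discussed above done in a small Python script: it counts failed SSH logins per source address in sshd log lines and flags a successful login that follows a run of failures from the same address (the bruteforce-then-success pattern), and it decodes the hex address fields of /proc/net/tcp, which is what "cat data from proc" gives you, into readable endpoints with the owning uid, flagging established connections to IRC ports. The sshd log lines and the /proc/net/tcp excerpt are constructed samples; the failure threshold and the IRC port list are assumptions, not values from the post.

```python
import re
import socket
import struct
from collections import Counter

# Constructed sample lines in the format sshd writes to syslog (auth.log on
# Debian, /var/log/secure on Red Hat-style systems). Not real log data.
SAMPLE_AUTH_LOG = """\
Mar  3 01:12:07 srv sshd[2201]: Failed password for root from 203.0.113.9 port 40122 ssh2
Mar  3 01:12:09 srv sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 40130 ssh2
Mar  3 01:12:11 srv sshd[2205]: Failed password for root from 203.0.113.9 port 40142 ssh2
Mar  3 01:12:12 srv sshd[2207]: Failed password for invalid user test from 203.0.113.9 port 40150 ssh2
Mar  3 01:12:14 srv sshd[2209]: Accepted password for root from 203.0.113.9 port 40161 ssh2
Mar  3 01:15:40 srv sshd[2230]: Failed password for alice from 198.51.100.4 port 51000 ssh2
Mar  3 01:15:45 srv sshd[2232]: Accepted publickey for alice from 198.51.100.4 port 51002 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def ssh_login_summary(log_text, threshold=3):
    """Return (failed_counts, suspicious_logins, root_logins).

    failed_counts: Counter of failed attempts per source IP.
    suspicious_logins: (ip, user, method) for every success from an IP that had
        already reached `threshold` failures (threshold is an assumed value).
    root_logins: source IPs that logged in as root at all, which a hardened box
        should not allow.
    """
    failed = Counter()
    suspicious = []
    root_logins = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if failed[ip] >= threshold:
                suspicious.append((ip, user, method))
            if user == "root":
                root_logins.append(ip)
    return failed, suspicious, root_logins


# Constructed excerpt in the layout of /proc/net/tcp (IPv4). Addresses are
# printed as %08X of the 32-bit address in host byte order, so on x86 the
# octets appear reversed; ports are big-endian hex. 'st' is the socket state.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0502000A:0016 097100CB:9CD1 01 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 20 4 30 10 -1
   2: 0502000A:A3F2 4D0200C0:1A0B 01 00000000:00000000 00:00000000 00000000    33        0 9012 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Assumed list of ports worth flagging; the post only says "IRC connections".
IRC_PORTS = {6667, 6697}


def _decode_endpoint(hexaddr):
    """'0502000A:0016' -> ('10.0.2.5', 22): unpack the little-endian address."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp content into dicts with local, remote, state, uid."""
    conns = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        conns.append({
            "local": _decode_endpoint(fields[1]),
            "remote": _decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
        })
    return conns


def flag_irc_connections(conns):
    """Established connections to IRC ports; the uid tells you which account
    (e.g. the web server's) owns the socket."""
    return [c for c in conns
            if c["state"] == "ESTABLISHED" and c["remote"][1] in IRC_PORTS]


if __name__ == "__main__":
    failed, suspicious, root_logins = ssh_login_summary(SAMPLE_AUTH_LOG)
    print("failed per IP:", dict(failed))
    print("success after bruteforce:", suspicious)
    print("root logins from:", root_logins)
    for c in flag_irc_connections(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)):
        print("IRC connection:", c)
```

On a live box you would feed it `/var/log/auth.log` and the real `/proc/net/tcp` (plus `/proc/net/tcp6`); reading the proc file directly bypasses a trojaned netstat binary, but not a kernel rootkit that filters what proc itself reports, which is why the post points at a Live CD for the serious case.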