LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Hwo do I log as much information as possible about connections made to Linux Box? (https://www.linuxquestions.org/questions/linux-security-4/hwo-do-i-log-as-much-information-as-possible-about-connections-made-to-linux-box-113620/)

jdruin 11-07-2003 09:35 PM

How do I log as much information as possible about connections made to Linux Box?
 
Hopefully this is an easy question. I have a box at school that I would like to monitor traffic from. I am running ssh, http, and smtp services and am really worried about the box because of its proximity to smart, bored people. I would like to keep a log of traffic hitting the box. Any ideas?

DavidPhillips 11-08-2003 03:23 AM

look in /var/log

ssh: /var/log/secure
http: /var/log/httpd/*_log (lots of logs there)
smtp: /var/log/maillog
system: /var/log/messages
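As an added example (not part of DavidPhillips' post, and not code from the thread), here is a way to read the sshd entries in /var/log/secure as a summary rather than raw lines: failed password attempts per source address, usernames that do not exist on the box, and accepted logins. The log lines in the script are constructed for the demo; the message format is OpenSSH's own. With no argument the functions read /var/log/secure itself.

```shell
#!/bin/sh
# Added example: summarise sshd activity from /var/log/secure instead of
# reading it raw. SAMPLE_SECURE below is constructed for this demo.

SAMPLE_SECURE=$(cat <<'EOF'
Nov  8 20:31:02 school sshd[1123]: Failed password for root from 10.0.0.5 port 4021 ssh2
Nov  8 20:31:05 school sshd[1123]: Failed password for root from 10.0.0.5 port 4021 ssh2
Nov  8 20:31:09 school sshd[1124]: Failed password for invalid user admin from 10.0.0.7 port 4022 ssh2
Nov  8 20:32:00 school sshd[1125]: Accepted password for jdruin from 10.0.0.2 port 4030 ssh2
Nov  8 20:33:14 school sshd[1126]: Failed password for invalid user test from 10.0.0.5 port 4035 ssh2
EOF
)

# Failed password attempts per source address, busiest source first.
# Output lines look like "3 10.0.0.5". $1 is the log file (default /var/log/secure).
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "${1:-/var/log/secure}" \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Usernames that were tried but do not exist on the box: a quick tell that
# someone is guessing accounts rather than mistyping their own password.
invalid_users() {
    grep 'Failed password for invalid user' "${1:-/var/log/secure}" \
      | sed -n 's/.*invalid user \([^ ]*\) from .*/\1/p' \
      | sort -u
}

# Successful logins as "user source", to compare who got in against who was expected.
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted ' "${1:-/var/log/secure}" \
      | sed -n 's/.*Accepted [a-z]* for \([^ ]*\) from \([0-9.]*\) .*/\1 \2/p'
}

# Demo against the constructed sample. On a real box call the functions with
# no argument, or with a rotated file such as /var/log/secure.1.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SECURE" > "$tmp"
    echo "Failed password attempts per source:"; failed_by_ip "$tmp"
    echo "Non-existent usernames tried:";       invalid_users "$tmp"
    echo "Accepted logins (user source):";      accepted_logins "$tmp"
    rm -f "$tmp"
}
demo
```

The same three functions work unchanged against a file copied off the box, which matters if you suspect the box itself: compare the counts from a copy of the log with what the live file shows.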

jdruin 11-08-2003 08:31 PM

Thanks for the info. May I ask, does tcpdump provide useful info also? It seems like it shows too much info, perhaps. Also, I do not know how to interpret the lines of output.

DavidPhillips 11-09-2003 01:02 AM

You can configure it for what you want and make it readable.

You're talking about chewing up some resources there.

kahpeetan 11-09-2003 06:41 PM

I guess it depends on how much info you actually need or want to log. I usually log unusual packets using the iptables -LOG option and review the messages in /var/log/messages.

tcpdump will log all the packet headers, but this will consume resources, and most "smart" people would have already found a way of spoofing their IP address, which makes this method somewhat obsolete.
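An added example (not from kahpeetan's post or the thread) of making the Netfilter LOG lines that land in /var/log/messages readable. The rule set in the comments is an assumption about what produced the lines: the services the box actually runs are accepted first, so only SYNs to closed ports reach the LOG target, and the limit match keeps a port scan from flooding syslog. The log lines themselves are constructed for the demo, in the kernel's LOG format; the `IPT-SYN: ` prefix is whatever you set with `--log-prefix`.

```shell
#!/bin/sh
# Added example: summarise iptables LOG output from /var/log/messages.
# Assumed rules that would produce these lines (run as root; not from the thread):
#   iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 25 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#   iptables -A INPUT -p tcp --syn -m limit --limit 5/min --limit-burst 20 \
#       -j LOG --log-prefix "IPT-SYN: "
#   iptables -A INPUT -p tcp --syn -j DROP
# SAMPLE_MESSAGES below is constructed for this demo.

LOG_PREFIX='IPT-SYN: '

SAMPLE_MESSAGES=$(cat <<'EOF'
Nov  9 18:41:02 school kernel: IPT-SYN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.0.0.5 DST=10.0.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40210 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  9 18:41:03 school kernel: IPT-SYN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.0.0.5 DST=10.0.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=40211 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  9 18:41:03 school kernel: IPT-SYN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.0.0.5 DST=10.0.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=40212 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  9 18:42:10 school kernel: IPT-SYN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.0.0.9 DST=10.0.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7001 DF PROTO=TCP SPT=1045 DPT=6000 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  9 18:42:13 school kernel: IPT-SYN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.0.0.9 DST=10.0.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7002 DF PROTO=TCP SPT=1045 DPT=6000 WINDOW=16384 RES=0x00 SYN URGP=0
Nov  9 18:43:00 school sshd[1130]: Accepted password for jdruin from 10.0.0.2 port 4040 ssh2
EOF
)

# One readable line per logged packet: "timestamp source -> proto/dport".
# $1 is the log file (default /var/log/messages). Non-LOG lines are skipped.
ipt_readable() {
    grep "$LOG_PREFIX" "${1:-/var/log/messages}" \
      | sed -n 's/^\(... .. ..:..:..\) .*SRC=\([0-9.]*\) .*PROTO=\([A-Z]*\) .*DPT=\([0-9]*\).*/\1 \2 -> \3\/\4/p'
}

# Logged packets per source address, busiest first ("3 10.0.0.5").
ipt_hits_by_src() {
    grep "$LOG_PREFIX" "${1:-/var/log/messages}" \
      | sed -n 's/.*SRC=\([0-9.]*\) .*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Sources that touched at least $2 distinct destination ports (default 3):
# a crude port-scan detector. Retries to the same port do not add to the count.
ipt_scanners() {
    min_ports=${2:-3}
    grep "$LOG_PREFIX" "${1:-/var/log/messages}" \
      | sed -n 's/.*SRC=\([0-9.]*\) .*PROTO=\([A-Z]*\) .*DPT=\([0-9]*\).*/\1 \2\/\3/p' \
      | sort -u \
      | awk -v min="$min_ports" '{n[$1]++} END {for (s in n) if (n[s] >= min) print s, n[s]}' \
      | sort
}

# Demo against the constructed sample; on a real box call the functions
# with no argument.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_MESSAGES" > "$tmp"
    echo "Logged packets:";               ipt_readable "$tmp"
    echo "Packets per source:";           ipt_hits_by_src "$tmp"
    echo "Sources probing 3+ ports:";     ipt_scanners "$tmp" 3
    rm -f "$tmp"
}
demo
```

Because the LOG rule sits after the ACCEPT rules for the services you actually offer, every line it produces is a connection attempt to something you did not intend to expose, which is the "unusual packets" kahpeetan is talking about. Remember that the limit match deliberately drops log entries above the rate, so the counts are a floor, not an exact tally.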

unSpawn 11-10-2003 06:23 AM

I would like to keep a log of traffic hitting the box. Any ideas?
First harden the box itself.
You didn't specify the box's place in your network (be more verbose); if it resides in a network, block off "the usual suspects" at the router before hardening the box.
To use application and system logging "better", you would need to tune applications to log verbosely and add a line similar to "*.*<tab><tab>/var/log/catchall.log" to syslog.conf (and restart syslogd) to catch all that gets logged. Next to the usual logging facilities at hand, like application and Netfilter/iptables logging, I would suggest running an IDS like Snort. It will give known-exploit and malicious-traffic signalling capabilities. If you need bandwidth accounting in addition to that, to signal excessive bandwidth usage due to P2P, FXP or whatever else, use MRTG.
If you're worried about clever people cracking or abusing the box, make sure you log to a remote hardened syslog server that does nothing but syslog.

warath 11-10-2003 01:12 PM

Install portsentry so that anyone who does try to access your box on a port that you don't have open for a service that you need will get blocked and logged. That, or you can set up an iptables rule to log all traffic (or have tcpdump running all the time)! But I think that would be overkill.
