LinuxQuestions.org
Forum: Linux - Security
11-07-2003, 09:35 PM   #1
jdruin (Member)
How do I log as much information as possible about connections made to a Linux box?


Hopefully this is an easy question. I have a box at school that I would like to monitor traffic from. I am running ssh, http and smtp services and am really worried about the box because of its proximity to smart, bored people. I would like to keep a log of traffic hitting the box. Any ideas?
 
11-08-2003, 03:23 AM   #2
DavidPhillips (Guru)
look in /var/log

ssh: /var/log/secure
http: /var/log/httpd/*_log ( lots of logs there)
smtp: /var/log/maillog
system: /var/log/messages
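A worked example, added here and not part of the thread, of actually reading the sshd entries that pile up in /var/log/secure: it parses both the "Accepted" and "Failed" lines into fields, then reports which sources failed repeatedly and which of those later got in. The log lines, the host name "lab" and the addresses are constructed for the example. The "illegal user" wording is what OpenSSH of that era logged; newer releases write "invalid user", and the parser accepts both.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure lines as sshd writes them through the
# authpriv syslog facility. Made-up entries, not logs from the poster's box;
# the addresses come from the RFC 5737 documentation ranges.
SAMPLE_SECURE = """\
Nov  8 03:12:01 lab sshd[2231]: Failed password for root from 192.0.2.77 port 4455 ssh2
Nov  8 03:12:05 lab sshd[2233]: Failed password for illegal user admin from 192.0.2.77 port 4460 ssh2
Nov  8 03:12:09 lab sshd[2235]: Failed password for root from 192.0.2.77 port 4471 ssh2
Nov  8 03:15:40 lab sshd[2240]: Accepted password for jdruin from 198.51.100.5 port 3322 ssh2
Nov  8 03:16:02 lab sshd[2244]: Accepted publickey for jdruin from 198.51.100.5 port 3330 ssh2
Nov  8 04:01:33 lab sshd[2301]: Failed password for root from 203.0.113.9 port 1099 ssh2
Nov  8 04:02:10 lab sshd[2305]: Accepted password for root from 203.0.113.9 port 1102 ssh2
Nov  8 04:30:00 lab sshd[2310]: Server listening on 0.0.0.0 port 22.
"""

# Matches the login-result lines only; "illegal user" is the old OpenSSH
# wording, "invalid user" the newer one.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:(?P<invalid>illegal user|invalid user) )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port (?P<port>\d+)"
)


def parse_sshd(lines):
    """Return one dict per sshd login-result line; other lines are skipped."""
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["invalid_user"] = ev.pop("invalid") is not None
        ev["port"] = int(ev["port"])
        events.append(ev)
    return events


def summarize(events, fail_threshold=3):
    """Count failures per source and flag the patterns worth a second look."""
    failed = defaultdict(int)
    accepted = defaultdict(set)
    invalid_users = defaultdict(set)
    got_in_after_failing = set()
    for ev in events:  # events are in log order, so "after" is meaningful
        src = ev["src"]
        if ev["result"] == "Failed":
            failed[src] += 1
            if ev["invalid_user"]:
                invalid_users[src].add(ev["user"])
        else:
            accepted[src].add(ev["user"])
            if failed.get(src):  # .get() so the defaultdict is not polluted
                got_in_after_failing.add(src)
    return {
        "failed": dict(failed),
        "accepted": {s: sorted(u) for s, u in accepted.items()},
        "invalid_users": {s: sorted(u) for s, u in invalid_users.items()},
        # Repeated failures from one source: password guessing.
        "suspicious": sorted(s for s, n in failed.items() if n >= fail_threshold),
        # A success that follows failures from the same source is the guess
        # that worked, and the first thing to chase.
        "failed_then_accepted": sorted(got_in_after_failing),
    }


if __name__ == "__main__":
    report = summarize(parse_sshd(SAMPLE_SECURE.splitlines()))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it directly to print the report for the embedded sample; to use it on the real file, hand `open("/var/log/secure")` to `parse_sshd` instead (reading that file needs root). The threshold of three failures is an arbitrary starting point; tune it to the box.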
 
11-08-2003, 08:31 PM   #3
jdruin (Member, Original Poster)
Thanks for the info. May I ask, does tcpdump provide useful info also? It seems like it shows too much info, perhaps. Also, I do not know how to interpret the lines of output.
 
11-09-2003, 01:02 AM   #4
DavidPhillips (Guru)
You can configure it for what you want and make it readable.

You're talking about chewing up some resources there.
 
11-09-2003, 06:41 PM   #5
kahpeetan (LQ Newbie)
I guess it depends on how much info you actually need or want to log. I usually log unusual packets using the iptables LOG option and review the messages in /var/log/messages.

tcpdump will log all the packet headers, but this will consume resources, and most "smart" people would have already found a way of spoofing their IP address, which makes this method somewhat obsolete.
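An added example, not the poster's own, of the other half of that approach: once unusual packets are logged with the LOG target, the kernel lines in /var/log/messages still have to be read. The constructed lines below are in the format that target produces; the script splits them into fields and picks out a source that hit several closed ports in a row. The "DROPIN: " prefix, the interface, MAC and addresses are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed /var/log/messages lines of the kind the netfilter LOG target
# writes (made-up, not from the poster's box). They assume a rule such as
#   iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROPIN: "
# placed just before the DROP rule, so only packets about to be dropped are
# logged and a flood cannot fill the disk. The prefix is this example's choice.
SAMPLE_MESSAGES = """\
Nov  9 18:02:11 lab kernel: DROPIN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.77 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  9 18:02:11 lab kernel: DROPIN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.77 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  9 18:02:12 lab kernel: DROPIN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.77 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  9 18:02:12 lab kernel: DROPIN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.77 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40004 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  9 18:02:13 lab kernel: DROPIN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.77 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40005 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
Nov  9 18:05:00 lab kernel: DROPIN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.5 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3321 PROTO=UDP SPT=1234 DPT=161 LEN=40
Nov  9 18:06:30 lab kernel: DROPIN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
"""

# syslog timestamp, host, "kernel: ", the optional --log-prefix, then the
# KEY=VALUE run that always starts with IN=.
NF_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)(?P<kv>IN=.*)$"
)


def parse_netfilter(lines):
    """One dict per LOG line; KEY=VALUE tokens become keys, bare tokens flags."""
    events = []
    for line in lines:
        m = NF_RE.match(line)
        if not m:
            continue
        ev = {"ts": m.group("ts"), "host": m.group("host"),
              "prefix": m.group("prefix").strip(), "flags": []}
        for tok in m.group("kv").split():
            if "=" in tok:
                key, val = tok.split("=", 1)
                # A transport-level LEN or ID repeats the IP-level key; the
                # later (transport) value wins, which is what we want for UDP LEN.
                ev[key] = val
            else:
                ev["flags"].append(tok)  # DF, SYN, ACK, ... carry no value
        events.append(ev)
    return events


def port_scanners(events, min_ports=4):
    """Sources that probed at least min_ports distinct TCP/UDP destination ports."""
    ports = defaultdict(set)
    for ev in events:
        if ev.get("PROTO") in ("TCP", "UDP") and "DPT" in ev:
            ports[ev["SRC"]].add(int(ev["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def by_protocol(events):
    """Dropped-packet counts per protocol, a quick feel for what is hitting the box."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev.get("PROTO", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_netfilter(SAMPLE_MESSAGES.splitlines())
    print("per protocol:", by_protocol(evs))
    print("scanners:", port_scanners(evs))
```

On a real box, feed `open("/var/log/messages")` to `parse_netfilter`; only lines that contain `kernel:` followed by `IN=` are picked up, so application messages in the same file are ignored. The `-m limit` match in the assumed rule is what keeps a deliberate flood from filling /var/log; without it, LOG is the easiest way for an attacker to make you lose the lines you care about.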
 
11-10-2003, 06:23 AM   #6
unSpawn (Moderator)
Quote: I would like to keep a log of traffic hitting the box. Any ideas?

First harden the box itself.
You didn't specify the box's place in your network (be more verbose); if it resides in a network, block off "the usual suspects" at the router before hardening the box.
To use application and system logging "better", you would need to tune applications to log verbosely and add a line similar to "*.*<tab><tab>/var/log/catchall.log" to syslog.conf (and restart syslogd) to catch all that gets logged. Next to the usual logging facilities at hand, like application and Netfilter/iptables logging, I would suggest running an IDS like Snort. It will give known-exploit and malicious-traffic signalling capabilities. If you need bandwidth accounting in addition to that, to signal excessive bandwidth usage due to P2P, FXP or whatever else, use MRTG.


If you're worried about clever people cracking or abusing the box, make sure you log to a remote hardened syslog server that does nothing but syslog.
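An added syslog.conf fragment, not from the thread, showing the catch-all line suggested above together with the forwarding to a dedicated log host that the last paragraph recommends. The host name loghost.example.net is assumed.

```conf
# /etc/syslog.conf on the monitored box (classic sysklogd).
# Selector and action must be separated by TABs, not spaces.

# Every facility at every priority into one local file, as suggested above:
*.*				/var/log/catchall.log

# ...and the same stream to the dedicated syslog server.
# "@host" sends each message over UDP to port 514 on that host.
*.*				@loghost.example.net
```

After editing, restart syslogd (on Red Hat of the period, `service syslog restart`). On the receiving box, sysklogd only accepts messages from the network when started with `syslogd -r`, and its firewall should admit UDP/514 from the monitored hosts alone: classic syslog carries no authentication, so anything that can reach that port can inject lines. The forwarded copy is the one to trust after a compromise; an intruder with root on the box can edit or truncate the local files, but not what already left over the wire.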
 
11-10-2003, 01:12 PM   #7
warath (Member)
Install portsentry so that anyone who does try to access your box on a port that you don't have open for a service that you need will get blocked and logged. That, or you can set up an iptables rule to log all traffic (or have tcpdump running all the time)! But I think that would be overkill.
 