LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   log organisation (http://www.linuxquestions.org/questions/linux-security-4/log-organisation-515733/)

namit 01-02-2007 06:32 PM

log organisation
 
Just wondering the best way of keeping track of logs because i have 101 files in /var/log and can not keep track of them what would you recommend?

I am looking for the failed logins what the best way of searching for these logs?

Thanks

unSpawn 01-03-2007 02:55 AM

i have 101 files in /var/log
That number may include logrotated ones, not all used logs, right?


can not keep track of them what would you recommend?
Something like Logwatch. Configure and cronjob it.


I am looking for the failed logins what the best way of searching for these logs?
For SSH implement one of http://www.linuxquestions.org/questi...d.php?t=340366 and you won't have to worry about that. PAM-enabled services log to syslog (also see there's pam_tally), Sudo logs to syslog as well and then there's last/lastb for looking at wtmp (login records).

archtoad6 01-03-2007 09:27 AM

Nicely formatted answer!

unSpawn 01-03-2007 11:00 AM

Nicely formatted answer!
What exactly do you mean by saying that? My formatting-fu rules major?
And what valuable insights does this add to answer the OP's questions?


BTW: That number may include logrotated ones, not all used logs, right? you would find out by doing something like:
Code:

/usr/sbin/lsof -n +D /var |egrep -ve "[[:blank:]](cwd|rtd)[[:blank:]]"|awk '{print $9}'|grep "^/"|sort|uniq

namit 01-03-2007 12:08 PM

nice one lads i found that this ip 62.193.230.48 tried to login a lot of times so can not block him but good thing to see they did not get in.

As for logs should i clear them after i email myself them? or do you not recommend this?

unSpawn 01-03-2007 05:20 PM

i found that this ip 62.193.230.48 tried to login a lot of times so can not block him
That does not compute.

Even if you're on the same subnet you could block it: depends on if what you're running needs to be publicly accessable. If it does not you could use a more restrictive "deny from all, allow from some_nets" ruleset. In any case please spend some time hardening your box and see my previous note about SSH.


As for logs should i clear them after i email myself them? or do you not recommend this?
Unnecessary unless you didn't install logrotate or configuring logrotate to not delete logs or save a nonsensical amount of rotations.

namit 01-03-2007 05:38 PM

i mean to say that i now can block him

namit 01-04-2007 05:32 AM

few followup questions that have arose from viewing these logs

is it commen that have around 30 Illegal users a day try to login to your servers?

Also whats the difference between Failed logins and illegal users?
Quote:

Failed logins from these:
asdf/keyboard-interactive/pam from ::ffff:83.70.232.2: 1 Time(s)
helloworld/keyboard-interactive/pam from ::ffff:83.70.232.2: 1 Time(s)

Illegal users from these:
adm/none from ::ffff:83.227.4.103: 1 Time(s)
admin/none from ::ffff:61.90.197.55: 6 Time(s)
admin/none from ::ffff:83.227.4.103: 2 Time(s)
.... lots lots more


Also commands are being run i no nothing about

Quote:

Commands Run:
User amavis:
... Command ...
but i have deleted amavis and if so how how do i stop this from running?

unSpawn 01-04-2007 07:01 AM

is it commen that have around 30 Illegal users a day try to login to your servers?
Some nets are more exposed than others, so yeah, not uncommon.


Also whats the difference between Failed logins and illegal users?
"Failed" is like wrong pass, "illegal" is like unknown or disabled accountname.


Also commands are being run i no nothing about
Well, then familiarise yourself with what accounts are available on the machine.
Typing "getent passwd amavis" should show it's an inert system account for running Amavis AV.


but i have deleted amavis and if so how how do i stop this from running?
If you deleted the account w/o uninstalling the software then you made an error. And what exactly is running?

fotoguy 01-04-2007 07:35 PM

Might be a little of topic but I created this backup script a few years ago that might come in handy to backup all those log files to a cdrom, it may just need some tweaking to get it right, I haven't used it for quite a while.

Code:

#!/bin/sh
###########################################################################
Backup_Dirs="/var/log"
Backup_Dest_Path="/tmp/backup"
Backup_Date=`date +%a%b-%d-%Y-%R`
Backup_Name="Hostname-domainname"
Speed="8"                                # Use best speed for CD-R/RW disks on YOUR system
MAILTO="someone@somewhere.com"
###########################################################################
#        Check to see of backup directory exists, if not then create it
function makeBackupDir {
        if [ ! -d $Backup_Dest_Path ]; then
                mkdir $Backup_Dest_Path
                chmod 700 $Backup_Dest_Path
        fi
}
makeBackupDir
###########################################################################
#        Create tar file with todays Month Day Year prepended for easy identification  and also create a log file
function tarBackupDir {
        echo "Start creating backups including log files"
        tar -cvzpf $Backup_Dest_Path/$Backup_Name-$Backup_Date.tar.gz $Backup_Dirs > $Backup_Dest_Path/$Backup_Name-$Backup_Date.log
        echo "Finished creating backups including log files"
}
tarBackupDir
###########################################################################
#        Create a image that can be written to writeable media
function makeImage {
        echo "Making image file"
        #mkisofs -R -o /tmp/$Backup_Name-$Backup_Date.img $Backup_Dest_Path
        mkisofs -l -r -J -V $Backup_Name-$backup_Date -o /tmp/$Backup_Name-$Backup_Date.iso $Backup_Dest_Path
        echo "Finished making iso file"
}
makeImage
###########################################################################
#        Check size of backup image be for we burn it
function checkSize {
        echo "Check size of file before burning to disc"
        SIZE=`du -m /tmp/$Backup_Name-$Backup_Date.iso | awk '{print $1}'`
        if [ "$SIZE" -lt "700" ]; then
                echo "Size OK to burn"
        else
                echo "Size too big to burn"
                exit 1
        fi
        echo "Finished size checking"
}
checkSize
###########################################################################
#        Burn to disc
function burnImage {
        BURNER=`cdrecord dev=ATAPI -scanbus | grep "'" | awk '{print $1}' | grep "0"`
        echo "Burning back-up to disc."
        cdrecord dev=ATAPI:$BURNER -v blank=fast -eject fs=64M driveropts=burnproof speed=$Speed -sao /tmp/$Backup_Name-$Backup_Date.iso
        echo "Successfully burnt: $Backup_Name-$Backup_Date.iso to disc"
}
burnImage
###########################################################################
#        Mail a backup notice to someone
function mailTo {
        echo "Mail sent to $MAILTO"
        mail -s "$Backup_Name-$Backup_Date: $Size MB : Backup Complete" $MAILTO < /dev/null
}
mailTo
###########################################################################
#        Lets clear out some old backups that are older than 7 days
function cleanUp {
        find $Backup_Dirs -type f -mtime +7 -exec rm -f '{}' \; #Delete logfiles older than 7 days (After backup)
        find $Backup_Dest_Path -type f -exec rm -f '{}' \; #Delete files in backup directory
}
cleanUp
###########################################################################
exit 0
###########################################################################


namit 01-05-2007 10:30 PM

Quote:

Originally Posted by unSpawn
but i have deleted amavis and if so how how do i stop this from running?
If you deleted the account w/o uninstalling the software then you made an error. And what exactly is running?

this what is running
test -e /usr/bin/sa-learn && test -e /usr/sbin/amavisd-new && /usr/bin/sa-learn --rebuild >/dev/null 2>&1: 8 Time(s)

Also is it commen that i should get this and should i be worried?

backup : 3 Time(s)
bin : 1 Time(s)
bind : 2 Time(s)
..alot of names tried they are all blocked form login in
root : 453 Time(s)
spam : 3 Time(s)
sshd : 4 Time(s)
sys : 2 Time(s)
www-data : 3 Time(s)

and is there anyway that i can find out what passwords these people are trying?


All times are GMT -5. The time now is 10:45 AM.