Old 01-02-2007, 06:32 PM   #1
namit
Member
 
Registered: Aug 2005
Distribution: Debian
Posts: 355

Rep: Reputation: 30
log organisation


Just wondering about the best way of keeping track of logs, because I have 101 files in /var/log and cannot keep track of them. What would you recommend?

I am looking for the failed logins. What is the best way of searching these logs?

Thanks
 
Old 01-03-2007, 02:55 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,005
Blog Entries: 54

Rep: Reputation: 2763
Quote:
i have 101 files in /var/log
That number may include logrotated ones, not all used logs, right?


Quote:
can not keep track of them what would you recommend?
Something like Logwatch. Configure it and run it from a cronjob.


Quote:
I am looking for the failed logins what the best way of searching for these logs?
For SSH implement one of http://www.linuxquestions.org/questi...d.php?t=340366 and you won't have to worry about that. PAM-enabled services log to syslog (also see pam_tally), sudo logs to syslog as well, and then there's last/lastb for looking at wtmp (login records).
 
Old 01-03-2007, 09:27 AM   #3
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230
Nicely formatted answer!
 
Old 01-03-2007, 11:00 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,005
Blog Entries: 54

Rep: Reputation: 2763
Quote:
Nicely formatted answer!
What exactly do you mean by saying that? My formatting-fu rules major?
And what valuable insight does this add to answering the OP's questions?


BTW: "That number may include logrotated ones, not all used logs, right?" You would find out by doing something like:
Code:
# list the files under /var that running processes currently hold open
# (cwd/rtd entries are a process's working and root directory, not logs)
/usr/sbin/lsof -n +D /var | egrep -ve "[[:blank:]](cwd|rtd)[[:blank:]]" | awk '{print $9}' | grep "^/" | sort -u
 
Old 01-03-2007, 12:08 PM   #5
namit
Member
 
Registered: Aug 2005
Distribution: Debian
Posts: 355

Original Poster
Rep: Reputation: 30
Nice one, lads. I found that this IP 62.193.230.48 tried to log in a lot of times so can not block him, but it's a good thing to see they did not get in.

As for logs, should I clear them after I email them to myself? Or do you not recommend this?
 
Old 01-03-2007, 05:20 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,005
Blog Entries: 54

Rep: Reputation: 2763
Quote:
i found that this ip 62.193.230.48 tried to login a lot of times so can not block him
That does not compute.

Even if you're on the same subnet you could block it; it depends on whether what you're running needs to be publicly accessible. If it does not, you could use a more restrictive "deny from all, allow from some_nets" ruleset. In any case, please spend some time hardening your box, and see my previous note about SSH.


Quote:
As for logs should i clear them after i email myself them? or do you not recommend this?
Unnecessary, unless you didn't install logrotate, or configured logrotate not to delete logs or to save a nonsensical number of rotations.
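The "deny from all, allow from some_nets" ruleset mentioned above, as an added example that is not part of this thread. The post does not name a firewall; this version uses iptables, scoped to the SSH port, and the networks in ALLOWED_NETS are assumptions to be replaced with the addresses you administer from. By default it only prints the commands so they can be reviewed first; set APPLY=1 to run them as root.

```shell
#!/bin/sh
# Added example (not from the thread): a "deny from all, allow from some_nets"
# ruleset for SSH, written for iptables. ALLOWED_NETS is an assumption;
# replace it with your own management networks. Without APPLY=1 the commands
# are only printed, so you can check them (with a console open) before you
# risk locking yourself out.
ALLOWED_NETS="192.0.2.0/24 198.51.100.10/32"

# Print a command, or run it when APPLY=1 (needs root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Dedicated chain for port 22: accept the listed nets, log everything else at
# a limited rate (so a scanner cannot flood the log) and then drop it.
ssh_allowlist_rules() {
    run iptables -N SSH_IN
    for net in $ALLOWED_NETS; do
        run iptables -A SSH_IN -s "$net" -j ACCEPT
    done
    run iptables -A SSH_IN -m limit --limit 5/min -j LOG --log-prefix "ssh-denied:"
    run iptables -A SSH_IN -j DROP
    # Hook the chain in front of whatever INPUT already holds.
    run iptables -I INPUT -p tcp --dport 22 -j SSH_IN
}

ssh_allowlist_rules
```

The dropped attempts still show up (rate-limited, prefixed "ssh-denied:") in the kernel log, so Logwatch keeps reporting who is knocking without the attempts ever reaching sshd or PAM.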
 
Old 01-03-2007, 05:38 PM   #7
namit
Member
 
Registered: Aug 2005
Distribution: Debian
Posts: 355

Original Poster
Rep: Reputation: 30
I meant to say that I can now block him.
 
Old 01-04-2007, 05:32 AM   #8
namit
Member
 
Registered: Aug 2005
Distribution: Debian
Posts: 355

Original Poster
Rep: Reputation: 30
A few follow-up questions that have arisen from viewing these logs.

Is it common to have around 30 illegal users a day try to log in to your servers?

Also, what's the difference between failed logins and illegal users?
Quote:
Failed logins from these:
asdf/keyboard-interactive/pam from ::ffff:83.70.232.2: 1 Time(s)
helloworld/keyboard-interactive/pam from ::ffff:83.70.232.2: 1 Time(s)

Illegal users from these:
adm/none from ::ffff:83.227.4.103: 1 Time(s)
admin/none from ::ffff:61.90.197.55: 6 Time(s)
admin/none from ::ffff:83.227.4.103: 2 Time(s)
.... lots lots more

Also, commands are being run that I know nothing about:

Quote:
Commands Run:
User amavis:
... Command ...
but I have deleted amavis, and if so, how do I stop this from running?

Last edited by namit; 01-04-2007 at 05:45 AM.
 
Old 01-04-2007, 07:01 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,005
Blog Entries: 54

Rep: Reputation: 2763
Quote:
is it commen that have around 30 Illegal users a day try to login to your servers?
Some nets are more exposed than others, so yeah, not uncommon.


Quote:
Also whats the difference between Failed logins and illegal users?
"Failed" is like a wrong password, "illegal" is like an unknown or disabled account name.


Quote:
Also commands are being run i no nothing about
Well, then familiarise yourself with what accounts are available on the machine.
Typing "getent passwd amavis" should show it's an inert system account for running Amavis AV.


Quote:
but i have deleted amavis and if so how how do i stop this from running?
If you deleted the account without uninstalling the software, then you made an error. And what exactly is running?
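The distinction drawn above (a wrong password for an existing account versus an account that does not exist) and the failed-login search the OP asked about in the first post, as an added shell example that is not part of this thread. It reads sshd's syslog lines (on Debian they land in /var/log/auth.log), classifies each attempt the way Logwatch's "Failed logins" and "Illegal users" sections do, and lists the source addresses with at least N failed or illegal attempts. The log lines it writes to a temporary file are constructed for the example: the addresses are the ones quoted in this thread plus a documentation range, and the users and PIDs are made up. It matches the old sshd wording "Illegal user" as well as the newer "Invalid user" / "Failed ... for invalid user" forms.

```shell
#!/bin/sh
# Added example (not from the thread): classify sshd login attempts the way
# Logwatch's "Failed logins" / "Illegal users" sections do, then list the
# source addresses that deserve a firewall rule.

# Constructed sample of syslog lines as Debian writes them to /var/log/auth.log.
# Addresses are the ones quoted in the thread plus a documentation range;
# users and PIDs are made up.
write_sample_log() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Jan  4 03:12:01 host sshd[2201]: Failed password for root from ::ffff:83.70.232.2 port 40122 ssh2
Jan  4 03:12:04 host sshd[2203]: Failed password for root from ::ffff:83.70.232.2 port 40123 ssh2
Jan  4 03:12:07 host sshd[2205]: Failed password for backup from ::ffff:83.70.232.2 port 40124 ssh2
Jan  4 03:12:08 host sshd[2207]: Failed keyboard-interactive/pam for invalid user helloworld from ::ffff:83.70.232.2 port 40125 ssh2
Jan  4 03:12:09 host sshd[2209]: Invalid user admin from ::ffff:61.90.197.55
Jan  4 03:12:09 host sshd[2209]: Failed password for invalid user admin from ::ffff:61.90.197.55 port 51000 ssh2
Jan  4 03:12:11 host sshd[2211]: Illegal user adm from ::ffff:83.227.4.103
Jan  4 03:12:15 host sshd[2213]: Failed password for invalid user admin from ::ffff:61.90.197.55 port 51001 ssh2
Jan  4 03:13:00 host sshd[2215]: Accepted publickey for namit from 192.0.2.10 port 50000 ssh2
Jan  4 03:14:20 host sshd[2217]: Failed password for namit from 192.0.2.10 port 50001 ssh2
Jan  4 03:17:01 host CRON[2220]: (root) CMD (run-parts /etc/cron.hourly)
EOF
    echo "$f"
}

# Print "outcome user ip" for every sshd authentication line in file $1.
#   failed   = existing account, wrong credential   (Logwatch: "Failed logins")
#   illegal  = account that does not exist          (Logwatch: "Illegal users")
#   accepted = successful login
# Old sshd logs "Illegal user X"; newer versions log "Invalid user X" AND a
# "Failed ... for invalid user X" line for the same attempt, so only the
# Failed line is counted there to avoid counting one attempt twice.
classify_auth_log() {
    awk '
    /sshd\[[0-9]+\]: Failed [^ ]+ for invalid user / { print "illegal", $11, $13; next }
    /sshd\[[0-9]+\]: Illegal user /                  { print "illegal", $8, $10; next }
    /sshd\[[0-9]+\]: Failed [^ ]+ for /              { print "failed", $9, $11; next }
    /sshd\[[0-9]+\]: Accepted /                      { print "accepted", $9, $11; next }
    ' "$1"
}

# Attempt counts per (outcome, user, ip), most frequent first.
summarize_auth_log() {
    classify_auth_log "$1" | sort | uniq -c | sort -rn
}

# Source addresses with at least $2 failed or illegal attempts in file $1,
# busiest first: candidates for a deny rule.
attackers_over() {
    classify_auth_log "$1" | awk -v min="$2" '
        $1 != "accepted" { n[$3]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' | sort -rn | awk '{ print $2 }'
}

# Usage: sh auth-summary.sh /var/log/auth.log
if [ $# -gt 0 ]; then
    summarize_auth_log "$1"
    echo "--- sources with 5 or more failed/illegal attempts ---"
    attackers_over "$1" 5
fi
```

On the sample above the summary's top lines are two failed root attempts from ::ffff:83.70.232.2 and two illegal "admin" attempts from ::ffff:61.90.197.55, and attackers_over with a threshold of 3 returns only ::ffff:83.70.232.2. A successful login never counts against an address, so a legitimate user who mistypes a password once is not listed alongside the scanners.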
 
Old 01-04-2007, 07:35 PM   #10
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,276

Rep: Reputation: 61
Might be a little off topic, but I created this backup script a few years ago that might come in handy to back up all those log files to a CD-ROM. It may just need some tweaking to get it right; I haven't used it for quite a while.

Code:
#!/bin/bash
###########################################################################
Backup_Dirs="/var/log"
Backup_Dest_Path="/tmp/backup"
Backup_Date=$(date +%a%b-%d-%Y-%H%M)	# %H%M instead of %R: no ':' in file names or the ISO volume ID
Backup_Name="Hostname-domainname"
Speed="8"				# Use best speed for CD-R/RW disks on YOUR system
MAILTO="someone@somewhere.com"
Image="/tmp/$Backup_Name-$Backup_Date.iso"
###########################################################################
#	Check to see if backup directory exists, if not then create it
function makeBackupDir {
	if [ ! -d "$Backup_Dest_Path" ]; then
		mkdir -m 700 "$Backup_Dest_Path"
	fi
}
makeBackupDir
###########################################################################
#	Create tar file with today's Month Day Year prepended for easy identification and also create a log file
function tarBackupDir {
	echo "Start creating backups including log files"
	# $Backup_Dirs is left unquoted on purpose so it may list several directories
	tar -cvzpf "$Backup_Dest_Path/$Backup_Name-$Backup_Date.tar.gz" $Backup_Dirs > "$Backup_Dest_Path/$Backup_Name-$Backup_Date.log"
	echo "Finished creating backups including log files"
}
tarBackupDir
###########################################################################
#	Create an image that can be written to writeable media
function makeImage {
	echo "Making image file"
	# was "$backup_Date" (lower-case b), which is an empty, undefined variable
	mkisofs -l -r -J -V "$Backup_Name-$Backup_Date" -o "$Image" "$Backup_Dest_Path"
	echo "Finished making iso file"
}
makeImage
###########################################################################
#	Check size of backup image before we burn it
function checkSize {
	echo "Check size of file before burning to disc"
	SIZE=$(du -m "$Image" | awk '{print $1}')
	if [ "$SIZE" -lt 700 ]; then
		echo "Size OK to burn"
	else
		echo "Size too big to burn"
		exit 1
	fi
	echo "Finished size checking"
}
checkSize
###########################################################################
#	Burn to disc
function burnImage {
	# Takes the first ATAPI device cdrecord reports; check that this is really your burner
	BURNER=$(cdrecord dev=ATAPI -scanbus | grep "'" | awk '{print $1}' | grep "0" | head -n 1)
	echo "Burning back-up to disc."
	if cdrecord dev=ATAPI:"$BURNER" -v blank=fast -eject fs=64M driveropts=burnproof speed="$Speed" -sao "$Image"; then
		echo "Successfully burnt: $Backup_Name-$Backup_Date.iso to disc"
	else
		echo "Burning $Backup_Name-$Backup_Date.iso failed"
		exit 1
	fi
}
burnImage
###########################################################################
#	Mail a backup notice to someone
function mailTo {
	echo "Mail sent to $MAILTO"
	# SIZE (not Size) is the variable set in checkSize
	mail -s "$Backup_Name-$Backup_Date: $SIZE MB : Backup Complete" "$MAILTO" < /dev/null
}
mailTo
###########################################################################
#	Let's clear out some old backups that are older than 7 days
function cleanUp {
	find $Backup_Dirs -type f -mtime +7 -exec rm -f '{}' \;	# Delete logfiles older than 7 days (after backup)
	find "$Backup_Dest_Path" -type f -exec rm -f '{}' \;	# Delete files in backup directory
	rm -f "$Image"						# Delete the image once it is on disc
}
cleanUp
###########################################################################
exit 0
###########################################################################
 
Old 01-05-2007, 10:30 PM   #11
namit
Member
 
Registered: Aug 2005
Distribution: Debian
Posts: 355

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by unSpawn
but i have deleted amavis and if so how how do i stop this from running?
If you deleted the account w/o uninstalling the software then you made an error. And what exactly is running?
This is what is running:
test -e /usr/bin/sa-learn && test -e /usr/sbin/amavisd-new && /usr/bin/sa-learn --rebuild >/dev/null 2>&1: 8 Time(s)

Also, is it common that I should get this, and should I be worried?

backup : 3 Time(s)
bin : 1 Time(s)
bind : 2 Time(s)
.. a lot of names tried; they are all blocked from logging in
root : 453 Time(s)
spam : 3 Time(s)
sshd : 4 Time(s)
sys : 2 Time(s)
www-data : 3 Time(s)

And is there any way that I can find out what passwords these people are trying?
 