LinuxQuestions.org forum: Linux - Security
08-23-2013, 09:50 AM   #1
newbie14
Member
Logwatch not showing


Hi,
I noticed suddenly that my logwatch is not showing me anything with regard to httpd, whereas there are so many activities going on, and it is also not showing the ssh login log either. Is anything wrong? I am using the same command throughout, and earlier I used to get things. Here is my command, say for the last 10 days.

logwatch --detail High --service All --range -10 --archives --numeric > ~/logwatch.test
 
08-24-2013, 01:48 AM   #2
unSpawn
Moderator
I explained to you before how you can use logwatch in --debug mode and grep for things to find out what gets processed.
 
08-25-2013, 08:21 AM   #3
newbie14
Member
Dear Unspawn,
Ok, the debug is helpful, and I notice it looks into my httpd and ssh logs. So, for the benefit of the rest, my earlier mistake was not putting "days"; it should be logwatch --detail High --service All --range '-10 days' --archives --numeric > ~/logwatch.test. I made some more discoveries, and it puzzles me that it shows it is picking up ssh during debug, but when I generate the log there are no ssh entries shown. I can see in my debug mode that "All Services:" is showing me this: [74] = sshd and [75] = sshd2.

Another interesting thing: here below is my last 30 days' log for httpd.


Quote:
--------------------- httpd Begin ------------------------

28.78 MB transferred in 4107 responses (1xx 0, 2xx 3152, 3xx 67, 4xx 888, 5xx 0)
707 Images (0.43 MB),
3397 Content pages (28.35 MB),
3 Other (0.00 MB)

Requests with error response codes
403 Forbidden
//tmm1/cstr/: 2 Time(s)
/tmm1/cstr/: 241 Time(s)
404 Not Found
/MyAdmin/scripts/setup.php: 1 Time(s)
/config/bd_mpc/offers.json: 1 Time(s)
/favicon.ico: 511 Time(s)
/images/shadow.gif: 89 Time(s)
/manager/html: 1 Time(s)
/myadmin/scripts/setup.php: 1 Time(s)
/phpMyAdmin/scripts/setup.php: 1 Time(s)
/phpmyadmin/scripts/setup.php: 1 Time(s)
/pma/scripts/setup.php: 1 Time(s)
/robots.txt: 3 Time(s)
/w00tw00t.at.blackhats.romanian.anti-sec: 1 Time(s)

A total of 3 ROBOTS were logged
Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots) 1 Time(s)
Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2 1 Time(s)
NCBot (http://netcomber.com?st=ba : tool for finding true domain owners) Queries/complaints: bot@netcomber.com 1 Time(s)

---------------------- httpd End -------------------------
Here are my last 21 days.

Quote:
--------------------- httpd Begin ------------------------

18.11 MB transferred in 1626 responses (1xx 0, 2xx 1213, 3xx 54, 4xx 358, 5xx 1)
342 Images (0.37 MB),
1282 Content pages (17.74 MB),
1 mod_proxy requests (0.00 MB),
1 Other (0.00 MB)

Attempts to use known hacks by 1 hosts were logged 1 time(s) from:
76.14.105.172: 1 Time(s)
^null$ 1 Time(s)

Connection attempts using mod_proxy:
212.42.17.74 -> www.fbi.gov:80: 1 Time(s)

A total of 1 sites probed the server
76.14.105.172

Requests with error response codes
403 Forbidden
//tmm1/cstr/: 1 Time(s)
/tmm1/cstr/: 56 Time(s)
404 Not Found
/FastHTTPAuthScanner200test/: 1 Time(s)
/HNAP1/: 1 Time(s)
/admin/: 1 Time(s)
/cgi/index_voipgate.cgi: 1 Time(s)
/configuration_administrator/VoIP/VoIP_1.htm: 1 Time(s)
/favicon.ico: 217 Time(s)
/images/shadow.gif: 39 Time(s)
/robots.txt: 1 Time(s)
/~root/: 1 Time(s)
http://best-proxies.ru/azenv.php?rand=137a ... a67c6a5dd0a74d0: 1 Time(s)
http://best-proxies.ru/azenv.php?rand=58ec ... 497d99ddc93c331: 1 Time(s)
http://best-proxies.ru/azenv.php?rand=c05c ... 46d88c9e7b31235: 1 Time(s)
http://best-proxies.ru/azenv.php?rand=e177 ... 7548ed655526131: 1 Time(s)
405 Method Not Allowed
www.fbi.gov:80: 1 Time(s)
501 Not Implemented
null: 1 Time(s)

A total of 1 ROBOTS were logged
- 1 Time(s)

---------------------- httpd End -------------------------

Can you see the difference? Why doesn't the last 30 days have full coverage? It should be covering what is shown in the last 21 days.
 
08-25-2013, 02:51 PM   #4
unSpawn
Moderator
Quote:
Originally Posted by newbie14
(..) I made some more discoveries, and it puzzles me that it shows it is picking up ssh during debug, but when I generate the log there are no ssh entries shown. I can see in my debug mode that "All Services:" is showing me this: [74] = sshd and [75] = sshd2.
I don't see any log so I have no idea.


Quote:
Originally Posted by newbie14
Can you see the difference? Why doesn't the last 30 days have full coverage? It should be covering what is shown in the last 21 days.
If those requests were made in the first week then the report covering the last three weeks wouldn't show them?

BTW please review your Apache configuration because if you're still running mod_proxy I'm gonna smack you.
 
08-26-2013, 03:55 AM   #5
newbie14
Member
Dear Unspawn,
I have emailed you my file (logwatch240813_debug) with the debug output, because it is not allowed to be uploaded here due to the file size. Back to report coverage. Ok, with regard to the report, if say I need the last 30 days, I guess I must use "between", which I found after doing some reading: if I just put -21 days it will give just the 21st day back, and -30 days will be just the 30th day back. Can you see why my sshd or fail2ban is not being reported in the logwatch either?

I have also attached the httpd.conf file, where I have double-checked all those entries with proxy and commented them out. Any chance of other loopholes?
Attached file: httpd.conf_240813.txt (33.6 KB)
 
08-27-2013, 04:05 PM   #6
unSpawn
Moderator
Quote:
Originally Posted by newbie14
I have emailed you my file (logwatch240813_debug) with the debug output, because it is not allowed to be uploaded here due to the file size.
No, that is not OK. You really should not email me files without me explicitly requesting it.
 
08-27-2013, 07:43 PM   #7
newbie14
Member
Dear Unspawn,
Sorry for the mistake; it shall not happen again.
 
08-28-2013, 01:49 AM   #8
unSpawn
Moderator
OK. I'll get on it when I find the time.
 
08-28-2013, 01:50 AM   #9
newbie14
Member
Dear Unspawn,
Many apologies for my mistake, and I am extremely sorry for that; I hope I am forgiven. Sorry.
 
08-29-2013, 01:34 AM   #10
unSpawn
Moderator
Start by defining (in /etc/logwatch/conf/logwatch.conf) only the services you actually run?
And it seems you correctly disabled all mod_proxy* DSOs.
 
08-29-2013, 08:53 AM   #11
newbie14
Member
Dear Unspawn,
I don't get what you are saying here by "defining". But I know my mistake now, because when I run with the range as 'between -30 days and today' it shows correctly. So I guess nothing is wrong with logwatch; all is fine. But what about the proxy? What else can I do to stop further proxy attacks?
 
08-31-2013, 02:46 AM   #12
unSpawn
Moderator
Quote:
Originally Posted by newbie14
I don't get what you are saying here by "defining".
I mean that if you do not run a service (say Pluto or sshd2) then you should not (need to) run that check. In your case you run sshd and not sshd2.


Quote:
Originally Posted by newbie14
But what about the proxy? What else can I do to stop further proxy attacks?
Check your actual (error) log file for any proxy (error) lines?
 
08-31-2013, 10:46 AM   #13
newbie14
Member
Dear Unspawn,
What is the best command to verify the services we are running against what is captured by logwatch? I will go through my http error log and get back to you if there is anything on proxy.
 
09-01-2013, 07:18 AM   #14
unSpawn
Moderator
Quote:
Originally Posted by newbie14
What is the best command to verify the services we are running against what is captured by logwatch?
I don't know any better way than to manually compare contents of /usr/share/logwatch/scripts/services with what your package management says you have.
Doing it this way probably is NOT SAFE OR ALL-ENCOMPASSING:
Code:
find /usr/share/logwatch/scripts/services -type f -printf "%f\n"|xargs -iX whereis 'X'\
|grep -v ":$"|awk -F': ' '{print "Service = "$1}' >> /etc/logwatch/conf/logwatch.conf
 
09-01-2013, 11:48 AM   #15
newbie14
Member
Dear Unspawn,
Further to your advice, I went through all the http error and access logs, which had been zipped. Below is what I found in the error log.

Quote:
[Sun Aug 04 07:06:53 2013] [error] [client 212.42.17.74] File does not exist: /var/www/html/FastHTTPAuthScanner200test
[Sun Aug 04 07:07:06 2013] [error] [client 212.42.17.74] File does not exist: /var/www/html/admin
[Sun Aug 04 07:07:24 2013] [error] [client 212.42.17.74] File does not exist: /var/www/html/~root
[Sun Aug 04 07:07:41 2013] [error] [client 212.42.17.74] File does not exist: /var/www/html/configuration_administrator
Here is what I found in the access log. It looks like they managed to connect via this httpd, right? How do I stop this now?


Quote:
212.42.17.74 - - [04/Aug/2013:07:06:07 +0800] "GET / HTTP/1.1" 200 30 "-" "Mozilla/5.0 (FHScan Core 1.1)"
212.42.17.74 - - [04/Aug/2013:07:06:26 +0800] "GET http://www.fbi.gov/ HTTP/1.1" 200 30 "-" "-"
212.42.17.74 - - [04/Aug/2013:07:06:37 +0800] "CONNECT www.fbi.gov:80 HTTP/1.0" 405 235 "-" "-"
212.42.17.74 - - [04/Aug/2013:07:06:53 +0800] "GET /FastHTTPAuthScanner200test/ HTTP/1.1" 404 225 "-" "Mozilla/5.0 (FHScan Core 1.1)"
212.42.17.74 - - [04/Aug/2013:07:07:06 +0800] "GET /admin/ HTTP/1.1" 404 204 "-" "Mozilla/5.0 (FHScan Core 1.1)"
212.42.17.74 - - [04/Aug/2013:07:07:24 +0800] "GET /~root/ HTTP/1.1" 404 204 "-" "Mozilla/5.0 (FHScan Core 1.1)"
212.42.17.74 - - [04/Aug/2013:07:07:41 +0800] "GET /configuration_administrator/VoIP/VoIP_1.htm HTTP/1.1" 404 241 "-" "Mozilla/5.0 (FHScan Core 1.1)"
202.46.55.59 - - [04/Aug/2013:07:07:54 +0800] "GET / HTTP/1.1" 200 30 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
212.42.17.74 - - [04/Aug/2013:07:07:55 +0800] "GET /cgi/index_voipgate.cgi HTTP/1.1" 404 220 "-" "Mozilla/5.0 (FHScan Core 1.1)"
But then in logwatch I do see this line.

Quote:
405 Method Not Allowed
www.fbi.gov:80: 1 Time(s)
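The access log lines quoted above are what a forward-proxy probe looks like from the server side: an absolute-URI request ("GET http://www.fbi.gov/") and a "CONNECT host:80" tunnel request, which only make sense against an open proxy. The following is an added example, not code from the thread or from logwatch: a small parser that reads Apache combined-format lines, separates proxy probes from ordinary hits, and judges from the response whether the server actually acted as a proxy. The sample log is constructed from the lines quoted in post #15 plus one ordinary hit. The "served-locally" verdict is a heuristic assumed here: an Apache without mod_proxy ignores the host part of an absolute URI and serves its own page, so a 200 whose byte count equals the local "GET /" response is local content, not forwarded content; a 405/403/501 means the request was refused outright.

```python
"""Flag forward-proxy probes in an Apache access log (added example, not from the thread)."""
import re
from collections import Counter

# Constructed sample: lines quoted in post #15 of the thread plus one ordinary hit,
# all in Apache combined log format.
SAMPLE_ACCESS_LOG = """\
212.42.17.74 - - [04/Aug/2013:07:06:07 +0800] "GET / HTTP/1.1" 200 30 "-" "Mozilla/5.0 (FHScan Core 1.1)"
212.42.17.74 - - [04/Aug/2013:07:06:26 +0800] "GET http://www.fbi.gov/ HTTP/1.1" 200 30 "-" "-"
212.42.17.74 - - [04/Aug/2013:07:06:37 +0800] "CONNECT www.fbi.gov:80 HTTP/1.0" 405 235 "-" "-"
212.42.17.74 - - [04/Aug/2013:07:06:53 +0800] "GET /FastHTTPAuthScanner200test/ HTTP/1.1" 404 225 "-" "Mozilla/5.0 (FHScan Core 1.1)"
202.46.55.59 - - [04/Aug/2013:07:07:54 +0800] "GET / HTTP/1.1" 200 30 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
"""

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        parts = e.pop("request").split(" ")
        # A malformed request line (logwatch shows these as "null") has fewer than
        # three parts; keep the method if present and leave the target empty.
        e["method"] = parts[0] if parts else ""
        e["target"] = parts[1] if len(parts) >= 3 else ""
        e["status"] = int(e["status"])
        e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
        entries.append(e)
    return entries


def is_proxy_probe(entry):
    """CONNECT tunnels and absolute-URI targets are only meaningful to a forward proxy."""
    return entry["method"] == "CONNECT" or re.match(r"https?://", entry["target"]) is not None


def find_proxy_probes(entries):
    """Return each proxy probe with a verdict on how the server answered it."""
    # Byte counts of the server's own root page, taken from ordinary "GET /" hits;
    # used to recognise an absolute-URI GET that was answered with local content.
    local_root_sizes = {
        e["bytes"] for e in entries
        if e["method"] == "GET" and e["target"] == "/" and e["status"] == 200
    }
    probes = []
    for e in entries:
        if not is_proxy_probe(e):
            continue
        if e["status"] >= 400:
            verdict = "refused"           # 405/403/501: Apache did not proxy the request
        elif e["method"] == "GET" and e["bytes"] in local_root_sizes:
            verdict = "served-locally"    # same size as "GET /": host part was ignored (assumed heuristic)
        else:
            verdict = "investigate"       # 2xx of an unexpected size: check whether it was forwarded
        probes.append({"ip": e["ip"], "ts": e["ts"], "method": e["method"],
                       "target": e["target"], "status": e["status"], "verdict": verdict})
    return probes


def summarize(entries):
    """Totals plus a per-source-IP count of proxy probes, for a quick daily review."""
    probes = find_proxy_probes(entries)
    return {
        "total": len(entries),
        "probes": probes,
        "probing_hosts": dict(Counter(p["ip"] for p in probes)),
    }


if __name__ == "__main__":
    for p in find_proxy_probes(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(f'{p["ts"]} {p["ip"]} {p["method"]} {p["target"]} -> {p["status"]} [{p["verdict"]}]')
```

Run against the sample, the CONNECT request is reported as refused (the 405 that logwatch also lists) and the absolute-URI GET as served locally, since its 30-byte response is the same size as the server's own root page; an "investigate" verdict is the one that would warrant reading the error log and the mod_proxy configuration again.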