When attacks happening, what should I check besides auth.log?
Hi,
My two servers are under heavy attack; this is not my normal day, I can tell from the log files.
Denyhosts has already blocked the offending IPs.
My concern is: what should I check besides the auth.log file?
All the traffic comes from two IPs and they are already blocked by Denyhosts; the second IP started after 30 minutes.
I suspect these are not bots but a person, because every attempt started +/-30 sec after the previous one.
Thanks in advance
Last edited by neopandid; 12-08-2011 at 10:20 AM.
Reason: additional info added
Unless you explicitly configured it to use iptables, Denyhosts by default uses tcp_wrappers. As I explained here, there's a difference in how unwanted traffic is warded off. For attacks you want to block traffic as efficiently and early as possible, with the least effect on performance and security, and you definitely shouldn't allow it to reach the application layer.
As for your question: what attacks are you talking about? When did this start? The whole machine or a specific service? What's the machine's purpose? SOHO machine, payment server, Squid host, FTP, game or whatever-else-server? Did you do anything to provoke it? Any traffic data (ports, packets per second, any IDS data, etc.), affected system or daemon logs and performance data you should share?
Thank you for your response,
I didn't configure Denyhosts to use iptables, but I blocked the two IPs manually several hours after the attacks started, because I wanted to see what was going to happen. I called the first attacker's hosting company but they said they can't do anything.
My machine is a SOHO machine with unlimited bandwidth; the open services for authenticated users are proxy, sftp, transmission and a simple webserver.
And no, I didn't do anything to provoke it.
I am not seeing any effect on performance; the attacks are specifically on sshd, but these are not typical scans, I can tell. I am not a CLI guru, so what should I check besides auth.log?
Thank you
Last edited by neopandid; 12-08-2011 at 01:12 PM.
Reason: additional info added
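Since the question is what to look at in auth.log beyond the raw failures, here is an added example (not from the thread or from Denyhosts) that parses sshd entries and summarizes, per source IP, the failure count, the usernames tried and the median time between attempts, which is the cadence the original poster is reasoning about. The log lines are constructed, the year and the 5-second "scripted" threshold are assumptions, and the pace label is only a heuristic.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
# Constructed sample auth.log lines (not from the original thread).
SAMPLE_AUTH_LOG = """\
Dec  8 09:40:01 soho sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Dec  8 09:40:32 soho sshd[2103]: Failed password for invalid user oracle from 198.51.100.7 port 50130 ssh2
Dec  8 09:41:01 soho sshd[2105]: Failed password for root from 198.51.100.7 port 50141 ssh2
Dec  8 09:41:30 soho sshd[2108]: Failed password for invalid user test from 198.51.100.7 port 50155 ssh2
Dec  8 10:10:00 soho sshd[2300]: Failed password for root from 203.0.113.9 port 41000 ssh2
Dec  8 10:10:00 soho sshd[2301]: Failed password for root from 203.0.113.9 port 41001 ssh2
Dec  8 10:10:01 soho sshd[2302]: Failed password for invalid user pi from 203.0.113.9 port 41002 ssh2
Dec  8 10:10:01 soho sshd[2303]: Failed password for invalid user ubnt from 203.0.113.9 port 41003 ssh2
Dec  8 10:12:44 soho sshd[2310]: Accepted publickey for bob from 192.0.2.5 port 52000 ssh2
"""

# sshd logs "Failed password for [invalid user] NAME from IP port N ssh2" per failure.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_sshd(log_text, year=2011):
    """Return (timestamp, failed, user, ip) tuples; syslog lines carry no year (assumed)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"].startswith("Failed"), m["user"], m["ip"]))
    return events

def summarize(events, scripted_gap_s=5):
    """Per source IP: failure count, usernames tried, median gap between tries."""
    per_ip = defaultdict(list)
    for ts, failed, user, ip in events:
        if failed:
            per_ip[ip].append((ts, user))
    out = {}
    for ip, tries in per_ip.items():
        tries.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(tries, tries[1:])]
        med = median(gaps) if gaps else None
        # Heuristic only: a slow, even cadence may be a throttled tool, not a human.
        pace = "fast/scripted" if med is not None and med < scripted_gap_s else "slow/throttled or interactive"
        out[ip] = {"failed": len(tries), "users": sorted({u for _, u in tries}),
                   "median_gap_s": med, "pace": pace}
    return out
```

Run it against a real file with `summarize(parse_sshd(open("/var/log/auth.log").read()))`; successful logins are parsed but excluded from the per-IP failure summary, so check those separately.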
the attacks are specifically on sshd, but these are not typical scans, I can tell
Would you please elaborate? It is very difficult to make recommendations on generalities. Please consider posting a portion of the offending log entries (you can mask your IP address if that makes you more comfortable).