LinuxQuestions.org


johnh10000 01-16-2010 10:24 AM

security sort of
 
My 2 Linux Jaunty boxes are running 24/7.

Came home to find the box running my FTP server going mad, hub lights. No prob. But checked most causes for access, all logs say no access.

What logs should I check? Tried proftp, samba, and ssh.

jlinkels 01-16-2010 10:39 AM

/var/log/auth.log

jlinkels

johnh10000 01-16-2010 10:49 AM

Quote:

Originally Posted by jlinkels (Post 3828757)
/var/log/auth.log

jlinkels

Thanks. Still help. Logged my box after restart as another user. Fine, no unusual activity.

So it must be a process I'm running! Less concerned.
Code:

Jan 16 16:37:48 tux dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.52" (uid=1000 pid=41
Jan 16 16:37:59 tux dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.52" (uid=1000 pid=41
Jan 16 16:38:03 tux dbus-daemon: Rejected send message, 1 matched rules; type="method_call", sender=":1.52" (uid=1000 pid=41
Jan 16 16:38:08 tux gdm[3357]: pam_unix(gdm:session): session closed for user edie
Jan 16 16:38:26 tux gdm[3357]: pam_unix(gdm:session): session opened for user johnh10000 by (uid=0)
Jan 16 16:38:26 tux gdm[3357]: pam_ck_connector(gdm:session): nox11 mode, ignoring PAM_TTY :0
Jan 16 16:38:26 tux gnome-keyring-daemon[4324]: Couldn't unlock login keyring with provided password
Jan 16 16:38:26 tux gnome-keyring-daemon[4324]: Failed to unlock login on startup
Jan 16 16:39:01 tux CRON[4556]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 16 16:39:01 tux CRON[4556]: pam_unix(cron:session): session closed for user root
Jan 16 16:40:01 tux CRON[4781]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 16 16:43:04 tux sudo: johnh10000 : TTY=pts/1 ; PWD=/home/johnh10000 ; USER=root ; COMMAND=/bin/bash

Here's the latest on that log:

johnh10000 01-16-2010 11:45 AM

Quote:

Originally Posted by jlinkels (Post 3828757)
/var/log/auth.log

jlinkels

Found it! Someone (?) was trying to break in via my secondary HTTP port! Sussed it via Firestarter.

Moved it, resolved. Thanks.

unSpawn 01-16-2010 01:16 PM

Moving a port is security by obscurity, which does not make your machine any more secure: do a port range scan and it will be found again. It would be better to harden the machine. Done properly, it can diminish the number of attacks, alert you to events that should be dealt with, and save you time and aggravation.
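
Added example, not part of any post in this thread: a small Python pass over auth.log lines in the format posted above, pairing each pam_unix session open with its close and listing sudo invocations so that unexpected sessions stand out. The sample lines are copied from the excerpt in this thread; the function and variable names are made up for this example.

```python
import re

# Sample lines copied from the auth.log excerpt posted in this thread.
SAMPLE = """\
Jan 16 16:38:08 tux gdm[3357]: pam_unix(gdm:session): session closed for user edie
Jan 16 16:38:26 tux gdm[3357]: pam_unix(gdm:session): session opened for user johnh10000 by (uid=0)
Jan 16 16:38:26 tux gnome-keyring-daemon[4324]: Couldn't unlock login keyring with provided password
Jan 16 16:39:01 tux CRON[4556]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 16 16:39:01 tux CRON[4556]: pam_unix(cron:session): session closed for user root
Jan 16 16:40:01 tux CRON[4781]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 16 16:43:04 tux sudo: johnh10000 : TTY=pts/1 ; PWD=/home/johnh10000 ; USER=root ; COMMAND=/bin/bash
"""

# Syslog prefix: "Mon DD HH:MM:SS host proc[pid]: message" (the pid is optional).
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([^\s\[:]+)(?:\[(\d+)\])?: (.*)$")
SESSION = re.compile(r"pam_unix\((\S+?):session\): session (opened|closed) for user (\S+)")
SUDO = re.compile(r"^\s*(\S+) : TTY=(\S+) ; PWD=(\S+) ; USER=(\S+) ; COMMAND=(.*)$")

def summarise(text):
    """Return sessions still open, sudo invocations, and unclassified lines."""
    open_sessions = {}   # (service, pid, user) -> timestamp of the open
    sudo_calls = []      # (timestamp, invoking user, target user, command)
    other = []           # lines matching neither pattern, kept for manual review
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            other.append(raw)
            continue
        ts, _host, proc, pid, msg = m.groups()
        s = SESSION.search(msg)
        if s:
            service, action, user = s.groups()
            key = (service, pid, user)
            if action == "opened":
                open_sessions[key] = ts
            else:
                open_sessions.pop(key, None)  # a close whose open predates the excerpt
            continue
        u = SUDO.match(msg)
        if proc == "sudo" and u:
            sudo_calls.append((ts, u.group(1), u.group(4), u.group(5)))
            continue
        other.append(raw)
    return open_sessions, sudo_calls, other

if __name__ == "__main__":
    still_open, sudo_calls, other = summarise(SAMPLE)
    print("open sessions:", still_open)
    print("sudo:", sudo_calls, "| unclassified lines:", len(other))
```

auth.log only records authentication events such as PAM sessions and sudo; connection attempts against a web server port are recorded in that server's own access log or in the firewall log instead.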


All times are GMT -5.