Old 08-10-2010, 10:30 AM   #1
LQ Newbie
Registered: Dec 2009
Posts: 8

Need info on logging who reboots the server

Someone has been logging in and issuing reboot commands. I am running Red Hat EL 5. Is it possible to find a log or start logging from which IP the reboot command came from or which user?

Last edited by warduke; 08-10-2010 at 12:20 PM.
Old 08-10-2010, 10:46 AM   #2
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

You can use the last command.
root     pts/2       Wed Aug 11 02:43   still logged in
root     pts/1        :0.0             Wed Aug 11 02:39   still logged in
root     :0                            Wed Aug 11 02:39   still logged in
reboot   system boot  2.6.18-53.el5    Wed Aug 11 02:38          (00:05)
shailesh pts/1       Wed Aug 11 02:36 - down   (00:00)
root     tty1                          Wed Aug 11 02:32 - down   (00:04)
root     pts/1        :0.0             Wed Aug 11 02:20 - 02:32  (00:11)
Old 08-10-2010, 10:58 AM   #3
LQ Newbie
Registered: Dec 2009
Posts: 8

Original Poster
Thanks, I tried that, but here is what I get. I'm not sure why it shows this way. It doesn't say who issued the reboot command, unless I am missing something.

root pts/1 1x.1x.4.x Tue Aug 10 00:17 - 04:18 (04:01)
root pts/1 1x.1x.4.x Tue Aug 10 00:09 - 00:10 (00:00)
root pts/1 1x.1x.4.x Tue Aug 10 00:00 - 00:02 (00:01)
root pts/1 1x.1x.4.x Mon Aug 9 23:55 - 23:58 (00:03)
root pts/1 1x.1x.4.x Mon Aug 9 23:52 - 23:54 (00:02)
root pts/0 1x.1x.4.x Mon Aug 9 23:49 - 00:22 (00:32)
reboot system boot 2.6.18-92.el5 Mon Aug 9 23:48 (11:59)
wxxx pts/4 1x.1x.4.x Mon Aug 9 15:39 - 15:43 (00:03)
Old 08-10-2010, 01:56 PM   #4
Registered: Jan 2008
Posts: 105

Only super users (such as root) have privileges to reboot a system. The "last" command will only tell you when the command was issued by the pseudo user "reboot".
The only way to tell is to go through the ~/.bash_history of each user and check for any su or sudo commands to root with subsequent attempts to reboot.
This logic will obviously not apply if you are sharing the root password with anybody else. Also check for any cron jobs that are set up.
To sum it up, enforce the use of sudo.
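
Added example, not part of any post in this thread: a shell sketch of the two checks discussed above, listing the sessions that `last` shows as still open when the system went down and searching history files for reboot-type commands. The function names and the history file are constructed for illustration; the `last` sample is taken from the output quoted in post #2.

```shell
# Added example, not from the thread: triage helpers for an unexplained reboot.

# Read `last` output on stdin; print "user tty source" for every session that
# was still open when the system went down (logout column reads "down").
# This shows who was logged in at shutdown, not who issued the command.
sessions_at_shutdown() {
    awk '
        NF == 0 || $1 == "reboot" || $1 == "wtmp" { next }
        {
            for (i = 3; i < NF; i++) {
                if ($i == "-" && $(i + 1) == "down") {
                    # Field 3 is the remote host; if that column was empty
                    # it is already the weekday, so report "local".
                    src = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "local" : $3
                    print $1, $2, src
                    break
                }
            }
        }'
}

# Print file:line:command for reboot-type commands in the given history files.
# Returns non-zero when nothing matches, like grep. History files are
# user-writable, so an empty result proves nothing.
reboot_cmds_in_history() {
    grep -HnE '(^|[[:space:];&|/])(reboot|halt|poweroff|shutdown|(tel)?init[[:space:]]+[06])([[:space:];&|]|$)' "$@"
}

# Sample input: `last` lines quoted in post #2 of this thread.
SAMPLE_LAST='root     pts/2       Wed Aug 11 02:43   still logged in
reboot   system boot  2.6.18-53.el5    Wed Aug 11 02:38          (00:05)
shailesh pts/1       Wed Aug 11 02:36 - down   (00:00)
root     tty1                          Wed Aug 11 02:32 - down   (00:04)
root     pts/1        :0.0             Wed Aug 11 02:20 - 02:32  (00:11)'

# Demo on the sample above plus a constructed history file that stands in
# for one user's ~/.bash_history.
demo() {
    _hist=$(mktemp) || return 1
    printf '%s\n' 'ls -l /var/log' 'sudo /sbin/shutdown -r now' 'vi reboot_notes.txt' > "$_hist"
    printf '%s\n' "$SAMPLE_LAST" | sessions_at_shutdown
    reboot_cmds_in_history "$_hist" | cut -d: -f2-
    rm -f "$_hist"
}
demo
```

On a live system the same functions would be fed `last -F` output and the real per-user history files, which requires root to read.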
Old 08-10-2010, 04:05 PM   #5
LQ Guru
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Moved: This thread is more suitable in Linux - Security and has been moved accordingly to help your thread/question get the exposure it deserves.

