LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-06-2003, 09:12 AM   #1
antken
Member
 
Registered: Nov 2000
Posts: 368

setting a trap


hi,

I am unsure if one of my servers has been hacked. As a precaution, to see if the hacker comes back, can I set a trap of some sort to tell me if someone is logging in?

If I can set a trap, how would I go about it?
 
Old 01-06-2003, 10:34 AM   #2
niknah
Member
 
Registered: Dec 2002
Location: In front of a computer
Distribution: UPS, DHL, FedEx
Posts: 466

It depends where you suspect you've been hacked via; check all your log files everywhere for IP addresses or names that you don't recognize.

also try...
www.chkrootkit.org to see if they've left any back doors.

But setting a trap isn't going to do you any good if your software is still insecure. Firstly, upgrade your software to the latest versions so they're less likely to be hacked into, then try to fix things up; otherwise they'll just come again and again.
 
Old 01-07-2003, 01:39 PM   #3
cuss
Member
 
Registered: Dec 2002
Posts: 63

Yes, check log files. A neat log watching tool is SWATCH (http://packetstormsecurity.nl/UNIX/IDS/indexdate.shtml). You will need perl installed to run SWATCH. Once they are both installed you can configure SWATCH to look for both failed logon attempts as well as successful logon attempts. Since there shouldn't be too many people with the rights to logon to the server you will recognize a different name or IP if they have successfully logged on. Or you may find interesting patterns such as 2 failed attempts and a successful attempt all within 1 minute or something. This would be cause for concern. Configure SWATCH to send you an email in real time whenever something suspicious happens to your server. If you are running ssh disable root logons.
 
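The two patterns cuss suggests watching for (a successful login by a user or from an address you do not recognise, and a burst of failures followed by a success from the same address inside a minute) are easy to express as detection logic. The script below is an added example, not SWATCH configuration and not from the original thread; it runs over constructed syslog-style sshd lines using documentation addresses, and the allow lists of known users and addresses are assumptions you would replace with your own.

```python
"""Triage sshd entries in a classic syslog-format auth log for two patterns:
  - a successful login by a user or from an address not on an allow list
  - N or more failures from one address followed by a success within a window
Added example. Usernames, addresses and log lines are constructed for it."""
import re
from collections import deque
from datetime import datetime, timedelta

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." style lines.
SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_line(line, year=2003):
    """Return (timestamp, outcome, user, ip) for an sshd auth line, else None.
    Classic syslog timestamps carry no year, so the caller supplies it."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["ip"]


def triage(lines, known_users, known_ips, window=timedelta(minutes=1),
           min_failures=2, year=2003):
    """Return a list of (kind, user, ip, detail) alerts, in log order."""
    alerts = []
    recent_failures = {}  # ip -> deque of failure timestamps still inside the window
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue  # not an sshd auth line; ignore
        ts, outcome, user, ip = parsed
        fails = recent_failures.setdefault(ip, deque())
        while fails and ts - fails[0] > window:
            fails.popleft()  # expire failures older than the window
        if outcome == "Failed":
            fails.append(ts)
            continue
        # From here on the line is a successful login.
        if user not in known_users or ip not in known_ips:
            alerts.append(("unknown-login", user, ip,
                           f"{user}@{ip} is not on the allow list"))
        if len(fails) >= min_failures:
            alerts.append(("fail-then-success", user, ip,
                           f"{len(fails)} failures within {window} before success"))
        fails.clear()
    return alerts


# Constructed sample log (RFC 5737 documentation addresses, fictitious users).
SAMPLE_LOG = [
    "Jan  6 09:00:50 srv sshd[1199]: Failed password for antken from 192.0.2.10 port 40120 ssh2",
    "Jan  6 09:01:12 srv sshd[1201]: Accepted password for antken from 192.0.2.10 port 40122 ssh2",
    "Jan  6 09:05:40 srv sshd[1210]: Failed password for root from 198.51.100.7 port 51000 ssh2",
    "Jan  6 09:05:52 srv sshd[1212]: Failed password for root from 198.51.100.7 port 51002 ssh2",
    "Jan  6 09:06:10 srv sshd[1214]: Accepted password for root from 198.51.100.7 port 51004 ssh2",
    "Jan  6 10:00:00 srv sshd[1250]: Failed password for invalid user admin from 203.0.113.9 port 2222 ssh2",
    "Jan  6 11:20:03 srv sshd[1300]: Accepted publickey for deploy from 203.0.113.5 port 33000 ssh2",
    "Jan  6 11:21:00 srv kernel: eth0: link up",
]
KNOWN_USERS = {"antken"}      # assumption: the only account that should log in
KNOWN_IPS = {"192.0.2.10"}    # assumption: the only address it should come from

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, KNOWN_USERS, KNOWN_IPS):
        print(*alert)
```

On the sample, antken's single failure followed by a success stays below the threshold and raises nothing, while the root login after two failures raises both alert kinds and the deploy login raises only unknown-login. The same rules map onto a SWATCH watchfor stanza, but a script like this is what you would run over the existing /var/log files to look backwards, which SWATCH's real-time tail does not do.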
Old 01-08-2003, 03:39 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,417
I agree with niknah and cuss: you should first check your reporting for anomalies, and then fix your current SW setup.

Please apply this rule before every other rule: if you can't trust a system 100 percent, reformat+reinstall. I mean your best bet is to assess through what means the compromise happened and what damage was done. Then decide to repair, restore a backup or reformat+reinstall on the basis of your knowledge + your assessment of the damage. Also don't forget to replace all security and authentication info after restore/reinstall.

Not to cramp your style, but I would never give you the advice to set up a trap or use a box as a honeypot if you haven't got a clue about what damage has been done already and what the cracker's intentions were/are. You may well be investing more time than you'll get (useful) info out of it.
 
Old 01-09-2003, 05:22 PM   #5
epeus
Member
 
Registered: Oct 2002
Posts: 41

On the topic of honeypots, here is a site that has some very interesting info and gear regarding honeypots:

http://www.project.honeynet.org/

Ed.
 
Old 01-11-2003, 01:24 AM   #6
Robert0380
LQ Guru
 
Registered: Apr 2002
Location: Atlanta
Distribution: Gentoo
Posts: 1,280

How do you disable root log-ons via ssh? And also, I see you guys mentioning reading logs; with a default install of 7.3, where would the logs be located, or what are the filenames of said logs?

 
Old 01-11-2003, 06:45 AM   #7
niknah
Member
 
Registered: Dec 2002
Location: In front of a computer
Distribution: UPS, DHL, FedEx
Posts: 466

Edit /etc/ssh/sshd_config (or wherever sshd_config is) and change it to "PermitRootLogin no".
The logs should mostly be in /var/log/.
 
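One caveat worth knowing before editing sshd_config by hand: sshd takes the first uncommented occurrence of a keyword and ignores later ones, so appending "PermitRootLogin no" below an existing "PermitRootLogin yes" changes nothing, and the commented "#PermitRootLogin yes" line many distributions ship is only a reminder of the default. The helper below is an added example, not part of niknah's reply or of OpenSSH; it rewrites a directive the way sshd will read it and reports the effective value so you can check your edit. The sample config is constructed.

```python
"""Set an sshd_config directive and report its effective value, following
sshd's parsing rules: first live (uncommented) occurrence wins, keywords are
case-insensitive, "Keyword value" or "Keyword=value" are both accepted, and
lines after a "Match" block only apply to that block.
Added example with a constructed config file."""
import re


def _live_pattern(keyword):
    # "^\s*PermitRootLogin[\s=]+(value)" -- a leading '#' makes it a comment
    return re.compile(rf"^\s*{re.escape(keyword)}[\s=]+(\S+)", re.IGNORECASE)


def effective_value(config_text, keyword):
    """Return the value sshd will use for keyword in the global section, or None."""
    pat = _live_pattern(keyword)
    for line in config_text.splitlines():
        if re.match(r"^\s*Match\b", line, re.IGNORECASE):
            return None if False else None  # placeholder never reached; replaced below
    return None
```
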