Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hello all,
I currently use logsentry (or whatever they named it now) to parse my log files and find any "suspicious" entries. The last week I have noticed some strange login attempts. Mainly I get something telling me that I tried to log onto my server from my computer at work (win2k machine) at a time that I was not at work. I am not aware of anything that can be used to try and use a Windows machine to log onto a *nix OS that could be accessed by an outsider (perhaps I am naive). Anyone have any ideas on this?
I didn't bother posting the log entry because it didn't say anything useful but here it goes:
Code:
Mar 21 16:55:21 host sshd(pam_unix)[14077]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=dhcp.remote.com user=fred
Mar 21 16:55:23 host sshd[14077]: Failed password for fred from 1.1.1.1 port 3801 ssh2
This was taken from "/var/log/auth.log". I changed the IP and rhost, but they were all correct for my work system.
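The two auth.log lines above are what a log watcher like logsentry would match on. As an added example (not code from the thread or from logsentry), the following script parses lines in exactly that format, joins the pam_unix "authentication failure" record to the sshd "Failed password" record by PID so the rhost name and the IP end up in one event, and then flags failures that come from a source not on an expected list, or from an expected source outside the hours that source is normally used. The sample log text, the year (syslog lines carry none), the user "fred", the hosts and the 08:00 to 12:00 window are all constructed for the example.

```python
import re
from datetime import datetime, time

# Constructed sample lines in the same format as the thread's auth.log excerpt.
# Host, PIDs, user, rhost and IPs are made up for this example.
SAMPLE_LOG = """\
Mar 21 16:55:21 host sshd(pam_unix)[14077]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=dhcp.remote.com user=fred
Mar 21 16:55:23 host sshd[14077]: Failed password for fred from 1.1.1.1 port 3801 ssh2
Mar 21 09:12:02 host sshd(pam_unix)[14102]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=dhcp.remote.com user=fred
Mar 21 09:12:04 host sshd[14102]: Failed password for fred from 1.1.1.1 port 3811 ssh2
Mar 21 23:40:10 host sshd[14150]: Failed password for root from 10.9.8.7 port 4022 ssh2
Mar 21 10:00:00 host sshd[14160]: Accepted password for fred from 1.1.1.1 port 3850 ssh2
"""

# Expected (user, source IP) pairs and the local time window in which that
# source is normally used. Constructed assumption for the example: "fred"
# works from 1.1.1.1 only between 08:00 and 12:00.
EXPECTED = {('fred', '1.1.1.1'): (time(8, 0), time(12, 0))}

# Syslog timestamps carry no year; assume one so the times can be compared.
LOG_YEAR = 2003

PAM_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\(pam_unix\)\[(?P<pid>\d+)\]: '
    r'authentication failure;.*?rhost=(?P<rhost>\S*) user=(?P<user>\S+)')
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)')


def parse_ts(ts):
    """Turn 'Mar 21 16:55:21' into a datetime using the assumed LOG_YEAR."""
    return datetime.strptime(f"{LOG_YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def parse_failures(text):
    """Return one dict per 'Failed password' line, with the rhost from the
    matching pam_unix line (same sshd PID) attached when one was seen."""
    rhost_by_pid = {}
    failures = []
    for line in text.splitlines():
        m = PAM_RE.match(line)
        if m:
            rhost_by_pid[m['pid']] = m['rhost']
            continue
        m = FAIL_RE.match(line)
        if m:
            failures.append({
                'time': parse_ts(m['ts']),
                'user': m['user'],
                'ip': m['ip'],
                'port': int(m['port']),
                'rhost': rhost_by_pid.get(m['pid']),
            })
    return failures


def flag_suspicious(failures, expected=EXPECTED):
    """Return (reason, failure) pairs for failures that are either from a
    (user, ip) pair not in `expected`, or from an expected pair but outside
    that pair's time window. Failures inside the window are not flagged."""
    flagged = []
    for f in failures:
        window = expected.get((f['user'], f['ip']))
        if window is None:
            flagged.append(('unknown source', f))
        elif not (window[0] <= f['time'].time() <= window[1]):
            flagged.append(('outside expected hours', f))
    return flagged


if __name__ == '__main__':
    for reason, f in flag_suspicious(parse_failures(SAMPLE_LOG)):
        print(f"{f['time']} {reason}: user={f['user']} ip={f['ip']} rhost={f['rhost']} port={f['port']}")
```

Run against the sample text, the 16:55 attempt from the work IP is reported as outside the expected hours and the root attempt from the unknown address as an unknown source, while the 09:12 failure from the work IP during the window is left alone. Joining on the sshd PID matters because only the pam_unix line carries the reverse-resolved rhost; the PID cache is never cleared here, which is fine for a single file but should be bounded if the script is pointed at a long-running stream.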
Aaahhhrrrggg. Sorry.
I meant the *src* box. I mean, unless they're wiped, you should be able to extract login info etc. from the W2K event logs. You don't run Floke Integrity, Syslog or any Aide equiv. on W2K by any chance, right?
All I run on my win2k box is ZoneAlarm, and that didn't pop up anything. As far as I know you can't run PuTTY from a console alone, so I am clueless as to how something like this could happen even if my system had been breached. I don't run any remote server protocols on the win2k box, so . . . . I was logged into the win2k box when it says the attempt came, but the screen was locked and in a secured room and was fine when I came in this morning. My only thought was that there was something messed with the time stamps on the Linux system log, but all looked correct when I scanned the log files directly. I don't mean to frustrate you, I just am completely clueless in this.
No, you're not frustrating me. Save a copy of your hives and the event logs just in case. Are you able to run netstat (or some of the Foundstone.com freeware tools) on it, see what ports are open? Same for processes? Are you running a scheduler? Are you able to run an antivirus scanner?
Not sure what "hives" are. I can't seem to find any freeware or any downloads in general on foundstone.com; it looks like netstat moved to another site that will be "re-birthed" on the 30th. No antivirus scanner running at the current time, but I haven't installed anything questionable nor clicked on anything questionable. No scheduler running either. Thanks for all the help.
IMO chances that something automated is logging in with PuTTY on your server are small. Chances someone would try and spoof logging in with your username from your W2K IP are infinitesimally slim. Add to that the fact that *you* not installing anything or clicking anything doesn't count as 100 percent proof there ain't nothing wrong in the very automated Wintendo world, I'd say. Look for instance at the fact some M$ products install a hidden SQL server, or embedded ActiveX controls in pages automagically muck with your registry.
If your event logs turn up nothing then it'll all be much harder to find "evidence" of it all. I don't say it can't be done, but doing forensics will just take much more time than you can justify.