Linux - Software This forum is for Software issues.
05-17-2009, 08:40 AM
#1 eng_mohammedmostafa
Member
Registered: Nov 2008
Location: Egypt
Posts: 110
How can I trace users in Linux?
Dears,
Please, if someone shuts down the server or runs any abnormal command, from where can I trace this user, or trace the machine that connected to that Linux server and accessed it?
Thanks & Regards,
05-17-2009, 08:51 AM
#2 rikijpn
Member
Registered: Jun 2007
Location: Japan
Distribution: Debian lenny, DSL, Solaris 10
Posts: 157
How was the computer accessed? If SSH, you could just look in the log file (that depends on your Linux distribution; on Debian we use /var/log/auth.log), and it will tell you who did "sudo halt" from his account, or who used the "su" command (to become root and shut down the computer) last.
05-17-2009, 09:04 AM
#3 eng_mohammedmostafa (Original Poster)
Member
Registered: Nov 2008
Location: Egypt
Posts: 110
Dear,
If the user accesses the Linux server by PuTTY or by VNC, from where can I trace this user?
I use Red Hat Enterprise Linux. From where can I find auth.log?
Dear,
I already know which IP address was connected to the server before the shutdown.
From where can I know that this IP is the one that made the shutdown?
Regards,
Last edited by eng_mohammedmostafa; 05-17-2009 at 09:10 AM.
05-17-2009, 09:28 AM
#4 rikijpn
Member
Registered: Jun 2007
Location: Japan
Distribution: Debian lenny, DSL, Solaris 10
Posts: 157
"PuTTY" is not a method; it is a program for Windows to use SSH / a Linux terminal. I've never used VNC, so I don't really know.
But you say you already have the IP of the person you want to find, right? Then the rest is simple. Go to an IP tracing/whois site like http://network-tools.com, type that IP address, select "whois" and click GO. It will tell you the country and every piece of data available about that IP, probably including an e-mail address you can contact to complain (the ISP's e-mail address); if it is in your country, you may even be able to go to the police and sue the guy or something.
Last edited by rikijpn; 05-17-2009 at 09:32 AM.
05-17-2009, 09:41 AM
#5 eng_mohammedmostafa (Original Poster)
Member
Registered: Nov 2008
Location: Egypt
Posts: 110
Dear,
Let me explain more . . .
I used the last command (it gave me this result):
root pts/5 :0.0 Sun May 17 16:26 - 16:26 (00:00)
root pts/5 :0.0 Sun May 17 16:23 - 16:24 (00:00)
root pts/4 150.150.101.16 Sun May 17 15:31 - down (00:56)
So 150.150.101.16 was the last one while the server was shutting down,
but I cannot say that this IP is the one that shut down the server.
My question: how can I decide that this IP is the one that made the shutdown?
Thanks,
Last edited by eng_mohammedmostafa; 05-17-2009 at 09:51 AM.
05-17-2009, 09:55 AM
#6 rikijpn
Member
Registered: Jun 2007
Location: Japan
Distribution: Debian lenny, DSL, Solaris 10
Posts: 157
All right. If you have Red Hat, can't you just ask the guys who sold it to you where the log files for that are, or something? Maybe someone who uses RH will answer you from here anyway.
In my case, as I told you, using Debian, if I wanted to do something like that, I'd check my /var/log/auth.log file. It gives output like this:
"May 10 16:32:40 myserver sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/sbin/halt"
which clearly tells me everything I need to know. You may want to check your log files (maybe somewhere in some /var directory?), or read the manuals of your distribution to check where they are [or try 'find / -name "*log"' and pray you get lucky].
05-17-2009, 03:36 PM
#7 namit
Member
Registered: Aug 2005
Distribution: Debian
Posts: 355
I would just allow users to use sudo and set up sudo to log everything that goes on, so that you are able to track everything rather than just shutdowns.
Good sudo tutorial:
http://www.debianadmin.com/providing...sing-sudo.html
05-17-2009, 08:29 PM
#8 rikijpn
Member
Registered: Jun 2007
Location: Japan
Distribution: Debian lenny, DSL, Solaris 10
Posts: 157
Quote:
Originally Posted by namit
I would just allow users to use sudo and set up sudo to log everything that goes on, so that you are able to track everything rather than just shutdowns.
Isn't that what I'm showing this guy? In my example I'm showing him what the actual log looks like (it's registering who ran sudo and what was run).
05-18-2009, 02:57 AM
#9 namit
Member
Registered: Aug 2005
Distribution: Debian
Posts: 355
Quote:
Originally Posted by eng_mohammedmostafa
Dear,
Let me explain more . . .
I used the last command (it gave me this result):
root pts/5 :0.0 Sun May 17 16:26 - 16:26 (00:00)
root pts/5 :0.0 Sun May 17 16:23 - 16:24 (00:00)
root pts/4 150.150.101.16 Sun May 17 15:31 - down (00:56)
So 150.150.101.16 was the last one while the server was shutting down,
but I cannot say that this IP is the one that shut down the server.
My question: how can I decide that this IP is the one that made the shutdown?
Thanks,
You mean this? That does not look like sudo; all my sudo logs look like:
Code:
May 17 13:42:44 : namit : TTY=pts/1 ; PWD=/home/namit/ ; USER=root ; COMMAND=/bin/rm /usr/sbin/
May 17 13:42:53 : namit : TTY=pts/1 ; PWD=/home/namit/ ; USER=root ; COMMAND=/bin/rm /usr/bin/
May 17 13:42:54 : namit : TTY=pts/1 ; PWD=/home/namit/ ; USER=root ; COMMAND=/bin/rm /usr/bin/
May 18 08:55:46 : namit : TTY=pts/0 ; PWD=/home/namit ; USER=root ; COMMAND=/bin/cat /var/log/sudolog
May 18 08:55:57 : namit : TTY=pts/0 ; PWD=/home/namit ; USER=root ; COMMAND=/usr/bin/tail /var/log/sudolog
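Putting post #5's `last` output together with the sudo log lines in posts #6 and #9 answers the original question: sudo records the TTY a command was run on, and `last` (read from wtmp) records which remote host owned that TTY and for how long, so the two can be joined on the TTY name and the session's time window. The script below is an added example that does that join; it is my code, not code from any post in this thread. It assumes the syslog sudo format shown in post #6 (on RHEL those lines go to /var/log/secure, because sudo logs to the authpriv facility and RHEL's syslog sends authpriv there), the format post #9 shows, which is what sudo writes when sudoers has a `Defaults logfile=` line, the `last` column layout from post #5, and the su syslog line "(to root) user on pts/N" that su itself emits. Every log line embedded in the script is constructed for the example, not taken from the thread.

```python
"""Attribute a privileged command to the wtmp session (and remote host) that ran it.

Added example for this thread, not code from any of the posts.  sudo logs the
TTY a command ran on; `last` (wtmp) logs which host owned that TTY and when.
Joining the two on TTY + time window answers "which IP ran shutdown?".
All sample log lines below are constructed; the formats are assumptions
stated in the lead-in.
"""
import re
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# user  tty  [host]  Dow Mon DD HH:MM - <end> (duration)   or   ... still logged in
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"\w{3} (?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2})"
    r"(?:\s+-\s+(?P<end>.*?)\s*\((?:(?P<days>\d+)\+)?(?P<hh>\d{2}):(?P<mm>\d{2})\)"
    r"|\s+still logged in)\s*$")

# "Mon DD HH:MM:SS host sudo: user : TTY=..." (syslog, post #6)
# or "Mon DD HH:MM:SS : user : TTY=..."      (sudoers `Defaults logfile=`, post #9)
SUDO_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})"
    r"(?: \S+ sudo(?:\[\d+\])?:| :) +(?P<user>\S+) : TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")

# "Mon DD HH:MM:SS host su: (to root) user on pts/4"  (successful su only)
SU_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ su(?:\[\d+\])?: \(to (?P<runas>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$")

# Commands that take the box down; sudo logs the resolved path.
SHUTDOWN_CMDS = {"/sbin/shutdown", "/sbin/halt", "/sbin/poweroff", "/sbin/reboot", "/sbin/init"}

# Constructed `last` output.  ":0.0" is an X display (a local GUI login), not an IP.
LAST_OUTPUT = """\
user1    pts/5        :0.0             Sun May 17 16:26 - 16:26  (00:00)
user1    pts/5        :0.0             Sun May 17 16:23 - 16:24  (00:00)
user1    pts/4        150.150.101.16   Sun May 17 15:31 - down   (00:56)

wtmp begins Fri May  1 00:00:01 2009
"""

# Constructed sudo/su lines: syslog style, one logfile style, and one on a
# TTY that wtmp has no login for (the case an investigator must not miss).
AUTH_LOG = """\
May 17 15:10:00 myserver sudo: user2 : TTY=pts/9 ; PWD=/home/user2 ; USER=root ; COMMAND=/bin/ls /root
May 17 15:35:01 myserver su: (to root) user1 on pts/4
May 17 16:10:12 : user1 : TTY=pts/4 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/bin/tail /var/log/sudolog
May 17 16:23:40 myserver sudo: user1 : TTY=pts/5 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/cat /var/log/secure
May 17 16:26:55 myserver sudo: user1 : TTY=pts/4 ; PWD=/home/user1 ; USER=root ; COMMAND=/sbin/shutdown -h now
"""


def _stamp(year, mon, day, clock):
    """Build a datetime; neither `last` nor syslog prints the year, so the caller supplies it."""
    return datetime(year, MONTHS[mon], int(day), *(int(p) for p in clock.split(":")))


def parse_last(text, year):
    """Sessions from `last` output: user, tty, host, start, end (None = still open)."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue  # blank line, "wtmp begins", reboot/shutdown pseudo-records
        start = _stamp(year, m["mon"], m["day"], m["time"])
        end = None
        if m["hh"] is not None:  # "- down" prints no end clock, so derive it from the duration
            end = start + timedelta(days=int(m["days"] or 0),
                                    hours=int(m["hh"]), minutes=int(m["mm"]))
        sessions.append({"user": m["user"], "tty": m["tty"],
                         "host": m["host"] or "(console)", "start": start, "end": end})
    return sessions


def parse_privileged(text, year):
    """sudo and su events: time, user, runas, tty, cmd."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            cmd = m["cmd"]
        else:
            m = SU_RE.match(line)
            if not m:
                continue
            cmd = "su to " + m["runas"]
        events.append({"time": _stamp(year, m["mon"], m["day"], m["time"]),
                       "user": m["user"], "runas": m["runas"], "tty": m["tty"], "cmd": cmd})
    return events


def attribute(events, sessions, slack=timedelta(minutes=1)):
    """Join each event to the session(s) that owned its TTY at that moment.

    `last` has minute resolution and a "down" end is derived from the duration,
    so a minute of slack each side avoids off-by-one misses.  An empty "from"
    list means the command ran on a TTY wtmp has no login for: investigate it.
    """
    out = []
    for ev in events:
        owners = [s["host"] for s in sessions
                  if s["tty"] == ev["tty"]
                  and s["start"] - slack <= ev["time"]
                  and (s["end"] is None or ev["time"] <= s["end"] + slack)]
        out.append({**ev, "from": owners})
    return out


def find_shutdowns(attributed):
    """Only the events whose command is one of SHUTDOWN_CMDS."""
    return [a for a in attributed if a["cmd"].split(" ", 1)[0] in SHUTDOWN_CMDS]


def report(last_text=LAST_OUTPUT, auth_text=AUTH_LOG, year=2009):
    """One line per privileged event, naming the remote host it came from."""
    attributed = attribute(parse_privileged(auth_text, year), parse_last(last_text, year))
    return ["%s %s (as %s) on %s from %s: %s" % (
                a["time"], a["user"], a["runas"], a["tty"],
                ", ".join(a["from"]) or "NO MATCHING SESSION IN WTMP", a["cmd"])
            for a in attributed]


if __name__ == "__main__":
    print("\n".join(report()))
```

To use it on a real server, replace LAST_OUTPUT and AUTH_LOG with the server's own `last` output and /var/log/secure (or /var/log/auth.log on Debian), and pass the right year, since neither source prints one. Two caveats a practitioner should keep in mind: the host column `:0.0` is an X display, meaning a local graphical login, not a network address; and wtmp and the syslog files are writable by root, so anyone who already ran commands as root could have edited them. That is why the script reports events that match no session instead of silently dropping them, and why the join only tells you which session ran the command, not who was sitting at the remote address.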
All times are GMT -5.