LinuxQuestions.org
Old 05-17-2009, 08:40 AM   #1
eng_mohammedmostafa
Member
 
Registered: Nov 2008
Location: Egypt
Posts: 110
Blog Entries: 1

Rep: Reputation: 16
How can I trace users in Linux?


Dears,

Please, if someone shuts down the server or runs any abnormal command,
from where can I trace this user, or trace the machine that connected to that Linux server and accessed it?

Thanks & Regards,
 
Old 05-17-2009, 08:51 AM   #2
rikijpn
Member
 
Registered: Jun 2007
Location: Japan
Distribution: Debian lenny, DSL, Solaris 10
Posts: 157

Rep: Reputation: 33
How was the computer accessed? If SSH, you could just look at the log file (that depends on your Linux distribution; in Debian we use /var/log/auth.log), and it will tell who did "sudo halt" from his account, or who used the "su" command (to become root and shut down the computer) last.
 
Old 05-17-2009, 09:04 AM   #3
eng_mohammedmostafa
Member
 
Registered: Nov 2008
Location: Egypt
Posts: 110

Original Poster
Blog Entries: 1

Rep: Reputation: 16
Dear,

If the user accesses the Linux server by PuTTY or by VNC,
from where can I trace this user?
I use Red Hat Enterprise Linux.
Where can I find auth.log?

Dear,
I already know which IP address was connected to the server before the shutdown.
How can I know that this IP is the one that made the shutdown?

Regards,

Last edited by eng_mohammedmostafa; 05-17-2009 at 09:10 AM.
 
Old 05-17-2009, 09:28 AM   #4
rikijpn
Member
 
Registered: Jun 2007
Location: Japan
Distribution: Debian lenny, DSL, Solaris 10
Posts: 157

Rep: Reputation: 33
"putty" is not a method; it is a program for Windows to use "ssh"/a Linux terminal. I've never used VNC so I don't really know.

But you say you already have the IP of the person you want to find(?), right? Then the rest is simple. Go to an IP tracing/whois site like http://network-tools.com and type that IP address, select "whois" and click GO. It will tell you the country and every piece of data possible from that IP. Probably some e-mail address to which you can write to complain (the ISP's e-mail address); if in your country, you maybe can even go to the police and sue the guy or something.

Last edited by rikijpn; 05-17-2009 at 09:32 AM.
 
Old 05-17-2009, 09:41 AM   #5
eng_mohammedmostafa
Member
 
Registered: Nov 2008
Location: Egypt
Posts: 110

Original Poster
Blog Entries: 1

Rep: Reputation: 16
Dear,

Let me explain more . . .
I used the last command (it gives me this result):
root pts/5 :0.0 Sun May 17 16:26 - 16:26 (00:00)
root pts/5 :0.0 Sun May 17 16:23 - 16:24 (00:00)
root pts/4 150.150.101.16 Sun May 17 15:31 - down (00:56)

So 150.150.101.16 was the last one while the server was shutting down,
but I cannot say that this IP is the one that shut down the server.
My question: how can I decide that this IP made the shutdown?

Thanks,

Last edited by eng_mohammedmostafa; 05-17-2009 at 09:51 AM.
 
Old 05-17-2009, 09:55 AM   #6
rikijpn
Member
 
Registered: Jun 2007
Location: Japan
Distribution: Debian lenny, DSL, Solaris 10
Posts: 157

Rep: Reputation: 33
All right. If you have Red Hat, can't you just ask the guys who sold it to you where the log files for that are, or something? Maybe someone who uses RH will answer you from here anyway.
In my case, as I told you, using Debian, if I wanted to do something like that, I'd check my /var/log/auth.log file. It gives an output like this:

"May 10 16:32:40 myserver sudo: user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/sbin/halt"

Which clearly tells me everything I need to know. You may want to check your log files (maybe somewhere in some /var directory?), or read the manuals of your distribution to check where they are [or try 'find / -name "*log"' and pray you get lucky].
 
Old 05-17-2009, 03:36 PM   #7
namit
Member
 
Registered: Aug 2005
Distribution: Debian
Posts: 355

Rep: Reputation: 30
I would just allow users to use sudo and set up sudo to log everything that goes on, so that you are able to track everything rather than just shutdowns.

Good sudo tutorial:
http://www.debianadmin.com/providing...sing-sudo.html
 
Old 05-17-2009, 08:29 PM   #8
rikijpn
Member
 
Registered: Jun 2007
Location: Japan
Distribution: Debian lenny, DSL, Solaris 10
Posts: 157

Rep: Reputation: 33
Quote:
Originally Posted by namit View Post
I would just allow users to use sudo and set up sudo to log everything that goes on, so that you are able to track everything rather than just shutdowns.
Isn't that what I'm showing to this guy? In my example I'm showing him what the actual log looks like (it registers who ran sudo and what was run).
 
Old 05-18-2009, 02:57 AM   #9
namit
Member
 
Registered: Aug 2005
Distribution: Debian
Posts: 355

Rep: Reputation: 30
Quote:
Originally Posted by eng_mohammedmostafa View Post
Dear,

Let me explain more . . .
I used the last command (it gives me this result):
root pts/5 :0.0 Sun May 17 16:26 - 16:26 (00:00)
root pts/5 :0.0 Sun May 17 16:23 - 16:24 (00:00)
root pts/4 150.150.101.16 Sun May 17 15:31 - down (00:56)

So 150.150.101.16 was the last one while the server was shutting down,
but I cannot say that this IP is the one that shut down the server.
My question: how can I decide that this IP made the shutdown?

Thanks,
You mean this?

That does not look like sudo; all my sudo logs look like:
Code:
May 17 13:42:44 : namit : TTY=pts/1 ;
    PWD=/home/namit/ ; USER=root ; COMMAND=/bin/rm /usr/sbin/
May 17 13:42:53 : namit : TTY=pts/1 ;
    PWD=/home/namit/ ; USER=root ; COMMAND=/bin/rm /usr/bin/
May 17 13:42:54 : namit : TTY=pts/1 ;
    PWD=/home/namit/ ; USER=root ; COMMAND=/bin/rm /usr/bin/
May 18 08:55:46 : namit : TTY=pts/0 ; PWD=/home/namit ; USER=root ;
    COMMAND=/bin/cat /var/log/sudolog
May 18 08:55:57 : namit : TTY=pts/0 ; PWD=/home/namit ; USER=root ;
    COMMAND=/usr/bin/tail /var/log/sudolog
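The two sudo log formats shown in this thread (the syslog form in post #6 and the `Defaults logfile` form in post #9) both record the TTY on which the command ran, and the `last` output in post #5 records which remote host opened each pty and when. Joining the two on the tty column is what answers the original question. The script below is an added example, not code from any poster; all sample lines are constructed and modelled on the thread's, and it assumes the year 2009 because neither log prints one.

```python
"""Added example: tie a privileged shutdown to the login session it came from.

Joins sudo's log (syslog form or `Defaults logfile` form) with `last` output
on the tty column, so a COMMAND=/sbin/halt or /sbin/shutdown entry can be
attributed to the remote host that opened that pty.
"""
import os
import re
from datetime import datetime, timedelta

ASSUMED_YEAR = 2009  # assumption: neither sudo's log nor `last` prints the year

# sudo entry: "host sudo: user : TTY=..." (syslog) or " : user : TTY=..." (logfile)
SUDO_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?:\S+ sudo(?:\[\d+\])?:|:) +(?P<user>\S+) : TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)
# `last` line: user tty host DOW Mon D HH:MM - END (DURATION). Sessions that are
# "still logged in" carry no duration and are deliberately skipped.
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+[A-Z][a-z]{2} "
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<start>\d\d:\d\d) - "
    r"\S+\s+\((?P<dur>(?:\d+\+)?\d+:\d\d)\)$"
)
DUR_RE = re.compile(r"^(?:(\d+)\+)?(\d+):(\d\d)$")  # "(1+02:30)" or "(00:56)"
SHUTDOWN_CMDS = {"halt", "shutdown", "reboot", "poweroff"}

# Constructed sample: syslog-style sudo lines (format of post #6)
SUDO_SYSLOG = """May 17 16:26:40 myserver sudo: admin : TTY=pts/4 ; PWD=/home/admin ; USER=root ; COMMAND=/sbin/shutdown -h now
May 17 16:23:05 myserver sudo: user1 : TTY=pts/5 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/cat /var/log/secure
"""
# Constructed sample: same events in sudo's own logfile format, which wraps
# long entries onto indented continuation lines (format of post #9)
SUDO_LOGFILE = """May 17 16:26:40 : admin : TTY=pts/4 ; PWD=/home/admin ; USER=root ;
    COMMAND=/sbin/shutdown -h now
May 17 16:23:05 : user1 : TTY=pts/5 ; PWD=/home/user1 ; USER=root ;
    COMMAND=/bin/cat /var/log/secure
"""
# Constructed sample: `last` output modelled on post #5
LAST_OUTPUT = """admin  pts/5  :0.0            Sun May 17 16:26 - 16:26  (00:00)
admin  pts/5  :0.0            Sun May 17 16:23 - 16:24  (00:00)
admin  pts/4  150.150.101.16  Sun May 17 15:31 - down   (00:56)
"""


def _stamp(mon, day, clock, fmt):
    """Build a datetime from the year-less fields both logs print."""
    return datetime.strptime(f"{ASSUMED_YEAR} {mon} {int(day)} {clock}", fmt)


def unwrap(text):
    """Re-join sudo logfile entries that were wrapped onto indented lines."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_sudo(text):
    """Return one dict per sudo command entry, in either log format."""
    entries = []
    for line in unwrap(text):
        m = SUDO_RE.match(line)
        if m:
            entries.append({"when": _stamp(m["mon"], m["day"], m["time"], "%Y %b %d %H:%M:%S"),
                            "user": m["user"], "tty": m["tty"], "pwd": m["pwd"],
                            "runas": m["runas"], "cmd": m["cmd"].strip()})
    return entries


def parse_last(text):
    """Return login sessions with start/end datetimes derived from `last` output."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line.strip())
        if not m:
            continue
        start = _stamp(m["mon"], m["day"], m["start"], "%Y %b %d %H:%M")
        days, hours, minutes = (int(x or 0) for x in DUR_RE.match(m["dur"]).groups())
        # `last` truncates to whole minutes; allow 59 s so a command issued in
        # the final minute of a session (e.g. right before "down") still matches
        end = start + timedelta(days=days, hours=hours, minutes=minutes, seconds=59)
        sessions.append({"user": m["user"], "tty": m["tty"], "host": m["host"],
                         "start": start, "end": end})
    return sessions


def attribute_shutdowns(sudo_text, last_text):
    """Join shutdown commands from sudo's log to the session open on the same tty."""
    sessions = parse_last(last_text)
    hits = []
    for e in parse_sudo(sudo_text):
        if os.path.basename(e["cmd"].split()[0]) not in SHUTDOWN_CMDS:
            continue
        for s in sessions:
            if s["tty"] == e["tty"] and s["start"] <= e["when"] <= s["end"]:
                hits.append({**e, "host": s["host"], "login_user": s["user"]})
    return hits


if __name__ == "__main__":
    for h in attribute_shutdowns(SUDO_SYSLOG, LAST_OUTPUT):
        print(f"{h['when']} {h['user']} ran '{h['cmd']}' on {h['tty']} opened from {h['host']}")
```

With the constructed input, the `/sbin/shutdown -h now` entry on pts/4 at 16:26:40 falls inside the pts/4 session that `last` shows was opened from 150.150.101.16 at 15:31 and ended with "down", which is the link the original poster was missing. On a real host the two inputs would come from `/var/log/secure` (or the path set by `Defaults logfile` in sudoers) and from `last -F`, which prints full dates and removes the year assumption.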