CIS 191 - Lesson 12 - PowerPoint PPT Presentation


PowerPoint Slideshow about 'CIS 191 - Lesson 12' - winifred-buck


Presentation Transcript
slide1

CIS 191 - Lesson 12

System

Monitoring

slide2

CIS 191 - Lesson 12

System Monitoring

  • Monitoring Log Files
  • /var/log
    • Can be used as an indication of systematic degradation
  • log rotation
    • logrotate
    • /etc/logrotate.conf
slide3

CIS 191 - Lesson 12

System Monitoring

  • Many important logs (Red Hat family)
  • Kernel and system boot messages
    • dmesg
    • boot.log (broken – see bugzilla)
  • Security and authorization messages
    • secure, btmp, wtmp, lastlog, audit, …
  • System module messages
    • messages (a good catch-all log), cron, maillog, …
  • Key Log File Locations:
    • /var/log directory
    • /etc/syslog.conf
slide4

CIS 191 - Lesson 12

Logging

[root@opus ~]# ps -e | grep log

2152 ? 00:00:07 syslogd

2155 ? 00:00:00 klogd

[root@opus ~]#

The syslog daemon, controlled by /etc/syslog.conf, is a central clearing house for handling all the log messages sent by various system programs.

The klogd daemon handles kernel log messages. klogd does not have a configuration file and is controlled by command line switches.

slide5

CIS 191 - Lesson 12

System Monitoring

[root@benji log]# file *

acpid: ASCII text

anaconda.log: ASCII text

anaconda.syslog: ASCII English text

anaconda.xlog: ASCII English text

audit: directory

boot.log: empty

boot.log.1: empty

boot.log.2: ASCII text

boot.log.3: empty

btmp: DBase 3 index file

conman: directory

conman.old: directory

cron: ASCII text

cron.1: ASCII text

cron.2: ASCII text

cron.3: ASCII text

cups: directory

dmesg: ASCII English text

faillog: data

gdm: directory

lastlog: data

mail: directory

maillog: ASCII text

maillog.1: ASCII text

maillog.2: ASCII text

maillog.3: ASCII text

messages: ASCII English text

messages.1: ASCII text

messages.2: ASCII English text

messages.3: ASCII English text

ppp: directory

prelink: directory

rpmpkgs: ASCII text

rpmpkgs.1: ASCII text

rpmpkgs.2: ASCII text

rpmpkgs.3: ASCII text

samba: directory

scrollkeeper.log: ASCII text

secure: ASCII text

secure.1: empty

secure.2: ASCII English text

secure.3: ASCII text

spooler: empty

spooler.1: empty

spooler.2: empty

spooler.3: empty

tallylog: empty

vbox: directory

wtmp: data

wtmp.1: data

Xorg.0.log: ASCII English text

Xorg.0.log.old: ASCII English text

yum.log: ASCII text

[root@benji log]#

Most log files are ASCII text.

slide6

CIS 191 - Lesson 12

System Monitoring

From observing /var/log ….

[root@opus ~]# ls -l /var/log

total 153572

-rw-r----- 1 root root 3665 Nov 11 13:36 acpid

-rw------- 1 root root 527440 Jun 16 15:47 anaconda.log

-rw------- 1 root root 22282 Jun 16 15:47 anaconda.syslog

-rw------- 1 root root 58040 Jun 16 15:47 anaconda.xlog

drwxr-x--- 2 root root 4096 Nov 24 02:03 audit

-rw------- 1 root root 0 Nov 23 04:02 boot.log

-rw------- 1 root root 0 Nov 16 04:02 boot.log.1

-rw------- 1 root root 0 Nov 9 04:02 boot.log.2

-rw------- 1 root root 0 Nov 2 04:02 boot.log.3

-rw------- 1 root root 0 Oct 26 04:03 boot.log.4

-rw------- 1 root utmp 136987008 Nov 29 15:16 btmp

drwxr-xr-x 2 root root 4096 Jun 28 2007 conman

drwxr-xr-x 2 root root 4096 Jun 28 2007 conman.old

-rw------- 1 root root 12817 Nov 29 16:01 cron

-rw------- 1 root root 13860 Nov 23 04:02 cron.1

-rw------- 1 root root 13706 Nov 16 04:02 cron.2

-rw------- 1 root root 13843 Nov 9 04:02 cron.3

-rw------- 1 root root 14117 Nov 2 04:02 cron.4

drwxr-xr-x 2 lp sys 4096 Nov 27 04:02 cups

-rw-r--r-- 1 root root 18903 Nov 11 13:35 dmesg

-rw------- 1 root root 29256 Nov 11 08:11 faillog

drwxr-xr-x 2 root root 4096 Mar 28 2008 gdm

drwx------ 2 root root 4096 Oct 19 04:02 httpd

-rw-r--r-- 1 root root 355948 Nov 29 16:34 lastlog

drwxr-xr-x 2 root root 4096 Jun 16 15:39 mail

-rw------- 1 root root 27520 Nov 29 08:51 maillog

-rw------- 1 root root 38980 Nov 23 04:02 maillog.1

-rw------- 1 root root 56964 Nov 16 04:02 maillog.2

-rw------- 1 root root 74842 Nov 9 04:02 maillog.3

-rw------- 1 root root 110136 Nov 2 04:02 maillog.4

-rw------- 1 root root 9165 Nov 29 15:35 messages

-rw------- 1 root root 11706 Nov 22 21:30 messages.1

-rw------- 1 root root 35986 Nov 16 03:22 messages.2

-rw------- 1 root root 12430 Nov 8 23:59 messages.3

-rw------- 1 root root 6224 Nov 1 16:21 messages.4

drwxr-xr-x 2 root root 4096 Jun 17 15:02 pm

drwx------ 2 root root 4096 Dec 1 2006 ppp

drwxr-xr-x 2 root root 4096 Jun 27 2007 prelink

-rw-r--r-- 1 root root 31559 Nov 29 04:03 rpmpkgs

-rw-r--r-- 1 root root 31559 Nov 22 04:03 rpmpkgs.1

-rw-r--r-- 1 root root 31559 Nov 15 04:03 rpmpkgs.2

-rw-r--r-- 1 root root 31559 Nov 8 04:02 rpmpkgs.3

-rw-r--r-- 1 root root 31559 Nov 1 04:02 rpmpkgs.4

drwx------ 2 root root 4096 May 20 2008 samba

-rw-r--r-- 1 root root 107169 Jun 17 15:07 scrollkeeper.log

-rw------- 1 root root 1702726 Nov 29 16:34 secure

-rw------- 1 root root 5069529 Nov 23 03:38 secure.1

-rw------- 1 root root 1196200 Nov 16 03:30 secure.2

-rw------- 1 root root 2404320 Nov 8 23:59 secure.3

-rw------- 1 root root 6374517 Nov 1 19:52 secure.4

drwxr-xr-x 2 root root 4096 Nov 23 04:02 setroubleshoot

-rw------- 1 root root 0 Nov 23 04:02 spooler

-rw------- 1 root root 0 Nov 16 04:02 spooler.1

-rw------- 1 root root 0 Nov 9 04:02 spooler.2

-rw------- 1 root root 0 Nov 2 04:02 spooler.3

-rw------- 1 root root 0 Oct 26 04:03 spooler.4

drwxr-x--- 2 squid squid 4096 Apr 1 2008 squid

-rw------- 1 root root 0 Jun 17 14:57 tallylog

-rw-r--r-- 1 root root 34140 Nov 29 16:34 up2date

-rw-r--r-- 1 root root 37324 Nov 23 03:34 up2date.1

-rw-r--r-- 1 root root 43305 Nov 16 03:34 up2date.2

-rw-r--r-- 1 root root 32088 Nov 9 03:49 up2date.3

-rw-r--r-- 1 root root 34650 Nov 2 03:49 up2date.4

drwxr-xr-x 2 root root 4096 Nov 20 2007 vbox

-rw-rw-r-- 1 root utmp 23040 Nov 29 16:34 wtmp

-rw-rw-r-- 1 root utmp 1093632 Nov 27 02:13 wtmp.1

-rw-rw-r-- 1 root cis90 59894 Oct 24 08:23 Xorg.0.log

-rw-rw-r-- 1 root cis90 59894 Sep 16 12:58 Xorg.0.log.old

-rw-r--r-- 1 root root 20546 Jun 17 19:32 yum.log

[root@opus ~]#

How many backups are there of each log? 4

How often are these log files rotated? weekly

Log files are owned by root and have restrictive permissions due to the sensitive information they contain

slide8

CIS 191 - Lesson 12

/etc/syslog.conf

/etc/syslog.conf on Opus

[root@opus ~]# cat /etc/syslog.conf

# Log all kernel messages to the console.

# Logging much else clutters up the screen.

#kern.* /dev/console

# Log anything (except mail) of level info or higher.

# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.

authpriv.* /var/log/secure

# Log all the mail messages in one place.

mail.* -/var/log/maillog

# Log cron stuff

cron.* /var/log/cron

# Everybody gets emergency messages

*.emerg *

# Save news errors of level crit and higher in a special file.

uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log

local7.* /var/log/boot.log

[root@opus ~]#

Each entry is a selector followed by an action

slide9

CIS 191 - Lesson 12

/etc/syslog.conf

http://www.linode.com/wiki/index.php/Syslog_Howto


slide13

CIS 191 - Lesson 12

Logging

Note: You can use the severity level to control where messages are sent, but you don't have control over the level a program assigns to a message.

slide14

CIS 191 - Lesson 12

/etc/syslog.conf

#kern.* /dev/console

Selector kern.*: kernel facility, all priorities (this line is commented out)

Action /dev/console: write messages to the console

slide15

CIS 191 - Lesson 12

/etc/syslog.conf

*.info;mail.none;authpriv.none;cron.none /var/log/messages

Selector: all facilities with info (6) or higher priority, except mail, authpriv or cron

Action: write messages to this file

slide16

CIS 191 - Lesson 12

/etc/syslog.conf

authpriv.* /var/log/secure

Selector: authpriv facility, any priority

Action: write messages to this file

slide17

CIS 191 - Lesson 12

/etc/syslog.conf

mail.* -/var/log/maillog

Selector: mail facility, any priority

Action: write messages to this file (the leading - means don't flush the file each time)

slide18

CIS 191 - Lesson 12

/etc/syslog.conf

cron.* /var/log/cron

Selector: cron facility, any priority

Action: write messages to this file

slide19

CIS 191 - Lesson 12

/etc/syslog.conf

*.emerg *

Selector: all emergency level (0) messages from any facility

Action: all logged in users get the message

slide20

CIS 191 - Lesson 12

/etc/syslog.conf

uucp,news.crit /var/log/spooler

Selector: critical (2) or higher messages from the uucp or news facilities

Action: messages are written to this file

slide21

CIS 191 - Lesson 12

/etc/syslog.conf

local7.* /var/log/boot.log

Selector: any messages from local7 (used by the Red Hat family for boot messages)

Action: messages are written to this file

slide22

CIS 191 - Lesson 12

/etc/syslog.conf

For Lab 10

#Lab 10

*.=notice /var/log/notices

In Lab 10 a new entry is added to /etc/syslog.conf for a custom notices log

Selector: only notification level (5) messages from any facility (the = means this priority only, not higher)

Action: messages are written to this file
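To check how the selectors in the slides above actually route a message (the plain `*.info`, the `mail.none` exclusion and the Lab 10 `*.=notice` form), here is an added evaluator that is not part of the CIS 191 materials. It re-implements the classic sysklogd selector rules in Python; `SAMPLE_CONF` is the Benji configuration copied from the slides, and the function and constant names are this example's own.

```python
"""Work out where syslogd sends a message under the /etc/syslog.conf shown above.

Added example (not code from the CIS 191 slides): a small evaluator for the
classic sysklogd selector syntax   facility[,facility].priority[;...]   action
covering the three forms the slides annotate:
  *.info      -> this priority and every more severe one
  mail.none   -> drop this facility from the rule
  *.=notice   -> exactly this priority
"""
import re

# syslog priorities, most severe first; the slides quote the numbers (emerg=0 ... debug=7)
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}  # legacy spellings syslog.conf accepts

# Sample input: the Benji configuration from the slides, Lab 10 line included.
SAMPLE_CONF = """\
# Log all kernel messages to the console.
#kern.*                                                 /dev/console
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
#Lab 10
*.=notice                                               /var/log/notices
"""


def level(name):
    """Numeric priority (0 = emerg ... 7 = debug)."""
    return PRIORITIES.index(ALIASES.get(name, name))


def parse_syslog_conf(text):
    """Return [(terms, action)] where terms is [(facilities, op, priority)] and
    op is '>=' (plain), '=' (leading '=') or 'none'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # comments and blank lines carry no rule
        if not line:
            continue
        selector, action = re.split(r"\s+", line, maxsplit=1)
        terms = []
        for part in selector.split(";"):
            facilities, prio = part.rsplit(".", 1)
            facilities = facilities.split(",")
            if prio == "none":
                terms.append((facilities, "none", None))
            elif prio.startswith("="):
                terms.append((facilities, "=", prio[1:]))
            else:
                terms.append((facilities, ">=", prio))
        rules.append((terms, action))
    return rules


def rule_levels(terms, facility):
    """Set of priority numbers this rule accepts for `facility`.

    Mirrors how sysklogd builds its per-facility mask: terms apply left to
    right, plain and '=' terms add priorities, 'none' wipes the facility, so
    '*.info;mail.none' keeps info and above for everything except mail.
    """
    allowed = set()
    for facilities, op, prio in terms:
        if facility not in facilities and "*" not in facilities:
            continue
        if op == "none":
            allowed = set()
        elif prio == "*":
            allowed = set(range(len(PRIORITIES)))
        elif op == "=":
            allowed.add(level(prio))
        else:
            allowed |= set(range(level(prio) + 1))   # this priority and the more severe ones
    return allowed


def route(rules, facility, priority):
    """Actions, in config order, that a message tagged facility.priority reaches."""
    num = level(priority)
    return [action for terms, action in rules if num in rule_levels(terms, facility)]


def describe_action(action):
    """Plain-English meaning of an action field, as the slides annotate them."""
    if action == "*":
        return "send to every logged-in user's terminal"
    if action.startswith("-"):
        return f"append to {action[1:]} without flushing after each message"
    if action.startswith("/dev/"):
        return f"write to device {action}"
    return f"append to {action}, flushing after each message"


RULES = parse_syslog_conf(SAMPLE_CONF)

if __name__ == "__main__":
    for fac, pri in [("authpriv", "info"), ("daemon", "notice"), ("kern", "emerg"),
                     ("news", "err"), ("local7", "debug"), ("user", "debug")]:
        actions = route(RULES, fac, pri)
        print(f"{fac}.{pri}: " + ("; ".join(map(describe_action, actions)) or "no action"))
```

Note that a `debug` message from an ordinary facility reaches no file at all under this configuration, which is why the Lab 10 test uses login events (priority notice) rather than debug output.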

slide23

CIS 191 - Lesson 12

/etc/syslog.conf

For Lab 10

Create a custom logfile

[root@benji log]# > notices

[root@benji log]# vi /etc/syslog.conf

[root@benji log]# cat syslog.conf

cat: syslog.conf: No such file or directory

[root@benji log]# cat /etc/syslog.conf

# Log all kernel messages to the console.

# Logging much else clutters up the screen.

#kern.* /dev/console

# Log anything (except mail) of level info or higher.

# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.

authpriv.* /var/log/secure

# Log all the mail messages in one place.

mail.* -/var/log/maillog

# Log cron stuff

cron.* /var/log/cron

# Everybody gets emergency messages

*.emerg *

# Save news errors of level crit and higher in a special file.

uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log

local7.* /var/log/boot.log

#Lab 10

*.=notice /var/log/notices

[root@benji log]# cat notices

[root@benji log]# service syslog restart

Shutting down kernel logger: [ OK ]

Shutting down system logger: [ OK ]

Starting system logger: [ OK ]

Starting kernel logger: [ OK ]

[root@benji log]#

Must restart the logging service for the change in /etc/syslog.conf to take effect.

slide24

CIS 191 - Lesson 12

/etc/syslog.conf

For Lab 10

Login as root on tty2

Login as cis191 on tty3, then su with bad password

[root@benji log]# cat notices

Nov 29 15:18:20 benji login: pam_selinux(login:session): Warning! Could not get new context for /dev/tty2, not relabeling: Invalid argument

Nov 29 15:18:20 benji login: pam_selinux(login:session): usercon=(null), prev_context=system_u:object_r:tty_device_t

Nov 29 15:18:20 benji login: ROOT LOGIN ON tty2

Nov 29 15:19:04 benji login: pam_selinux(login:session): Warning! Could not get new context for /dev/tty3, not relabeling: Invalid argument

Nov 29 15:19:04 benji login: pam_selinux(login:session): usercon=(null), prev_context=system_u:object_r:tty_device_t

Nov 29 15:19:13 benji su: pam_unix(su-l:auth): authentication failure; logname=cis191 uid=500 euid=0 tty=tty3 ruser=cis191 rhost= user=root

[root@benji log]#

The new log will hold root logins and login failures

slide26

CIS 191 - Lesson 12

Log file rotation

logrotate is normally run out of cron once every day

[root@benji ~]# ls /etc/cron.daily/

0anacron  cups  makewhatis.cron  prelink  tmpwatch

0logwatch  logrotate  mlocate.cron  rpm

[root@benji ~]#

[root@benji ~]# cat /etc/cron.daily/logrotate

#!/bin/sh

/usr/sbin/logrotate /etc/logrotate.conf

EXITVALUE=$?

if [ $EXITVALUE != 0 ]; then

/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"

fi

exit 0

[root@benji ~]#

[root@benji ~]# type logrotate

logrotate is /usr/sbin/logrotate

[root@benji ~]#

This is actually a script that calls the logrotate program

The actual program lives in /usr/sbin

slide27

CIS 191 - Lesson 12

/etc/logrotate.conf

[root@opus ~]# cat /etc/logrotate.conf

# see "man logrotate" for details

# rotate log files weekly

weekly

# keep 4 weeks worth of backlogs

rotate 4

# create new (empty) log files after rotating old ones

create

# uncomment this if you want your log files compressed

#compress

# RPM packages drop log rotation information into this directory

include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here

/var/log/wtmp {

monthly

minsize 1M

create 0664 root utmp

rotate 1

}

# system-specific logs may be also be configured here.

[root@opus ~]#

logrotate.conf on Opus

The directives at the top (weekly, rotate 4, create, include) apply to all files

The /var/log/wtmp { ... } block holds settings for specific files

slide28

CIS 191 - Lesson 12

/etc/logrotate.conf

[root@benji ~]# cat /etc/logrotate.conf

# see "man logrotate" for details

# rotate log files weekly

weekly

# keep 4 weeks worth of backlogs

rotate 4

# create new (empty) log files after rotating old ones

create

# uncomment this if you want your log files compressed

#compress

# RPM packages drop log rotation information into this directory

include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here

/var/log/wtmp {

monthly

create 0664 root utmp

rotate 1

}

# system-specific logs may be also be configured here.

[root@benji ~]#

logrotate.conf on Benji
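The two configurations above differ only in the `minsize 1M` line on Opus. To see what `rotate 4`, `create` and `minsize` do to a log directory, here is an added simulation that is not the logrotate program and not part of the CIS 191 course; it repeats logrotate's rename shuffle in a scratch directory. Ownership such as `create 0664 root utmp` is not applied (chown needs root); the mode is.

```python
"""Model the logrotate directives from /etc/logrotate.conf above: rotate N,
create (with a mode), and the minsize seen on Opus.

Added example, not the logrotate program: it performs the same rename shuffle
in a scratch directory so the effect of `rotate 4` (why ls -l shows .1 to .4
and nothing older) can be checked.
"""
import os
import tempfile


def rotate(path, keep=4, minsize=0, create_mode=0o600):
    """One logrotate pass over `path`.

    Returns the backups that exist afterwards (newest first), or None when
    the file is missing or smaller than `minsize` (logrotate skips it then).
    """
    if not os.path.exists(path) or os.path.getsize(path) < minsize:
        return None
    if keep <= 0:                          # rotate 0: logrotate just removes the log
        os.remove(path)
    else:
        oldest = f"{path}.{keep}"
        if os.path.exists(oldest):         # the copy beyond `keep` is dropped
            os.remove(oldest)
        for n in range(keep - 1, 0, -1):   # .3 -> .4, .2 -> .3, .1 -> .2
            if os.path.exists(f"{path}.{n}"):
                os.rename(f"{path}.{n}", f"{path}.{n + 1}")
        os.rename(path, f"{path}.1")
    # `create`: a fresh empty log so the daemon can keep writing; the mode is
    # set explicitly because the mode passed to os.open is filtered by umask.
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, create_mode))
    os.chmod(path, create_mode)
    return [f"{path}.{n}" for n in range(1, keep + 1) if os.path.exists(f"{path}.{n}")]


def simulate(weeks, keep=4, minsize=0, create_mode=0o600):
    """Append one constructed line per week and run a weekly rotation `weeks` times.

    Returns (backup names newest-first, live file mode, text of the oldest backup).
    """
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "messages")
        open(log, "w").close()
        backups = []
        for week in range(1, weeks + 1):
            with open(log, "a") as fh:
                fh.write(f"week {week}: constructed syslog line\n")
            result = rotate(log, keep, minsize, create_mode)
            if result is not None:
                backups = result
        mode = os.stat(log).st_mode & 0o777
        oldest = open(backups[-1]).read() if backups else ""
        return [os.path.basename(b) for b in backups], mode, oldest


if __name__ == "__main__":
    names, mode, oldest = simulate(6)
    print("after 6 weekly rotations with rotate 4:", names, oct(mode), repr(oldest))
    print("with minsize 1M nothing rotates:", simulate(3, minsize=1_000_000)[0])
```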

slide30

CIS 191 - Lesson 12

/var/log/wtmp and /var/log/btmp

[root@opus log]# ls -l /var/log

< snipped >

-rw------- 1 root utmp 136987008 Nov 29 15:16 btmp

< snipped >

-rw-rw-r-- 1 root utmp 26112 Nov 29 19:02 wtmp

-rw-rw-r-- 1 root utmp 1093632 Nov 27 02:13 wtmp.1

< snipped >

[root@opus log]#

btmp: bad login attempts

wtmp: good login attempts

slide31

CIS 191 - Lesson 12

/var/log/wtmp and /var/log/btmp

[root@opus ~]# lastb | grep "cool.nju.edu.cn" | head

bind ssh:notty cool.nju.edu.cn Sun Nov 30 06:35 - 06:35 (00:00)

bind ssh:notty cool.nju.edu.cn Sun Nov 30 06:35 - 06:35 (00:00)

bind ssh:notty cool.nju.edu.cn Sun Nov 30 06:35 - 06:35 (00:00)

bind ssh:notty cool.nju.edu.cn Sun Nov 30 06:35 - 06:35 (00:00)

bind ssh:notty cool.nju.edu.cn Sun Nov 30 06:35 - 06:35 (00:00)

bind ssh:notty cool.nju.edu.cn Sun Nov 30 06:35 - 06:35 (00:00)

bind ssh:notty cool.nju.edu.cn Sun Nov 30 06:35 - 06:35 (00:00)

bind ssh:notty cool.nju.edu.cn Sun Nov 30 06:35 - 06:35 (00:00)

bind ssh:notty cool.nju.edu.cn Sun Nov 30 06:35 - 06:35 (00:00)

bind ssh:notty cool.nju.edu.cn Sun Nov 30 06:35 - 06:35 (00:00)

[root@opus ~]# lastb | grep "cool.nju.edu.cn" | wc -l

3104

[root@opus ~]#

Shows a break-in attempt on 11/30/2008

slide32

CIS 191 - Lesson 12

/var/log/wtmp and /var/log/btmp

[root@opus ~]# lastb | grep "Nov 2 17:45"

webadmin ssh:notty 211.96.97.179 Sun Nov 2 17:45 - 17:45 (00:00)

webadmin ssh:notty 211.96.97.179 Sun Nov 2 17:45 - 17:45 (00:00)

retsu ssh:notty 211.96.97.179 Sun Nov 2 17:45 - 17:45 (00:00)

retsu ssh:notty 211.96.97.179 Sun Nov 2 17:45 - 17:45 (00:00)

sbear ssh:notty 211.96.97.179 Sun Nov 2 17:45 - 17:45 (00:00)

sbear ssh:notty 211.96.97.179 Sun Nov 2 17:45 - 17:45 (00:00)

sky ssh:notty 211.96.97.179 Sun Nov 2 17:45 - 17:45 (00:00)

sky ssh:notty 211.96.97.179 Sun Nov 2 17:45 - 17:45 (00:00)

harvey ssh:notty 211.96.97.179 Sun Nov 2 17:45 - 17:45 (00:00)

harvey ssh:notty 211.96.97.179 Sun Nov 2 17:45 - 17:45 (00:00)

harvey ssh:notty 211.96.97.179 Sun Nov 2 17:45 - 17:45 (00:00)

[root@opus ~]#

[root@opus ~]# lastb -i | grep "211.96.97.179" | wc -l

598

[root@opus ~]#

Shows a break-in attempt by 211.96.97.179 on 11/2/2008

slide33

CIS 191 - Lesson 12

/var/log/lastlog

[rsimms@opus ~]$ lastlog

Username Port From Latest

< snipped >

jimg pts/0 adsl-70-132-6-20 Fri Nov 28 19:04:08 -0800 2008

vmware pts/2 dsl-63-249-86-11 Wed Aug 27 15:41:35 -0700 2008

cis191 pts/0 cm0-136-131.rezn Sat Nov 29 11:00:24 -0800 2008

simmsmar pts/2 dsl-63-249-103-1 Fri Oct 31 18:59:55 -0700 2008

roddyduk pts/1 dsl-63-249-103-1 Thu Nov 27 08:57:33 -0800 2008

simmsben pts/0 risimms-1.cabril Wed Nov 26 20:12:04 -0800 2008

guest191 pts/0 dsl-63-249-103-1 Sun Oct 19 11:22:53 -0700 2008

woolahen pts/0 65-98-148-143-di Wed Nov 26 21:26:48 -0800 2008

stanlcha pts/0 svx23-1.cabrillo Wed Nov 26 17:29:31 -0800 2008

bolasale pts/1 svx11-1.cabrillo Wed Nov 26 20:18:05 -0800 2008

seatocol pts/2 c-67-182-48-70.h Sun Nov 30 10:11:47 -0800 2008

wrigholi pts/0 c-98-207-42-232. Sun Nov 30 16:12:47 -0800 2008

dymesdia pts/2 c-24-5-147-76.hs Fri Nov 28 18:23:20 -0800 2008

barrecol pts/1 207.62.186.30 Tue Sep 9 18:38:10 -0700 2008

gantden pts/1 207.62.186.30 Tue Oct 7 19:01:30 -0700 2008

deakifre pts/0 207.62.186.30 Tue Oct 14 19:15:22 -0700 2008

bellhil pts/1 714x09-1.cabrill Thu Nov 20 12:59:33 -0800 2008

chaffjan pts/2 207.62.186.30 Tue Nov 18 19:03:34 -0800 2008

clarkjef pts/0 dsl-63-249-97-24 Mon Nov 24 23:45:27 -0800 2008

lemiejoh pts/11 207.62.186.30 Tue Sep 9 18:42:13 -0700 2008

simmsjon pts/3 dsl-63-249-97-18 Sun Nov 30 00:14:48 -0800 2008

bobisjoe pts/2 207.62.186.30 Mon Nov 17 20:34:07 -0800 2008

smithkay pts/0 207.62.186.30 Mon Nov 3 20:06:11 -0800 2008

< snipped >

[rsimms@opus ~]$

slide34

CIS 191 - Lesson 12

/var/log/lastlog

[rsimms@opus log]$ lastlog

Username Port From Latest

root tty1 Wed Sep 10 21:49:40 -0700 2008

daemon **Never logged in**

adm **Never logged in**

lp **Never logged in**

sync **Never logged in**

shutdown **Never logged in**

halt **Never logged in**

mail **Never logged in**

news **Never logged in**

uucp **Never logged in**

operator **Never logged in**

games **Never logged in**

gopher **Never logged in**

squid **Never logged in**

easter **Never logged in**

named **Never logged in**

ntp **Never logged in**

gdm **Never logged in**

xfs **Never logged in**

ftp **Never logged in**

nobody **Never logged in**

rpm **Never logged in**

vcsa **Never logged in**

nscd **Never logged in**

sshd **Never logged in**

rpc **Never logged in**

rpcuser **Never logged in**

pcap **Never logged in**

mailnull **Never logged in**

smmsp **Never logged in**

apache **Never logged in**

dbus **Never logged in**

sabayon **Never logged in**

haldaemon **Never logged in**

dovecot **Never logged in**

cis192 **Never logged in**

rsimms pts/0 dsl-63-249-103-1 Sun Nov 30 16:46:46 -0800 2008

ryan **Never logged in**

gerlinde **Never logged in**

dbc **Never logged in**

brian **Never logged in**

rhea **Never logged in**

guest pts/4 207.62.186.30 Wed Nov 26 12:39:03 -0800 2008

guest90 pts/1 stu-wireless-gw- Wed Nov 12 14:17:07 -0800 2008

guest130 **Never logged in**

jimg pts/0 adsl-70-132-6-20 Fri Nov 28 19:04:08 -0800 2008

vmware pts/2 dsl-63-249-86-11 Wed Aug 27 15:41:35 -0700 2008

timc **Never logged in**

cis191 pts/0 cm0-136-131.rezn Sat Nov 29 11:00:24 -0800 2008

simmsmar pts/2 dsl-63-249-103-1 Fri Oct 31 18:59:55 -0700 2008

roddyduk pts/1 dsl-63-249-103-1 Thu Nov 27 08:57:33 -0800 2008

simmsben pts/0 risimms-1.cabril Wed Nov 26 20:12:04 -0800 2008

guest191 pts/0 dsl-63-249-103-1 Sun Oct 19 11:22:53 -0700 2008

woolahen pts/0 65-98-148-143-di Wed Nov 26 21:26:48 -0800 2008

stanlcha pts/0 svx23-1.cabrillo Wed Nov 26 17:29:31 -0800 2008

bolasale pts/1 svx11-1.cabrillo Wed Nov 26 20:18:05 -0800 2008

seatocol pts/2 c-67-182-48-70.h Sun Nov 30 10:11:47 -0800 2008

wrigholi pts/0 c-98-207-42-232. Sun Nov 30 16:12:47 -0800 2008

dymesdia pts/2 c-24-5-147-76.hs Fri Nov 28 18:23:20 -0800 2008

barrecol pts/1 207.62.186.30 Tue Sep 9 18:38:10 -0700 2008

gantden pts/1 207.62.186.30 Tue Oct 7 19:01:30 -0700 2008

deakifre pts/0 207.62.186.30 Tue Oct 14 19:15:22 -0700 2008

bellhil pts/1 714x09-1.cabrill Thu Nov 20 12:59:33 -0800 2008

chaffjan pts/2 207.62.186.30 Tue Nov 18 19:03:34 -0800 2008

clarkjef pts/0 dsl-63-249-97-24 Mon Nov 24 23:45:27 -0800 2008

lemiejoh pts/11 207.62.186.30 Tue Sep 9 18:42:13 -0700 2008

simmsjon pts/3 dsl-63-249-97-18 Sun Nov 30 00:14:48 -0800 2008

bobisjoe pts/2 207.62.186.30 Mon Nov 17 20:34:07 -0800 2008

smithkay pts/0 207.62.186.30 Mon Nov 3 20:06:11 -0800 2008

talpamar pts/1 207.62.186.30 Tue Oct 21 20:52:13 -0700 2008

weavepat pts/0 207.62.186.30 Mon Oct 13 16:06:11 -0700 2008

scalenoa pts/1 207.62.186.30 Sat Nov 1 16:27:29 -0700 2008

childtim pts/3 207.62.186.30 Tue Nov 25 20:01:45 -0800 2008

husmalei pts/0 c-67-180-94-200. Sat Sep 20 22:24:42 -0700 2008

doddkev pts/2 207.62.186.30 Tue Nov 25 16:51:34 -0800 2008

lyonsrob pts/2 dsl253-002-169.s Wed Nov 26 12:48:37 -0800 2008

ybarrser pts/9 stu-wireless-gw- Wed Nov 26 18:31:05 -0800 2008

valdemar pts/0 adsl-99-170-150- Fri Nov 28 22:17:15 -0800 2008

elliokat pts/13 svx07-1.cabrillo Wed Nov 26 18:01:17 -0800 2008

jessuwes pts/12 svx06-1.cabrillo Wed Nov 26 17:58:40 -0800 2008

luisjus pts/4 svx16-1.cabrillo Wed Nov 19 17:29:18 -0800 2008

thrascat pts/16 svx17-2.cabrillo Wed Sep 10 19:01:25 -0700 2008

meyerjas pts/7 10.177.1.152 Wed Nov 26 17:20:58 -0800 2008

bergelyl pts/4 svx15-1.cabrillo Wed Nov 26 18:50:53 -0800 2008

hutmabry pts/3 c-76-21-35-117.h Tue Nov 25 21:01:53 -0800 2008

gardnnic pts/1 c-67-180-95-187. Wed Nov 26 23:55:40 -0800 2008

mohanchi pts/6 59.92.58.158 Wed Nov 26 19:37:18 -0800 2008

whitfbob pts/6 svx18-1.cabrillo Wed Nov 26 19:07:52 -0800 2008

wichemic pts/1 netblock-68-183- Fri Nov 28 18:23:04 -0800 2008

crivejoh pts/0 c-24-5-147-18.hs Wed Nov 26 23:58:38 -0800 2008

earthgre pts/3 207.62.186.30 Tue Nov 25 20:03:20 -0800 2008

foregdyl **Never logged in**

romanmar pts/0 c-98-210-240-176 Tue Nov 18 17:17:09 -0800 2008

sanchden pts/2 70.134.64.172 Sun Nov 30 02:07:59 -0800 2008

tiagolaw pts/0 207.62.186.30 Thu Nov 13 18:00:12 -0800 2008

[rsimms@opus log]$

login as: rsimms

rsimms@opus.cabrillo.edu's password:

Last login: Sun Nov 30 16:46:46 2008 from dsl-63-249-103-107.cruzio.com

_

('v')

//-=-\\

(\_=_/)

~~ ~~

Welcome to Opus

Serving Cabrillo College

[rsimms@opus ~]$

slide35

/var/log/wtmp and /var/log/btmp

[rsimms@opus log]$ ls -l *tmp*

-rw------- 1 root utmp 137583360 Nov 30 06:35 btmp

-rw-rw-r-- 1 root utmp 35712 Nov 30 16:57 wtmp

-rw-rw-r-- 1 root utmp 1093632 Nov 27 02:13 wtmp.1

[rsimms@opus log]$

[root@opus ~]# lastb | head -5

bind ssh:notty cool.nju.edu.cn Sun Nov 30 06:35 - 06:35 (00:00)

bind ssh:notty cool.nju.edu.cn Sun Nov 30 06:35 - 06:35 (00:00)

bind ssh:notty cool.nju.edu.cn Sun Nov 30 06:35 - 06:35 (00:00)

bind ssh:notty cool.nju.edu.cn Sun Nov 30 06:35 - 06:35 (00:00)

bind ssh:notty cool.nju.edu.cn Sun Nov 30 06:35 - 06:35 (00:00)

[root@opus ~]# last | head -5

rsimms pts/0 dsl-63-249-103-1 Sun Nov 30 16:57 still logged in

rsimms pts/0 dsl-63-249-103-1 Sun Nov 30 16:46 - 16:57 (00:10)

rsimms pts/0 dsl-63-249-103-1 Sun Nov 30 16:35 - 16:41 (00:06)

wrigholi pts/0 c-98-207-42-232. Sun Nov 30 16:12 - 16:18 (00:06)

wrigholi pts/0 c-98-207-42-232. Sun Nov 30 13:12 - 15:07 (01:54)

[root@opus ~]#

lastb (reads btmp): failed logins

last (reads wtmp): successful logins

slide36

/var/log/wtmp and /var/log/btmp

Either command, who wtmp or last, prints the successful login history recorded in wtmp

[root@opus log]# who wtmp | tail -10

sanchden pts/2 2008-11-30 00:33 (70.134.64.172)

sanchden pts/2 2008-11-30 02:04 (70.134.64.172)

sanchden pts/2 2008-11-30 02:07 (70.134.64.172)

seatocol pts/2 2008-11-30 10:11 (c-67-182-48-70.hsd1.ca.comcast.net)

wrigholi pts/2 2008-11-30 11:23 (c-98-207-42-232.hsd1.ca.comcast.net)

wrigholi pts/0 2008-11-30 13:12 (c-98-207-42-232.hsd1.ca.comcast.net)

wrigholi pts/0 2008-11-30 16:12 (c-98-207-42-232.hsd1.ca.comcast.net)

rsimms pts/0 2008-11-30 16:35 (dsl-63-249-103-107.cruzio.com)

rsimms pts/0 2008-11-30 16:46 (dsl-63-249-103-107.cruzio.com)

rsimms pts/0 2008-11-30 16:57 (dsl-63-249-103-107.cruzio.com)

[root@opus log]# last | head -10

rsimms pts/0 dsl-63-249-103-1 Sun Nov 30 16:57 still logged in

rsimms pts/0 dsl-63-249-103-1 Sun Nov 30 16:46 - 16:57 (00:10)

rsimms pts/0 dsl-63-249-103-1 Sun Nov 30 16:35 - 16:41 (00:06)

wrigholi pts/0 c-98-207-42-232. Sun Nov 30 16:12 - 16:18 (00:06)

wrigholi pts/0 c-98-207-42-232. Sun Nov 30 13:12 - 15:07 (01:54)

wrigholi pts/2 c-98-207-42-232. Sun Nov 30 11:23 - 12:40 (01:17)

seatocol pts/2 c-67-182-48-70.h Sun Nov 30 10:11 - 10:17 (00:05)

sanchden pts/2 70.134.64.172 Sun Nov 30 02:07 - 02:14 (00:06)

sanchden pts/2 70.134.64.172 Sun Nov 30 02:04 - 02:07 (00:03)

sanchden pts/2 70.134.64.172 Sun Nov 30 00:33 - 02:03 (01:29)

[root@opus log]#

slide37

/var/log/wtmp and /var/log/btmp

[root@opus log]# lastb | sort | cut -f1 -d' ' | grep -v ^$ | uniq -c > bad

[root@opus log]# sort -g bad > bad.sort

[root@opus log]# cat bad.sort | tail -50

471 ftp

472 public

490 test

490 tomcat

498 user

506 service

508 mike

508 username

524 cyrus

530 pgsql

532 test1

544 master

554 linux

554 toor

576 paul

584 support

590 testuser

604 irc

610 test

656 noc

686 www

690 postfix

723 john

734 testing

738 adam

746 alex

754 info

798 tester

832 library

935 guest

990 admin

1002 office

1022 temp

1070 ftpuser

1138 webadmin

1298 nagios

1332 web

1374 a

1384 student

1416 postgres

1690 user

1858 oracle

1944 mysql

2086 webmaste

5324 test

10803 root

10824 admin

18679 root

24064 root

[root@opus log]#

Top 50 usernames used by the bad guys

slide38

/var/log/wtmp and /var/log/btmp

22128 different usernames tried and failed

[root@opus log]# lastb | sort | cut -f1 -d' ' | grep -v ^$| uniq -c | wc -l

22128

[root@opus log]#

[root@opus log]# lastb | grep root | wc -l

54117

[root@opus log]#

53117 failed root logins

Now you know why you need a strong password!
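Added example, not from the slides: a shell function that produces the same per-username summary of lastb output, but extracts the username column before sorting so each name is counted once. In the listing above, root, test, user and admin each appear more than once because the whole line is sorted before the username is cut out, so identical names are not always adjacent when uniq -c runs. The sample lastb lines, usernames and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the CIS 191 slides): count failed logins per
# username and per source host from lastb output, extracting the column
# of interest BEFORE sorting so each name is counted exactly once.

# Input: lastb output on stdin.
# Output: "<count> <username>" lines, highest count first, names unique.
failed_by_user() {
    # Skip the blank line and the "btmp begins ..." trailer lastb prints.
    awk 'NF > 0 && $1 != "btmp" { print $1 }' |
        sort | uniq -c |
        sort -k1,1nr -k2,2 |
        awk '{ print $1, $2 }'
}

# Same per source host (third column), for ssh entries only, since a
# console (tty) entry has no host column and would shift the fields.
failed_by_host() {
    awk 'NF >= 3 && $1 != "btmp" && $2 ~ /^ssh/ { print $3 }' |
        sort | uniq -c |
        sort -k1,1nr -k2,2 |
        awk '{ print $1, $2 }'
}

# Constructed sample in lastb format. Usernames are invented; the addresses
# are from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges.
SAMPLE_LASTB='root     ssh:notty    192.0.2.10       Sun Nov 30 06:35 - 06:35  (00:00)
root1    ssh:notty    192.0.2.10       Sun Nov 30 06:35 - 06:35  (00:00)
root     ssh:notty    198.51.100.7     Sun Nov 30 06:36 - 06:36  (00:00)
test     ssh:notty    192.0.2.10       Sun Nov 30 06:36 - 06:36  (00:00)
root     tty1                          Sun Nov 30 07:01 - 07:01  (00:00)
admin    ssh:notty    198.51.100.7     Sun Nov 30 07:02 - 07:02  (00:00)

btmp begins Sat Nov  1 00:00:01 2008'

sample_by_user() { printf '%s\n' "$SAMPLE_LASTB" | failed_by_user; }
sample_by_host() { printf '%s\n' "$SAMPLE_LASTB" | failed_by_host; }

# On a live system (root is needed to read btmp):  lastb | failed_by_user | head -50
sample_by_user
sample_by_host
```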

slide40

logwatch

You have mail … from logwatch

[root@opus ~]# mail

Mail version 8.1 6/6/93. Type ? for help.

"/var/spool/mail/root": 349 messages 349 new

>N 1 logwatch@opus.cabril Mon Jun 16 17:04 43/1587 "Logwatch for opus.cabrillo.edu (Linux)"

N 2 root@opus.cabrillo.e Mon Jun 16 17:12 18/795 "Anacron job for 'opus.cabrillo.edu' cron."

N 3 logwatch@opus.cabril Tue Jun 17 16:14 141/3966 "Logwatch for opus.cabrillo.edu (Linux)"

N 4 logwatch@opus.cabril Wed Jun 18 04:02 728/32707 "Logwatch for opus.cabrillo.edu (Linux)"

N 5 root@opus.cabrillo.e Wed Jun 18 04:05 47/1877 "Cron <root@opus> run-parts /etc/cron.dail"

N 6 logwatch@opus.cabril Thu Jun 19 04:02 1007/61932 "Logwatch for opus.cabrillo.edu (Linux)"

N 7 root@opus.cabrillo.e Thu Jun 19 04:02 47/1889 "Cron <root@opus> run-parts /etc/cron.dail"

N 8 logwatch@opus.cabril Fri Jun 20 04:02 168/5533 "Logwatch for opus.cabrillo.edu (Linux)"

N 9 root@opus.cabrillo.e Fri Jun 20 04:02 47/1891 "Cron <root@opus> run-parts /etc/cron.dail"

N 10 logwatch@opus.cabril Sat Jun 21 04:02 274/8886 "Logwatch for opus.cabrillo.edu (Linux)"

N 11 root@opus.cabrillo.e Sat Jun 21 04:02 47/1894 "Cron <root@opus> run-parts /etc/cron.dail"

N 12 logwatch@opus.cabril Sun Jun 22 04:02 156/4722 "Logwatch for opus.cabrillo.edu (Linux)"

N 13 root@opus.cabrillo.e Sun Jun 22 04:02 47/1894 "Cron <root@opus> run-parts /etc/cron.dail"

N 14 logwatch@opus.cabril Mon Jun 23 04:02 241/10770 "Logwatch for opus.cabrillo.edu (Linux)"

N 15 root@opus.cabrillo.e Mon Jun 23 04:02 47/1894 "Cron <root@opus> run-parts /etc/cron.dail"

N 16 logwatch@opus.cabril Tue Jun 24 04:02 3768/316984 "Logwatch for opus.cabrillo.edu (Linux)"

N 17 root@opus.cabrillo.e Tue Jun 24 04:02 47/1894 "Cron <root@opus> run-parts /etc/cron.dail"

N 18 logwatch@opus.cabril Wed Jun 25 04:02 3246/274685 "Logwatch for opus.cabrillo.edu (Linux)"

N 19 root@opus.cabrillo.e Wed Jun 25 04:02 47/1894 "Cron <root@opus> run-parts /etc/cron.dail"

N 20 logwatch@opus.cabril Thu Jun 26 04:02 1390/112446 "Logwatch for opus.cabrillo.edu (Linux)"

N 21 root@opus.cabrillo.e Thu Jun 26 04:02 47/1894 "Cron <root@opus> run-parts /etc/cron.dail"

N 22 logwatch@opus.cabril Fri Jun 27 04:02 72/2185 "Logwatch for opus.cabrillo.edu (Linux)"

N 23 root@opus.cabrillo.e Fri Jun 27 04:02 47/1894 "Cron <root@opus> run-parts /etc/cron.dail"

N 24 logwatch@opus.cabril Sat Jun 28 04:02 91/3228 "Logwatch for opus.cabrillo.edu (Linux)"

N 25 root@opus.cabrillo.e Sat Jun 28 04:02 47/1894 "Cron <root@opus> run-parts /etc/cron.dail"

N 26 logwatch@opus.cabril Sun Jun 29 04:02 150/6673 "Logwatch for opus.cabrillo.edu (Linux)"

N 27 root@opus.cabrillo.e Sun Jun 29 04:02 47/1894 "Cron <root@opus> run-parts /etc/cron.dail"

N 28 logwatch@opus.cabril Mon Jun 30 04:02 247/14351 "Logwatch for opus.cabrillo.edu (Linux)"

N 29 root@opus.cabrillo.e Mon Jun 30 04:02 47/1894 "Cron <root@opus> run-parts /etc/cron.dail"

N 30 logwatch@opus.cabril Tue Jul 1 04:02 395/20660 "Logwatch for opus.cabrillo.edu (Linux)"

N 31 root@opus.cabrillo.e Tue Jul 1 04:02 47/1891 "Cron <root@opus> run-parts /etc/cron.dail"

N 32 logwatch@opus.cabril Wed Jul 2 04:02 481/32664 "Logwatch for opus.cabrillo.edu (Linux)"

N 33 root@opus.cabrillo.e Wed Jul 2 04:02 47/1891 "Cron <root@opus> run-parts /etc/cron.dail"

N 34 logwatch@opus.cabril Thu Jul 3 04:02 102/3197 "Logwatch for opus.cabrillo.edu (Linux)"

N 35 root@opus.cabrillo.e Thu Jul 3 04:02 47/1891 "Cron <root@opus> run-parts /etc/cron.dail"

& 29

slide41

logwatch

& 11

Message 11:

From root@benji.localdomain Tue Dec 2 10:47:06 2008

Date: Tue, 2 Dec 2008 10:47:06 -0800

To: root@benji.localdomain

From: logwatch@benji.localdomain

Subject: Logwatch for benji.localdomain (Linux)

MIME-Version: 1.0

Content-Transfer-Encoding: 7bit

Content-Type: text/plain; charset="iso-8859-1"

################### Logwatch 7.3 (03/24/06) ####################

Processing Initiated: Tue Dec 2 10:47:06 2008

Date Range Processed: yesterday

( 2008-Dec-01 )

Period is day.

Detail Level of Output: 0

Type of Output: unformatted

Logfiles for Host: benji.localdomain

##################################################################

--------------------- Disk Space Begin ------------------------

Filesystem Size Used Avail Use% Mounted on

/dev/sda1 2.9G 2.5G 272M 91% /

/dev/sda5 289M 234M 41M 86% /opt

/dev/sda3 487M 77M 385M 17% /var

/dev/sda7 196M 5.6M 181M 3% /home

---------------------- Disk Space End -------------------------

###################### Logwatch End #########################

example email message from logwatch

slide42

Configuring logwatch

# cat /usr/share/logwatch/default.conf/logwatch.conf

########################################################

# This was written and is maintained by:

# Kirk Bauer <kirk@kaybee.org>

#

# Please send all comments, suggestions, bug reports,

# etc, to kirk@kaybee.org.

#

########################################################

# NOTE:

# All these options are the defaults if you run logwatch with no

# command-line arguments. You can override all of these on the

# command-line.

# You can put comments anywhere you want to. They are effective for the

# rest of the line.

# this is in the format of <name> = <value>. Whitespace at the beginning

# and end of the lines is removed. Whitespace before and after the = sign

# is removed. Everything is case *insensitive*.

# Yes = True = On = 1

# No = False = Off = 0

# Default Log Directory

# All log-files are assumed to be given relative to this directory.

LogDir = /var/log

# You can override the default temp directory (/tmp) here

TmpDir = /var/cache/logwatch

# Default person to mail reports to. Can be a local account or a

# complete email address.

MailTo = root

# Default person to mail reports from. Can be a local account or a

# complete email address.

MailFrom = Logwatch

# If set to 'Yes', the report will be sent to stdout instead of being

# mailed to above person.

Print = No

# if set, the results will be saved in <filename> instead of mailed

# or displayed.

#Save = /tmp/logwatch

# Use archives? If set to 'Yes', the archives of logfiles

# (i.e. /var/log/messages.1 or /var/log/messages.1.gz) will

# be searched in addition to the /var/log/messages file.

# This usually will not do much if your range is set to just

# 'Yesterday' or 'Today'... it is probably best used with

# Archives = Yes

# Range = All

# The default time range for the report...

# The current choices are All, Today, Yesterday

Range = yesterday

# The default detail level for the report.

# This can either be Low, Med, High or a number.

# Low = 0

# Med = 5

# High = 10

Detail = Low

< rest snipped >

This file shows all the defaults being used by logwatch

Level of detail is Low by default

slide43

Configuring logwatch

Edit /etc/logwatch/conf/logwatch.conf to modify the defaults

Read the default file (/usr/share/logwatch/default.conf/logwatch.conf) for all the options that can be set

A Detail line was added here to override the default level of Low; the reports on the following slides were generated at High

slide44

logwatch

Message 14:

From root@benji.localdomain Tue Dec 2 10:53:22 2008

Date: Tue, 2 Dec 2008 10:53:21 -0800

To: root@benji.localdomain

From: logwatch@benji.localdomain

Subject: Logwatch for benji.localdomain (Linux)

MIME-Version: 1.0

Content-Transfer-Encoding: 7bit

Content-Type: text/plain; charset="iso-8859-1"

################### Logwatch 7.3 (03/24/06) ####################

Processing Initiated: Tue Dec 2 10:53:21 2008

Date Range Processed: yesterday

( 2008-Dec-01 )

Period is day.

Detail Level of Output: 10

Type of Output: unformatted

Logfiles for Host: benji.localdomain

##################################################################

--------------------- Cron Begin ------------------------

Commands Run:

User root:

/sbin/dump 0uf /backup/level0/backup-L0-`date +%Y-%d-%m`.dmp /home: 2 Time(s)

/sbin/dump 1uf /backup/level1/backup-L1-`date +%Y-%d-%m`.dmp /home: 5 Time(s)

/sbin/dump 2uf /backup/level2/backup-L2-`date '+: 4 Time(s)

/sbin/dump 2uf /backup/level2/backup-L2-`date +: 5 Time(s)

/sbin/dump 2uf /backup/level2/backup-L2-`date +%Y-%d-%m`.dmp /home: 14 Time(s)

/sbin/dump 2uf /backup/level2/backup-L2.dmp /home: 2 Time(s)

dump 1uf /backup/level1/backup-daily-$(date +: 1 Time(s)

dump 2uf /backup/level2/backup-L2.dmp /home: 2 Time(s)

dump 2uf /backup/level2/backup-daily-$(date +: 9 Time(s)

logwatch report using High level of detail

slide45

logwatch

personal crontab deleted: 3 Time(s)

personal crontab edited: 6 Time(s)

personal crontab listed: 7 Time(s)

personal crontab reloaded: 7 Time(s)

personal crontab replaced: 11 Time(s)

run-parts /etc/cron.daily: 1 Time(s)

run-parts /etc/cron.hourly: 24 Time(s)

run-parts /etc/cron.monthly: 1 Time(s)

---------------------- Cron End -------------------------

--------------------- sendmail Begin ------------------------

STATISTICS

----------

Bytes Transferred: 90737

Messages Processed: 92

Addressed Recipients: 92

Message recipients per delivery agent:

Name # Rcpts

local 46

---------------------

TOTAL: 46

in addition to 46 relay

submission(s) from MSP

logwatch report using High level of detail continued

slide46

logwatch

Message Size Distribution:

Range # Msgs KBytes

0 - 10k 92 88

----------------------------------

TOTAL 92 88

Avg. Size 0

Top 10 Email Recipients

----------------------------------

root@benji.localdomain : 46 emails

Top relays (recipients/connections - min 10 rcpts, max 25 lines):

46/46: benji.localdomain [127.0.0.1]

46/46: root@localhost

---------------------- sendmail End -------------------------

--------------------- Syslogd Begin ------------------------

Syslogd started 1 Time(s)

---------------------- Syslogd End -------------------------

logwatch report using High level of detail continued

slide47

logwatch

logwatch report using High level of detail continued

--------------------- Disk Space Begin ------------------------

Filesystem Size Used Avail Use% Mounted on

/dev/sda1 2.9G 2.5G 272M 91% /

/dev/sda5 289M 234M 41M 86% /opt

/dev/sda3 487M 77M 385M 17% /var

/dev/sda7 196M 5.6M 181M 3% /home

---------------------- Disk Space End -------------------------

###################### Logwatch End #########################

&

slide48

logwatch

the bad boys trying to break in …

this is why you need strong passwords

--------------------- SSHD Begin ------------------------

SSHD Killed: 1 Time(s)

SSHD Started: 1 Time(s)

Disconnecting after too many authentication failures for user:

guest90 : 1 Time(s)

Failed logins from:

76.254.22.196 (adsl-76-254-22-196.dsl.pltn13.sbcglobal.net): 2 times

201.7.115.194 (201-7-115-194.spopa302.ipd.brasiltelecom.net.br): 2135 times

210.240.12.14: 20 times

Illegal users from:

201.7.115.194 (201-7-115-194.spopa302.ipd.brasiltelecom.net.br): 564 times

210.240.12.14: 42 times

Users logging in through sshd:

guest:

76.254.22.196 (adsl-76-254-22-196.dsl.pltn13.sbcglobal.net): 2 times

jimg:

70.132.20.25 (adsl-70-132-20-25.dsl.snfc21.sbcglobal.net): 7 times

ordazedw:

76.254.22.196 (adsl-76-254-22-196.dsl.pltn13.sbcglobal.net): 1 time

root:

63.249.86.11 (dsl-63-249-86-11.cruzio.com): 3 times

70.132.20.25 (adsl-70-132-20-25.dsl.snfc21.sbcglobal.net): 1 time

rsimms:

63.249.86.11 (dsl-63-249-86-11.cruzio.com): 2 times

slide49

logwatch

http://ws.arin.net/whois/?queryinput=201.7.115.194

slide50

/var/log/secure

Nov 30 06:02:24 opus sshd[27486]: Failed password for root from 202.119.60.132 port 36322 ssh2

Nov 30 06:02:24 opus sshd[27487]: Received disconnect from 202.119.60.132: 11: Bye Bye

Nov 30 06:02:27 opus sshd[27488]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cool.nju.edu.cn user=root

Nov 30 06:02:29 opus sshd[27488]: Failed password for root from 202.119.60.132 port 36846 ssh2

Nov 30 06:02:29 opus sshd[27489]: Received disconnect from 202.119.60.132: 11: Bye Bye

Nov 30 06:02:32 opus sshd[27490]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cool.nju.edu.cn user=root

Nov 30 06:02:33 opus sshd[27490]: Failed password for root from 202.119.60.132 port 37480 ssh2

Nov 30 06:02:34 opus sshd[27491]: Received disconnect from 202.119.60.132: 11: Bye Bye

Nov 30 06:02:36 opus sshd[27492]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cool.nju.edu.cn user=root

Nov 30 06:02:38 opus sshd[27492]: Failed password for root from 202.119.60.132 port 38030 ssh2

Nov 30 06:02:39 opus sshd[27493]: Received disconnect from 202.119.60.132: 11: Bye Bye

Nov 30 06:02:42 opus sshd[27494]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cool.nju.edu.cn user=root

Nov 30 06:02:43 opus sshd[27494]: Failed password for root from 202.119.60.132 port 38679 ssh2

Nov 30 06:02:43 opus sshd[27495]: Received disconnect from 202.119.60.132: 11: Bye Bye

Nov 30 06:02:46 opus sshd[27496]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cool.nju.edu.cn user=root

Nov 30 06:02:48 opus sshd[27496]: Failed password for root from 202.119.60.132 port 39448 ssh2

Nov 30 06:02:48 opus sshd[27497]: Received disconnect from 202.119.60.132: 11: Bye Bye

Nov 30 06:02:50 opus sshd[27498]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cool.nju.edu.cn user=root

The bad boys trying to break in as root

… this is why you need strong passwords

slide51

/var/log/secure

Nov 30 06:27:20 opus sshd[28166]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cool.nju.edu.cn

Nov 30 06:27:20 opus sshd[28166]: pam_succeed_if(sshd:auth): error retrieving information about user shop

Nov 30 06:27:23 opus sshd[28166]: Failed password for invalid user shop from 202.119.60.132 port 40634 ssh2

Nov 30 06:27:23 opus sshd[28167]: Received disconnect from 202.119.60.132: 11: Bye Bye

Nov 30 06:27:25 opus sshd[28168]: Invalid user lady from 202.119.60.132

Nov 30 06:27:25 opus sshd[28169]: input_userauth_request: invalid user lady

Nov 30 06:27:25 opus sshd[28168]: pam_unix(sshd:auth): check pass; user unknown

Nov 30 06:27:25 opus sshd[28168]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cool.nju.edu.cn

Nov 30 06:27:25 opus sshd[28168]: pam_succeed_if(sshd:auth): error retrieving information about user lady

Nov 30 06:27:28 opus sshd[28168]: Failed password for invalid user lady from 202.119.60.132 port 41408 ssh2

Nov 30 06:27:28 opus sshd[28169]: Received disconnect from 202.119.60.132: 11: Bye Bye

Nov 30 06:27:30 opus sshd[28170]: Invalid user lady from 202.119.60.132

Nov 30 06:27:30 opus sshd[28171]: input_userauth_request: invalid user lady

Nov 30 06:27:30 opus sshd[28170]: pam_unix(sshd:auth): check pass; user unknown

Nov 30 06:27:30 opus sshd[28170]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=cool.nju.edu.cn

Nov 30 06:27:30 opus sshd[28170]: pam_succeed_if(sshd:auth): error retrieving information about user lady

The bad boys trying to break in, guessing usernames

… this is why you need strong passwords