I had an unexpected (and unexplained) crash in the early hours of this morning, and when I restarted the machine, began to look through /var/log/messages to see if there were any clues. There weren't: it just went from routine messages to rebooting ones without anything in between. But, scrolling back, I discovered connections to sshd (the only service on the machine that's open to the internet) from South Korea, Russia, China, Germany ... So far as I know, none of these people succeeded in logging on. But I thought there ought to be some file which recorded attempts to log on, and I can't find it. What should it be, and do I need to turn it on?
-- Andrew Brown
What I do: www.darwinwars.com
What I'm up to: www.thewormbook.com/helmintholog/
Andrew Brown writes:
I had an unexpected (and unexplained) crash in the early hours of this morning, and when I restarted the machine, began to look through /var/log/messages to see if there were any clues. There weren't: it just went from routine messages to rebooting ones without anything in between. But, scrolling back, I discovered connections to sshd (the only service on the machine that's open to the internet) from South Korea, Russia, China, Germany ... So far as I know, none of these people succeeded in logging on. But I thought there ought to be some file which recorded attempts to log on, and I can't find it. What should it be, and do I need to turn it on?
$ man last -Ti
On Sunday 05 September 2004 11:10, Andrew Brown wrote:
I had an unexpected (and unexplained) crash in the early hours of this morning, and when I restarted the machine, began to look through /var/log/messages to see if there were any clues. There weren't: it just went from routine messages to rebooting ones without anything in between. But, scrolling back, I discovered connections to sshd (the only service on the machine that's open to the internet) from South Korea, Russia, China, Germany ... So far as I know, none of these people succeeded in logging on. But I thought there ought to be some file which recorded attempts to log on, and I can't find it. What should it be, and do I need to turn it on?
Unsuccessful login attempts through sshd are recorded in /var/log/messages; try it and see. Successful logins are also recorded there, as well as in utmp and wtmp. Note that most cracks rely on crashing the daemon somehow, or overwriting parts of it with code that opens shells, or some other such trick, and that usually won't be logged anywhere.
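As an added example (not from any post in this thread), a small POSIX shell script that pulls the sshd failure and acceptance lines Anders mentions out of syslog-style text, as found in /var/log/messages, and counts the failures per source address. The log lines embedded below are constructed for illustration.

```shell
# Constructed sample of syslog-style sshd lines (not real log data).
SAMPLE_LOG='Sep  5 03:12:01 host sshd[4242]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep  5 03:12:04 host sshd[4242]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep  5 03:12:09 host sshd[4251]: Failed password for invalid user admin from 198.51.100.9 port 40111 ssh2
Sep  5 03:12:30 host sshd[4260]: Accepted publickey for andrew from 192.0.2.10 port 60000 ssh2
Sep  5 03:13:02 host sshd[4271]: Failed password for root from 203.0.113.7 port 51030 ssh2'

# failed_by_source: read log lines on stdin and print "count address" for
# every address that produced a "Failed password" line, most attempts first.
failed_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' |
    sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# top_failed_source: the single address with the most failures (empty if none).
top_failed_source() {
    failed_by_source | head -n 1 | awk '{ print $2 }'
}

# accepted_logins: print "user address method" for each successful login.
# A success that follows a burst of failures from the same address is the
# event worth noticing, so list both.
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted ' |
    sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) .*/\2 \3 \1/p'
}

# Run over the sample; on a real box pipe /var/log/messages in instead.
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | accepted_logins
```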
Anders Johansson wrote:
Note that most cracks rely on crashing the daemon somehow, or overwriting parts of it with code that open shells, or some other such trick, and that usually won't be logged anywhere
So what then? Is this where something like tripwire is useful?
Damon Register
On Tuesday 07 September 2004 14:34, Damon Register wrote:
Anders Johansson wrote:
Note that most cracks rely on crashing the daemon somehow, or overwriting parts of it with code that open shells, or some other such trick, and that usually won't be logged anywhere
So what then? Is this where something like tripwire is useful?
Tripwire (or similar) is always useful, but it won't prevent breakins. Only help you detect them after the fact
Anders Johansson wrote:
Tripwire (or similar) is always useful, but it won't prevent breakins. Only help you detect them after the fact
So are you saying the best one can do is find they have been hacked but prevention is not possible?
Damon Register
On Tuesday 07 September 2004 15:14, Damon Register wrote:
Anders Johansson wrote:
Tripwire (or similar) is always useful, but it won't prevent breakins. Only help you detect them after the fact
So are you saying the best one can do is find they have been hacked but prevention is not possible?
With the current state-of-the-art programming, no it isn't, short of turning off all services. If you are offering a service to the internet, and that service contains a bug that lets someone crack it, then there is no foolproof way to prevent someone from doing it. The best you can ever hope for is to make it so hard that the effort required to crack it isn't worth whatever is found on the machine. And history teaches us that any service, no matter how well audited, always has odds > 0 that it contains as yet undiscovered security problems.

If you stay up to date with all the security patches released, if you only have services available that you really need to have available and turn off everything else, and if you use the various security patches such as the non-executable stack patch and others like it (Solar Designer, grsecurity etc), then you still won't have a 100% crack-proof system, but chances are that you will defeat the "casual cracker" (read: script kiddie), and if you don't have anything on your machine that makes it worth the while of someone who really knows what he's doing, then you will probably be fine.

This isn't to say that a system can't ever be secure; a well programmed system that has no bugs in it will be. But with current technology, we can't ever trust it; it will be an act of faith. Some day, someone may come up with a way to make it practical to produce mathematical proof that a given program is correct and secure, but to date all efforts that I'm aware of have failed. This is why, in "real" situations, you should physically separate all services connected to the internet from any internal machines where your valuable data is.
On Tuesday 07 September 2004 08:14, Damon Register wrote:
Anders Johansson wrote:
Tripwire (or similar) is always useful, but it won't prevent breakins. Only help you detect them after the fact
So are you saying the best one can do is find they have been hacked but prevention is not possible?
Damon Register
Prevention is completely possible. I use portsentry for that -- 'anal' mode. Yesterday it even shut down my ISP probing one of my ports ...but the connection still works.
HTAYQ... -- ..."Yogi" CH Namasté Yoga Studio "If music be the food of love, why can't rabbits sing?"
On Tuesday 07 September 2004 16:01, C Hamel wrote:
On Tuesday 07 September 2004 08:14, Damon Register wrote:
Anders Johansson wrote:
Tripwire (or similar) is always useful, but it won't prevent breakins. Only help you detect them after the fact
So are you saying the best one can do is find they have been hacked but prevention is not possible?
Damon Register
Prevention is completely possible. I use portsentry for that -- 'anal' mode. Yesterday it even shut down my ISP probing one of my ports ...but the connection still works.
PortSentry is a tool for detecting portscans. It's certainly useful, but it's hardly a cure against all cracks.
-----Original Message-----
From: Andrew Brown
I had an unexpected (and unexplained) crash in the early hours of this morning, and when I restarted the machine, began to look through /var/log/messages to see if there were any clues. There weren't: it just went from routine messages to rebooting ones without anything in between. But, scrolling back, I discovered connections to sshd (the only service on the machine that's open to the internet) from South Korea, Russia, China, Germany ... So far as I know, none of these people succeeded in logging on. But I thought there ought to be some file which recorded attempts to log on, and I can't find it. What should it be, and do I need to turn it on?
last would be the command. If, as root, you touch /var/log/btmp you can also run lastb to check for failed login attempts. wtmp and btmp are binary files that cannot be edited.
Ken
On Sun, 05 Sep 2004 05:35:17 -0400, Ken Schneider
last would be the command. If, as root, you
touch /var/log/btmp you can also run lastb to check for failed login attempts.
wtmp and btmp are binary files that cannot be edited.
Thanks. Very helpful and ultimately reassuring
-- Andrew Brown
What I do: www.darwinwars.com
What I'm up to: www.thewormbook.com/helmintholog/
participants (6): Anders Johansson, Andrew Brown, C Hamel, Damon Register, Ken Schneider, ti@amb.org