Check Logs for Suspicious Activity
Security - Server Security

Check Log Files for Suspicious Activity


There are a number of log files that provide information about the status of the server. Three of the most important are /var/log/messages,
/var/log/syslog and /var/log/secure. Scrolling through these by hand on a daily basis is very time consuming, so it is important to use an egrep or grep command to pull out the important information contained in these logs.

egrep is a powerful command that searches text for patterns. It is similar to grep. There are several options that may be used to check log files.

-e pattern  search for the given pattern
-f file     read the patterns to search for from a file
-i          ignore case
-n          list matching lines with their line numbers
-v          list lines that do not match

This command examines the log file /var/log/messages for the pattern "fail", which may indicate a failed login or a failed attempt to connect on a given port.
egrep -e fail /var/log/messages

This command lists, with line numbers, all of the attempted connections that used UDP instead of TCP.
egrep -n UDP /var/log/messages

This command looks for any messages that refer to the root user and pipes them to the more command so you can scroll through them.
egrep -e root /var/log/messages | more


Key words to look for are: Authentication, root, failed, refused connections, login, and any other words that may indicate security issues. Note that Linux is case sensitive (see the -i option above).
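The checks above, as an added example that is not part of the original article: a small POSIX shell script that runs them over a constructed sample of /var/log/messages-style lines, using the -e, -f, -i and -n options listed earlier. The log lines, host name and addresses are made up for the example, and the key words are placed in a pattern file so the whole scan is one command.

```shell
#!/bin/sh
# Added example (not from the original article): the egrep checks described
# above, run against a constructed sample of /var/log/messages-style lines.
# GNU grep treats "egrep" as "grep -E", so grep -E is used here for portability.

LOGFILE=$(mktemp)     # constructed sample log, not a real server log
PATTERNS=$(mktemp)    # key words from the article, one per line, for -f
trap 'rm -f "$LOGFILE" "$PATTERNS"' EXIT

# Write the constructed sample log. Addresses are from documentation ranges.
make_sample_log() {
    cat > "$LOGFILE" <<'EOF'
Apr  4 03:05:01 host sshd[1234]: Accepted password for mike from 192.0.2.10 port 50222 ssh2
Apr  4 03:06:12 host sshd[1240]: Failed password for root from 198.51.100.7 port 40111 ssh2
Apr  4 03:06:15 host sshd[1240]: Failed password for root from 198.51.100.7 port 40111 ssh2
Apr  4 03:07:00 host kernel: UDP: bad checksum from 203.0.113.5
Apr  4 03:08:30 host sshd[1251]: refused connect from 203.0.113.9
Apr  4 03:09:00 host su: pam_unix(su:session): session opened for user root by mike
EOF
    printf '%s\n' authentication root fail refused login > "$PATTERNS"
}

# Count lines in log $1 that match pattern $2, ignoring case (-i).
# grep exits 1 when nothing matches, so "|| true" keeps "0" as the answer.
count_matches() {
    grep -E -i -c -e "$2" "$1" || true
}

# Print, with line numbers (-n), every line matching any key word in the
# pattern file (-f), ignoring case (-i): the article's scan as one command.
show_suspicious() {
    grep -E -i -n -f "$PATTERNS" "$1" || true
}

# Number of lines show_suspicious would report for log $1.
count_suspicious() {
    show_suspicious "$1" | grep -c . || true
}

make_sample_log
echo "Failed attempts: $(count_matches "$LOGFILE" fail)"
echo "UDP mentions:    $(count_matches "$LOGFILE" UDP)"
echo "Root mentions:   $(count_matches "$LOGFILE" root)"
echo "Lines to review:"
show_suspicious "$LOGFILE"
```

On a real server, point LOGFILE at /var/log/messages or /var/log/secure and pipe show_suspicious into more, as the article does.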

It is important that successful logins are evaluated as well. This may reveal that a user account is being used when it should not be. The most recent logins can be listed with this command:

last | more

Again the output is piped to more so it is easier to scroll through. Here is a sample:
mike pts/2 Sun Apr 4 03:05 - 03:13 (00:08)
mike pts/1 Sat Apr 3 20:31 still logged in
mike pts/1 Sat Apr 3 11:14 - 11:15 (00:01)
mike pts/1 Sat Apr 3 08:41 - 09:38 (00:56)
mike pts/1 Sat Apr 3 04:58 - 08:40 (03:42)
mike pts/1 Fri Apr 2 23:25 - 23:25 (00:00)
mike pts/0 Fri Apr 2 07:42 still logged in
mike :0 console Fri Apr 2 07:42 still logged in
reboot system boot 2.4.21-192-defau Fri Apr 2 07:41 (2+00:41)
mike pts/0 Fri Apr 2 07:21 - crash (00:20)
mike :0 console Fri Apr 2 07:20 - crash (00:20)
reboot system boot 2.4.21-192-defau Fri Apr 2 07:19 (2+01:03)
mike pts/1 Thu Apr 1 11:19 - 00:45 (13:26)
mike pts/1 Thu Apr 1 10:45 - 10:45 (00:00)
mike pts/0 Thu Apr 1 09:35 - 00:45 (15:09)
mike :0 console Thu Apr 1 09:35 - 00:45 (15:10)


Copyright CyberMontana Inc. and BeginLinux.com

All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874