Thursday, January 21, 2010
Who is currently logged in? - linux
Who is currently logged in?
who: lists all users currently in the system.
last: list login/logout history
lastb: list all the bad / failed login attempts
lastlog: show the last time somebody logged into the system
who: lists all users currently in the system.
last: list login/logout history
lastb: list all the bad / failed login attempts
lastlog: show the last time somebody logged into the system
Harden Fedora box
1, patch your system
[root@testvm testvm.localdomain.Log]# yum update
2, Disable root ssh login
Make /etc/ssh/sshd_config contain the line:
PermitRootLogin no
and restart your SSH daemon:
# /etc/init.d/sshd restart
3, Prevent trivial root console break-in (Linux only)
Add the following line to the file /etc/inittab right after the line referencing /etc/rc.d/rc.sysinit
ss:S:respawn:/sbin/sulogin
4 Enable password aging on Linux systems
By editing /etc/login.defs, you can specify a few parameters to set the default settings for password aging:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
[root@testvm testvm.localdomain.Log]# yum update
2, Disable root ssh login
Make /etc/ssh/sshd_config contain the line:
PermitRootLogin no
and restart your SSH daemon:
# /etc/init.d/sshd restart
3, Prevent trivial root console break-in (Linux only)
Add the following line to the file /etc/inittab right after the line referencing /etc/rc.d/rc.sysinit
ss:S:respawn:/sbin/sulogin
4 Enable password aging on Linux systems
By editing /etc/login.defs, you can specify a few parameters to set the default settings for password aging:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
How to check if hacker try to hack your site - Ubuntu?
1, Check the log
less /var/log/auth.log
Here is part of this file
Jan 21 02:57:52 SS sshd[7749]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:57:54 SS sshd[7749]: Failed password for root from 222.73.68.164 port 47502 ssh2
Jan 21 02:57:57 SS sshd[7751]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:57:58 SS sshd[7751]: Failed password for root from 222.73.68.164 port 47809 ssh2
Jan 21 02:58:00 SS sshd[7753]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:02 SS sshd[7753]: Failed password for root from 222.73.68.164 port 48078 ssh2
Jan 21 02:58:05 SS sshd[7755]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:07 SS sshd[7755]: Failed password for root from 222.73.68.164 port 48385 ssh2
Jan 21 02:58:09 SS sshd[7757]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:11 SS sshd[7757]: Failed password for root from 222.73.68.164 port 48674 ssh2
Jan 21 02:58:13 SS sshd[7759]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:15 SS sshd[7759]: Failed password for root from 222.73.68.164 port 48969 ssh2
Jan 21 02:58:17 SS sshd[7761]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:19 SS sshd[7761]: Failed password for root from 222.73.68.164 port 49265 ssh2
Jan 21 02:58:21 SS sshd[7763]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:23 SS sshd[7763]: Failed password for root from 222.73.68.164 port 49572 ssh2
Jan 21 02:58:30 SS sshd[7765]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:32 SS sshd[7765]: Failed password for root from 222.73.68.164 port 49857 ssh2
Jan 21 02:58:34 SS sshd[7767]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:36 SS sshd[7767]: Failed password for root from 222.73.68.164 port 50415 ssh2
You can see this guy 222.73.68.164 try to logon to my server using ssh.
I am not going to blame this guy, because he mostly is a victim.
2, file system integrity check
Using linux command find to find which files have been changed in the past 24 hours
find /var/www/ -mmin -1440 | more
3, send this log to you
You may want to receive this log by email.
First, save find result to a file
find /var/www/ -mmin -1440 > file_changed
Second, email this log file to you
"/usr/sbin/sendmail -v 'xxxxxxxx@gmail.com' < file_changed"
less /var/log/auth.log
Here is part of this file
Jan 21 02:57:52 SS sshd[7749]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:57:54 SS sshd[7749]: Failed password for root from 222.73.68.164 port 47502 ssh2
Jan 21 02:57:57 SS sshd[7751]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:57:58 SS sshd[7751]: Failed password for root from 222.73.68.164 port 47809 ssh2
Jan 21 02:58:00 SS sshd[7753]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:02 SS sshd[7753]: Failed password for root from 222.73.68.164 port 48078 ssh2
Jan 21 02:58:05 SS sshd[7755]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:07 SS sshd[7755]: Failed password for root from 222.73.68.164 port 48385 ssh2
Jan 21 02:58:09 SS sshd[7757]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:11 SS sshd[7757]: Failed password for root from 222.73.68.164 port 48674 ssh2
Jan 21 02:58:13 SS sshd[7759]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:15 SS sshd[7759]: Failed password for root from 222.73.68.164 port 48969 ssh2
Jan 21 02:58:17 SS sshd[7761]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:19 SS sshd[7761]: Failed password for root from 222.73.68.164 port 49265 ssh2
Jan 21 02:58:21 SS sshd[7763]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:23 SS sshd[7763]: Failed password for root from 222.73.68.164 port 49572 ssh2
Jan 21 02:58:30 SS sshd[7765]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:32 SS sshd[7765]: Failed password for root from 222.73.68.164 port 49857 ssh2
Jan 21 02:58:34 SS sshd[7767]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.73.68.164 user=root
Jan 21 02:58:36 SS sshd[7767]: Failed password for root from 222.73.68.164 port 50415 ssh2
You can see this guy 222.73.68.164 try to logon to my server using ssh.
I am not going to blame this guy, because he mostly is a victim.
2, file system integrity check
Using linux command find to find which files have been changed in the past 24 hours
find /var/www/ -mmin -1440 | more
3, send this log to you
You may want to receive this log by email.
First, save find result to a file
find /var/www/ -mmin -1440 > file_changed
Second, email this log file to you
"/usr/sbin/sendmail -v 'xxxxxxxx@gmail.com' < file_changed"
Cent OS Sendmail issue
Issue:Connection refused by [127.0.0.1]
less /var/log/maillog
ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=35380, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by
lass=0, nrcpts=1, msgid=<201001202215.o0kmf2gf024136@localhost.localdomain>, relay=root@localhost
(0/0), delay=00:00:02, xdelay=00:00:00, mailer=relay, pri=30705, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Test:
/usr/sbin/sendmail -v 'xxxxxxx@gmail.com' < anytextfile.txt
Solution:
modify under /etc/mail/sendmail.mc and check.
comment out the line below by prepending it with 'dnl", like so:
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
restart the services with 'service sendmail restart' and check.
less /var/log/maillog
ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=35380, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by
lass=0, nrcpts=1, msgid=<201001202215.o0kmf2gf024136@localhost.localdomain>, relay=root@localhost
(0/0), delay=00:00:02, xdelay=00:00:00, mailer=relay, pri=30705, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
Test:
/usr/sbin/sendmail -v 'xxxxxxx@gmail.com' < anytextfile.txt
Solution:
modify under /etc/mail/sendmail.mc and check.
comment out the line below by prepending it with 'dnl", like so:
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
restart the services with 'service sendmail restart' and check.
Subscribe to:
Comments (Atom)