Logs As A Security Tool

I used to hear it all the time: "Linux is as secure as they come, nearly crack proof." Sounds too good to be true, doesn't it? And, like most things that sound too good to be true, the statement is far from gospel. While Linux is inherently more secure than Windows, it's certainly not crack proof. If, like me, you've got a Linux box that's connected to the Internet full time, there will always be a necessary set of precautions to take in order to prevent or detect intrusions into your system. While there are several very strong tools for securing your machine and for detecting and tracing intrusions, sometimes the first line of defense is the simplest: your log files. When concerned with the security of an Internet-connected machine, there really are four log files to monitor regularly:

  - /var/log/messages
  - /var/log/secure
  - /var/log/maillog
  - /var/log/xferlog
The first, /var/log/messages, contains the broadest range of messages, everything from user logins to service messages. The second, /var/log/secure, focuses on such services as in.telnetd and in.ftpd, both of which serve files to and accept files from the Internet. The third, /var/log/maillog, tracks messages from sendmail. Finally, /var/log/xferlog is a record of all FTP transfers.

You'll need some comfort with a text editor to view these logs. In the case of vi, use the -R option to prevent accidental alteration or eradication of these crucial files.

The first and most obvious log item to review on a regular basis is attempted connections from unknown hosts. These connection attempts often occur with the help of port scanners. For example, a typical entry in /var/log/secure might look like:

  Feb 08

Two items in this example are crucial.
First is the START: ftp entry. This is an attempted FTP connection. The second is the "pid", the process id number, a number that will also be logged in /var/log/messages. The pid lets you check whether the connection attempt was successful by grepping that number from the messages log in the /var/log/ directory:

  cd /var/log/

The resulting output will show the success or failure of the FTP connection attempt, including the user name used.

In the same fashion, you can check for suspicious or unusual entries in the other log files. Above all else, practical experience in checking your logs is what tells you how secure your system is. In other words, it's essential to become familiar with these logs and to check them regularly. It's the first line of defense: knowing what you're up against.
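The pid correlation described above, carried out as a small shell script. This is an added example, not code from the original article: the /var/log/secure and /var/log/messages lines it works on are constructed samples in an assumed inetd/tcp_wrappers style ("START: ftp pid=NNN from=HOST" in secure, "ftpd[NNN]: ..." in messages), and the function names pids_for_service, outcome_for_pid and ftp_outcomes are the script's own. Real entries vary by distribution and daemon version, so the grep and sed patterns are the part to adjust against your own logs.

```shell
#!/bin/sh
# Added example (not from the original article): pull the pid out of every
# "START: ftp" entry in the secure log, then grep that pid in the messages log
# to see how the session ended. The two log excerpts below are constructed
# samples; their exact format is an assumption about an inetd-style setup.

SECURE_SAMPLE='Feb 08 02:13:44 box in.ftpd[1234]: connect from 198.51.100.7
Feb 08 02:13:44 box in.ftpd[1234]: START: ftp pid=1234 from=198.51.100.7
Feb 08 02:14:02 box in.telnetd[1240]: START: telnet pid=1240 from=203.0.113.9'

MESSAGES_SAMPLE='Feb 08 02:13:49 box ftpd[1234]: FTP LOGIN FAILED FROM 198.51.100.7, anonymous
Feb 08 02:13:49 box ftpd[1234]: FTP session closed
Feb 08 02:14:08 box login[1240]: LOGIN ON ttyp0 BY alice FROM 203.0.113.9'

# pids_for_service SERVICE SECURE_LOG
# Print, one per line, the pid of every "START: <SERVICE>" entry in SECURE_LOG.
pids_for_service() {
    grep "START: $1 " "$2" | sed -n 's/.*pid=\([0-9][0-9]*\).*/\1/p'
}

# outcome_for_pid PID MESSAGES_LOG
# Print the messages-log lines tagged with [PID], i.e. that session's result
# (login success or failure, user name, session close).
outcome_for_pid() {
    grep "\[$1\]" "$2"
}

# ftp_outcomes SECURE_LOG MESSAGES_LOG
# For every FTP START entry in SECURE_LOG, print its pid followed by the
# matching outcome lines from MESSAGES_LOG, indented.
ftp_outcomes() {
    for pid in $(pids_for_service ftp "$1"); do
        echo "pid $pid:"
        outcome_for_pid "$pid" "$2" | sed 's/^/    /'
    done
}

# Write the constructed samples to temporary files so the functions run exactly
# as they would against /var/log/secure and /var/log/messages. On a real box
# you would pass those two paths instead (viewing, never editing, the originals).
secure_tmp=$(mktemp)
messages_tmp=$(mktemp)
trap 'rm -f "$secure_tmp" "$messages_tmp"' EXIT
printf '%s\n' "$SECURE_SAMPLE" > "$secure_tmp"
printf '%s\n' "$MESSAGES_SAMPLE" > "$messages_tmp"

ftp_outcomes "$secure_tmp" "$messages_tmp"
```

Against the sample data this prints pid 1234 followed by the "FTP LOGIN FAILED ... anonymous" and "FTP session closed" lines, which is exactly the success-or-failure answer the article says the messages log gives you; the telnet START entry (pid 1240) is ignored because only FTP sessions are requested. Swapping "ftp" for "telnet" in the ftp_outcomes loop gives the same correlation for telnet logins.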
