Is the auth.log file the only file to check for unauthorized user access (/hackers/crackers/up_to_no_gooders)?

Posted on 2006-05-07
Last Modified: 2010-08-05
I have a multi-user Debian Linux System installed.

Is the auth.log file the only file I would need to check for unauthorized user access (/hackers/crackers/up_to_no_gooders)?

Question by:llvllar1on
    LVL 4

    Accepted Solution

    I'd also check /var/log/sshd.log for bad ssh login attempts (or brute-force attempts if you see a bunch of tries from the same host)

    The command "lastlog" also shows you, for all accounts, who has logged on there for the last time (giving you the IP)
    The command "faillog" gives you the amount of failed logins for each user

    I'd also be using chkrootkit to check if a rootkit has been installed, once you know (or think) your system has been compromised.

    That's about all you can do afterwards

    You can install something like SELinux or an Intrusion Detection System (IDS) to have your system harder to crack / be warned when it's happening.

    Hope this helps,
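
The check described in the answer above (a bunch of failed tries from the same host), as an added example that is not part of the original thread. It assumes the usual OpenSSH syslog message format as written to /var/log/auth.log on Debian; the sample lines, the `analyze` function and the threshold of 3 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the sshd syslog format (assumed, not from the thread).
SAMPLE_LOG = """\
May  7 03:12:01 debian sshd[2101]: Failed password for root from 203.0.113.5 port 4022 ssh2
May  7 03:12:03 debian sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 4031 ssh2
May  7 03:12:05 debian sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 4040 ssh2
May  7 03:12:08 debian sshd[2107]: Failed password for bob from 203.0.113.5 port 4049 ssh2
May  7 03:12:11 debian sshd[2109]: Accepted password for bob from 203.0.113.5 port 4058 ssh2
May  7 09:00:10 debian sshd[2500]: Failed password for alice from 198.51.100.7 port 5100 ssh2
May  7 09:00:20 debian sshd[2502]: Accepted password for alice from 198.51.100.7 port 5101 ssh2
May  7 09:05:00 debian su[2600]: (pam_unix) session opened for user root by alice(uid=1000)
"""

# Matches sshd login results; older OpenSSH logs "illegal user", newer "invalid user".
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)

def analyze(log_text, threshold=3):
    """Return {host: report} for hosts with >= threshold failed logins."""
    failures = defaultdict(list)      # host -> usernames tried, in order
    report = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue                  # not an sshd login event (e.g. su, cron)
        host, user = m["host"], m["user"]
        if m["result"] == "Failed":
            failures[host].append(user)
        elif len(failures[host]) >= threshold:
            # A success right after many failures from one host is the
            # entry to look at first: the guessing may have worked.
            report.setdefault(host, {"succeeded_as": []})["succeeded_as"].append(user)
    for host, users in failures.items():
        if len(users) >= threshold:
            entry = report.setdefault(host, {"succeeded_as": []})
            entry["failed"] = len(users)
            entry["users_tried"] = sorted(set(users))
    return report

if __name__ == "__main__":
    for host, info in analyze(SAMPLE_LOG).items():
        print(host, info)
```

A single mistyped password followed by a success (alice in the sample) stays below the threshold and is not reported; a host with a non-empty `succeeded_as` list is the one to cross-check against `lastlog`.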

    LVL 16

    Expert Comment


    The best file to check is /var/log/secure; this file contains a lot of information on failed activities such as ssh failed logins

    Author Comment

    The command lastlog works.
    The command faillog does not work.

    I also checked /var/log/sshd.log.  The file does not exist.

    LVL 4

    Expert Comment

    Then you have no SSH Server Daemon installed, which is good.
    If faillog doesn't work, try searching for the right package (can't do it right here) with "apt-cache search faillog".
    If a package shows up, you can download it with "apt-get install packagename".

    After it's installed, try again.

    Author Comment

    Ok I tried CLI "apt-cache search faillog".  No results returned.

    I try CLI "apt-get install faillog" and get the following response:

    Reading Package Lists... Done
    Building Dependency Tree... Done
    E: Couldn't find package faillog

    What's going on?
    LVL 4

    Expert Comment

    In Linux, the package (as far as I know) "coreutils" has this utility. It could also be the package "login", but I doubt it since your system is still able to log in, right? :-)
