Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Is the auth.log file the only file to check for unauthorized user access (/hackers/crackers/up_to_no_gooders)?

Posted on 2006-05-07
Medium Priority
Last Modified: 2010-08-05
I have a multi-user Debian Linux System installed.

Is the auth.log file the only file I would need to check for unauthorized user access (/hackers/crackers/up_to_no_gooders)?

Question by:llvllar1on
  • 3
  • 2

Accepted Solution

AndyAelbrecht earned 100 total points
ID: 16624942
I'd also check /var/log/sshd.log for bad ssh login attempts (or brute-force attempts if you see a bunch of tries from the same host)

The command "lastlog" also shows you, for all accounts, who has logged on there for the last time (giving you the IP)
The command "faillog" gives you the amount of failed logins for each user

I'd also be using chkrootkit (http://www.chkrootkit.org/) to check if a rootkit has been installed, once you know (or think) your system has been compromised.

That's about all you can do afterwards

You can install something like SELinux (http://www.nsa.gov/selinux/) or an Intrusion Detection System (IDS) (http://www.linux.org/docs/ldp/howto/Security-Quickstart-HOWTO/index.html) to have your system harder to crack / be warned when it's happening.

Hope this helps,

LVL 16

Expert Comment

ID: 16625870

The best file to check is the /var/log/secure this file contains alot of information on failed activites such as
ssh failed logins

Author Comment

ID: 16627247
The command lastlog works.
The command faillog does not work.

I also checked /var/log/sshd.log.  The file does not exist.

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!


Expert Comment

ID: 16628335
then you have no SSH Server Daemon installed, which is good.
if faillog doesn't work, try searching for the right package (can't do it right here) with "apt-cache search faillog"
if a package shows up, you can download it with "apt-get install packagename"

after it's installed, try again

Author Comment

ID: 16633648
Ok I tried CLI "apt-cache search faillog".  No results returned.

I try CLI "apt-get install faillog" and get the following response:

Reading Package Lists... Done
Building Dependency Tree... Done
E: Couldn't find package faillog

What's going on?

Expert Comment

ID: 16636883
in linux, the package (as far as i know) "coreutils" has this utility. it could also be the package "login" but I doubt it since your system is still able to login, right ? :-)

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Suggested Courses

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question