I provide some remote backup services for a few clients. Nightly, their computers rsync data to my server.
Ok, one of my clients got broken into a few days ago and their computers were stolen. No problem, we have backups. Here's the interesting thing... they are TOO current!! The thieves were stupid enough to plug the thing in and connect it to the Internet without clearing anything, so the backups are continuing.
I'm not savvy enough with general Linux to know for certain... but could I find somewhere on my server a log showing the IP that they are connecting from? With that... and a cop that gives a crap... maybe it's possible to locate them?
We'll leave the legal aspect to the appropriate folks, but can someone tell me what commands and/or locations to look at to see the IP address?
The server is a RedHat 9 machine stripped down to just the basics. No x-windows or anything like that. The incoming connections are done through rsync via OpenSSH.
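For the setup described above (rsync over OpenSSH), the source address of each session is recorded by sshd in its "Accepted ..." log lines. The following is an added example, not part of the original post: a shell function that summarises those lines per account and source IP. It assumes sshd logs through syslog to /var/log/secure (the Red Hat default); the account names, hostnames and addresses in the sample log are constructed.

```shell
#!/bin/sh
# Added example: summarise accepted sshd logins per account and source IP.
# Assumption: sshd logs via syslog to /var/log/secure (Red Hat default).

# accepted_logins FILE [USER]
# Prints "user ip count last_seen" for each Accepted line,
# optionally restricted to one account.
accepted_logins() {
    awk -v want="${2:-}" '
    / sshd\[[0-9]+\]: Accepted / {
        user = ""; ip = ""
        for (i = 1; i < NF; i++) {
            if ($i == "for")  user = $(i + 1)
            if ($i == "from") ip = $(i + 1)
        }
        sub(/^::ffff:/, "", ip)        # IPv4-mapped form logged by some builds
        if (user == "" || ip == "") next
        if (want != "" && user != want) next
        key = user " " ip
        count[key]++
        last[key] = $1 " " $2 " " $3   # syslog timestamp: month day time
    }
    END { for (k in count) print k, count[k], last[k] }
    ' "$1" | sort
}

# Constructed sample in the /var/log/secure line format (not real data).
sample_log() {
cat <<'EOF'
Mar  3 02:00:01 backup sshd[2101]: Accepted publickey for clienta from 192.0.2.10 port 40312 ssh2
Mar  3 02:05:44 backup sshd[2140]: Failed password for root from 198.51.100.23 port 51515 ssh2
Mar  4 02:00:02 backup sshd[2391]: Accepted publickey for clienta from 192.0.2.10 port 40877 ssh2
Mar  6 19:12:30 backup sshd[2988]: Accepted publickey for clienta from ::ffff:203.0.113.77 port 33210 ssh2
Mar  6 02:00:01 backup sshd[2901]: Accepted password for clientb from 198.51.100.5 port 45001 ssh2
EOF
}

# Usage on the server (as root): sh thisfile.sh /var/log/secure clienta
if [ $# -gt 0 ]; then
    accepted_logins "$@"
fi
```

Older entries sit in the rotated files next to the live log (/var/log/secure.1 and so on), so run it over those as well and copy the files somewhere safe before they rotate away. A source address that first appears for the client's account after the date of the theft is the one to hand over, together with the timestamps.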