> Ssh/sshd Log, Problem, need to see log
Termina
post Feb 26 2004, 10:18 PM
Post #1





Recently someone logged in via SSH on my server and removed everything in the folder they had access to. Sadly they didn't do this with FTP (Proftpd = logs), but I'd like to know who did it.

Anyone have any idea how I can find out? (Happened between 5:30pm and 6:30pm it seems)


--------------------
*Points finger at the author above him* They're a witch! Burn them!
---
Visit my website!
Join me in IRC! Server: st0rage.org Channel: #UnhandledExceptions
Robert83
post Feb 27 2004, 01:25 AM
Post #2





Hi,

/var/log/messages [note: you can find SSH logs here (who logged in, when, from what IP), but it also contains other kernel messages...]


Sincerely
Robert B


--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
May the source be with us!
--------------------
AMD X2-3800 @ 2400Mhz
2048MB DDR 400Mhz
DFI Lanparty UT4 NF4 ULTRA-D
GeForce 7800GT
250GB+250GB
Pioneer DVD-RW
17inch Samsung Syncmaster 757NF
WinXP Pro (SP2)/ CentOS 4.3
--------------------
hughesjr
post Feb 27 2004, 09:19 AM
Post #3





Termina ...

I would recommend a chrooted sftp setup ... see this link.

If you do this though, you would need to maintain the security patches on the ssh you build for the chroot yourself. (building new ssh with the chroot patch when necessary).

You could then write a cron that would copy the files from the chrooted directory to where you really want them to go (then remove them from the chroot directory on successful copy) ... and the individual users, that you set to the chroot, can't mess with the files outside the chroot.


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
Termina
post Feb 27 2004, 09:21 AM
Post #4





I don't see any SSH logs in there (I use SSH all the time, so I should at least see me in there). =/

It happened again this morning as well, after I changed all the passwords to FTP/SSH. =/

Any idea what I should do to find out who did this? (Hey, I'll give you SSH to help me find out)

Or is there a way to limit which accounts can be used with proftpd and SSH?


hughesjr
post Feb 27 2004, 11:46 AM
Post #5





In my debian SID install, it is in a log called /var/log/auth.log ...

If it's not there, go into the file /etc/syslog.conf and look for the name of the log for:

auth, authpriv


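The lookup suggested in the reply above, as an added example that is not part of the original thread: find which file `/etc/syslog.conf` routes `auth`/`authpriv` to, then list accepted sshd logins inside a time window such as the 5:30pm to 6:30pm one from the first post. It assumes classic syslog.conf selector syntax, traditional syslog timestamps and OpenSSH's "Accepted ... for USER from IP" message; the function names, host, users and addresses are constructed for illustration.

```shell
#!/bin/sh
# Print the file that syslog.conf routes the auth or authpriv facility to.
# Only explicit selectors are matched; "auth,authpriv.none" exclusions are skipped.
auth_log_path() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            dest = $NF
            n = split($1, sel, ";")
            for (i = 1; i <= n; i++)
                if (("," sel[i]) ~ /,auth(priv)?[,.]/ && sel[i] !~ /\.none$/) {
                    sub(/^-/, "", dest)   # leading "-" only means "do not sync"
                    print dest
                    exit
                }
        }' "$1"
}

# usage: ssh_logins_between LOG MONTH DAY HH:MM HH:MM
# Prints "time user source-ip method" for each accepted sshd login in the window.
ssh_logins_between() {
    awk -v mon="$2" -v day="$3" -v from="$4" -v to="$5" '
        $1 == mon && $2 == day && $5 ~ /^sshd(\[[0-9]+\])?:$/ && $6 == "Accepted" {
            t = substr($3, 1, 5)          # HH:MM, compared as a string
            if (t >= from && t <= to) print $3, $9, $11, $7
        }' "$1"
}

# Constructed sample input (not from the thread); addresses are documentation ranges.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/syslog.conf" <<'EOF'
# constructed sample
*.*;auth,authpriv.none          -/var/log/syslog
auth,authpriv.*                 /var/log/auth.log
EOF
cat > "$SAMPLE_DIR/auth.log" <<'EOF'
Feb 26 09:02:11 box sshd[811]: Accepted password for alice from 192.0.2.10 port 40112 ssh2
Feb 26 17:41:03 box sshd[2290]: Failed password for upload from 203.0.113.7 port 51514 ssh2
Feb 26 17:41:09 box sshd[2290]: Accepted password for upload from 203.0.113.7 port 51514 ssh2
Feb 26 18:45:30 box sshd[2412]: Accepted publickey for alice from 192.0.2.10 port 40377 ssh2
EOF

auth_log_path "$SAMPLE_DIR/syslog.conf"
ssh_logins_between "$SAMPLE_DIR/auth.log" Feb 26 17:30 18:30
```

On a real host, pass `/etc/syslog.conf` to the first function and the path it prints to the second; rotated copies of that log need to be checked separately.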