Full Version: Ssh/sshd Log
Termina
Recently someone logged in via SSH on my server and removed everything in the folder they had access to. Sadly they didn't do this with FTP (Proftpd = logs), but I'd like to know who did it.

Anyone have any idea how I can find out? (Happened between 5:30pm and 6:30pm it seems)
Robert83
Hi,

/var/log/messages [note: you can find SSH logs here: who logged in, when, from what IP, but it also contains other kernel messages...]


Sincerely
Robert B
hughesjr
Termina ...

I would recommend a chrooted sftp setup ... see this link .

If you do this though, you would need to maintain the security patches on the ssh you build for the chroot yourself. (building new ssh with the chroot patch when necessary).

You could then write a cron that would copy the files from the chrooted directory to where you really want them to go (then remove them from the chroot directory on successful copy) ... and the individual users, that you set to the chroot, can't mess with the files outside the chroot.
Termina
I don't see any SSH logs in there (I use SSH all the time, so I should at least see me in there). =/

It happened again this morning as well, after I changed all the passwords to FTP/SSH. =/

Any idea what I should do to find out who did this? (Hey, I'll give you SSH to help me find out)

Or is there a way to limit which accounts can be used with proftpd and SSH?
hughesjr
In my debian SID install, it is in a log called /var/log/auth.log ...

If it's not there, go into the file /etc/syslog.conf and look for the name of the log for:

auth, authpriv
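
The lookup described in the post above, followed by a search of that log for the 5:30pm to 6:30pm window from the first post, as an added example that is not part of the original thread. It assumes traditional sysklogd selector syntax and the classic `Mon DD HH:MM:SS host sshd[pid]:` line format; the function names, sample config and sample log lines are constructed.

```shell
# Read syslog.conf on stdin; print "facility file" for every rule that writes
# auth or authpriv to a file. Handles "\" continuations and ".none" excludes.
auth_log_paths() {
    awk '
        { sub(/^[ \t]+/, ""); buf = buf $0 }
        buf ~ /\\$/ { sub(/\\$/, "", buf); next }   # rule continues on next line
        { $0 = buf; buf = "" }
        /^#/ || NF < 2 { next }
        {
            inc["auth"] = inc["authpriv"] = 0
            n = split($1, sel, ";")
            for (i = 1; i <= n; i++) {
                split(sel[i], fp, /[.]/)            # fp[1] facilities, fp[2] priority
                m = split(fp[1], fac, ",")
                for (j = 1; j <= m; j++)
                    for (f in inc)
                        if (fac[j] == f || fac[j] == "*") inc[f] = (fp[2] != "none")
            }
            file = $2; sub(/^-/, "", file)          # "-" prefix only disables sync
            if (file !~ /^\//) next                 # skip remote hosts, pipes, users
            if (inc["auth"]) print "auth", file
            if (inc["authpriv"]) print "authpriv", file
        }'
}

# Read a traditional syslog file on stdin; print "time user source-ip method" for
# sshd logins accepted on <mon> <day> between <from> and <to> (HH:MM, 24-hour).
ssh_logins_between() {
    awk -v mon="$1" -v day="$2" -v from="$3" -v to="$4" '
        $1 == mon && $2 == day && $5 ~ /^sshd\[/ && $6 == "Accepted" {
            t = substr($3, 1, 5)
            if (t >= from && t <= to) print $3, $9, $11, $7
        }'
}
sample_conf() { cat <<'EOF'   # constructed sample syslog.conf
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
*.=info;*.=notice;\
        auth,authpriv.none      -/var/log/messages
EOF
}
sample_log() { cat <<'EOF'    # constructed sample log lines
Mar  5 16:58:02 srv sshd[2201]: Accepted password for alice from 198.51.100.20 port 40112 ssh2
Mar  5 17:41:37 srv sshd[2290]: Failed password for upload from 203.0.113.7 port 51810 ssh2
Mar  5 17:41:44 srv sshd[2290]: Accepted password for upload from 203.0.113.7 port 51810 ssh2
EOF
}
sample_conf | auth_log_paths
sample_log | ssh_logins_between Mar 5 17:30 18:30
```

On a real host the calls would be `auth_log_paths < /etc/syslog.conf` and then `ssh_logins_between Mar 5 17:30 18:30 < <file>` with the file it reports. In the sample, the `auth,authpriv.none` selector on the `/var/log/messages` rule is why no sshd logins would appear in that file.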