how to simplify the info contained in /var/log/auth.log
My /var/log/auth.log contains quite a few lines such as:
"reverse mapping checking getaddrinfo for 224.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.224] failed - POSSIBLE BREAK-IN ATTEMPT!"
"Failed password for root from 61.174.51.224 port 4227 ssh2"
"reverse mapping checking getaddrinfo for 187-101-166-232.dsl.telesp.net.br [187.101.166.232] failed - POSSIBLE BREAK-IN ATTEMPT!"
"Invalid user Admin from 187.101.166.232"
From these I can see that the hackers failed to break in.
But unfortunately I also see some log lines such as:
Successful su for xxxxxx (my username) by root
My dumb questions are:
- From the auth.log, how can I tell that the "successful su" was by me, not by hackers who may have gained my login info?
- How to filter the auth.log file so that it succinctly reports which user successfully logged in, for how long, and from where? The IP addresses were indeed in the auth.log file, but it is not easy to see if they actually succeeded in breaking in.
- Is there a log file to check what the hackers did?
Thank you for any enlightenment.
login log
edited Apr 4 '14 at 8:32 by Rinzwind
asked Apr 4 '14 at 8:17 by water stone
2 Answers
1) From the auth.log, how can I tell that the "successful su" was by me, not by hackers who may have gained my login info?
That would break the meaning of log files. How should your system know if it is a hacker that did a successful su?
2) How to filter the auth.log file so that it succinctly reports which user successfully logged in, for how long, and from where?
That's what the program last is for. It parses the files /var/log/wtmp and /var/log/utmp, which contain this information. See:
user@host:~$ last
root pts/0 1.2.3.4 Fri Apr 4 07:59 still logged in
root pts/5 1.2.3.4 Wed Apr 2 15:58 - 17:00 (01:02)
root pts/0 1.2.3.4 Wed Apr 2 07:39 - 16:15 (08:36)
root pts/0 1.2.3.4 Tue Apr 1 07:39 - 16:00 (08:20)
Additionally you can parse older wtmp and utmp files with the -f option: last -f /var/log/wtmp.1.
3) Is there a log file to check what the hackers did?
See question 1). When a hacker gains access to your system it IS a successful authentication. So the system does not know that it is a hacker. All you can do is search in /var/log/* for traces.
answered Apr 4 '14 at 8:33 by chaos
Thank you very much Chaos. The "last -iFf /var/log/wtmp.1" is what I was looking for. This "last log" does not seem to show any login from other IPs. All logins were from local 0.0.0.0; does this mean no hacker broke in?
– water stone, Apr 4 '14 at 8:48
That cannot be said 100%. The wtmp/utmp files could also be manipulated. My recommendation for servers that are accessible via the internet with ssh (if it is necessary) is to use strong passwords and certificates for authentication.
– chaos, Apr 4 '14 at 9:06
Also a delay at ssh login would be preferable. You will get hundreds of connections at port 22 from bots trying to brute force your passwords.
– chaos, Apr 4 '14 at 9:07
Hi Chaos, thank you again. I only manage my own laptop; it surprised me that even a laptop can get so many hack tries (could be because I linked via dhcp and left it up for too many hours). Could you tell me how to set the "ssh login delay"? Thank you.
– water stone, Apr 4 '14 at 19:22
Just found a discussion page that discusses "delayed ssh login"; pasting it here in case it may be helpful to others: unix.stackexchange.com/questions/105553/…
– water stone, Apr 4 '14 at 21:29
You can simply analyze the file auth.log using:
grep "Successful" /var/log/auth.log
to see successful attempts.
The command above outputs all lines in /var/log/auth.log containing the word Successful, or you can change the expression, e.g. "Failed password", to view the failed login attempts.
So now you can check the successful logins and see any IP that is not yours.
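As an added example (not code from either answer), a small Python parser for the message formats quoted in the question that produces the kind of summary the second question asks for: failed password attempts per source IP, the invalid usernames tried, successful ssh logins flagged against an allowlist of your own addresses, and su events. The syslog prefix, the hostname "laptop", the 1.2.3.4 source address and the sshd "Accepted password" line are assumptions added here, not taken from the question.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log lines. The sshd and su messages use
# the formats quoted in the question; the "Accepted password" line is sshd's
# standard message for a successful login (not shown in the question). The
# syslog prefix, hostname and the 1.2.3.4 source are assumed values.
SAMPLE_LOG = """\
Apr  4 07:55:01 laptop sshd[2101]: reverse mapping checking getaddrinfo for 224.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.224] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr  4 07:55:02 laptop sshd[2101]: Failed password for root from 61.174.51.224 port 4227 ssh2
Apr  4 07:55:04 laptop sshd[2103]: Failed password for root from 61.174.51.224 port 4229 ssh2
Apr  4 07:56:10 laptop sshd[2110]: reverse mapping checking getaddrinfo for 187-101-166-232.dsl.telesp.net.br [187.101.166.232] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr  4 07:56:11 laptop sshd[2110]: Invalid user Admin from 187.101.166.232
Apr  4 07:56:13 laptop sshd[2110]: Failed password for invalid user Admin from 187.101.166.232 port 33012 ssh2
Apr  4 07:59:30 laptop sshd[2120]: Accepted password for xxxxxx from 1.2.3.4 port 50122 ssh2
Apr  4 08:01:02 laptop su[2130]: Successful su for xxxxxx by root
"""

# One regex per message type we care about; every other line is ignored.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
INVALID = re.compile(r"Invalid user (\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")
SU = re.compile(r"Successful su for (\S+) by (\S+)")


def summarize(log_text):
    """Classify each line; return per-IP failure counts plus success events."""
    failed = Counter()            # ip -> number of failed password attempts
    invalid = defaultdict(set)    # ip -> usernames tried that do not exist here
    accepted = []                 # (auth method, user, ip) successful ssh logins
    su_events = []                # (target user, invoking user)
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failed[m.group(2)] += 1
        elif m := INVALID.search(line):
            invalid[m.group(2)].add(m.group(1))
        elif m := ACCEPTED.search(line):
            accepted.append((m.group(1), m.group(2), m.group(3)))
        elif m := SU.search(line):
            su_events.append((m.group(1), m.group(2)))
    return {"failed": failed, "invalid": invalid, "accepted": accepted, "su": su_events}


def unexpected_sources(summary, known_ips):
    """Source IPs of successful ssh logins that are not in your allowlist."""
    return {ip for _, _, ip in summary["accepted"] if ip not in known_ips}


def report(summary, known_ips):
    """Text report: failures per IP (busiest first), then successes, then su."""
    lines = []
    for ip, n in summary["failed"].most_common():
        users = ",".join(sorted(summary["invalid"].get(ip, ()))) or "-"
        lines.append(f"FAILED   {ip:16} {n:3} attempts  invalid users: {users}")
    for method, user, ip in summary["accepted"]:
        flag = "" if ip in known_ips else "  <-- not in allowlist"
        lines.append(f"ACCEPTED {ip:16} {user} ({method}){flag}")
    for target, by in summary["su"]:
        lines.append(f"SU       local            {by} -> {target}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG), {"1.2.3.4"}))
```

Like last, this only reports what was written to the log; the first answer's point still holds that a login with valid credentials looks the same whoever typed them, so the allowlist check only tells you where a success came from, not who it was.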
answered Jan 26 at 22:00 by João José