Security :: Auditing Samba Logs?
Mar 18, 2011
I have in my hands a bunch of Samba logs, about 24 different files, and I was wondering if there was a tool that would go through them and organize them into something readable. I had a gander at Sawmill
View 2 Replies
Feb 1, 2011
I have a (headless) Debian (Linux debian 2.6.26-2-486) system running on an old Pentium machine in our home network. I use it as a Samba share, among other things. I recently noticed some Samba log files whose origin I cannot explain. In /var/log/samba there are a couple of files like this one: /var/log/samba/log.istvan (Note: there is no machine named 'istvan' in my local network)
Code:
[2011/01/04 21:15:34, 1] smbd/service.c:make_connection_snum(1198)
istvan (::ffff:78.92.155.185) connect to service boeken initially as user nobody
[code]...
View 9 Replies
Dec 28, 2010
In 2 weeks, I will be handed over 8 servers, each one hosting around ~3 virtual machines, which will make a total of around ~24 servers. Part of my initial responsibility is to make sure that these servers are secured and ready for me to look after. My question is, what are the best procedures (or as I will call it, a "checklist") to assess and audit each server, and be 100% sure that the server doesn't have a rootkit and everything is secured?
View 1 Replies
Oct 19, 2010
As part of the server hardening process I would like to know the best way of doing system logging and auditing. The following points should be taken into consideration:
* Logging of critical events
* Logging access to critical accounts
* Secure storage and availability of logs
* Review of logs
* Security of logs
View 2 Replies
Mar 21, 2010
Does anybody know any security auditing tool in Linux except Snare?
View 3 Replies
Jul 19, 2011
I just put up Fedora 15 on my PC. There are several messages coming up from SELinux saying permission denied, though I am not doing any administrative activity; the PC is a workstation for research. How can I know whether the denial is for a security intrusion attempt? How can I set conditions to see the logs of all security intrusions? How can I set exclusive messaging from SELinux that the denial is for a security intrusion attempt?
View 5 Replies
Feb 3, 2011
I'm running a set of virtual machines (most in ESXi, one in VirtualBox on my desktop) to try and replicate an existing physical network structure with a Samba domain operating across multiple subnets. The layout is:
(ESXi)
* Router - Ubuntu 8.04, running dnsmasq, bridging my 2 virtual subnets (10.10.4.1/24 & 10.10.5.1/24) and my physical network
* PDC - Ubuntu 8.04, configured as a Samba PDC with PAM configured to use LDAP, SMBLDAP etc. on 10.10.4.11
* LDAP - Ubuntu 8.04, running Zimbra 5 mail server, acting as the LDAP backend for Samba on 10.10.4.12
* BDC - Ubuntu 8.04, configured as a Samba BDC with PAM LDAP etc.
* Client1 - Windows XP, joined to domain on 10.10.5.100
(Virtualbox)
* Client2 - Windows XP, joined to domain on 10.10.5.99
Watching /var/log/daemon.log, /var/log/samba/*, smbstatus -bd0 shows that Client1 successfully logs on to the BDC (10.10.5.2) but Client2 logs on to the PDC (10.10.4.11) instead. Both clients have the same subnet, DNS, WINS settings etc. I've seen the issue happen in our physical setup too but very infrequently and usually when there's been a network interruption between the BDC(s) and the LDAP server.
View 1 Replies
Feb 4, 2010
I was just checking some of the generated logs from Samba.
Code:
Quote:
I've looked over my smb.conf and it doesn't look like I even have any printer sharing enabled.
Quote:
How was PC1 refused a connection when it looks like I don't have any printers being shared through Samba?
This is just on a home LAN.
View 1 Replies
Sep 7, 2010
wants some sort of logging capability on the system. To have a log of every change to every file, although that might be a bit unwieldy. Perhaps a simpler compromise would be some way of monitoring a few specific folders, and tracking all changes to them, including the user that did so. Particularly important is that it should be possible to work with access through Samba, as we want to track what users on the network are creating or changing files. Is there functionality like this already built into Debian or Samba? Is there a useful additional app to gather this information? Or am I going to need to be grep'ing log files to present something usable?
View 2 Replies
Jun 16, 2010
How to find USB entries/logs in Linux
View 5 Replies
Apr 22, 2009
I have connected to my friend's machine, and for some reason all the logs are wiped out.
CentOS.
There is nothing there? Is this unusual for Linux systems?
View 3 Replies
Mar 18, 2010
I cannot find one single UFW event anywhere. I have researched this and see that others have trouble finding these logs too. I have looked in every /var/log there is and I can't find one event. I have UFW enabled, default deny and logging set to medium from a previous logging low (in hopes this would create more events to be seen). In terminal, UFW is shown as active. I have been using Ubuntu for more than a year now and I recall seeing UFW events with every session in some /var/logs in Ubuntu 9.04 - I'm running 9.10 now. I have also tried looking throughout the system files and have found nothing. Is UFW not working properly or could I just not be experiencing any firewall events (not likely)?
View 9 Replies
Apr 26, 2011
Does anyone know where ZEITGEIST puts its logs? Is it in my home folder, or is it somewhere else? I have my home folder encrypted and this is really not very secure if someone can see those logs... So, does ZEITGEIST put logs in my HOME folder or not?
View 7 Replies
Mar 9, 2011
I am looking for security-specific event IDs on Linux. There are thousands of event IDs in Microsoft Windows XP and Vista etc. In a similar way I am looking for Linux, Unix, Solaris, AIX etc. event IDs. I would like to correlate and implement them with ArcSight.
View 2 Replies
Mar 24, 2010
Please let me know:
1. What LDAP logs are typically available
2. How to find them
3. How to parse them
View 3 Replies
Aug 15, 2010
What does the following mean?
Code:
Does this mean that connections from those IPs have been blocked, or what?
View 3 Replies
May 23, 2011
CentOS 5.6 server patched to latest, multiple name-based Apache virtual hosts, SELinux OFF. Everything was working fine until the other day. I've been making quite a lot of changes so it may well be something I've done, but I can't find out what! Last night I got the following in my logwatch:
Requests with error response codes
404 Not Found
/admin/phpmyadmin/scripts/setup.php: 1 Time(s)
/admin/pma/scripts/setup.php: 1 Time(s)
/admin/scripts/setup.php: 1 Time(s)
/db/scripts/setup.php: 1 Time(s)
/dbadmin/scripts/setup.php: 1 Time(s)
[Code]...
The problem is that NONE of my logs, secure, httpd, messages, NONE of them, show any trace of these hacking attempts. They used to show up in secure and apache error logs, but no longer.
View 2 Replies
Jan 8, 2010
These files seem to contain browsing history:
~/.mozilla/firefox/xxxxx.default/cookies.sqlite
~/.mozilla/firefox/xxxxx.default/formhistory.sqlite
~/.mozilla/firefox/xxxxx.default/downloads.sqlite
~/.mozilla/firefox/xxxxx.default/places.sqlite
~/.mozilla/firefox/xxxxx.default/places.sqlite-journal
~/.mozilla/firefox/xxxxx.default/Cache/
Therefore I have cleared these files using an erasing program. I am wondering if there are other locations where such log files are stored for Internet browsing. I have looked in the /var/log directory and cannot see anything - for example doing a grep on http:// after browsing in Firefox does not reveal anything obvious.
View 6 Replies
Jan 19, 2010
Can iptables logs be set to automatically resolve IP addresses? I am running the firewall on a network with DDNS/DHCP, and this ability would really help quickly identify hosts with suspect traffic. Failing this, I guess the simplest solution will be to simply set static addresses!
View 1 Replies
Jul 10, 2010
Does anyone know of any software that can monitor the Apache logs for certain phrases or keywords and then send an alert when they are found? For example, I know an attempt to hack has been made when I see log entries like this:
/admin/
/admin/phpadmin/
/phpadmin/
But by the time I see it, the attempt has long since failed or succeeded. What I need is a way for my server to alert me WHILE someone is entering these phrases. I realize there may be a "hit" to performance but my server is not that busy anyway (except for hackers).
View 3 Replies
Feb 9, 2011
What is happening when I log in to my Ubuntu server machine via ssh and PuTTY? I am trying to understand everything, primarily securing my server.
I have specified the ssh server to listen on port 5525, and can login without a problem.
When I look at the logs though it says I connected from xxx.xx.xx.xx on port 53602.
What is happening here and why is the logged connection a different port to the one specified in the config file?
View 1 Replies
Apr 5, 2011
In an effort to learn more about firewalls and iptables I have left behind gui set-up tools and have setup a firewall using iptables that logs to its own file. The firewall is as follows:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
[Code]...
View 8 Replies
Feb 12, 2011
Has anybody else seen this kind of attack? I see those messages on 2 Exim mail servers. It looks as if someone sends a 50MB big mail header :S What is their goal, apart from increasing my traffic?
Code:
2011-02-12 07:48:53 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=ns33.medialook.net [91.121.108.5] input="GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
[Code].....
View 4 Replies
Feb 16, 2011
I am trying to get OpenLDAP to authenticate user logins, but I am running around in circles. Are there any logs produced by either client and/or server that would indicate possible reasons why it was unable to log in as a user? Below is an explanation; any ideas would be appreciated, as I think everything is set up as per the various articles on using LDAP.
I have a CentOS 5.5 OpenLDAP server, and several others, some hosting services, some being file shares (Samba). So far I have been able to successfully configure OpenLDAP to carry out all the ldap* commands from both the local server and from any of the remote servers, either via non-SSL or SSL connections. However, as soon as I try connecting any services up to it, it doesn't play ball. Back to basics, having cleared off all previous attempts at this from all machines, I have gone through the following:
Installed OpenLDAP server/client on host (plus nss_ldap).
Configured /etc/openldap/slapd.conf (see below)
Configured /etc/openldap/ldap.conf (see below)
[code]...
View 2 Replies
Mar 8, 2010
I have a batch job which logs in to the server every 10 minutes via Windows rsh. The job checks to see if there are any files that need to be sent via an EDI server to a supplier. The following logwatch report is swamped with the login messages and I would like to either suppress the logging in PAM, or suppress the entry in the logwatch report. But I still want logging if the username is not username1.
Connections (secure-log) Begin
rshd[1754]: pam_rhosts_auth(rsh:auth): allowed to username1@10.0.0.1 as myedi
View 2 Replies
Aug 23, 2010
I am searching for how I can configure syslog/rsyslog to receive logs from third-party tools or software. For example, I have a program that generates logs, like when it is started, logs about its services, alerts if there are any alarms, etc. I want to forward these logs using syslog/rsyslog. Is there any possibility of how I can achieve that?
View 2 Replies
Mar 19, 2010
I've got a Samba share on a Linux server, connecting to it with a Windows 2k3 server via Tools > Map Network Drive. The goal is to be able to use Windows to change the security of the Samba share. The good news is it works! The bad news is it's not QUITE perfect:
The share is called /company. I started with the following to give everyone access to everything, set the owner of the share to administrator (my domain admin on the Windows domain), and set the group owner to domain users (group that everyone on the domain is part of):
Code:
chmod -R 777 /company
chown -R administrator /company
# the group name contains a space, so it must be quoted
chgrp -R "domain users" /company
I then mapped the drive as a regular user, and of course, can access/modify/delete/rename/create anything I want. Then I picked a folder to lock down. Let's call it /company/myFolder. I did this on the Windows server by mapping the drive as administrator (the owner), right click > properties > security tab > advanced > highlight "domain users" and "everyone" and click edit > clear all (i.e. remove all access). Go back to Linux and
[Code]..
The only issue that remains is that I am able to rename/delete "myFolder" as a regular user. I thought this was coming from the "acl map full control = true" parameter in smb.conf, but I changed it to false and verified the change and it still happens. If I remove group and world write access to /company, I am no longer allowed to rename/delete myFolder, but then I can't create a new folder. If I add group write access back in I can create files but can also rename/delete folders within /company that have --- specified for group access. Any ideas what I need to tweak to make this right?
View 1 Replies
Apr 22, 2010
I have my router configured so that it drops outgoing telnet connections (and other protocols I don't use). It's a 2Wire gateway. 192.168.1.65 is the internal IP of my Ubuntu box. I'm trying to figure out what normal network traffic looks like and whether I should be worried by this log entry. At the time this happened I was testing out Tor (just navigating to a few sites (Dell, Ubuntu forums, etc.), nothing all that interesting).
View 2 Replies
Aug 14, 2010
I have a RHEL5 as my file server with Active Directory integration, using Samba for folder sharing and Webmin to manage the shares. We have many folders, subfolders and files. We are facing the following issue. We had given a folder called yardworklist which is shared by 8 people with full access. The yardworklist will have more than 80 folders, each representing a ship. The problem we are facing is that some user copies a folder or file from a specific ship folder, say SEA HERON, to another ship's folder, say BOW CLIPPER. The next day the person who wants to work on SEA HERON finds the file or folder missing and uses his search tool to get the folder or file. I don't know who the person is that did this. Basically an event log would also be enough, like which file has been copied by whom to which place.
View 2 Replies
Jan 4, 2010
I have been out of the UNIX world for some time, preoccupied with real life problems. I'm interested in getting a home system up and running, but am having difficulties deciding on a base platform. I am leaning towards Linux versus a BSD due to the tremendous number of employers seeking people with that technology. However, I am attracted to the auditing performed on packages on the BSD end, particularly NetBSD/OpenBSD. Is there a Linux distribution that performs auditing of third-party packages? I understand there are some commercial distributions, but wonder if they are more reactive than proactive.
View 5 Replies