Failed login attempts are logged to syslog with the user id or login id set to UNKNOWN_USER or UNSET.Anybody know if this is configurable. I would rather it just pass the actual id that the user used. Doesn't matter if it exist or not, just want to know if someone is guessing at user names and what those user names are
View 1 RepliesHow do I monitor who is ssh'ing into a box (SLES) as well as failed attempts? How can I log their IP addresses, even if they're not in DNS?/var/log/messages I see their hostname but no IP address
View 13 Replies View RelatedI have been trying to get pam_tally2 to block failed logins with ssh. No matter how many failed logins I do I can still log in with the correct password using SSH. Anyone have this working?
Here are the configuration I am using. I have put this in sshd and password-auth-ac.
auth required pam_tally2.so deny=3 file=/var/log/tallylog lock_time=180 unlock_time=1200 magic_root account required pam_tally2.so magic_root In the /var/log/secure I do see messages related pam_tally2 and the counter going up.
i have setup auto ssh login for my server. And it works, but only when i have a active connection. if i use "ssh server.com" it asks for my password. If i then open a new terminal and issue "ssh server.com" it logs right in. I really don*t understand whats wrong.
I have tried setting up 2 virtual machines on my local computer and with the same setup it works fine.
SOLVED: my home folder was encrypted, so when no users were logged in the home folder was unmounted
'readonly HISTFILE'
but the user could tamper with the histfile itself. Like:
rm -f $HISTFILE;
rm -f $HISTFILE; mkdir $HISTFILE;
rm -f $HISTFILE; ln -s /dev/null $HISTFILE;
I'm experimenting with PROMPT_COMMAND to execute a command each time the user executes a command and so log it somewhere else.This post was pruned from the 2009 Is there a way to prevent users from changing or unset their HISTFILE variable? thread. Please do not resurrect old threads but instead create your own (and maybe provide a link to the old one).
I tried posting this before and I'm not sure what happened but I don't think it worked, so if it did please forgive the double post.am very very new to centOS and linux in general. I just want to setup a test web server that more closely mirrors our actual web server that is hosted by rackspace. I've installed centOS and tried to setup Apache, PHP and MySQL from a guide on the web using Yum. When I go to localhost in the web browser I'm able to see the default apache page. However when I create a php page it's just blank.When I look at the apache error logs I get this: PHP Warning: Unknown: failed to open stream: Permission denied in Unknown on line 0
I've been searching alot on the internet and I know the issue is permission related, but I don't know how to fix it. I've seen some forum posts that say you need to use the chmod 775 command on the /var/www/html folder.Currently when I do ls -l /var/www/html it returns
-rw------- 1 root root 19 May 5 13:16 index.php
-rw------- 1 root root 19 May 5 13:15 index.php~
I'm sure that this isn't correct but like I said I don't know much about how to set permissions or who the owner needs to be. I've done alot of searching and seen similar posts, but no one seems to explain it clearly.
Does anyone know a method for setting the timeout period for failed logins on Linux RHEL5.x systems? Linux docs say to set the failed login delay paramter in /etc/login.defs to the desired seconds. I did this, but the settings have no effect, ie weather set to 2,4,10, etc, the actuall failed login timeout period(which I verified with a stopwatch), never changes.
View 1 Replies View RelatedI'm trying to lock an account after a number of failed login attempts in a RHEL5.
This is the relevant configuration in /etc/pam.d/system-auth
In the logs I can see how the count of failed logins increase and exceeds my deny option but the account isn't locked
Do I need any other option in the PAM file? Is there any other way to lock an account?
I keep getting hundreds of SSH failed logins per day. Is there a way with iptables, i can say if a user connects too to port 22 over 8 times in 10 minuntes, then block them for an hour?
View 7 Replies View RelatedI am trying to get OpenLDAP to authenticate user logins, but running around in circles. Are there any logs produced by either client and/or server that would indicate possible reasons why it was unable to login as a user?Below is an explanation, any ideas would be appreciated, as I think everything is setup as per the various articles on using LDAP.
I have a CentOS 5.5 OpenLDAP server, and several others, some host services, some are file shares (samba).So far I have been able to successfully configure OpenLDAP to carry out all the ldap* commands from both the local server and from any of the remote servers, either via non-ssl or ssl connections. However, as soon as I try connecting any services up to it, it doesn't play ball.Back to basics, having cleared off all previous attempts at this from all machines, I have gone through the following:
Installed OpenLDAP server/client on host (plus nss_ldap).
Configured /etc/openldap/slapd.conf (see below)
Configured /etc/openldap/ldap.conf (see below)
[code]...
How do you configure proftpd so that once a user has failed to login and reached the MaxLoginAttempts. That they can not retry logging in for another 4 hours ?
View 6 Replies View RelatedA few minutes ago I was using google chrome when suddenly the scroll-lock indicator on my keyboard turned on... I pressed the scroll-lock key, but nothing happened, the light remained. I opened a terminal and ran "top" to find what processes were running when I was automatically logged out. I logged back and checked the logs and found the following entries in my auth.log:
Code:
CRON[2971]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON[2971]: pam_unix(cron:session): session closed for user root
[code]....
I would like to detect every login on my server. Not only ssh logins (virtual terminals) but also physical logins.There is a way to use nagios or a script to watch log files.But I would like to know is there a way to catch that information one step before.I thought about watching /dev/pts for changes but that is not different than log watching and everything does not appear in /dev/pts like a ssh tunnel (ssh -N user@server). These are only visible in logs because ssh tunnels do not open terminals.But I would like to be able to catch these on login.
View 8 Replies View RelatedIs there a way to lock out logins at the console? I ask this because I can not login at the console but can remotely login to the system via ssh. I'm guessing I blindly implemented a security option and didn't know what I was doing when I did it.
View 2 Replies View RelatedI'm trying to secure the CentOS servers on our company network as the current situation is, shall we say, less-than-ideal: remote root logins with the same password across several servers (behind a firewall, on non-standard ports, but still) and several key processes running as root. My proposal to amend this consists of the following:
- setup a bare as possible SSH-gateway with only the normal user accounts to handle remote access
- disable the root login from anywhere else but LOCAL and create special accounts with root permissions for our ~4 system administrators, like admin.foo admin.bar that can only login from inside the company network, using SSH-keys.
So far my biggest obstacle seems to be creating the administrative users, how do I go about and do that? When I simply create a user adminfoo with uid=0 it will show on my shell as root, which makes it useless as a way to make our admins accountable for their actions. BTW, my initial proposal to use sudo unfortunately met with strong resistance, because it compromises usability.
Lastb often shows me a huge list of attempted ssh logins.Such as this excerpt:
Code:
admin ssh:notty Sat Sep 11 23:47 - 23:47 (00:00) 184-154-37-12.Huge-DNS.COM
root ssh:notty Sat Sep 11 23:47 - 23:47 (00:00) 184-154-37-12.Huge-DNS.COM
[code]....
I just installed debian 5.06 i386 130MB that I downloaded yesterday(Monday).My problem is that when an incoming ssh connection to this debian box is established, but nothing is being logged to /var/log/auth.log on this box. I've tail -f the auth.log which verified nothing is getting logged for ssh. The auth.log is showing activity, mostly root logins and logoffs, but no ssh activity.I understand that /etc/rsyslog.conf may control what gets logged. I had pastebinned this file on #debian but people noted that it looked fine.I have not made any changes to the system, like editing config files or anything. The system is essentially just out of the box.What else can I do to figure this out? Otherwise, I am pleased with how Debian installed on 2002 vintage machine, and is running in console mod
View 2 Replies View RelatedI'm tasked with creating a base image of ubuntu (one for server, one for workstation) that is locked down and has all the fluff taken out (naturally workstation will have more fluff left in it than server). Task list looks about like this:
1. Create list of deb packages "allowed", write script to list/uninstall everything else.
2. Hook the logins into either enterprise kerberos or Active Directory (yuck).
3. Write scripts to check things like setuid/setguid, disabling su, checking sudo permissions, configure iptables, etc.
4. Use a scanner to scan the system from outside the system (was thinking of using backtrace).
5. Custom-compile the kernel to strip out all the unneeded modules.
Before embarking on this awesome task I figured I'd check with you guys to see if you know of some resources that would make this task easier/quicker. I'm sure someone out there has already headed down this branch.
PS My boss *loves* ubuntu and isn't to keen on going with a deb (or other) distro that is already "security trimmed" without some serious convincing. I'm sure there are some out there, and if you want to pass along a couple for consideration, I'll check them out, but no guarantees he'll let me use it.
Is there a way to send syslog messages through SNMP? I'm not finding much info online around this. A co-worker said it was easy to do. RHEL5.5
View 1 Replies View RelatedCentOS 5.6 Server patched to latest, multiple name-based apache virtual hosts. SELinux OFF Everything was working fine until the other day. I've been making quite a lot of changes so it may well be something I've done, but I can't find out what! Last night I got the following in my logwatch : -
Requests with error response codes
404 Not Found
/admin/phpmyadmin/scripts/setup.php: 1 Time(s)
/admin/pma/scripts/setup.php: 1 Time(s)
/admin/scripts/setup.php: 1 Time(s)
/db/scripts/setup.php: 1 Time(s)
/dbadmin/scripts/setup.php: 1 Time(s)
[Code]...
The problem is that NONE of my logs, secure, httpd, messages, NONE of them, show any trace of these hacking attempts. They used to show up in secure and apache error logs, but no longer.
I setup logging in through putty client with keys, and password disabled, could log in from all machines on my network (xp and 7) with putty.When I finished hut down the server.Today I turned on the server box and thought I'd try logging in through putty. It kept telling me the server was rejecting my key.I plugged in a monitor and keyboard into the server and logged in via password then had no problem logging in through putty client.Question is, every time I shut the server down do I have to plug in the monitor and keyboard, then login, to be able to login remotely?
View 8 Replies View RelatedI was just looking around and did a tail on my syslog and some strange entries came up:
[Code].....
I'm a Verizon customer in Maryland, USA running Linux at my home and I don't understand why named is looking at servers in France and Saudi Arabia. Am I just being paranoid?
I have my system set up to where the router(dd-wrt) will send it's syslog messages to my Linux PC system. I am using shorewall as my firewall. I have two questions: How can I configure shorewall to allow the messages from my router? If I use my router IP address to allow the messages to come through the firewall, will this be a great security risk as anything from the internet can come through on that router ipaddress?
View 1 Replies View RelatedIn order to mitigate risks linked to the use of the classic syslog protocol (spoof, replay, tampering, lost messages...) I am looking for a product implementing the syslog-sign capability: [URL] which is still a draft in the IETF for the moment. On NetBSD, the sylog daemon is able to run this feature: [URL]. Did anybody tried this feature on a Linux system?
View 1 Replies View RelatedI am using Fedora 10 .Generally to update I open a virtual console by pressing Ctrl-Alt-F2,login as root and give the "yum update" command.Then I continue using my graphical terminal for other tasks from the 'non-root' account..Now my room-mate comes uses my 'non-root' account to browse web for few minutes and then opens a terminal types "halt", ENTER and viola...! My root account seems to be insulted by a 'non-root' user!.When I am doing updates or other important work as root any silly user can just 'halt' my computer. Can somebody tell me how to set up my computer so that when root is logged in no other user can simply halt the computer.
View 3 Replies View RelatedI just installed F12 (live cd version with gnome), fully updated & rebooted but my lastlog says that I never logged in...(I know the DVD Install would probably be better but I'm trying to save space)
View 2 Replies View RelatedI have 2 servers, web server & mail server. they show 2 users in the summary area when I run w or top commands. But the actual list of users logged in (using either w or who) shows only 1 user.
ps -ef |grep username only shows my current login as a running sshd process.
So I can find no trace of this other user except in the summary line for w or top. I have no shells or other logins left running elsewhere or abruptly terminated, no gui sessions (these are servers), no tty logins. Do I have another user logged in? Has someone hacked me & covered up most of their trail? Why do these commands show 2 users when everything else points to 1 user?
I read the log
Code:
I found this print out:
Code:
The line in bold is the security issue. There is only 1 user account on the system. There should only be 1 user logged in, not 2 users logged in. The remainder of the log file lists 1 user logged in, for similar log output. 2 users logged in does not appear again in the log file.
Does the second line of bold indicate that an attempt was made to log in to the system using SSH?
There was an internet connection interruption (no service) around the time of the log file event. The service did return, later.
Does that line indicate that an unauthorized user logged in to the system?
Just noticed this, when I am logged into OpenSuse 11.3 under my default user (autologin) I have 3 of the same user logged in, eg when I run top it shows 3 users and when I run the users command it shows the same user 3 times. Is there any reason for this? Do I need to investigate this at all?
View 1 Replies View RelatedHow i would find out who has logged in to my server using the root login, does it store a log anywhere. im running fedora core 4.
View 5 Replies View Related