Security :: System Logging And Auditing?

Oct 19, 2010

As part of a server hardening process, I would like to know the best way of doing system logging and auditing. The following points should be taken into consideration: logging of critical events, logging access to critical accounts, secure storage and availability of logs, review of logs, and security of logs.


Security :: Assessing And Auditing A Server?

Dec 28, 2010

In 2 weeks, I will be handed over 8 servers, each one hosting around ~3 virtual machines, which will make them a total of around ~24 servers. Part of my initial responsibility is to make sure that these servers are secured and ready for me to look after. My question is, what are the best procedures (or as I will call it, a "checklist") to assess and audit each server, and be 100% sure that the server doesn't have a rootkit and everything is secured?


Security :: Auditing Samba Logs?

Mar 18, 2011

I have in my hands a bunch of Samba logs, about 24 different files, and I was wondering if there was a tool that would go through them and organize them into something readable. I had a gander at Sawmill


General :: Security Auditing Tool In Linux Except Snare?

Mar 21, 2010

Does anybody know of any security auditing tool in Linux except Snare?


Fedora Security :: Logging Dropped Packets With System-config-firewall?

Sep 1, 2009

I switched over to Fedora a couple of days ago. I'm using the built-in firewall shipped with it but I can't find out how to enable logging of dropped packets. Among others I'd like to use psad that needs firewall logging. Is there an easy way to do this? I'm not an iptables "expert".


Programming :: Extracting Auditing Info Using Awk System And Ausearch?

Aug 25, 2010

I'm a Linux newbie and scripting novice, and I'm trying to pull auditing info and dump it into a file. I made some login changes so they would get audited, but I don't want to have to sift through the log to see who the user was and what was done. This is what I have below, and I can't seem to get it to extract the info I want using the event id. The "ausearch -a $10" from the script should get it from the 10th column, but it's not working. If I can get this to work I would like to add additional aureport options.

#!/bin/bash
# Current year and month, used to build the date range for the audit query
yyyy=$(date "+%Y")
mm=$(date "+%m")

[code]...


General :: Is There A System Admin Tool For RHEL For Monitoring And Logging System Memory?

Apr 20, 2011

Is there a system admin tool for RHEL for monitoring and logging system memory used and released that can dump to a log file? I'm having an issue with memory not being released when an application is closed. I need to have a tool monitor and log so I can troubleshoot to verify that it's the application and not the OS.


Security :: Logging/Blocking LAN Traffic?

Apr 26, 2010

Where I work we have a LAN; it is almost 100% Windows machines except for 2 CentOS machines to which some clients connect via VPN. (Very small network, <50 IPs used.)

I would like to know if there is a way to block access from those machines to others in the network. I'm already logging traffic (with IPTraf) to see if they're accessing machines in the network other than the ones they should connect to.


Ubuntu Security :: Disable Root From Logging In Via GDM?

Mar 11, 2010

I've enabled the root account on Ubuntu 9.10; however, I want to stop it from being used to log in via GDM. 9.10 seems to have a different GDM version, so how can I carry this out under 9.10?


Ubuntu Security :: Logging Into The Secure Website?

Oct 8, 2010

A friend of mine has a private forum set up so he and I can communicate back and forth without having to send emails. The link is "https://", so I'm assuming it's secure. I'm a newbie to Ubuntu and I have already switched 3 of my computers at home to Ubuntu.

I'm using Ubuntu 10.04 and Google Chrome as my browser. When I log into his forum it pops up with a screen saying "The site's security certificate is not trusted" and I always click proceed anyway. I'm not worried about this because I'm 110% sure that it's his website that I'm trying to access. My question/problem is that it also pops up with a little box telling me to enter my username and password every time. When I was using Windows XP, I had to enter this info once and then I wouldn't have to enter it again.


Security :: Console Users Logging In Without Passwords?

Jul 19, 2010

Sitting at the console, I log in with any user name and NO PASSWORD IS REQUESTED. I get logged in automatically without entering the user's password.

I did:
passwd joeuser

to change his password, and still he goes right in without being asked for a password!

Possibly related: 10 days ago, my SMTP server was breached as a spam relay. The username they cracked was deleted. I added fail2ban for Postfix. The logs show no further intrusion.


Security :: Iptables - Logging All Protocols - Not Just Tcp - Udp - Icmp

Jun 21, 2010

Brief overview of my current setup:

Code:

The ip_blacklist chain is used to immediately drop any traffic from specified address ranges, while the tcp_, udp_, and icmp_packets chains contain rules for further processing of those protocols. The last rule in each of the latter three chains drops all packets that didn't match any rule above it, so TCP, UDP, and ICMP packets should NOT get caught by the default INPUT policy (DROP). The goal of the last rule on the INPUT chain is then to log any packets that are picked up by the default policy. However, it's not working.

I can tell that there are packets being picked off by the default policy because the counters are being incremented, but nothing is logged by that last rule. My conclusion is that it's only looking for TCP, UDP, and ICMP packets and ignoring everything else.

How do I get iptables to log all the other protocols (or whatever is being caught by the default policy)?


Security :: SIEM - Logging - Correlating - Monitoring

Sep 30, 2010

I'm going to start monitoring our Linux servers with a log management/correlation tool to take a proactive approach to the security of our systems.

Right now I'm going to search for log events that include the following:

Any other commands or logs that would be good to correlate or be alerted on when a potential breach or suspicious activity is happening on the box? Logging cleared, permission changes on accounts or particular files or directories? What would you want to see while monitoring your servers?


Security :: Logging Connection Bytes For Iptables?

Mar 28, 2011

I am wondering if it's possible to log the number of bytes a connection transferred when the connection is complete with iptables. I know I've seen this sort of information in Cisco FWSM logs, where the "Teardown" entry of the logs has the bytes transferred for that connection. Is it possible to have something similar to that with iptables, where the initial connection attempt is logged (i.e. NEW, which I have logging fine) AND an entry for that connection that includes the bytes transferred?


Security :: Logging DROPPED And INVALID Packets

Oct 18, 2010

I am trying to figure out what command to use to show the number of DROPPED and INVALID packets that the firewall is handling. I'm going to put these commands into a log analyzer script which will run every 15 minutes with cron. The firewall is running and operating the way I want it to. I'm running CentOS 5.4.


Security :: Logging In As Root Over Rsync/ssh For Backups?

Sep 30, 2010

I need to log in as root, or at least get root privileges, in a cron-triggered backup run. The straightforward way to do this would be the backup server making an ssh connection to the server to be backed up (this way because I want to avoid many servers being backed up in parallel, and the backup server itself would be managing this diversity), via the rsync command which would be performing the backup's synchronization step.

I'm looking for alternatives to this in some form. I'd like to disallow direct root login to my ssh port (not 22). One idea I have is to have the backup server initiate an ssh login as a non-root user, to either the actual source server, or to a server that can reach the source server ... and set up port forwarding. Over the forwarded port, then initiate the rsync that logs in as root via another port that allows direct root, but cannot be reached from the internet at all (because the border firewall doesn't include this port as allowed in). FYI, these logins will be using ssh keys, not passwords. I do need to keep ownership metadata for files being backed up, so this is why I am using root. Also, rsync is needed to get the incremental updates to keep bandwidth usage lower (otherwise I could just transfer a tarball each day). Anyone have any other ideas or comments, for security issues, based on experience doing things like this (backups, routine data replication, etc.)?


Security :: Modsecurity - Switching From Logging To Denying

Apr 17, 2011

I just had ModSecurity with CRS installed for me on my hosted website, which I'm hardening after a recent hack. My site is a PHP-based user community with a MySQL back end, so people register as members via PHP.

First, I'd like to properly log malicious activity. Then I'd like to deny access where an attack looks likely. Thing is, I'm not sure which /etc/apache2/modsecurity_crs modsecurity config files to tweak. Then I can't even see my login page because I'm forbidden from the .php file it loads. I'm guessing I need to change rules individually, but I have no idea how or which to change to stop attacks. The CRS documentation is just a bit too heavy to give me the basics.


Fedora Security :: Disable Logging In As Root In Console?

Feb 22, 2010

I wanted to disable root logins in the console, so I searched for that. I found that if I change root's bash to "/sbin/nologin" in "/etc/passwd", the root user will not be able to log in. So I did that. But when I wanted to use the sudo command, it didn't show me the root bash; it only did the same thing as logging in as root in single user mode (shows a message that this account is disabled). So, how can I disable root logins but keep the sudo command enabled for standard users?


Ubuntu Security :: AppArmor Enforce Program Without Logging?

Apr 19, 2011

I have a program that generates large amounts of AppArmor log messages. I'm happy to enforce restrictions on the program, but I really don't want it to fill my log with messages every time it attempts to read a file.

Is there a way to let it enforce restrictions but not log denials?


Ubuntu Security :: UFW Stopped Logging Blocked Packets / Solution For This?

Mar 17, 2010

On April 10, 2010, I upgraded some packages on my Ubuntu 9.04 server. This included an upgrade to "ufw 0.27-0ubuntu2". I rebooted the server, and all appeared to be fine.

Now I've noticed that UFW is not logging blocked packets since that reboot. It used to do this. It is still logging the allowed packets that I've configured it to log.

Here's what "ufw status verbose" says: code...


Ubuntu Security :: Snort Init Errors Mysql Logging?

Feb 23, 2011

I have just compiled Snort 2.9.0.4 under Ubuntu 10.10 x86_64, installed with the full LAMP package. The syntax I used to compile Snort is as follows below:

[Code]...


Security :: Su - Incorrect Password - When Logging As Wheel User And Trying To Access Root

Dec 18, 2010

I have tried to not allow root access and have created a wheel user.

Now I cannot log in as root.

That's okay, but when I log in as the wheel user and try to access root, it says:

Code:


Ubuntu :: System Is Logging On As Root

Mar 7, 2011

I am using Lucid Lynx, 1 partition, Linux is the only OS, and I am the only user. Everything is working fine until I click on "Places > File Browser"; the system asks for the root password.

Then I enter the root password and I can go wherever I want. (It does not do this every time, just most of the time.)

When I open File Browser, the first things listed in the left pane are ROOT, DESKTOP (which is the root desktop), then FILE SYSTEMS, etc.

I think all the little differences I am experiencing are a result of logging on as the ROOT user. I think that when I open File Browser (I use this a lot) and it asks for the ROOT password, I am then ROOT and remain ROOT until I log off (I never do, because I am the only user). When I am root, things will look and feel different than when I am logged on as Wayne, but there are some things that I cannot do as Wayne (such as open File Browser). I opened K3b to burn a disk and a window popped up saying "it is not wise to run K3b as root..."


General :: How To Enable System Logging

Oct 21, 2010

How do I enable system logging in Linux? Can I check the log file of another system on the same network remotely?


Red Hat :: Auditing On Folder And Files In 5.0?

Aug 14, 2010

I have a RHEL5 box as my file server with Active Directory integration, using Samba for folder sharing and Webmin to manage the shares. We have many folders, subfolders and files. We are facing the following issue. We had given a folder called yardworklist which is shared by 8 people with full access. The yardworklist will have more than 80 folders, which represent each ship. The problem we are facing is that some user copies a folder or file from a specific ship folder, say SEA HERON, to another ship's folder, say BOW CLIPPER. The next day the person who wants to work on SEA HERON finds the file or folder missing and uses his search tool to get the folder or file. I don't know who did this. Basically an event log will also be enough, like which file has been copied by whom to which place.


General :: Distribution With Auditing Of Packages?

Jan 4, 2010

I have been out of the UNIX world for some time, preoccupied with real life problems. I'm interested in getting a home system up and running, but I'm having difficulties deciding on a base platform. I am leaning towards Linux versus a BSD due to the tremendous number of employers seeking people with that technology. However, I am attracted to the auditing performed on packages on the BSD end, particularly NetBSD/OpenBSD. Is there a Linux distribution that performs auditing of third party packages? I understand there are some commercial distributions, but I wonder if they are more reactive than proactive.


Red Hat :: Initialize Auditing On A 5.2 Enterprise Server

Feb 2, 2010

I am trying to initialize auditing on a Red Hat 5.2 Enterprise server. Things like:

/sbin/chkconfig audit on
/etc/audit/audit.rules
/var/log/audit/audit.log

are what I am looking at, but I need to know where things go to start the audit service. A simple example with all of the pieces set to audit would help; then I can add rules to match requirements.


Ubuntu :: System Will Freeze 2 Times After Logging Back In

Nov 9, 2010

I recently installed Ubuntu 10.10 and am completely new to Linux. Something I recently noticed is that my whole system will freeze 2 times after logging back in, but after that it works fine. I will log in, then it will work fine, but shortly after it will completely freeze. After about a minute, it will unfreeze and everything will work fine. Then, after a little longer, the exact same thing will occur. After the second freeze and unfreeze, it never occurs again until I log out and log back in. I do not believe this occurs when first starting the computer.


Ubuntu :: Natty: Default System Logging Daemon?

May 16, 2011

Can someone tell me what is the default system logging daemon in Natty, and what other support packages should also be installed?

Since the upgrade to Natty from Maverick none of my system logs are being updated and I need to determine if the correct logging daemon is present.


General :: Logging Into Ubuntu 10.04 Lucid GUI. The System Gets Stuck?

Aug 16, 2010

I am having issues logging into the Ubuntu 10.04 Lucid GUI. The system gets stuck after entering username and password.

Copyrights 2005-15 www.BigResource.com, All rights reserved