Ubuntu Security :: SSH Server - Monitoring File Access
Oct 1, 2010
At our company we have a central server with client files. This server has a SSH server installed, and through Nautilus all employees can access the files. However, I have a few questions:
1. Most employees need access to all folders, because they might use them at some point in time. However, I want to make sure they are not accessing things they do not need. How can I do this? For instance, if somebody copies all of the folders to his/her computer, I want to be able to see this in some sort of log. Can this be done? Copying and accessing in general is what is of my concern.
2. Some employees only need access to specific folders. Can this be easily configured with SFTP?
3. Some also use SSH and type commands which I want to check every now and then (e.g. to make sure an intern is not again copying information or accessing folders they should not be in). What is a good way to do this?
View 7 Replies
ADVERTISEMENT
Sep 16, 2010
I'm running a Debian/Samba PDC on a Windows network. We desire to monitor a few network shares, so that whenever a change is made to a file in those, we have a log of who did it and when. Some capability of seeing what the change was, or a way of reverting it, would be nice luxuries. But username and timestamp are most important, if possible.
On the debian forums, someone advised using Tripwire for this purpose. didn't give much other advice about it so I kind of struck out on my own researching tripwire. got it installed, played wth it, and found it problematic, to say the least. It seems a bit much on the complexity and security side, and it seems more oriented towards maintaining system integrity, than monitoring documents. So far I've not managed to get a policy update working on account of a cascade of errors about a few hundred files under /proc disappearing, despite no changes to the system.so I'm wondering if anyone here has advice.
1. Does debian have this sort of functionality built in? is there a system log I can parse to get this information?
2. Is tripwire the right application for our purpose?
3. Is there anything better suited, more user-friendly or more parsimonious. I don't need something to monitor all system files, guard against intrusion, and make me cups of tea, just to monitor a few folders that I specify
View 4 Replies
View Related
Jun 25, 2011
I am looking for a file monitor to tell me when a file was attempted to be accessed, but was denied. A windows equivalent could be the auditing feature in server 2k3. I don't know which account or which file is attempting to access or be accessed, but I was hoping something built into Linux would support some sort of file auditing for security purposes.
View 2 Replies
View Related
Oct 15, 2010
I am striving to setup OSSEC to monitor some specific files for realtime changes! Is this possible? I can't really find a lot of info from their Documentation
Some Examples:
/etc/myfile.txt is deleted. I need this to be reported.
/etc/myfile.txt is created again so I need this to be reported again!
This has to happen instantly though, because the file might be deleted and created again many times in a short period of time.. Another one...
/etc/passwd is touched (accessed) even if there is no changes! Can this be reported as well?
View 2 Replies
View Related
Mar 24, 2011
I'm trying to find a file access honeypot for our Fedora server.That is, if a local file is accessed, it should notify someone. Plain and simple..
View 8 Replies
View Related
Feb 9, 2010
is someone can guide the best open source tools to monitor as webbase,gui,shell prompt
View 1 Replies
View Related
Jun 28, 2010
I used to have a log file monitoring script on my server but after an auto update recently it seems to have disapperaed.Can anyone think of some log file analyzers that send outputs of ssh, amount of disk space used etc. as I cannot remember the name of the program at all.
View 1 Replies
View Related
Apr 19, 2011
I've spent days trying to setup access properly from a public address to a monitoring server that works fine locally. Everything works from public access until I try to link to a CVS repository. The rancid CVS repository is set up as a separate server (virtualhost). It appears the referring link causes a DNS error (105: Server Not Found) when the CVS repository server is accessed from the public address. Things work fine when accessing via localhost.
Localhost link:
[URL]
Public link: (this results in 105 error caused by redirection (bold portion of link))
[URL]
Code:
Virtualhost config:
LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so
JkWorkersFile /etc/apache2/workers.properties
JkLogFile /var/log/apache2/mod_jk.log
[code]....
View 2 Replies
View Related
May 21, 2011
I have an application which generate logs like this
Code:
2011-05-17 13:21:27 - Msg 2402
File loading terminated.
File information: 3 records in input file found
3 records processed
0 records skipped
Load statistics: 3 messages loaded correctly
0 messages ignored
0 messages with errors
Details:
Destination OK ignored errors correct incorrect not sel. other
house Server (def 3 0 0 0 2 1 0
2011-05-17 13:21:27 - Msg 2410
Archiving information: File /path/to/xxx.txt
was archived as /path/to/xxx.txt.
Now I want to monitor this "house Server (def" and send alert based on 3 0 0 0 2 1 0
say if [ $5 -gt 0 || $6 -gt 0 ]; then
<send email>
View 6 Replies
View Related
Mar 3, 2010
I am setting up a new ubuntu server, and I am quite new to linux. This server will be used as code repository for a project I am going to be working on. I plan to setup 3 groups for users: dev, test, doc
- for various developers, testers and documentation users.
I would like to setup the following permissions on the main code repository directory:
dev - write permission
test - execute permission
doc - read permission
public (anyone outside these groups) - deny all access
I am unsure what chmod setting to use, or if this is even possible in ubuntu.
View 2 Replies
View Related
Aug 4, 2010
When I replace a drive in a RAID 1 and then resync it, why does the file access date (all the files) on the drive from which I am syncing not change? Shouldn't the file access date always change when I copy a file? Are there ways to overgo this?
View 3 Replies
View Related
Dec 7, 2010
I would like to know if it is possible to deny the access to a file for root? Would ACL's be a possibility? I have "googled" around but haven't found anything interesting (except SELinux). I should secure a password file to an important database.
View 6 Replies
View Related
Mar 12, 2011
it is possible to change the root directory for a single, particular program. For example, I have an executable, 'miscreant.bin' that has all of it's required libraries in a directory named "libraries", in the same directory as the said executable. I can launch the program and make it use the libraries included with the executable rather than the system with:
Code:
/lib/ld-linux.so.2 --library-path ~/miscreant/libraries ~/miscreant/miscreant.bin
...or...
Code:
env LD_LIBRARY_PATH=~/miscreant/libraries ~/miscreant/miscreant.bin
With either, miscreant can be portable. But, I would also like to change the root directory (like chroot) of miscreant, so that the directory "~/miscreant/sandbox" becomes the root ("/"). So, if miscreant created a file named "/home/bryan/miscreant", it will be redirected to "~/miscreant/sandbox/home/bryan/miscreant". I am running Crunchbang 10 (Statler) on a 32-bit Atom netbook.
View 5 Replies
View Related
Jan 31, 2010
Is there a program that monitors and displays 'who' is on your wireless Internet signal that one may not be aware of? Like, the ability to see when someone that you don't know is accessing your locked wireless?
View 9 Replies
View Related
Dec 15, 2010
I've firewall machine customers connect on it then connect to one of another 3 machines as root through ssh key , is there any way to know which user connect to which machine and what command that he has executed without using script command ?
View 1 Replies
View Related
Nov 30, 2010
How do I monitor who is ssh'ing into a box (SLES) as well as failed attempts? How can I log their IP addresses, even if they're not in DNS?/var/log/messages I see their hostname but no IP address
View 13 Replies
View Related
May 9, 2010
I was reading a magazine article today which was a discussion of internet detective work for tracking down ip addresses which attempt an ssh login to your machine. I have never really paid much attention to network security since I only run a small home network. I have WPA encryption and a firewall on my router. But while reading this article, I remembered that I myself has seen log files in the past that inidicated someone somewhere had attempted to log into my machine (attempts all failed). This had happened a few times, but I never really considered it a threat.
But, the more I read about home computers becoming "zombies" for criminals, I guess I am getting a little paranoid in my old age, particularly since my wife does quite a bit of business on the net with credit cards. I have four computers connected to the net and each other on this network, and would like to be able to easily detect attempted log ins and deal with them quickly.
So my reason for posting is to ask if someone could recommend a novice-friendly application for monitoring traffic to check this intermittently. I have read bodhi.zazen's excellent tutorial on snort, but I it appears to be written for large lan's or web servers and is over-kill for a small home network.
View 8 Replies
View Related
Sep 30, 2010
I'm going to start monitoring our Linux servers with a log management/correlation tool to take a proactive approach to the security of our systems.
Right now I'm going to search for log events that include the following:
Any other commands or logs that would be good to correlate or be alerted on when a potential breach or suspicous activity is happening on the box? Logging cleared, permission changes on accounts or particular files or directories? What would you want to see while monioring your servers?
View 3 Replies
View Related
Nov 7, 2010
have around 20-30 HP and Dell Hardware where we have attached Pen Drive. There is no Rack-lock facility. A misuse of Pen Drive is reported and it happens every alternative day that someone unplug and theft the drive attached.There is no camera facility to monitor.I have a plan to write a script which will login to every machine through ILO and watch the USB availability. In case anyone dettach the USB, a mail will be sent to the administrator and thereby the steps could be taken.Does this idea look feasible.
View 13 Replies
View Related
Nov 9, 2010
This might sound really stupid, so you'll all have to excuse my lacking knowledge. I read that USB attacks get more and more common, like putting in an USB stick with a malicious autorun script on it, and it's game over. Can AppArmor protect devices and limit their access to the file system?
View 5 Replies
View Related
Oct 11, 2010
On our webhosting servers, where is primary running apache, sometimes starts huge outgoing traffic to random IP addressess (each time of attack is it just one IP). It's always UDP,and according to my investigation tcpdump, it looks like p2p. The problem is in big outgoing traffic, and secondly in filling ip_conntract table /proc/net/ip_conntrack. I think, that one of our webhosting users has some virus uploaded on his FTP, which is time to time ran. I think, that if I can map outgoing traffic to particular process ID, it will be easy to find the PID in access log of webserver and than see what URL it causes.
What I have checked already:
- outgoing UDP connections are not listed in netstat - so cannot get PID from there
- Apache with PHP is in safe mode - cannot exec binaries, cgi is disabled
- I can see tons of records in tcpdump, but from the dump I'm not able to get PID
- In time of attack I was trying to run `lsof`, but nothing to see - didn't found the attacker
- I went through apache access log - I took time of attack -i.e. 02:22 am - grep from access log all hits between 02:20 and 02:29 am and try to call all them again - problem didn't occured
- checked the POST records from access log - nothing
- grepped all php files for keyword 'fsockopen' and 'torrent'
- from iptables --log-uid I have found user nobody (under apache is ran)
I think that the key is able to match outgoing connection to PID, than it will be easy.
View 1 Replies
View Related
Jan 25, 2011
Is anyone aware of a detailed "flow chart" -- arrows and decision diamonds, etc -- that describes the file access and permissions processing? I would love to see that diagram. Years ago on a platform far away (Digitial VAX/VMS) their manuals had such a flow chart that covered not only the user-group-owner and read-write-execute permissions decision making but also include "access control list" processing at a superficial level. If someone has access to the VAX/VMS flow chart, that might be a start toward sorting what linux does.
View 4 Replies
View Related
Feb 17, 2010
When creating 10 samba users I also created Linux users. I do not want these Samba users to be able to use putty, winscp etc to access the server.
Do you know how I can restrict ssh access to specific users?
View 6 Replies
View Related
Feb 9, 2011
I am currently running a 64-bit Fedora 14 server which hosts a game server, a voice server, and remote desktop functionality, each on a distinct TCP port. I am currently using the built-in firewall to deny all traffic other than ICMP ping/pong and TCP traffic on those specific ports.I am looking for a graphical application which will let me monitor any connections being made to my server in order to keep an eye out for possible security concerns. To be more specific, I'd like to be able to see the source IP addresses, TCP/UDP ports, and individual bandwidth in use by external connections being made to the server, along with any other information that might be helpful in identifying a possible intrusion attempt.
View 3 Replies
View Related
Feb 10, 2011
I'm new in UNIX & trying to access the server using SSH but I encounter this error PAM Authentication Error. I use edit /etc/ssh/sshd_login & set the PermitRootLogin to yes. But didn't work. I used this command ps -ef | grep sshd & saying Process environment requires procfs(5). I don't know what to do now. What I want is access it by SSH but I got Access Denied. [MOD]Pruned from [URL]. create your own thread instead of resurrecting a five year old one.[/MOD]
View 1 Replies
View Related
Feb 12, 2011
I have been trying to use my DS2490 USB to serial device with a Maxim .DG1921G thermocron with owfs. It is supposed to give me access to a virtual file system for the thermocrom without needing to launch owfs as root.
Code:
/var/log/messages gives:
Feb 8 16:22:45 norman-HP-G56-Notebook-PC kernel: [ 236.140141] usb 5-1: new full speed USB device using ohci_hcd and address 2[code]....
but if ds2490 module is loaded it works when run sudo.It seems from this that it is a lack of permissions to USB but I have tried all the methods on at http://owfs.org/index.php?page=udev etc. to overcome this and a few others but none work.I am running Ubuntu 10.10 kernel 2.6.35-22-generic #33-Ubuntu SMP
View 1 Replies
View Related
Sep 27, 2010
In one of our network we are using one firewall which works as gateway. All machines are able to access internet through this gateway. There is no filtering and any internet restriction. I would like to setup monitoring system which monitor and log bandwidth and sites access by client machine. Is there any tool which monitor internet access as well as sites which are access from client machines.
View 12 Replies
View Related
Feb 3, 2011
on the following link [URL] section 2 says
Quote:
The following directories need to be readable, writeable and executable for everyone:
* dokeos/main/inc/conf/
* dokeos/main/upload/users/
* dokeos/main/default_course_document/
* dokeos/archive/
[Code].....
I am not at all convinced by the idea of giving permissions to read,write and execute as these Learning Management Systems say. Let me know what you people have to say? What is the best practise in such situations? I have to get all these LMS run on same web server.
View 2 Replies
View Related
Feb 13, 2011
I want to access files on my ubuntu server wireless. Is there a way I can do that? I'm sorry if this is a stupid question, but I'm kind of new at this whole server thing.
View 5 Replies
View Related
Jun 9, 2011
We want to set up a Linux server (hosting Git or later SVN repositories) which should have all stored data strongly encrypted, so that if one steals the server the data cannot be read. For example, our notebooks have all important data stored on a "true-crypted" partition.
We plan to access it with SSH private keys and only after successful login should the data be readable. The server would be located in our office, shut down at night and not be connected to the Internet directly, but only accessible in our intranet.
View 1 Replies
View Related
