Chris H wrote:
On Tue, December 22, 2009 8:35 am, Andresen, Jason R. wrote:
Squirrel wrote:

Most likely it could be some kind of remote code execution or SQLi executed in
the context of some php scripts; you should audit the php code of your web
interface and of the websites you host. Also consider the strength of your
passwords: lots of login attempts to ssh/ftp may mean he has tried a
bruteforce (or a dictionary attack maybe). You should also check webmin logs,
there are a few bruteforcers for webmin out there. (*hint*) Consider the length
of your average password; if it's more than 7-8 characters alphanumeric with
symbols, most likely this isn't the case.
While it's true that it's a good idea to check your password strength, pretty
much any host connected to the internet is going to be hit daily by bots
looking for weak passwords.  It's one area where your logs don't help much
because there is too much noise.
That's why there's GREP(1), AWK(1), FIND(1), TAIL(1), and CAT(1).
Consider adding the following to your /etc/rc.conf:

# SECURITY RELATED
####################################
syslogd_flags="-ss"
log_in_vain="YES"
tcp_keepalive="YES"


now your log file will /really/ sing (log_in_vain="YES").
Of course, unless you have a great deal of time on your hands, visually parsing
that "noisy" log will be quite tedious, and time consuming. So you have a few
options...
If you're running X11, simply run tail in a root window - there are quite a few
utilities in ports for doing just this - some that'll only write messages you
want to see.
You could also create a script run out of cron that will only produce messages you
are interested in, for example:

~# grep ssh /var/log/messages

will emit any attempt to ssh into your box
you can also redirect the messages to a file:

~# grep ssh /var/log/messages >>~/EVIL_DOERS

You could also add an entry to PERIODIC(8) that will
provide a daily report on any attempts you are interested in.

HTH

--Chris H
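The grep-and-cron idea above, written out as a small report script of the kind you could run from cron or periodic(8). This is an added example, not Chris H's code or anything posted in the thread. The log lines it parses are constructed samples in FreeBSD syslog format (sshd "Failed ..." / "Accepted ..." messages and the kernel's log_in_vain "Connection attempt to ..." messages); the log path, the failure threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarises sshd login failures and
# log_in_vain probes from a syslog-format file, in the spirit of
# "grep ssh /var/log/messages" plus a periodic(8) daily report.
# THRESHOLD and the log path are assumptions; adjust for your box.

THRESHOLD="${THRESHOLD:-5}"   # report sources with at least this many failures

# Print "count ip" for every source that produced sshd "Failed ..." lines,
# most failures first. "Invalid user" lines are not counted because each one
# is followed by a "Failed password for invalid user ..." line for the same try.
ssh_failures_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' "$1" | sort -rn
}

# Number of "Accepted ..." sshd logins from one source address: a brute force
# that eventually got in is the case you really want to see.
ssh_success_count() {
    awk -v ip="$1" '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++)
                if ($i == "from" && $(i + 1) == ip) { n++; break }
        }
        END { print n + 0 }
    ' "$2"
}

# Count the kernel's log_in_vain "Connection attempt to TCP a.b.c.d:port ..."
# messages per protocol/port, so you can see which closed ports get probed.
in_vain_by_port() {
    awk '
        /kernel: Connection attempt to (TCP|UDP) / {
            for (i = 1; i <= NF; i++)
                if ($i == "attempt" && $(i + 1) == "to") {
                    split($(i + 3), d, ":")
                    p[$(i + 2) "/" d[2]]++
                    break
                }
        }
        END { for (k in p) print p[k], k }
    ' "$1" | sort -rn
}

# One line per offending source: failures, successes, address.
# $1: log file, $2: minimum failure count to be listed
ssh_report() {
    ssh_failures_by_ip "$1" | awk -v t="$2" '$1 >= t' |
    while read -r fails ip; do
        printf '%s failed, %s accepted from %s\n' \
            "$fails" "$(ssh_success_count "$ip" "$1")" "$ip"
    done
}

# Constructed sample log (not real data) so the script can be tried offline.
write_sample_log() {
    cat > "$1" <<'EOF'
Dec 22 08:01:02 host sshd[1234]: Invalid user admin from 192.0.2.10
Dec 22 08:01:04 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Dec 22 08:01:09 host sshd[1236]: Failed password for root from 192.0.2.10 port 51240 ssh2
Dec 22 08:01:15 host sshd[1238]: Failed password for root from 192.0.2.10 port 51244 ssh2
Dec 22 08:01:21 host sshd[1240]: Failed password for root from 192.0.2.10 port 51250 ssh2
Dec 22 08:01:30 host sshd[1242]: Accepted password for root from 192.0.2.10 port 51255 ssh2
Dec 22 08:05:00 host sshd[1300]: Failed password for jason from 198.51.100.7 port 40000 ssh2
Dec 22 08:05:10 host sshd[1302]: Accepted publickey for jason from 198.51.100.7 port 40002 ssh2
Dec 22 08:06:00 host ftpd[1400]: FTP LOGIN FAILED FROM 203.0.113.5, anonymous
Dec 22 08:07:00 host kernel: Connection attempt to TCP 10.0.0.1:23 from 203.0.113.5:4444 flags:0x02
Dec 22 08:07:05 host kernel: Connection attempt to TCP 10.0.0.1:23 from 203.0.113.9:4445 flags:0x02
Dec 22 08:07:09 host kernel: Connection attempt to UDP 10.0.0.1:53 from 203.0.113.5:5353
EOF
}

# Stand-alone use: "sh report.sh sample" runs against the constructed log,
# "sh report.sh /var/log/auth.log" against a real one (e.g. from cron).
case "${1:-}" in
    sample) LOG="${TMPDIR:-/tmp}/evil_doers_sample.$$"; write_sample_log "$LOG"; RUN=1 ;;
    "")     RUN= ;;
    *)      LOG="$1"; RUN=1 ;;
esac
if [ -n "$RUN" ]; then
    echo "sshd sources with >= $THRESHOLD failures:"
    ssh_report "$LOG" "$THRESHOLD"
    echo "log_in_vain probes by port:"
    in_vain_by_port "$LOG"
fi
```

The point of pairing failures with "Accepted" lines is that a source with hundreds of failures and zero successes is just the daily background noise, while one with many failures followed by a success is the line you want in your mailbox. Redirect the output to a file, as with ~/EVIL_DOERS above, or let cron mail it to you.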

I use security/logcheck: Mails anomalies in the system logfiles to the administrator.

Logcheck helps spot problems, anomalies and security violations
in your logfiles automatically and will send the summaries to you
via e-mail. Logcheck is run as a cron job.

_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"