
Background:

I am running a dedicated server with WHM/cPanel and I would like to know what to back up. My old VPS was hacked into using a security vulnerability in TimThumb, and I was unable to trace back who had done it because the logs were being deleted every once in a while; by the time I got around to analyzing it, the logs were gone.

On my new (and hopefully secure :) server I would like to regularly back up logs and everything I would need to track down someone who executed malicious commands and web requests on my server.

Question:

  • What do I need to back up to track things like HTTP events, SSH connections, etc.?
  • Where exactly are those files located?
  • Is there an automated way of copying the files or doing this backup?

Please advise me on this task.

Thank you

1 Answer


For the Apache httpd service, you can back up the log files, typically found in /var/log/httpd or /var/log/apache.

For SSH logins you can check the log files /var/log/auth(.log) and /var/log/secure(.log), and you can also dump the output of the `last` command to a "log" file for backing up by running `last > /var/log/ssh_logins`.

You can automate backing up these files via cron and a custom backup script, or by using something like rsync or dirvish.

Tim
  • Or better yet, use syslog-ng or rsyslog to push them immediately to a different server. You can also change how long logs are kept for, how often they are rotated, and when and whether they are compressed by editing the files in `/etc/logrotate.d/`. – Ladadadada Jan 26 '12 at 16:21
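As an added example that is not part of Tim's answer or of any cPanel tooling, the POSIX shell script below does what the answer and the comment describe: it copies the Apache and SSH logs named above into a timestamped snapshot directory, dumps `last`/`lastb` next to them, writes a SHA-256 manifest so a later tampered copy can be detected, and optionally pushes the snapshot to another host with rsync. The log paths in `LOG_SOURCES`, the snapshot location `/var/backups/logsnap`, the `OFFSITE` target, and the two sample log lines in `demo_snapshot` are all assumptions made for the example; missing sources are skipped, so the same script runs on Debian-style (`/var/log/apache2`, `auth.log`) and RHEL/cPanel-style (`/var/log/httpd`, `secure`) hosts.

```shell
#!/bin/sh
# logsnap.sh: snapshot the logs needed to reconstruct an intrusion
# (HTTP requests, SSH logins, login records) before logrotate or an
# attacker removes them. Paths below are assumptions; check `ls /var/log`.

# Candidate sources on cPanel/RHEL and Debian boxes (assumed defaults).
# Entries that do not exist on this host are skipped.
LOG_SOURCES="/var/log/httpd /var/log/apache2 /var/log/apache /var/log/secure /var/log/auth.log /var/log/messages /var/log/wtmp /var/log/btmp"

# snapshot_logs DEST SOURCE...
# Copies each existing SOURCE into DEST/<UTC timestamp>/, records login
# history with last/lastb, writes a sha256 MANIFEST, locks the directory
# down to the owner, and prints the snapshot directory path.
snapshot_logs() {
    dest=$1; shift
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    snap="$dest/$stamp"
    mkdir -p "$snap"
    for src in "$@"; do
        [ -e "$src" ] || continue
        # -p keeps mtimes/modes (useful as evidence), -R recurses into log dirs.
        cp -pR "$src" "$snap/" 2>/dev/null || cp -R "$src" "$snap/"
    done
    # `last` reads wtmp (successful logins), `lastb` reads btmp (failed
    # logins). Both are optional: minimal hosts may lack the tool or the file.
    if command -v last >/dev/null 2>&1; then
        last > "$snap/ssh_logins.txt" 2>/dev/null || true
    fi
    if command -v lastb >/dev/null 2>&1; then
        lastb > "$snap/failed_logins.txt" 2>/dev/null || true
    fi
    # Integrity manifest; verify later with: (cd SNAP && sha256sum -c MANIFEST)
    ( cd "$snap" && find . -type f ! -name MANIFEST -exec sha256sum {} + > MANIFEST )
    # Logs hold client IPs and usernames: keep the copy private.
    chmod -R go-rwx "$snap"
    printf '%s\n' "$snap"
}

# push_offsite SNAPDIR REMOTE
# Ships a snapshot over SSH so a compromise of the web server cannot reach
# it. Assumes rsync plus key-based SSH to REMOTE, e.g.
# "backup@logs.example.net:/srv/logsnap/web01/" (hypothetical host).
# --ignore-existing means an attacker who later gains this key still cannot
# overwrite snapshots already on the backup host.
push_offsite() {
    rsync -a --ignore-existing -e ssh "$1" "$2"
}

# demo_snapshot
# Builds a throwaway /var/log look-alike with two constructed log lines
# (not real traffic), snapshots it without needing root, and prints the
# snapshot path. Used to exercise the script on a workstation.
demo_snapshot() {
    work=$(mktemp -d)
    mkdir -p "$work/var/log/httpd"
    printf '%s\n' '203.0.113.5 - - [26/Jan/2012:16:21:00 +0000] "GET /wp-content/themes/t/timthumb.php?src=http://203.0.113.9/x.php HTTP/1.1" 200 512' \
        > "$work/var/log/httpd/access_log"
    printf '%s\n' 'Jan 26 16:22:01 web01 sshd[1234]: Accepted password for root from 203.0.113.5 port 4242 ssh2' \
        > "$work/var/log/secure"
    snapshot_logs "$work/backup" "$work/var/log/httpd" "$work/var/log/secure" "$work/var/log/auth.log"
}

# Production entry point, guarded so that sourcing the file for its
# functions does nothing. Example cron line (hourly):
#   0 * * * * LOGSNAP_RUN=1 OFFSITE=backup@logs.example.net:/srv/logsnap/web01/ /usr/local/sbin/logsnap.sh
if [ "${LOGSNAP_RUN:-0}" = 1 ]; then
    # $LOG_SOURCES is intentionally unquoted so it word-splits into arguments.
    snap=$(snapshot_logs /var/backups/logsnap $LOG_SOURCES)
    if [ -n "${OFFSITE:-}" ]; then
        push_offsite "$snap" "$OFFSITE"
    fi
fi
```

Running hourly from cron narrows the window between a break-in and the copy, but a snapshot taken by the compromised host is still only as trustworthy as that host; the comment's suggestion of forwarding live with rsyslog (a line such as `*.* @@loghost:514` in `/etc/rsyslog.conf`) or syslog-ng gets each line off the box as it is written, and the two approaches complement each other. Keep `/etc/logrotate.d/` retention long enough that the snapshot schedule never misses a rotation.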