
I have been running Ubuntu Server for about four months and I learn something new every day. Today I learned that there are many logs that I didn't know existed. When I examined these logs I was blown away. For example auth.log listed what I think are hacking attempts and failed ssh login attempts from many IP addresses.

My question is this. I am running Apache and I am connecting with ssh. What logs should I be most familiar with in order to monitor failed login attempts and what can I do to make ssh more secure and still be able to manage my server with it?

Also, I have noticed a crazy amount of traffic at two different times when no one should have been connected to the server (using vnstat -l), but still haven't figured out why. Where can I get started tracking this down?

I realize this is many questions packed into one and I apologize for that. I'm still a little stunned at what I have discovered so far.

cop1152
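The failed-login entries the question describes are the `Failed password for ... from <ip>` lines that sshd writes to /var/log/auth.log. The following script is an added example (not from the question or any answer) that parses a few constructed auth.log lines, counts failures per source address and per attempted username, records successful logins, and flags sources that cross a failure threshold; the threshold of 6 is an assumption taken from the later comment about Ubuntu's fail2ban default, not a value the question supplies.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the syslog format Ubuntu's sshd uses in /var/log/auth.log.
# Addresses are documentation ranges (RFC 5737); none of this is real traffic.
SAMPLE_AUTH_LOG = """\
Aug 19 13:18:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Aug 19 13:18:03 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 40218 ssh2
Aug 19 13:18:05 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 40221 ssh2
Aug 19 13:18:07 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 40225 ssh2
Aug 19 13:18:09 web1 sshd[2109]: Failed password for root from 203.0.113.5 port 40230 ssh2
Aug 19 13:18:11 web1 sshd[2111]: Failed password for root from 203.0.113.5 port 40233 ssh2
Aug 19 13:18:12 web1 sshd[2113]: Failed password for invalid user test from 203.0.113.5 port 40240 ssh2
Aug 19 13:20:44 web1 sshd[2150]: Failed password for cop1152 from 192.0.2.10 port 51002 ssh2
Aug 19 13:20:50 web1 sshd[2150]: Accepted publickey for cop1152 from 192.0.2.10 port 51002 ssh2
Aug 19 13:21:00 web1 sshd[2160]: Invalid user guest from 198.51.100.7
Aug 19 13:21:02 web1 sshd[2160]: Failed password for invalid user guest from 198.51.100.7 port 3322 ssh2
Aug 19 13:22:00 web1 CRON[2170]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "invalid user" is present when the username does not exist on the box at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text):
    """Return (failures_per_ip, usernames_tried_per_ip, accepted_logins).

    failures_per_ip: Counter of failed password attempts keyed by source IP.
    usernames_tried_per_ip: dict ip -> set of usernames that source tried.
    accepted_logins: list of (ip, user, method) for successful logins.
    """
    failures = Counter()
    users_tried = defaultdict(set)
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"], m["method"]))
    return failures, users_tried, accepted


def suspicious_sources(failures, threshold=6):
    """Source IPs with at least `threshold` failures (the number a fail2ban-style ban
    would trigger on; 6 is assumed here, matching the default mentioned in the comments)."""
    return sorted(ip for ip, n in failures.items() if n >= threshold)


def logins_after_failures(failures, accepted):
    """Successful logins from a source that also had failures: worth a second look,
    although a user mistyping a password and then succeeding looks the same."""
    return [(ip, user, method) for ip, user, method in accepted if failures.get(ip)]


if __name__ == "__main__":
    failures, users_tried, accepted = parse_auth_log(SAMPLE_AUTH_LOG)
    for ip, n in failures.most_common():
        print(f"{ip:16} {n:3} failures, users tried: {sorted(users_tried[ip])}")
    print("over threshold:", suspicious_sources(failures))
    print("success after failures:", logins_after_failures(failures, accepted))
```

Run it against the real file with `python3 authlog.py` after replacing `SAMPLE_AUTH_LOG` with `open("/var/log/auth.log").read()` (the file is root-readable). The per-source username list is the quick tell for automated guessing: one address cycling through `admin`, `oracle`, `root`, `test` in seconds is a scanner, whereas a single failure followed by an accepted public-key login from the same address is usually the administrator.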

2 Answers


I suggest you look at the logcheck package - it monitors most (if not all) relevant logs and sends you hourly summaries of any and all suspect entries. Note it sends e-mail, so you have to set up a server for that too...

As to failed SSH logins, I suggest you look at using a firewall to block all access by unknown hosts - try looking at Ubuntu's "Uncomplicated FireWall", ufw.

Finally, I suggest you go look at the official Ubuntu Server Guide.

(For good measure, I usually install these on all servers; munin for monitoring, backupninja (name says all), etckeeper for keeping track of /etc and, as mentioned, logcheck.)

Morten Siebuhr

I'd tend to use logwatch, rather than logcheck (although that's a matter of taste more than anything). For securing ssh, I'd start by installing fail2ban, which will block those who continually fail to log in. I wouldn't bother changing the ssh port; it's still trivial to find, due to ssh's connection string, and is really more trouble than it is a benefit. Also, you should forbid root logins over ssh, by changing PermitRootLogins in /etc/ssh/sshd_config to 'no'.

I can't tell you how to track down previous large amounts of traffic, but netstat/lsof -i would give you lists of connections, which may help if you see it again.

Cian
  • +1 for 'forbid root logins over ssh'. I can't believe I haven't done that yet.... – cop1152 Aug 19 '09 at 13:18
  • "I'd start by installing fail2ban, which will block those who continually fail to login." Fail2Ban and the likes do NOT increase security, only reduce log spam. – The Pixel Developer Aug 19 '09 at 13:44
  • How does fail2ban not increase security? It makes brute forcing ssh pretty much impossible. That may not be a large issue, but it is a possibility. – Cian Aug 19 '09 at 19:47
  • @The Pixel Developer eh, wtf? Fail2ban on ubuntu will by default begin to drop ssh from addresses after 6 auth failures. Since this makes a brute force attack *MUCH* harder I'd say this is a pretty big security benefit. – theotherreceive Aug 19 '09 at 19:48
  • I would agree on logwatch. Tools that email you like logwatch, apticron etc., are useful for very small numbers of servers. When it sends more email than you're bothered to read regularly then it's time to look into something smarter. – theotherreceive Aug 19 '09 at 19:58
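The root-login setting Cian recommends is the `PermitRootLogin` directive documented in sshd_config(5). The script below is an added example (not from any of the answerers) that audits an sshd_config for that directive and, going beyond the thread, also for password and public-key authentication settings, which is the usual next step once root logins are off. It reproduces sshd's first-occurrence-wins rule for repeated keywords and deliberately ignores everything after a `Match` line, which is a simplification: conditional blocks are skipped rather than evaluated. The two config fragments are constructed for the example.

```python
import re

# Constructed fragment representing a permissive sshd_config.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# PubkeyAuthentication yes
X11Forwarding yes
"""

# Constructed hardened counterpart: root cannot log in, keys only, fewer tries per connection.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
MaxAuthTries 3
X11Forwarding no
"""

# Expected values for the audit, keyed by lower-cased keyword (sshd keywords are case-insensitive).
# PermitRootLogin is the thread's recommendation; the other two are this example's addition.
EXPECTED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    Mirrors sshd's rule that the first occurrence of a keyword is the one used.
    Lines after a 'Match' keyword are conditional and are skipped (simplification).
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)          # first occurrence wins
    return settings


def audit_sshd_config(text, expected=EXPECTED):
    """Return a list of findings; an empty list means every expected setting is in place.

    An unset keyword is reported rather than assumed safe, because the default
    depends on the OpenSSH version and the distribution's packaging.
    """
    settings = parse_sshd_config(text)
    findings = []
    for key, allowed in expected.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not set explicitly (falls back to the build default)")
        elif value.lower() not in allowed:
            findings.append(f"{key}: is '{value}', expected one of {sorted(allowed)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"--- {name} ---")
        for finding in audit_sshd_config(cfg) or ["no findings"]:
            print(" ", finding)
```

To check a live box, pass `open("/etc/ssh/sshd_config").read()` to `audit_sshd_config`; after editing the file, `sshd -t` validates the syntax before you restart the service, and keeping an existing session open while you test a new one avoids locking yourself out.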