Intrusion detection is often neglected by system administrators who
trust in the intrusion prevention devices they have in place.
Unfortunately, this means that when a hacker finds a crack through which
to crawl, the system may be under their control for a long period of time
before their presence is noticed.
The most basic form of intrusion detection is to pay attention to your
syslogs. These usually appear in the /var/log directory, although the
actual filenames will vary depending on your distribution and
configuration.
# less /var/log/messages
Feb 17 21:21:38 [kernel] Vendor: SONY Model: CD-RW CRX140E Rev: 1.0n
Feb 17 21:21:39 [kernel] eth0: generic NE2100 found at 0xe800, Version 0x031243,
DMA 3 (autodetected), IRQ 11 (autodetected).
Feb 17 21:21:39 [kernel] ne.c:v1.10 9/23/94 Donald Becker (becker@scyld.com)
Feb 17 21:22:11 [kernel] NVRM: AGPGART: VIA MVP3 chipset
Feb 17 21:22:11 [kernel] NVRM: AGPGART: allocated 16 pages
Feb 17 22:20:05 [PAM_pwdb] authentication failure; (uid=1000)
-> root for su service
Feb 17 22:20:06 [su] pam_authenticate: Authentication failure
Feb 17 22:20:06 [su] - pts/3 chouser-root
It can take some practice to understand all these messages, but most of
the important ones are fairly clear. For example, at the end of this log
we can see that user "chouser" tried to use su to become
root and failed.
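As an added example (not part of the original text), the short shell script below pulls the failed su lines out of a log in this format and counts them per user and target account, so repeated failures stand out without paging through the whole file. The sample lines are constructed here in the same format as the log above, and the script assumes su's conventional marker of "-" for a failed switch and "+" for a successful one.

```shell
#!/bin/sh
# Constructed sample log in the format shown above (not a real log).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Feb 17 22:20:05 [PAM_pwdb] authentication failure; (uid=1000) -> root for su service
Feb 17 22:20:06 [su] pam_authenticate: Authentication failure
Feb 17 22:20:06 [su] - pts/3 chouser-root
Feb 17 22:25:10 [su] + pts/3 chouser-root
Feb 17 22:31:44 [su] - pts/4 alice-root
Feb 17 22:31:50 [su] - pts/4 alice-root
EOF

# su_failures FILE
# Prints "COUNT user-target" for every failed su attempt ("-" marker),
# most frequent first. Field layout of an su line:
#   $1 month  $2 day  $3 time  $4 [su]  $5 +/-  $6 tty  $7 user-target
su_failures() {
    awk '$4 == "[su]" && $5 == "-" { c[$7]++ }
         END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# flag_repeated FILE N
# Prints only the user-target pairs with N or more failed su attempts,
# i.e. the ones worth looking at first.
flag_repeated() {
    su_failures "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

echo "Failed su attempts per user-target:"
su_failures "$SAMPLE_LOG"
echo "Pairs with 2 or more failures:"
flag_repeated "$SAMPLE_LOG" 2
```

Pointed at a real file (for example su_failures /var/log/messages), the same two functions work unchanged as long as the distribution logs su in this format.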