LPI certification 102 exam prep, Part 3
4. Security overview
Intrusion detection - syslogs page 16 of 21


Intrusion detection is often neglected by system administrators who trust the intrusion prevention devices they have in place. Unfortunately, this means that when an attacker finds a crack through which to crawl, the system may be under their control for a long time before anyone notices their presence.

The most basic form of intrusion detection is to pay attention to your syslogs. These usually live in the /var/log directory, although the actual filenames vary with your distribution and syslog configuration: many systems send authentication messages to a separate file such as /var/log/auth.log or /var/log/secure rather than to /var/log/messages.


# less /var/log/messages
Feb 17 21:21:38 [kernel]   Vendor: SONY      Model: CD-RW  CRX140E    Rev: 1.0n
Feb 17 21:21:39 [kernel] eth0: generic NE2100 found at 0xe800, Version 0x031243, DMA 3 (autodetected), IRQ 11 (autodetected).
Feb 17 21:21:39 [kernel] ne.c:v1.10 9/23/94 Donald Becker (becker@scyld.com)
Feb 17 21:22:11 [kernel] NVRM: AGPGART: VIA MVP3 chipset
Feb 17 21:22:11 [kernel] NVRM: AGPGART: allocated 16 pages
Feb 17 22:20:05 [PAM_pwdb] authentication failure; (uid=1000) -> root for su service
Feb 17 22:20:06 [su] pam_authenticate: Authentication failure
Feb 17 22:20:06 [su] - pts/3 chouser-root

It can take some practice to understand all these messages, but most of the important ones are fairly clear. For example, the last three lines of this log show that user "chouser" (uid 1000) tried to use su to become root and failed: PAM refused the authentication, su reported the failure, and the final record "- pts/3 chouser-root" notes a failed switch from chouser to root on terminal pts/3. A single failure like this is usually a mistyped password; what you are looking for is repeated failures, successful switches to root from accounts or terminals you do not expect, and activity at hours when nobody should be logged in. Bear in mind that an intruder who does gain root can edit or truncate these files, so logs that also go to a separate log host are far more trustworthy than the local copy alone.
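Reading the log by hand works for one machine, but the same rules can be written down and run over the file. The following is an added example, not code from the tutorial: it parses messages in the bracketed "[program]" format shown above, pulls out su records, and flags two things the paragraph describes, repeated failed switches from one user to another within a short window, and successful switches to root during off hours. It assumes the classic su record format "RESULT TTY FROM-TO", where "-" marks a failed switch and "+" a successful one, and it assumes a year for the timestamps because syslog does not record one. The sample log is constructed: the su and PAM lines from the page plus a few invented lines so both rules have something to trigger on.

```python
"""Flag suspicious su activity in syslog-style messages (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the su/PAM lines from the page plus invented lines
# (two more chouser failures and a successful off-hours su by "nobody").
SAMPLE_LOG = """\
Feb 17 21:22:11 [kernel] NVRM: AGPGART: allocated 16 pages
Feb 17 22:20:05 [PAM_pwdb] authentication failure; (uid=1000) -> root for su service
Feb 17 22:20:06 [su] pam_authenticate: Authentication failure
Feb 17 22:20:06 [su] - pts/3 chouser-root
Feb 17 22:20:20 [su] - pts/3 chouser-root
Feb 17 22:20:31 [su] - pts/3 chouser-root
Feb 18 03:12:44 [su] + pts/0 nobody-root
"""

# "Mon DD HH:MM:SS [program] message", the layout shown on the page.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \[(?P<prog>[^\]]+)\] (?P<msg>.*)$"
)
# su's "RESULT TTY FROM-TO" record: '-' failed switch, '+' successful switch
# (assumed classic format; a hyphen inside a user name would make the split ambiguous).
SU_RE = re.compile(r"^(?P<result>[+-]) (?P<tty>\S+) (?P<src>[^-\s]+)-(?P<dst>\S+)$")

YEAR = 2000  # assumed: syslog timestamps carry no year; only needed for ordering


def parse_line(line):
    """Split one log line into timestamp, program and message, or None if it does not fit."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "prog": m["prog"], "msg": m["msg"]}


def su_events(log_text):
    """Return su switch attempts as dicts: ts, ok (bool), tty, src, dst."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["prog"] != "su":
            continue
        m = SU_RE.match(rec["msg"])
        if not m:
            continue  # e.g. the "pam_authenticate: Authentication failure" line
        events.append({"ts": rec["ts"], "ok": m["result"] == "+",
                       "tty": m["tty"], "src": m["src"], "dst": m["dst"]})
    return events


def repeated_failures(events, threshold=3, window_s=60):
    """(src, dst, total_failures) for pairs with >= threshold failures inside window_s seconds."""
    by_pair = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    hits = []
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s:
                hits.append((src, dst, len(stamps)))
                break
    return hits


def root_successes(events, quiet_start=22, quiet_end=6):
    """Successful switches to root as (src, tty, when, off_hours); off hours are [22:00, 06:00)."""
    out = []
    for e in events:
        if e["ok"] and e["dst"] == "root":
            h = e["ts"].hour
            off_hours = h >= quiet_start or h < quiet_end
            out.append((e["src"], e["tty"], e["ts"].strftime("%b %d %H:%M:%S"), off_hours))
    return out


def report(log_text=SAMPLE_LOG):
    """Human-readable findings, one per line."""
    events = su_events(log_text)
    lines = []
    for src, dst, n in repeated_failures(events):
        lines.append(f"ALERT: {n} failed su {src}->{dst} within 60s (possible password guessing)")
    for src, tty, when, off in root_successes(events):
        tag = "ALERT" if off else "INFO"
        lines.append(f"{tag}: {src} became root on {tty} at {when}" + (" (off-hours)" if off else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it against a real file with `report(open("/var/log/messages").read())`, adjusting LINE_RE if your syslog puts a hostname before the program name, as most stock syslogd configurations do. The thresholds are deliberately simple; the point is that a rule you would apply while reading with less can be applied to every line, every day.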

