01-11-2009, 06:44 PM
Robert Brockway
Who is logged into this box?

On Sun, 11 Jan 2009, Dotan Cohen wrote:

> On a machine that I have root access to, how can I see who is logged
> into the machine? Specifically, I suspect that a malicious entity is
> logging on in a compromised account over SSH, even while the account's
> user is sitting at the machine and logged in, so if I can catch two
> simultaneous login sessions (one on the physical hardware, one over
> ssh) then I can be sure. Thanks.


w and who have been mentioned. I generally prefer finger (which runs
quite happily locally without a fingerd to connect to).


You probably also want to look at last[1] which will show a history of
when users were logged in.


But...

If you really think the a/c has been compromised then don't wait for the
baddie to log in again. Lock the account. Scan the box for anomalies
(e.g., chkrootkit) and take a particular interest in that a/c.


If you don't find any evidence that the baddie broke root then you may wish to
reset the a/c password and move on. If you find any evidence that the
baddie broke root then best practice is to restore the box from known good
backups. You can never guarantee that you found all of the backdoors that
a cracker may have left on a system.


I'll stop now as there is a lot more I could say on this topic but it
isn't necessary at this stage.


[1] I comment out the entry concerning wtmp in
/etc/logrotate.conf as this allows the login history to remain
indefinitely. Even for multi-user boxes that have been running for years
I haven't found a problem doing this. wtmp is tiny so disk space is
hardly an issue.


Cheers,

Rob

--
I tried to change the world but they had a no-return policy


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
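The check Dotan asks for in the quoted question (a console session and a network session for the same account at the same time) can be automated over the output of `who`, which is what w, who and finger all read. The shell function below is an added example, not code from the thread; the `who` lines it runs on are constructed sample data with invented user names and addresses.

```shell
#!/bin/sh
# Added example: flag accounts that are logged in on the console and over the
# network at the same time, from `who` output.

# Constructed sample of `who` output (invented users and addresses).
# Columns: user, line, date, time, origin in parentheses. A tty line, or an
# origin that is an X display such as ":0", is a console session; an origin
# that is a host name or address is a network (typically SSH) session.
SAMPLE_WHO='alice    tty7         2009-01-11 14:02 (:0)
alice    pts/0        2009-01-11 17:44 (203.0.113.7)
bob      pts/1        2009-01-11 16:10 (203.0.113.9)
carol    tty1         2009-01-11 09:30'

# concurrent_logins: read `who`-style lines on stdin and print
# "user console_line remote_line remote_origin" for each user that has
# both kinds of session. Users with only one kind print nothing.
concurrent_logins() {
    awk '
    {
        user = $1; line = $2; origin = ""
        # origin is the parenthesised last field, if present
        if (match($0, /\([^)]*\)$/))
            origin = substr($0, RSTART + 1, RLENGTH - 2)
        if (line ~ /^tty/ || origin ~ /^:[0-9]/)
            console[user] = line
        else if (origin != "" && origin !~ /^:/) {
            remote[user] = line
            rhost[user]  = origin
        }
    }
    END {
        for (u in console)
            if (u in remote)
                printf "%s %s %s %s\n", u, console[u], remote[u], rhost[u]
    }'
}

# On a live system: who | concurrent_logins
printf '%s\n' "$SAMPLE_WHO" | concurrent_logins
```

Run it against the live system with `who | concurrent_logins`; on the sample it prints only alice, who has both a tty7 console session and a pts/0 session from 203.0.113.7. A hit proves two sessions, not an intruder (the user may have SSHed in from another machine of their own), and anything that is not an X display is counted as remote, so a local screen or tmux pane shows up too. The converse caveat is Rob's point above: an attacker who already has root can edit utmp and wtmp, so an empty result is not evidence of a clean box.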
 
01-11-2009, 09:13 PM
"Dotan Cohen"
Who is logged into this box?

2009/1/11 Michael Shuler <michael@pbandjelly.org>:
> Since it has not been mentioned in the other replies, I would certainly
> think that scrutiny of /var/log/auth.log is due. The logs should show
> you when the user has logged in, and from what remote IP addresses. It
> should be quite simple to correlate those times and locations with your
> user.
>

Thank you, that did give me the information that I needed.

> 'whois 11.22.33.44' on those IP addresses will get you an idea of the
> physical location (not precise in all cases, but an idea) the logins
> came from.
>

I did not realize that whois worked with IP addresses. Thanks.

> In any case - do not delay changing that user's password to a new strong
> one!
>

Done! Even though it was already strong (over 12 characters,
alphanumeric of varying case).

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه-و-ي
А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я
а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
ä-ö-ü-ß-Ä-Ö-Ü
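Michael's suggestion quoted above, working through /var/log/auth.log for the account's logins and their source addresses, is what Dotan says answered the question. The shell functions below are an added example of that correlation, not code from the thread; they run over a few constructed auth.log lines in sshd's syslog format (invented host, users and addresses) and list the successful logins that came from any address outside the ones the legitimate user is known to use. The `whois` step remains a manual lookup on whatever addresses this prints.

```shell
#!/bin/sh
# Added example: pull an account's SSH logins out of auth.log and flag the
# ones from addresses the legitimate user is not known to use.

# Constructed auth.log excerpt in sshd's syslog format (invented host, users
# and addresses). Field layout of an "Accepted"/"Failed" line:
#   Jan 11 14:02:11 host sshd[4120]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
SAMPLE_AUTH_LOG='Jan 11 14:02:11 host sshd[4120]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Jan 11 17:43:50 host sshd[4300]: Failed password for alice from 203.0.113.7 port 41188 ssh2
Jan 11 17:44:03 host sshd[4311]: Accepted password for alice from 203.0.113.7 port 41200 ssh2
Jan 11 17:50:21 host sshd[4350]: Failed password for invalid user admin from 198.51.100.5 port 33010 ssh2
Jan 11 18:01:12 host sshd[4402]: Accepted password for bob from 192.0.2.10 port 50300 ssh2'

# ssh_events USER: read auth.log lines on stdin and print
# "Mon DD HH:MM:SS Accepted|Failed method source" for each sshd
# authentication attempt against USER. The user name is the word after
# "for " (skipping "invalid user "), so a failed guess at a nonexistent
# account is attributed to the name that was tried.
ssh_events() {
    awk -v u="$1" '
    /sshd\[[0-9]+\]: (Accepted|Failed) / {
        result = $6; method = $7
        s = $0; sub(/.* for (invalid user )?/, "", s); split(s, a, " "); user = a[1]
        s = $0; sub(/.* from /, "", s);                split(s, b, " "); src = b[1]
        if (user == u)
            printf "%s %s %s %s %s %s\n", $1, $2, $3, result, method, src
    }'
}

# unexpected_sources USER "addr1 addr2 ...": the successful logins of USER
# whose source address is not in the space-separated list of known-good ones.
unexpected_sources() {
    ssh_events "$1" | awk -v allowed="$2" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $4 == "Accepted" && !($6 in ok) { print }'
}

# On a live Debian box: unexpected_sources alice "192.0.2.10" < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | unexpected_sources alice "192.0.2.10"
```

On the sample this prints the one password login for alice from 203.0.113.7. Looking at `ssh_events alice` as a whole is worth the extra minute: a failed password from the same unfamiliar address thirteen seconds before the success is the shape of a guessed or reused password rather than a typo by the real user, and the method column separates key-based logins (which a stolen password alone cannot produce) from password logins. Rotated copies (auth.log.1, auth.log.2.gz) need to be included, or older history is lost in the same way Rob describes for wtmp.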
 
01-11-2009, 09:16 PM
"Dotan Cohen"
Who is logged into this box?

2009/1/11 Robert Brockway <robert@timetraveller.org>:
> On Sun, 11 Jan 2009, Dotan Cohen wrote:
>
>> On a machine that I have root access to, how can I see who is logged
>> into the machine? Specifically, I suspect that a malicious entity is
>> logging on in a compromised account over SSH, even while the account's
>> user is sitting at the machine and logged in, so if I can catch two
>> simultaneous login sessions (one on the physical hardware, one over
>> ssh) then I can be sure. Thanks.
>
> w and who have been mentioned. I generally prefer finger (which runs quite
> happily locally without a fingerd to connect to).
>
> You probably also want to look at last[1] which will show a history of when
> users were logged in.
>
> But...
>
> If you really think the a/c has been compromised then don't wait for the
> baddie to log in again. Lock the account. Scan the box for anomalies (eg,
> checkrootkit) and take a particular interest in that a/c.
>
> If you don't find any evidence that the baddie broke root then may wish to
> reset the a/c password and move on. If you find any evidence that the
> baddie broke root then best practice is to restore the box from known good
> backups. You can never guarantee that you found all of the backdoors that a
> cracker may have left on a system.
>
> I'll stop now as there is a lot more I could say on this topic but it isn't
> necessary at this stage.
>
> [1] I comment out the entry concerning wtmp in /etc/logrotate.conf as this
> allows the login history to remain indefinitely. Even for multi-user boxes
> that have been running for years I haven't found a problem doing this. wtmp
> is tiny so disk space is hardly an issue.
>
> Cheers,
>
> Rob
>

Thanks, Rob. Although I found no evidence of the break-in that I had
suspected, I changed the password anyway. Like fine underwear,
passwords should be changed every few months for good measure.

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

 
01-11-2009, 10:32 PM
Chris Jones
Who is logged into this box?

On Sun, Jan 11, 2009 at 05:16:14PM EST, Dotan Cohen wrote:
> 2009/1/11 Robert Brockway <robert@timetraveller.org>:
> > On Sun, 11 Jan 2009, Dotan Cohen wrote:

> Like fine underwear, passwords should be changed every few months for good
> measure.

What? You recommend changing underwear every few months..??

I certainly envy you for the tolerant disposition of your relatives, friends,
or fellow workers.


 
01-11-2009, 11:07 PM
"Dotan Cohen"
Who is logged into this box?

2009/1/12 Chris Jones <cjns1989@gmail.com>:
> On Sun, Jan 11, 2009 at 05:16:14PM EST, Dotan Cohen wrote:
>> 2009/1/11 Robert Brockway <robert@timetraveller.org>:
>> > On Sun, 11 Jan 2009, Dotan Cohen wrote:
>
>> Like fine underwear, passwords should be changed every few months for good
>> measure.
>
> What? You recommend changing underwear every few months..??
>
> I certainly envy you for the tolerant disposition of your relatives, friends,
> or fellow workers.
>

I've heard it said once that passwords are like underwear: you don't
share them with your friends, you don't hang them on your monitor, and
you change them twice yearly. I only wish that I could take credit for
that poetic quote.

(It's an ingenious quote: because of the humour, users tend to remember it.)

--
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

 
