[Application Security] Host Log Security Analysis

  • Author|Lu Mengyu
  • Information Collection|Lu Mengyu

Source of some information in this article: "Linux Information Security Practical Tutorial"



0. Preface

To keep a Linux system secure you must know what it has been doing. Linux logs are essential for security: they record what happens on the system every day, so they can be used to find the cause of an error or, after an intrusion, the traces the attacker left behind.


1. Log classification

1.1 Connection time log

Connection time logging is performed by several programs, which write their records to three files, /var/log/wtmp, /var/run/utmp and /var/log/lastlog, so that the system administrator can track who logged in to the system, from where, and when.

The utmp, wtmp and lastlog files record users logging in to and out of the system. Their contents are:

  1. utmp records every user currently logged in;
  2. wtmp records every login, logout, and system startup and shutdown event, each with a timestamp;
  3. lastlog records the last login of each user.

All three are binary files, so they are read with who or w (utmp), last (wtmp) and lastlog (lastlog) rather than with cat.

1.2 Process statistics log

Process accounting is performed by the kernel: when a process terminates, the kernel appends one record for it to the accounting file (pacct or acct, typically /var/log/account/pacct or /var/account/pacct depending on the distribution). Its purpose is to record which commands the system executed; Linux can track every command run by every user, which makes the accounting log useful for reconstructing an intruder's actions. Unlike connection time logging, process accounting is not enabled by default and must be switched on first, using the accton command (from the acct or psacct package), which must be run as root. The records are read with lastcomm and summarized with sa.
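
As an added example (not code from the original article or from the acct package), the following Python parses raw acct_v3 records as the kernel writes them and applies the kind of check an investigator runs over pacct: it lists every command that ran with superuser privileges (the ASU flag, shown as "S" by lastcomm) under a non-root uid and is not one of the setuid programs a normal user is expected to run. It assumes little-endian, 64-byte ACCT_VERSION 3 records; the sample records and the EXPECTED_SETUID allowlist are constructed assumptions, not taken from a real system.

```python
"""Parse process-accounting (acct_v3) records and flag commands that ran
with superuser privileges under a non-root uid.

Added example, not from the original article. Assumes little-endian
acct_v3 records (ACCT_VERSION 3, 64 bytes, as on x86_64); the sample
records below are constructed, not captured from a real system.
"""
import struct

# struct acct_v3 from linux/acct.h: flag, version, tty, exitcode, uid, gid,
# pid, ppid, btime, etime (float), eight comp_t counters, comm[16] -> 64 bytes
ACCT_FMT = "<BBHIIIIIIfHHHHHHHH16s"
ACCT_SIZE = struct.calcsize(ACCT_FMT)   # 64
ACCT_VERSION = 3
AHZ = 100                               # accounting clock ticks per second
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10

# Assumed allowlist: setuid programs a normal user legitimately runs with ASU set
EXPECTED_SETUID = {"sudo", "su", "passwd", "ping", "mount", "umount", "chsh", "newgrp"}


def decode_comp_t(v):
    """comp_t is a 13-bit mantissa with a 3-bit base-8 exponent."""
    return (v & 0x1FFF) << (3 * (v >> 13))


def encode_comp_t(value):
    """Inverse of decode_comp_t; only used here to build sample records."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    return (exp << 13) | value


def parse_acct(data):
    """Yield one dict per 64-byte record in a pacct byte string."""
    for off in range(0, len(data) - ACCT_SIZE + 1, ACCT_SIZE):
        f = struct.unpack_from(ACCT_FMT, data, off)
        if f[1] != ACCT_VERSION:
            raise ValueError("unsupported accounting record version %d" % f[1])
        yield {
            "flag": f[0], "uid": f[4], "gid": f[5], "pid": f[6], "ppid": f[7],
            "btime": f[8],
            "utime": decode_comp_t(f[10]) / AHZ,   # seconds of user CPU time
            "stime": decode_comp_t(f[11]) / AHZ,   # seconds of system CPU time
            "comm": f[18].rstrip(b"\0").decode(errors="replace"),
        }


def unexpected_superuser_commands(data, allowlist=EXPECTED_SETUID):
    """Return (uid, comm, pid) for commands run with ASU by a non-root uid
    that are not on the setuid allowlist."""
    hits = []
    for rec in parse_acct(data):
        if rec["uid"] != 0 and rec["flag"] & ASU and rec["comm"] not in allowlist:
            hits.append((rec["uid"], rec["comm"], rec["pid"]))
    return hits


def make_record(flag, uid, pid, ppid, btime, utime_ticks, stime_ticks, comm):
    """Build one acct_v3 record; used only to construct the sample data."""
    return struct.pack(ACCT_FMT, flag, ACCT_VERSION, 0, 0, uid, 1000, pid, ppid,
                       btime, 0.0, encode_comp_t(utime_ticks),
                       encode_comp_t(stime_ticks), 0, 0, 0, 0, 0, 0, comm.encode())


# Constructed sample: an ordinary user runs ls, then sudo (setuid, ASU expected),
# then a copy of nc that somehow ran with superuser privileges; root runs cron.
SAMPLE_PACCT = b"".join([
    make_record(AFORK, 1000, 4101, 4000, 1615280400, 1, 0, "ls"),
    make_record(AFORK | ASU, 1000, 4102, 4000, 1615280410, 12, 3, "sudo"),
    make_record(AFORK | ASU, 1000, 4103, 4000, 1615280420, 5, 2, "nc"),
    make_record(AFORK | ASU, 0, 4104, 1, 1615280430, 2, 1, "cron"),
])

if __name__ == "__main__":
    for rec in parse_acct(SAMPLE_PACCT):
        print("%-8s uid=%-5d pid=%-5d flags=0x%02x utime=%.2fs"
              % (rec["comm"], rec["uid"], rec["pid"], rec["flag"], rec["utime"]))
    print("suspicious:", unexpected_superuser_commands(SAMPLE_PACCT))
```

On a real host, replace SAMPLE_PACCT with the bytes of the accounting file; records from a big-endian machine set the high bit of the version byte (ACCT_BYTEORDER) and would need the struct format changed to ">".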

1.3 Error log

The error log is maintained by syslogd (on current distributions by its successors rsyslogd or systemd-journald). System daemons, user programs and the kernel report notable events through syslog, which writes them to /var/log/messages. Servers that provide network services such as HTTP and FTP also keep their own detailed logs.


2. Common log files and viewing methods

[Image not reproduced: table of common log files and the commands used to view them]


3. The level of the log message

Log messages carry a priority that reflects how important they are. The levels are the standard syslog priorities, from most to least severe:

  1. emerg (0): the system is unusable;
  2. alert (1): action must be taken immediately;
  3. crit (2): critical conditions;
  4. err (3): error conditions;
  5. warning (4): warning conditions;
  6. notice (5): normal but significant condition;
  7. info (6): informational messages;
  8. debug (7): debug-level messages.


4. Log security analysis example

Network administrators need to stay vigilant, watch for suspicious activity, and check the system log files regularly, including the general message log, network connection logs, file transfer logs and user login logs. When reviewing these logs, look for records whose timestamps make no sense, for example:
[Image not reproduced: example log entries with implausible timestamps]

The following examples show how to analyze suspicious events:
[Image not reproduced: login records showing a remote login by the mail account]

The lines above are suspicious records. System accounts such as bin, daemon, adm, uucp and mail should never log in interactively; if one of them shows a login, the system may have been compromised. In the example, the mail account has a remote login from the source address 200.1.1.1. Similarly, if the recorded last-login time for a user is not when that user actually last logged in, the account's credentials have probably been obtained by someone else.
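
As an added example (not code from the original article), the following Python reads raw utmp/wtmp records, the format described in section 1.1, and applies the rule just stated: every USER_PROCESS entry whose user name is a system account is reported with its source host and time. It assumes the x86_64 glibc record layout (384 bytes per record) and a constructed three-record wtmp instead of a real file; the NEVER_LOGIN set is an assumed list that should be adjusted to the system's own /etc/passwd.

```python
"""Parse utmp/wtmp records and flag logins by accounts that must never log in.

Added example, not from the original article. Assumes the x86_64 glibc
struct utmp layout (384-byte records). SAMPLE_WTMP is constructed, not a
capture from a real host.
"""
import struct
from datetime import datetime, timezone

# struct utmp on x86_64 glibc: ut_type, pad, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit (2 shorts), ut_session, ut_tv (sec, usec),
# ut_addr_v6[4], reserved[20]  -> 384 bytes
UTMP_FMT = "<hhi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS = 7    # normal login session
DEAD_PROCESS = 8    # session ended

# Assumed list of system accounts that should never appear as a login
NEVER_LOGIN = {"bin", "daemon", "adm", "lp", "sync", "shutdown", "halt",
               "uucp", "mail", "news", "nobody"}


def _cstr(b):
    return b.split(b"\0", 1)[0].decode(errors="replace")


def parse_utmp(data):
    """Yield one dict per record in a utmp/wtmp byte string."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {
            "type": f[0],
            "pid": f[2],
            "line": _cstr(f[3]),
            "user": _cstr(f[5]),
            "host": _cstr(f[6]),
            "time": datetime.fromtimestamp(f[10], tz=timezone.utc),
        }


def suspicious_logins(data, never_login=NEVER_LOGIN):
    """Return (user, host, ISO time) for logins by accounts in never_login."""
    hits = []
    for rec in parse_utmp(data):
        if rec["type"] == USER_PROCESS and rec["user"] in never_login:
            hits.append((rec["user"], rec["host"], rec["time"].isoformat()))
    return hits


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one 384-byte utmp record; used only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, 0, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0, b"")


# Constructed sample wtmp: a normal login, the mail account logging in from
# 200.1.1.1 as in the article's example, and the logout of that session.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1201, "pts/0", "alice", "192.168.1.20", 1615276800),
    make_record(USER_PROCESS, 1340, "pts/1", "mail", "200.1.1.1", 1615280400),
    make_record(DEAD_PROCESS, 1340, "pts/1", "", "", 1615281000),
])

if __name__ == "__main__":
    for rec in parse_utmp(SAMPLE_WTMP):
        print(rec["type"], rec["user"] or "-", rec["line"], rec["host"] or "-",
              rec["time"].isoformat())
    print("suspicious:", suspicious_logins(SAMPLE_WTMP))
```

On a live system pass the contents of /var/log/wtmp (or /var/run/utmp for current sessions) to suspicious_logins; the record layout differs on 32-bit or non-glibc systems, so check struct utmp in <utmp.h> before relying on UTMP_FMT there.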
[Image not reproduced: sshd log entries for the hahalupa login attempt]

The sshd records show that the host 192.168.2.5 tried to log in with the user name hahalupa. Since there is no hahalupa user on this machine, sshd logged the attempt as an "Illegal user" (newer OpenSSH versions write "Invalid user" instead).
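
As an added example (not code from the original article), the following Python runs the same kind of check over sshd log lines and goes a little beyond the single record above: per source address it collects the unknown user names tried, counts failed logins, and notes a successful login that followed failures from the same host, which is the pattern left by a guessed password. It handles both the old "Illegal user" wording and the current "Invalid user" wording. The log lines in SAMPLE_AUTH_LOG are constructed, and the host names, addresses and the failure threshold are assumptions.

```python
"""Summarize sshd login activity per source address from syslog-style lines.

Added example, not from the original article. SAMPLE_AUTH_LOG is constructed
sample data in the traditional syslog line format used by /var/log/secure
and /var/log/auth.log.
"""
import re
from collections import defaultdict

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
INVALID_RE = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from " + IPV4)
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed \S+ for (?:(?:illegal|invalid) user )?(\S+) from " + IPV4)
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from " + IPV4)

SAMPLE_AUTH_LOG = """\
Mar  9 10:12:01 srv sshd[2231]: Illegal user hahalupa from 192.168.2.5
Mar  9 10:12:03 srv sshd[2231]: Failed password for illegal user hahalupa from 192.168.2.5 port 40122 ssh2
Mar  9 10:12:09 srv sshd[2240]: Invalid user test from 192.168.2.5 port 40130
Mar  9 10:12:11 srv sshd[2240]: Failed password for invalid user test from 192.168.2.5 port 40130 ssh2
Mar  9 10:13:15 srv sshd[2251]: Accepted password for alice from 192.168.1.20 port 50012 ssh2
Mar  9 10:14:20 srv sshd[2260]: Failed password for root from 10.0.0.9 port 41000 ssh2
Mar  9 10:14:24 srv sshd[2260]: Failed password for root from 10.0.0.9 port 41000 ssh2
Mar  9 10:14:29 srv sshd[2260]: Failed password for root from 10.0.0.9 port 41000 ssh2
Mar  9 10:14:35 srv sshd[2262]: Accepted password for root from 10.0.0.9 port 41004 ssh2
"""


def summarize(lines):
    """Per source IP: unknown user names tried, failed logins, accepted users,
    and whether a success followed earlier failures (lines must be in order)."""
    stats = defaultdict(lambda: {"invalid_users": set(), "failed": 0,
                                 "accepted": [], "success_after_failures": False})
    for line in lines:
        m = INVALID_RE.search(line)
        if m:
            stats[m.group(2)]["invalid_users"].add(m.group(1))
            continue
        m = FAILED_RE.search(line)
        if m:
            stats[m.group(2)]["failed"] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            s = stats[m.group(2)]
            s["accepted"].append(m.group(1))
            if s["failed"]:
                s["success_after_failures"] = True
    return dict(stats)


def flag_sources(stats, max_failures=3):
    """Return (ip, reason) pairs that deserve a closer look."""
    flagged = []
    for ip, s in sorted(stats.items()):
        if s["invalid_users"]:
            flagged.append((ip, "tried unknown users: " + ", ".join(sorted(s["invalid_users"]))))
        if s["failed"] >= max_failures:
            flagged.append((ip, "%d failed logins" % s["failed"]))
        if s["success_after_failures"]:
            flagged.append((ip, "login succeeded after failures (possible guessed password)"))
    return flagged


if __name__ == "__main__":
    for ip, reason in flag_sources(summarize(SAMPLE_AUTH_LOG.splitlines())):
        print(ip, reason)
```

To use it on a real host, feed the lines of /var/log/secure or /var/log/auth.log (or the output of journalctl -u sshd) to summarize; the threshold in flag_sources is an assumed starting point, not a standard value.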

Origin blog.csdn.net/YiAnSociety/article/details/114694219