Okay Buddy,

I just installed sshguard and have been reading and re-reading the man page and can't figure out how to look at the log file. Can you help me out?

I was wondering.... how could I tell if a hacker got into my box?

After looking around a little at https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#Logging I found that for what I started this morning the log is:  /var/log/auth.log 
I just looked at that log and was wondering what it meant.
It starts on Feb 1st and seems to just be repeating:

Feb  1 07:39:01 c521 CRON[21882]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  1 07:39:01 c521 CRON[21882]: pam_unix(cron:session): session closed for user root
Feb  1 07:50:33 c521 sudo:   bmike1 : TTY=unknown ; PWD=/home/bmike1 ; USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
Feb  1 07:50:33 c521 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb  1 07:50:55 c521 sudo: pam_unix(sudo:session): session closed for user root
Feb  1 08:09:01 c521 CRON[21985]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  1 08:09:01 c521 CRON[21985]: pam_unix(cron:session): session closed for user root
Feb  1 08:17:01 c521 CRON[22013]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  1 08:17:01 c521 CRON[22013]: pam_unix(cron:session): session closed for user root
Feb  1 08:20:33 c521 sudo:   bmike1 : TTY=unknown ; PWD=/home/bmike1 ; USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
Feb  1 08:20:33 c521 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb  1 08:20:56 c521 sudo: pam_unix(sudo:session): session closed for user root
Feb  1 08:39:01 c521 CRON[22100]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  1 08:39:02 c521 CRON[22100]: pam_unix(cron:session): session closed for user root
Feb  1 08:50:33 c521 sudo:   bmike1 : TTY=unknown ; PWD=/home/bmike1 ; USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
--etc--

I then looked at the other logs in /var/log and saw ufw.log and ufw.log.1 . ufw.log is empty while ufw.log.1 contains only stuff from JAN 26 & 27:

Jan 26 14:22:52 c521 kernel: [  175.220626] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:1c:c4:b4:d7:19:08:00 SRC=192.168.0.10 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=11536 PROTO=2 
Jan 26 14:22:55 c521 kernel: [  178.348404] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:1c:c4:b4:d7:19:08:00 SRC=192.168.0.10 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=11553 PROTO=2 
Jan 27 10:30:43 c521 kernel: [72646.275669] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54164 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0 
Jan 27 10:30:44 c521 kernel: [72647.435192] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54362 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0 
Jan 27 10:30:46 c521 kernel: [72648.723882] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54637 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0 
Jan 27 10:30:48 c521 kernel: [72651.308359] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=54687 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0 
Jan 27 10:30:53 c521 kernel: [72656.476479] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=55145 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0 
Jan 27 10:31:04 c521 kernel: [72666.796199] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=55407 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0 
Jan 27 10:31:24 c521 kernel: [72687.436850] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=58810 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0 
Jan 27 10:32:06 c521 kernel: [72728.780502] [UFW BLOCK] IN=eth0 OUT= MAC=00:18:8b:73:ab:fd:00:24:7b:2c:e9:3a:08:00 SRC=91.189.91.24 DST=192.168.0.14 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=63010 DF PROTO=TCP SPT=80 DPT=59252 WINDOW=235 RES=0x00 ACK URGP=0 

I just looked at the log. On the 26th it was blocking something from 192.168.0.10 . That is my home network! I haven't had 192.168.0.10 for at least a year.

:-)~MIKE~(-:
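One way to get an answer out of /var/log/auth.log beyond eyeballing the CRON noise: a small parser, added here as an example and not code from anyone on the list, that counts failed SSH password attempts per source IP, lists every accepted SSH login, and lists every sudo command. The sshd lines in the sample are constructed in OpenSSH's usual wording (the IPs come from documentation ranges); the CRON and sudo lines are the ones from the thread.

```python
import re
from collections import Counter

# Constructed sample in the /var/log/auth.log format shown in the thread.
# The sshd lines are made up for this example; 203.0.113.0/24 is a documentation range.
SAMPLE_AUTH_LOG = """\
Feb  1 07:39:01 c521 CRON[21882]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  1 07:39:01 c521 CRON[21882]: pam_unix(cron:session): session closed for user root
Feb  1 07:50:33 c521 sudo:   bmike1 : TTY=unknown ; PWD=/home/bmike1 ; USER=root ; COMMAND=/usr/lib/linuxmint/mintUpdate/checkAPT.py
Feb  1 07:50:33 c521 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Feb  1 09:12:10 c521 sshd[23001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb  1 09:12:14 c521 sshd[23001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb  1 09:12:20 c521 sshd[23004]: Failed password for root from 203.0.113.5 port 51240 ssh2
Feb  1 09:13:02 c521 sshd[23009]: Failed password for bmike1 from 203.0.113.77 port 40022 ssh2
Feb  1 09:14:30 c521 sshd[23012]: Accepted publickey for bmike1 from 192.168.0.14 port 52010 ssh2: RSA SHA256:constructed-fingerprint
"""

# syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([\w-]+)(?:\[\d+\])?: (.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")
SUDO_RE = re.compile(r"^\s*(\S+) : .*COMMAND=(.*)$")   # the "user : TTY=... COMMAND=..." line

def summarize_auth_log(text):
    """Failed SSH logins per source IP, every accepted SSH login, every sudo command."""
    failed = Counter()   # source IP -> number of failed password attempts
    accepted = []        # (timestamp, auth method, user, source IP)
    sudo_cmds = []       # (timestamp, user, command)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue     # not a syslog-style line: skip it rather than crash
        ts, _host, prog, msg = m.groups()
        if prog == "sshd":
            if (f := FAILED_RE.search(msg)):
                failed[f.group(2)] += 1
            elif (a := ACCEPTED_RE.search(msg)):
                accepted.append((ts, a.group(1), a.group(2), a.group(3)))
        elif prog == "sudo" and (s := SUDO_RE.match(msg)):
            sudo_cmds.append((ts, s.group(1), s.group(2).strip()))
    return {"failed": failed, "accepted": accepted, "sudo": sudo_cmds}

if __name__ == "__main__":
    report = summarize_auth_log(SAMPLE_AUTH_LOG)
    for ip, n in report["failed"].most_common():
        print(f"{n:4d} failed password attempts from {ip}")
    for ts, method, user, ip in report["accepted"]:
        print(f"{ts}: {user} logged in via {method} from {ip}")
    for ts, user, cmd in report["sudo"]:
        print(f"{ts}: {user} ran sudo {cmd}")
```

Point it at the real file with `summarize_auth_log(open("/var/log/auth.log").read())` (as root); an "Accepted" line from an address or at a time you do not recognise is the thing to look for, and sudo commands you did not run are the other.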

On Wed, Feb 4, 2015 at 2:44 PM, Todd Millecam <tyggna@gmail.com> wrote:
ufw should keep the rule permanent.

There's a program/service that will keep track of this for you automatically (and do the limit brute force, and block multiple failed attempts) called sshguard.  If you use that, you can see how many unique IPs attempted to break into your system by reading your /etc/hosts.deny file.

For my public-facing servers, I get about 13 unique new attackers per day.



On Wed, Feb 4, 2015 at 2:32 PM, Michael Havens <bmike1@gmail.com> wrote:
I was wondering.... I was playing bandit and on level 13 they say some suggested reading is https://help.ubuntu.com/community/SSH/OpenSSH/Keys . I was reading that page and followed a link to https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#Logging because I always wondered how I could see how many login attempts were made to my computer (not that I think anyone will crack my password which is greater than ten characters. Wait a second.... I do not think I ever set an ssh password. ...
Guys, my web search has proven to be fruitless. What do you suggest I do?

in any case, I was looking at the settings for openssh.config (or whatever the file is called) and happened upon:

     Rate-limit the connections


which happens to use ufw:

sudo ufw limit ssh

I was wondering if that command would turn it on permanently? After I entered the command it responded with something like 'new rule added' so I am assuming (I am not an ass!) that is so. 

I was wondering what should be changed?
I am making loglevel Verbose
:-)~MIKE~(-:


---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss



--
Todd Millecam
