FTP "OTHER Root" Logs

Craig White plug-discuss@lists.PLUG.phoenix.az.us
Sun, 8 Apr 2001 16:14:38 -0700


> -----Original Message-----
> From: plug-discuss-admin@lists.plug.phoenix.az.us
> [mailto:plug-discuss-admin@lists.plug.phoenix.az.us]On Behalf Of
> der.hans
> Sent: Sunday, April 08, 2001 12:06 PM
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: RE: FTP "OTHER Root" Logs
>
>
> On 08. Apr, 2001 Craig White chattered thus:
>
> > Type "last" at the command prompt to get a list of successful logins. Type
> > "lastb" to get a list of unsuccessful logins. If lastb fails, then 'touch
> > /var/log/btmp' and it will start recording unsuccessful logins.
>
> Cool deal. Never heard of btmp.
>
> I note that wtmp on my debian boxen is owned root:utmp and has 664 perms.
>
> chown root:utmp /var/log/btmp
> chmod 644 /var/log/btmp
>
> Don't know if that's what btmp should have. The last/lastb manpage doesn't
> explicitly say. Turned in a bug report asking them to add that info to the
> manpage :).
>
-----
I am really tickled that I contributed something that you didn't know. I
used to lay low and not offer advice since I was certain that so many had
much better answers but am gaining a bit more confidence as time goes on.

I don't know about the 644 on wtmp & btmp - some processes run as other than
root and you may want them to log successful/unsuccessful logins to these
files (does wu-ftpd run as root?) so YMMV. I also have cron files that send
me an email with the output of last, lastb, & grep of the word REJECT in
/var/log/messages at various times as a means to monitor a system (still
uncertain as to how far portsentry actually goes). Having some systems
cracked before, it's obvious that cleanup of the wtmp file is one of the
methods employed by crackers to hide their presence.

I know that you ragged on webmin / webadmin as being a bit too technical for
the 'non-technicals' but in actuality, it is really useful as a GUI for
those that don't need the GUI, just appreciate having the GUI around. I also
use it for 2nd tier administrators allowing them to create users & groups,
mail aliases, and in some cases, samba users.

Craig
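
Added example (not part of the original message or thread): a checker for the wtmp cleanup mentioned above, flagging blanked-out records and out-of-order timestamps in a wtmp/btmp file. It assumes the 384-byte glibc record layout used on i386/x86-64 Linux; the function names and the sample records are constructed for illustration.

```python
import struct
import sys

# Assumed layout (glibc on i386/x86-64 Linux, 384 bytes per record): type, pid,
# line, id, user, host, exit status (2 shorts), session, tv_sec, tv_usec,
# addr_v6[4], 20 reserved bytes.
REC = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
USER_PROCESS = 7  # ut_type value for a login session

def audit_wtmp(data):
    """Return (sessions, findings) for the raw bytes of a wtmp or btmp file."""
    sessions, findings = [], []
    if len(data) % REC.size:
        findings.append("trailing partial record: file truncated or not in this layout")
    last_ts = 0
    for idx in range(len(data) // REC.size):
        chunk = data[idx * REC.size:(idx + 1) * REC.size]
        if not any(chunk):
            # Overwriting an entry with zeros keeps the file size unchanged.
            findings.append(f"record {idx}: all zero bytes, entry blanked in place")
            continue
        f = REC.unpack(chunk)
        ut_type, user, host, ts = f[0], f[4], f[5], f[9]
        if ts < last_ts:
            # Heuristic only: a clock change also produces this.
            findings.append(f"record {idx}: timestamp goes backwards (clock change or edit)")
        last_ts = max(last_ts, ts)
        if ut_type == USER_PROCESS:
            sessions.append((user.rstrip(b"\0").decode(errors="replace"),
                             host.rstrip(b"\0").decode(errors="replace"), ts))
    return sessions, findings

def make_record(ut_type, user, host, ts):
    """Build one constructed record for the demo (not real log data)."""
    return REC.pack(ut_type, 1000, b"pts/0", b"ts/0", user, host,
                    0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed sample: two logins with a zeroed record between them.
SAMPLE = (make_record(USER_PROCESS, b"alice", b"192.0.2.10", 986700000)
          + bytes(REC.size)
          + make_record(USER_PROCESS, b"bob", b"192.0.2.20", 986700600))

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    sessions, findings = audit_wtmp(raw)
    for user, host, ts in sessions:
        print(f"login  {user:<10} {host:<20} {ts}")
    for finding in findings:
        print(f"WARN   {finding}")
```

A file that was rewritten with the entries removed outright shows neither symptom, so this complements the mailed `last`/`lastb` output rather than replacing it.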