Hacked - FreeBSD 7.1-Release

Dan Langille dan at langille.org
Fri Dec 25 13:26:16 UTC 2009


Chris H wrote:
> On Tue, December 22, 2009 8:35 am, Andresen, Jason R. wrote:
>> Squirrel wrote:
>>
>>> most likely could be some kind of remote code execution or SQLi executed in
>>> the context of some php scripts, you should audit php code of your web
>>> interface and of the websites you host. also consider the strength of your
>>> passwords, lots of login attempts to ssh/ftp may mean he has tried a
>>> bruteforce (or a dictionary attack maybe). you should also check webmin logs,
>>> there are a few bruteforcers for webmin out there, (*hint*) consider the length
>>> of your average password if it's more than 7-8 characters alphanumeric with
>>> symbols most likely this isn't the case.
>> While it's true that it's a good idea to check your password strength, pretty
>> much any host connected to the internet is going to be hit daily by bots
>> looking for weak passwords.  It's one area where your logs don't help much
>> because there is too much noise.
> That's why there's GREP(1), AWK(1), FIND(1), TAIL(1), and CAT(1)
> Consider the following...
> adding the following to your /etc/rc.conf:
> 
> # SECURITY RELATED
> ####################################
> syslogd_flags="-ss"
> log_in_vain="YES"
> tcp_keepalive="YES"
> 
> 
> now your log file will /really/ sing (log_in_vain="YES").
> Of course, unless you have a great deal of time on your hands, visually parsing
> that "noisy" log will be quite tedious, and time consuming. So you have a few
> options...
> If you're running X11, simply run tail in a root window - there are quite a few
> utilities in ports for doing just this - some that'll only write messages you
> want to see.
> You could also create a script run from cron that will only produce messages you
> are interested in, for example:
> 
> ~# grep ssh /var/log/messages
> 
> will emit any attempt to ssh into your box
> you can also redirect the messages to a file:
> 
> ~# grep ssh /var/log/messages >>~/EVIL_DOERS
> 
> You could also add an entry to PERIODIC(8) that will
> provide a daily report on any attempts you are interested in.
> 
> HTH
> 
> --Chris H

I use security/logcheck: Mails anomalies in the system logfiles to the 
administrator.

Logcheck helps spot problems, anomalies and security violations
in your logfiles automatically and will send the summaries to you
via e-mail. Logcheck is run as a cron job.
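The cron/periodic(8) report Chris H describes above, and the kind of summary logcheck mails out, as an added example that is not code from the thread, from logcheck, or from the FreeBSD base system: a POSIX sh script with awk filters that counts failed sshd password attempts and log_in_vain connection attempts per source address, and lists accepted sshd logins so a success from an address that was also hammering the box stands out. The log lines it writes are constructed sample data; the sshd and log_in_vain message formats, the /var/log/auth.log path and the /usr/local/etc/periodic/daily/ install location are assumptions about a default FreeBSD install.

```shell
#!/bin/sh
# Added example, not code from the thread: a small periodic(8)-style
# daily report over syslog output, written in POSIX sh + awk.
# Assumptions (not from the original post): sshd logs in the default
# FreeBSD syslog format, and log_in_vain kernel lines look like
# "Connection attempt to TCP a.b.c.d:port from w.x.y.z:port flags:0x02".
# IPv4 only: the port stripping below does not handle IPv6 addresses.

# Write constructed sample log lines to the file named in $1 so the
# report can be exercised offline. These lines are made up for the example.
write_sample_log() {
    cat > "$1" <<'EOF'
Dec 22 08:35:01 host sshd[1234]: Invalid user admin from 203.0.113.7
Dec 22 08:35:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Dec 22 08:35:10 host sshd[1240]: Failed password for root from 203.0.113.7 port 51240 ssh2
Dec 22 08:36:00 host sshd[1250]: Failed password for root from 198.51.100.4 port 40000 ssh2
Dec 22 08:40:00 host sshd[1260]: Accepted publickey for dan from 192.0.2.10 port 50000 ssh2
Dec 22 08:41:00 host sshd[1270]: Did not receive identification string from 198.51.100.4
Dec 22 08:50:00 host kernel: Connection attempt to TCP 192.0.2.5:23 from 198.51.100.4:4444 flags:0x02
Dec 22 08:50:01 host kernel: Connection attempt to TCP 192.0.2.5:3389 from 198.51.100.4:4445 flags:0x02
Dec 22 08:52:00 host kernel: Connection attempt to TCP 192.0.2.5:445 from 203.0.113.7:60001 flags:0x02
Dec 22 09:00:00 host cron[1300]: (root) CMD (/usr/libexec/atrun)
EOF
}

# Failed sshd password attempts counted per source address, most active
# first. Output: one "<count> <ip>" line per address.
ssh_failures() {
    awk '$5 ~ /^sshd\[/ && /Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Successful sshd logins: one "<user> <ip> <auth method>" line each.
ssh_accepted() {
    awk '$5 ~ /^sshd\[/ && $6 == "Accepted" { print $9, $11, $7 }' "$1"
}

# log_in_vain connection attempts per source address (source port
# stripped), most active first. Output: "<count> <ip>" per line.
in_vain_probes() {
    awk '/Connection attempt to/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") {
                    src = $(i+1); sub(/:[0-9]+$/, "", src); n[src]++; break
                }
        }
        END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Full report in the style of a periodic(8) daily script. Installed as
# e.g. /usr/local/etc/periodic/daily/450.ssh-report (assumed path) its
# output is mailed with the rest of the daily run.
ssh_report() {
    log="$1"
    echo ""
    echo "Failed sshd password attempts by source:"
    ssh_failures "$log"
    echo ""
    echo "Accepted sshd logins (user address method):"
    ssh_accepted "$log"
    echo ""
    echo "log_in_vain connection attempts by source:"
    in_vain_probes "$log"
}

# Stand-alone demo against the constructed sample. For real use call
# ssh_report /var/log/auth.log (or /var/log/messages, as in the quoted post).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && write_sample_log "$tmp" && ssh_report "$tmp"
    rm -f "$tmp"
fi
```

Run it with `sh ssh-report.sh --demo` to see the report over the sample lines. The awk filters key on the literal sshd messages, so any change to the sshd log format (or a non-default syslog.conf that sends auth messages elsewhere) silently empties the report; check that the file you point it at actually contains "Failed password" lines before trusting a quiet day.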


