LINUX SECURITY --- July 04, 2000

Monitoring System Logs
by Rick Johnson

Last week I posed the question, "You are monitoring your servers, aren't you?" Well, that elicited quite a response, so I thought it fitting to devote this week to that very topic.

I had the wonderful pleasure of assisting with the cleanup of a Denial-of-Service attack recently. After tracking down the origin of the attack, we contacted the administrator for that network. He listened very carefully and said, "I'm sorry, but you are wrong. My system is totally secure and I know for a fact we weren't compromised." Oh great, I thought, he is one of "those". You know the type: the person who is so sure of their abilities that the thought of someone challenging their skill is inconceivable. Finally, he agreed to look at the server and was shocked to discover he had been hacked over three weeks earlier. To top it off, the attackers had also installed a rootkit and were harvesting passwords. It turns out no one was actually watching the log files. He, of course, apologized and then quietly went off to rebuild the network. It saddens me to see a Security Administrator put so much effort into locking down a server, only to have it run unattended.

There are a variety of ways to keep an eye on your server. The most important, and most frequently overlooked, areas are the system logs.

One of the most useful tools in my arsenal is Logcheck from Psionic Software (http://www.psionic.com). No secure Linux server should be caught without it. Logcheck is a software package designed to run automatically and check system log files for security violations and unusual activity. It runs from cron at specified intervals and keeps track of how far into each log it has already read. That greatly speeds up each run and keeps the same incident from being reported twice. If any unusual activity is found, the results are emailed to an address specified in the script. The best part is that you can specify which log entries to ignore when they are known not to be an issue; plus, you can enter specific strings that will immediately send up the red flag. The default installation comes with a basic set of rules to get you started.
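To make the Logcheck approach concrete, here is an added example (not Logcheck's own code) of the same idea in a few shell functions: read only the lines appended since the last run, flag lines that match an alert list, and report whatever the ignore list does not cover. The sample log, pattern lists and offset file are all constructed in a temporary directory, so it runs offline.

```shell
#!/bin/sh
# Logcheck-style pass over a log file. All inputs below are constructed
# for the example; nothing here comes from a real host.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/messages"; OFFSET="$WORK/messages.offset"
ALERT="$WORK/alert.patterns"; IGNORE="$WORK/ignore.patterns"

# Constructed sample log lines.
cat > "$LOG" <<'EOF'
Jul  4 01:00:01 host CRON[1001]: (root) CMD (run-parts /etc/cron.hourly)
Jul  4 01:02:13 host sshd[1100]: Failed password for root from 10.0.0.5 port 4022 ssh2
Jul  4 01:02:20 host sshd[1101]: Accepted password for alice from 10.0.0.9 port 4030 ssh2
Jul  4 01:05:00 host su[1200]: pam_unix(su:auth): authentication failure; uid=1000
Jul  4 01:06:30 host kernel: eth0: link up, 100Mbps, full-duplex
EOF

# Strings that always raise the red flag, and routine noise to drop.
printf '%s\n' 'Failed password for root' 'authentication failure' > "$ALERT"
printf '%s\n' 'CRON\[[0-9]*\]: (root) CMD' 'Accepted password for' > "$IGNORE"

# Print the lines appended since the saved offset, then save the new offset.
# If the file shrank (log rotation), start again from the top.
new_lines() {
    last=0; [ -f "$OFFSET" ] && last=$(cat "$OFFSET")
    total=$(wc -l < "$LOG" | tr -d ' ')
    [ "$total" -lt "$last" ] && last=0
    tail -n +$((last + 1)) "$LOG"
    echo "$total" > "$OFFSET"
}

# One pass: alert matches first, then anything else not on the ignore list.
# This is the text Logcheck would mail; here it goes to stdout.
check_once() {
    new_lines > "$WORK/new"
    grep -F -f "$ALERT" "$WORK/new" | sed 's/^/ALERT   /' || true
    grep -v -F -f "$ALERT" "$WORK/new" | grep -v -f "$IGNORE" \
        | sed 's/^/UNUSUAL /' || true
}
```

Calling check_once twice shows the offset at work: the first pass reports two ALERT lines and one UNUSUAL line, the second reports nothing until the log grows.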

Given the chance, your Linux server will try to warn of a possible problem. It's up to you to decide when and how to listen.

Copyright 2000 ITworld.com, Inc., All Rights Reserved.
