My /var/log/auth.log contains quite a few lines such as:

"reverse mapping checking getaddrinfo for 224.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.224] failed - POSSIBLE BREAK-IN ATTEMPT!"
"Failed password for root from 61.174.51.224 port 4227 ssh2"
"reverse mapping checking getaddrinfo for 187-101-166-232.dsl.telesp.net.br [187.101.166.232] failed - POSSIBLE BREAK-IN ATTEMPT!"
"Invalid user Admin from 187.101.166.232"
From these I can see that the hackers failed to break in.
But unfortunately I also see some log lines such as:

"Successful su for xxxxxx (my username) by root"
My dumb questions are:
- From the auth.log, how can I tell that the "successful su" was by me, not by hackers who may have gained my login info?
- How to filter the auth.log file so that it succinctly reports which user successfully logged in, for how long, and from where? The IP addresses were indeed in the auth.log file, but it is not easy to see if they actually succeeded in breaking in.
- Is there a log file to check what the hackers did?
Thank you for any enlightenment.
Best Answer
That would break the meaning of log files. How should your system know if it was a hacker that did a successful su?
That's what the program last is for. It parses the files /var/log/wtmp and /var/log/utmp, which contain this information. Additionally, you can parse older wtmp and utmp files with the -f option: last -f /var/log/wtmp.1.

See question 1): when a hacker gains access to your system it IS a successful authentication, so the system does not know that it is a hacker. All you can do is search in /var/log/* for traces.
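As an added example, not code from the question or the answer above, here is a small POSIX shell script that does the filtering the second question asks for: it pulls the successful SSH logins (who, how, from where) out of an auth.log-style file, counts the failed attempts per source address, and lists the su events so they can be read next to the accepted logins. The log lines embedded in it are constructed sample data in the format the question quotes; the host name, user names and addresses are made up, and the awk field positions assume the standard OpenSSH "Accepted METHOD for USER from ADDR port N ssh2" line layout.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: summarise
# sshd authentication events in an auth.log-style file so that successful
# logins (who, how, from where) stand apart from the failed attempts.
# The log lines below are constructed sample data in the format the
# question quotes; host name, user names and addresses are made up.

SAMPLE_AUTH_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_AUTH_LOG"' EXIT
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Jan 10 03:12:01 host sshd[1234]: reverse mapping checking getaddrinfo for 224.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.224] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 10 03:12:02 host sshd[1234]: Failed password for root from 61.174.51.224 port 4227 ssh2
Jan 10 03:12:06 host sshd[1236]: Failed password for root from 61.174.51.224 port 4229 ssh2
Jan 10 03:15:05 host sshd[1240]: Invalid user Admin from 187.101.166.232
Jan 10 09:30:11 host sshd[2001]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Jan 10 09:30:11 host sshd[2001]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 10 09:31:00 host su: Successful su for alice by root
Jan 11 22:05:40 host sshd[3002]: Accepted password for bob from 203.0.113.7 port 40000 ssh2
Jan 11 22:07:12 host sshd[3002]: pam_unix(sshd:session): session closed for user bob
EOF

# Successful SSH logins: timestamp, user, auth method, source address.
# Field layout of an "Accepted" line (assumed OpenSSH format):
#   ... sshd[PID]: Accepted METHOD for USER from ADDR port N ssh2
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        printf "%s %s %s %s %s %s\n", $1, $2, $3, $9, $7, $11
    }' "$1"
}

# Failed logins ("Failed password", "Invalid user") counted per source
# address, busiest address first. The reverse-mapping warnings are not
# counted: they only say the attacker's PTR record did not match.
failed_attempts_by_ip() {
    awk '/sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
        ip = $0
        sub(/.* from /, "", ip)    # drop everything before the address
        sub(/ port .*/, "", ip)    # drop the port/protocol tail if present
        n[ip]++
    }
    END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$1" | sort -rn
}

# su events, to be read next to accepted_logins: an su that has no
# matching "Accepted" login or console session shortly before it is the
# one to look at more closely. Line layout: "su: Successful su for USER by ROOT".
su_events() {
    awk '/ su(\[[0-9]+\])?: Successful su for / {
        printf "%s %s %s %s (by %s)\n", $1, $2, $3, $9, $11
    }' "$1"
}

echo "== successful SSH logins (time user method source) =="
accepted_logins "$SAMPLE_AUTH_LOG"
echo "== failed attempts per source address =="
failed_attempts_by_ip "$SAMPLE_AUTH_LOG"
echo "== su events =="
su_events "$SAMPLE_AUTH_LOG"
```

Point the functions at the real file (auth.log, or a rotated auth.log.1) instead of the sample. Session length is not in auth.log in a convenient form; that is what last, reading wtmp as the answer says, reports, and last -f /var/log/wtmp.1 covers the rotated file. One caveat: both auth.log and wtmp are ordinary files that root can edit, so a clean-looking log is only evidence as long as nobody else had root.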