Linux – Finding latest successful logins and failed attempts to a CentOS server

centoslinuxSecurity

I'm looking for a log file or any service to report the latest login attempts that have failed due to username/password mismatch. Are there any such utilities available for CentOS? (built-in is preferred)

My second question, and more generally, I need a log file of penetration attempts to my server. Ideally, this log should contain all attempts including logins, httpd activities, and other conventional open ports.

Best Answer

In Linux, the last command shows successful login attempts and displays session information (pts, source, date and length).

The lastb command records all bad login attempts. Both share the same man page, but the difference is that last reads the binary /var/log/wtmp file, and lastb reads the /var/log/btmp file by default.

The range of these files depends on your log rotation schedule, but it should span a few weeks. Most distributions will rotate /var/log/wtmp monthly, so you can read a previous record, usually listed as /var/log/wtmp.1 by specifying the file with the -f parameter... last -f /var/log/wtmp.1

Related Solutions

Hundreds of Failed SSH Logins – How to Secure Your Server

You can use iptables to rate-limit new incoming connections to the SSH port. I'd have to see your entire iptables configuration in order to give you a turnkey solution, but you're basically talking about adding rules like:

iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 5 --name SSH --rsource -j DROP 
iptables -A INPUT -p tcp --dport 22 -m recent --set --name SSH --rsource -j ACCEPT

These rules assume that you're accepting ESTABLISHED connections earlier in the table (so that only new connections will hit these rules). New SSH connections will hit these rules and be marked. In 60 seconds, 5 attempts from a single IP address will result in new incoming connections from that IP being dropped.

This has worked well for me.

Edit: I prefer this method to "fail2ban" because no additional software to be installed, and happens totally in kernel-mode. It doesn't handle parsing log files like "fail2ban" will, but if your problem is only with SSH I wouldn't use something user-mode that requires software installation and is more complex.

Centos – Snort: not logging anything

As long as the Snort daemon is running the problem that generally causes this behavior is usually one of three things:

Missing rule set, does not appear to apply here.
Interface not configured correctly (listening on inside interface, not external monitor port)
External interface not connected via a tap (if you are monitoring other hosts).

My best guess at this point is that probably need to specify the interface to the daemon differently. Unless you are actually using a bonded interface (not mentioned in your question) that would be the first place I would look.

Best Answer

Related Solutions

Hundreds of Failed SSH Logins – How to Secure Your Server

Centos – Snort: not logging anything

Related Topic