Find out who's trying to break into your box

Discussion in 'Server Security' started by Rob, Nov 9, 2011.

  1. Rob

    The /var/log/btmp file shows you failed logins. You can use last to read it:

    Code:
    last -f /var/log/btmp
    or simply just use lastb


    Code:
    lastb
    Then spice it up a little bit ...

    Show the top 10 IPs with failed logins (first column is failed # of tries, then 2nd column is the IP)
    Code:
    lastb | awk '{print $3}' | sort | uniq -c | sort -rn | head -10
    Show the top 10 usernames with failed logins
    Code:
    lastb | awk '{print $1}' | sort | uniq -c | sort -rn | head -10
  2. gcawood

    by default:
    `last` uses /var/log/wtmp (shows a list of users who logged in)
    `lastb` uses /var/log/btmp (shows bad login attempts)
  3. MustangV10

    That's quite interesting, I think. CSF/WHM notifies me of failed login attempts already though.
  4. DaReaper

    Quite impressive terminal code there! Two months ago I noticed through my Kloxo's lxguard logs around 200+ failed login attempts from different IPs. I could never have thought that a host not advertised a lot would attract so much intrusion.

    Glad there is stuff to detect these and block them out.
  5. scotty

    Yeah, it's important to check for bad logins. You may look and think, oh well, at least they are not getting in, but it could easily be a DDoS. Linux logs are just awesome.
  6. DaReaper

    I had a question in mind when you mentioned DDoS. Do DoS deflators really work that well when it comes to such situations? There could be different kinds of attacks. I've noticed that HTTP attacks from a few IPs are much easier to stop than TCP.
  7. Darwin

    It would depend on the size of the attack. I have been on the other end of such a DDoS, which was huge, and the deflators did not hold firm. Anyhow, I have had no such problems since, so they could be working.
  8. Luis Pena

    Wow, this is great information. I've recently gotten into server security and these are the types of commands I was hoping to find!

    Also can these commands be written into a bash script?
  9. Redemptus

    You could make a bash script easily to do this for you which might be handy if you wanted to run them at specific intervals via CRON, or you could simply use a command alias which you can add to your .bashrc and they'll be available when you login:

    An example script follows:
    Code:
    #!/bin/sh
    #  Show top 10 IPs with failed logins
    lastb | awk '{print $3}' | sort | uniq -c | sort -rn | head -10
    And example aliases for your .bashrc; note the quoting is crazy but necessary to escape it properly. You could put this in a file at ~/.aliases and then source it from your ~/.bashrc with a simple line appended as: . ~/.aliases

    Check your ~/.bashrc as it may already have an alias file being sourced in which case you could just add these to that file instead.

    Code:
    alias lastbtop10ips='lastb | awk '"'"'{print $3}'"'"' | sort | uniq -c | sort -rn | head -10'
    alias lastbtop10logins='lastb | awk '"'"'{print $1}'"'"' | sort | uniq -c | sort -rn | head -10'
    You could then run the alias by typing the name into the terminal, eg:
    Code:
    root@waaagh [~]# lastbtop10logins
      14208 root
        372 oracle
        158 bin
        96 admin
        94 ftpuser
        68 auto
        58 adrian
        53 postgres
        46 test
        40 cacti
    Hope that helps, Luis.
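An added example, not code from the thread: the pipelines from Rob's and Redemptus's posts as reusable shell functions, plus a threshold filter for picking out the noisiest hosts. The functions read lastb-style lines on stdin and skip the blank line and "btmp begins ..." footer that lastb appends (which the bare pipelines would count as a username), and the function names, sample addresses and sample lines are my own constructions so it runs without root.

```shell
#!/bin/sh
# Added example, not code from the thread: the lastb pipelines as reusable
# functions. Each reads lastb-style lines on stdin, so on a real host you run
# e.g. `lastb | top_failed_ips`; here they run on constructed sample data.

# Count values of column c (1 = username, 3 = source host), highest first.
# Skips blank lines and the trailing "btmp begins ..." footer that lastb prints.
count_col() {
    awk -v c="$1" 'NF && $1 != "btmp" { print $c }' | sort | uniq -c | sort -rn
}

# Top N source hosts with failed logins (default 10), as in Rob's post.
top_failed_ips() { count_col 3 | head -n "${1:-10}"; }

# Top N usernames tried in failed logins (default 10).
top_failed_users() { count_col 1 | head -n "${1:-10}"; }

# Only hosts with at least T failures (default 5), one per line, so the list
# can be reviewed before feeding it to a firewall or CSF deny list.
hosts_over_threshold() {
    count_col 3 | awk -v t="${1:-5}" '$1 >= t { print $2 }'
}

# Constructed sample in lastb's layout (user, tty, host, time); not real data.
SAMPLE='root     ssh:notty    203.0.113.10     Mon Nov  7 03:12 - 03:12  (00:00)
root     ssh:notty    203.0.113.10     Mon Nov  7 03:12 - 03:12  (00:00)
admin    ssh:notty    203.0.113.10     Mon Nov  7 03:13 - 03:13  (00:00)
oracle   ssh:notty    198.51.100.7     Mon Nov  7 04:01 - 04:01  (00:00)
root     ssh:notty    198.51.100.7     Mon Nov  7 04:02 - 04:02  (00:00)
test     ssh:notty    192.0.2.55       Mon Nov  7 05:30 - 05:30  (00:00)

btmp begins Mon Nov  7 03:12:00 2011'

run_sample() {
    echo "Top source IPs:";           printf '%s\n' "$SAMPLE" | top_failed_ips 3
    echo "Top usernames:";            printf '%s\n' "$SAMPLE" | top_failed_users 3
    echo "Hosts with >= 2 failures:"; printf '%s\n' "$SAMPLE" | hosts_over_threshold 2
}

run_sample
```

To use it on a live box, replace the `printf '%s\n' "$SAMPLE" |` part with `lastb |` (run as root) and drop it into cron as Redemptus suggests.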
  10. Luis Pena

    It has! Thanks a lot for sharing that with me, I'm going to do this now :)
  11. JDG

    DDoS doesn't necessarily involve login attempts. I would categorize this more as a brute-force attempt. This could still be a precursor to a DDoS attack.

    I could definitely see a DDoS attack being used to hide the attacker's objectives once they obtain your credentials. DDoS can be an effective method to generate noise in your logs.
  12. 请带我走进计算机的世界

    DDoS cannot be avoided, at least software can't do that job, because the volume of data is too large. If you have no hardware to hold it off, you can only pray to God that nobody DDoSes your equipment!