How To Monitor System Authentication Logs on Ubuntu
How To Monitor System Logins
A fundamental component of authentication management is monitoring the system after you have configured your users.
Luckily, modern Linux systems log all authentication attempts in a discrete file. This is located at "/var/log/auth.log":
sudo less /var/log/auth.log
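Paging through the file works for a quick look. As an added example (not part of the original article), the script below counts failed SSH password attempts per source address. The function names and the sample log lines are constructed for illustration, and the message format is the one OpenSSH's sshd writes for failed passwords.

```shell
#!/usr/bin/env bash
# Added example: summarise failed SSH password attempts per source address.
# Assumed OpenSSH message shapes:
#   Failed password for USER from ADDR port N ssh2
#   Failed password for invalid user USER from ADDR port N ssh2

failed_by_source() {
    # stdin: auth.log lines. stdout: "COUNT ADDR", busiest source first.
    # The address is located by counting fields from the END of the line:
    # the user name of a failed login is chosen by the remote client, so a
    # name such as "from" must not be mistaken for the keyword.
    awk '
        /sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" { count[$(NF-3)]++ }
        END { for (addr in count) print count[addr], addr }
    ' | sort -k1,1nr -k2,2
}

noisy_sources() {
    # $1: minimum number of failures. stdout: addresses at or above it.
    failed_by_source | awk -v min="$1" '$1 >= min { print $2 }'
}

sample_auth_log() {
    # Constructed sample lines (documentation address ranges), not real logs.
    cat <<'EOF'
Mar  4 09:12:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  4 09:12:03 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  4 09:12:05 web1 sshd[2105]: Failed password for invalid user from from 203.0.113.7 port 40120 ssh2
Mar  4 09:13:10 web1 sshd[2110]: Failed password for alice from 198.51.100.23 port 51514 ssh2
Mar  4 09:13:15 web1 sshd[2110]: Accepted password for alice from 198.51.100.23 port 51514 ssh2
Mar  4 09:14:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
EOF
}

# Demo on the constructed sample; on a real host feed it the log instead:
#   sudo cat /var/log/auth.log | failed_by_source
sample_auth_log | failed_by_source
```
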
How To Use the "last" Command
Usually, you will only be interested in the most recent login attempts. You can see these with the "last" tool:
last
This gives a formatted version of the "/var/log/wtmp" file.
As you can see, in the first and third line, it shows that the user is still logged into the system. Otherwise, the total time logged into the system during a session is given by a set of hyphen-separated values.
How To Use the "lastlog" Command
If you would like to look at this situation from a different angle, you can view the last time each user on the system logged in.
This information is provided by accessing the "/var/log/lastlog" file. It is then sorted according to the entries in the "/etc/passwd" file:
lastlog
You can see the latest login time of every user on the system.
Notice how the system users will almost all have "**Never logged in**". We saw earlier how these accounts do not have password authentication set up, so this is the expected value.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Change the default SSH port
In this How-To we're going to walk you through changing the default SSH port on a Linux system.
The Secure Shell (SSH) protocol uses port 22 by default. Accepting this value does not make your system insecure, nor will changing the port provide a significant difference in security. However, changing the default SSH port will stop many automated attacks and make it a bit harder to guess which port SSH is accessible on. In other words, a little security through obscurity.
Before getting started, we suggest you Learn Linux Basics and follow these precautions.
Steps to follow
Step 1
As root, use your favorite text editor (nano) to edit the sshd configuration file.
nano /etc/ssh/sshd_config
Step 2
Edit the line which states 'Port 22'. But before doing so, you'll want to read the note below. Choose an appropriate port, and make sure it is not currently in use on the system.
# What ports, IPs and protocols we listen for
Port 50683
Note: The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources. It is good practice to follow their port assignment guidelines. Having said that, port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic and/or Private Ports. The Well Known Ports are those from 0 through 1023 and SHOULD NOT be used. Registered Ports are those from 1024 through 49151 and should also be avoided. Dynamic and/or Private Ports are those from 49152 through 65535 and can be used. Though nothing is stopping you from using reserved port numbers, our suggestion may help avoid technical issues with port allocation in the future.
Step 3
Switch over to the new port by restarting SSH.
/etc/init.d/ssh restart
Step 4
Verify SSH is listening on the new port by connecting to it. Note how the port number now needs to be declared.
ssh username@hostname.com -p 50683
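As an added example (not part of the original How-To), the script below applies the Step 2 checks: the candidate port must fall in the 49152 through 65535 range from the note and must not already have a listener. The function names and the sample data are constructed for illustration; the listener table is assumed to be in the format printed by `ss -tln`.

```shell
#!/usr/bin/env bash
# Added example: vet a candidate SSH port before writing it to sshd_config.

check_ssh_port() {
    # $1: candidate port. stdin: listener table as printed by `ss -tln`.
    # Returns 0 = usable, 1 = not a number or outside 49152-65535,
    #         2 = another socket is already listening on it.
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 49152 ] && [ "$1" -le 65535 ] || return 1
    awk -v p="$1" '
        # Local address is field 4; the port follows the last colon, which
        # also copes with IPv6 forms such as [::]:22.
        $1 == "LISTEN" { n = split($4, part, ":"); if (part[n] == p) busy = 1 }
        END { exit (busy ? 2 : 0) }
    '
}

configured_ports() {
    # stdin: sshd_config text. Prints every Port value; sshd falls back to
    # 22 when no Port line is present. Keywords are case-insensitive.
    awk 'tolower($1) == "port" { print $2; found = 1 }
         END { if (!found) print 22 }'
}

sample_listeners() {
    # Constructed `ss -tln` output, not taken from a real host.
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       4096    127.0.0.1:50000     0.0.0.0:*
LISTEN  0       511     *:51000             *:*
EOF
}

sample_config() {
    # Constructed sshd_config fragment using the port from Step 2.
    printf '%s\n' '# What ports, IPs and protocols we listen for' \
        '#Port 22' 'Port 50683'
}

# On a live host, as root:  ss -tln | check_ssh_port 50683
# and run `sshd -t` to syntax-check the edited file before restarting.
sample_listeners | check_ssh_port 50683 && echo "50683 is usable"
```
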