Question: How to check SSH logs?
Answer: For example, if your box has been hacked and you want to know who did it:
- First check the last login of every account listed in /etc/passwd with the command lastlog
[root@unixmen-Fedora14 ~]# lastlog
Username Port From Latest
root pts/1 wsp243101wss.bra Wed Mar 2 15:13:32 +0100 2011
bin **Never logged in**
daemon **Never logged in**
adm **Never logged in**
lp **Never logged in**
sync **Never logged in**
shutdown **Never logged in**
smmsp **Never logged in**
sshd **Never logged in**
smolt **Never logged in**
pulse **Never logged in**
gdm **Never logged in**
pirat9 pts/1 10.33.19.127 Fri Jan 28 17:58:32 +0100 2011
mysql **Never logged in**
- The second method is to check the authentication logs
On Fedora/CentOS/RHEL check /var/log/secure
On Ubuntu/Ubuntu-based systems check /var/log/auth.log
You will see something like:
May 12 14:58:50 unixmen-Fedora14 sshd[2774]: warning: /etc/hosts.allow, line 11: missing ":" separator
May 12 14:58:50 unixmen-Fedora14 sshd[2774]: warning: /etc/hosts.allow, line 12: missing ":" separator
May 12 14:58:50 unixmen-Fedora14 sshd[2776]: Connection closed by 127.0.0.1
May 12 15:01:13 unixmen-Fedora14 sshd[2869]: warning: /etc/hosts.allow, line 11: missing ":" separator
May 12 15:01:13 unixmen-Fedora14 sshd[2869]: warning: /etc/hosts.allow, line 12: missing ":" separator
May 12 15:01:21 unixmen-Fedora14 sshd[2869]: Accepted password for root from 10.61.10.131 port 60100 ssh2
May 12 15:01:21 unixmen-Fedora14 sshd[2869]: pam_unix(sshd:session): session opened for user root by (uid=0)
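Reading the raw log by eye works for a handful of lines; on a busy box you want a summary. The script below is an added example (not from the original post) that covers both methods above: it reduces lastlog-style output to the accounts that have actually logged in, and it counts accepted SSH logins per user and source address plus failed password attempts per source from a secure/auth.log-style file. The two sample inputs are constructed for the example (the hostname, PIDs and addresses are made up); on a real system point LOGFILE at /var/log/secure or /var/log/auth.log and feed `lastlog` output to users_with_logins.

```shell
#!/bin/sh
# Added example: summarise sshd authentication activity.
# The sample inputs written below are constructed for this example.

LOGFILE="${LOGFILE:-/tmp/sample_secure.log}"
LASTLOG_SAMPLE="${LASTLOG_SAMPLE:-/tmp/sample_lastlog.txt}"

# Constructed lastlog-style output (same layout as the real command).
cat > "$LASTLOG_SAMPLE" <<'EOF'
Username         Port     From             Latest
root             pts/1    wsp243101wss.bra Wed Mar  2 15:13:32 +0100 2011
bin                                        **Never logged in**
pirat9           pts/1    10.33.19.127     Fri Jan 28 17:58:32 +0100 2011
mysql                                      **Never logged in**
EOF

# Constructed secure/auth.log-style lines in the format sshd writes.
cat > "$LOGFILE" <<'EOF'
May 12 15:01:21 unixmen-Fedora14 sshd[2869]: Accepted password for root from 10.61.10.131 port 60100 ssh2
May 12 15:03:02 unixmen-Fedora14 sshd[2901]: Failed password for invalid user admin from 10.61.10.140 port 41022 ssh2
May 12 15:03:05 unixmen-Fedora14 sshd[2901]: Failed password for invalid user admin from 10.61.10.140 port 41022 ssh2
May 12 15:04:10 unixmen-Fedora14 sshd[2910]: Accepted publickey for pirat9 from 10.33.19.127 port 50211 ssh2
May 12 15:05:44 unixmen-Fedora14 sshd[2920]: Failed password for root from 10.61.10.140 port 41100 ssh2
EOF

# Method 1: from lastlog output, print only the accounts that have a real
# login record (skip the header row and the "**Never logged in**" rows).
users_with_logins() {
    tail -n +2 "$1" | grep -v 'Never logged in' | awk '{ print $1 }'
}

# Method 2a: "count user source" for successful sshd logins, most frequent
# first. The user is the word after "for", the source the word after "from".
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted ' "$1" \
      | awk '{
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i + 1)
                else if ($i == "from") src = $(i + 1)
            }
            print user, src
        }' \
      | sort | uniq -c | sort -rn
}

# Method 2b: "count source" for failed password attempts, most frequent
# first; repeated failures from one address stand out here.
failed_sources() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn
}

echo "== accounts with a login record =="
users_with_logins "$LASTLOG_SAMPLE"
echo "== accepted logins (count user source) =="
accepted_logins "$LOGFILE"
echo "== failed password attempts (count source) =="
failed_sources "$LOGFILE"
```

Both functions read a file rather than the live log so they can be pointed at a copy taken from the machine; an accepted login for an account or from an address you do not recognise, or a source that dominates the failed list, is what to look at first.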
- To clear the logs, just empty the files (truncating with cat /dev/null keeps the file and its permissions in place, so sshd/syslog keep writing to it) with:
cat /dev/null > /var/log/auth.log
cat /dev/null > /var/log/secure
On a box you suspect was compromised, an empty or unexpectedly short secure log is itself worth noting, since an intruder may have done exactly this.