[cobalt-security] Re: cobalt-security digest, Vol 1 #727 - 16 msgs
- Subject: [cobalt-security] Re: cobalt-security digest, Vol 1 #727 - 16 msgs
- From: alan macdonald <webmaster@xxxxxxxxxxxxxxx>
- Date: Fri, 22 Mar 2002 18:54:15 +0000
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Do something like this as well:

cat /var/log/auth | grep "Accepted" | grep -v "*see note below*" | mail -s "Login Check" you@xxxxxxxxxxxxxx

*note*
Simply replace *see note below* with as much of your own computer's usual IP
address as you can, i.e., the IP address you get from your ISP when connected.
e.g. if your connection IP addresses range from 34.75.128.0 to
34.75.129.255, just put in 34.75.12 in the brackets above.

What this does is check to see if anyone besides you has telnetted/ssh'ed
into the server.

Of course, this only works if you are the only person shelling in, and that
you have a fairly static IP, and it's not perfect, but it's a start.
Works for me anyway!

Put that in a shell script in your cron.quarter-hourly, or .hourly,
depending on how paranoid you are. Then set up email filters to bin it if
it is empty when it comes in.

At 02:28 22/03/2002 -0800, you wrote:
Message: 5
From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
[snip]
There are other logfiles, which you might find more interesting:

/var/log/messages    General system logfile
/var/log/maillog     Logfile for email related issues
/var/log/kernel      Logfile for kernel related issues

rgds
Alan MacDonald
--
Webmaster - aceposition.com
webmaster@xxxxxxxxxxxxxxx
+353 51 870 594
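
Added example, not part of the original message: the login check above as a cron-ready script that compares the source address field against literal prefixes and sends mail only when there is something to report. The OpenSSH-style log line format, the function names, the recipient placeholder and the sample log lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report accepted logins whose source address is outside
# the expected prefixes. Assumed log format (OpenSSH-style):
#   ... sshd[PID]: Accepted <method> for <user> from <addr> port <n> ...

# unexpected_logins LOGFILE PREFIX [PREFIX...]
# Prints "Accepted" lines whose address does not begin with any PREFIX.
# Prefixes are compared as literal strings against the address field only,
# so "34.75.128." cannot match 34.75.12.9 or 134.75.128.1.
unexpected_logins() {
    logfile=$1; shift
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, pfx, " ") }
        / Accepted / {
            addr = ""
            for (i = 1; i < NF; i++) if ($i == "from") addr = $(i + 1)
            ok = 0
            for (j = 1; j <= n; j++)
                if (addr != "" && index(addr, pfx[j]) == 1) ok = 1
            if (!ok) print
        }' "$logfile"
}

# mail_if_any SUBJECT RECIPIENT: forwards stdin only when it is non-empty,
# so no empty "Login Check" mails need filtering on the receiving side.
mail_if_any() {
    body=$(cat)
    [ -n "$body" ] && printf '%s\n' "$body" | mail -s "$1" "$2"
    return 0
}

# Constructed sample log (203.0.113.9 is a documentation-range address).
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 22 18:40:01 www sshd[1201]: Accepted password for admin from 34.75.128.17 port 1022 ssh2
Mar 22 18:41:12 www sshd[1207]: Failed password for admin from 203.0.113.9 port 4022 ssh2
Mar 22 18:42:30 www sshd[1215]: Accepted password for admin from 203.0.113.9 port 4031 ssh2
Mar 22 18:43:05 www sshd[1220]: Accepted password for admin from 34.75.12.9 port 1055 ssh2
Mar 22 18:44:44 www sshd[1226]: Accepted password for admin from 34.75.129.200 port 1090 ssh2
EOF
}

# Cron usage (recipient is a placeholder):
#   unexpected_logins /var/log/auth 34.75.128. 34.75.129. | mail_if_any "Login Check" you@example.com
```

On the sample log this reports the logins from 203.0.113.9 and 34.75.12.9 and stays silent about the two addresses inside 34.75.128.0 to 34.75.129.255.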