|
|
Sponsored Content
Special Forums
Cybersecurity
/var/log/secure* mysteriously empty!
Post 302509239 by antondev on Wednesday 30th of March 2011 10:52:39 AM
03-30-2011
/var/log/secure* mysteriously empty!
Hello everyone. I'm a newbie and this is my first post, and I'm hoping to get some help understanding what happened on my server. I did as much research as I could, but now I turn to the forums for help 
I've set up a VPS server and I "thought" I had good enough security on it, but all of a sudden I notice my /var/log/secure is empty and all the other syslog files, and rsyslogd stopped working (though I was able to restart it)... I'm wondering if this is sufficient security and what to do to prevent hackers: I've got a CentOS 5 box with iptables locking everything but ports 53,80,443 out. SSH is on a secret port using RSA/2048 encryption and public/private key login with root login not allowed. Password login also not allowed. Ports MySQL, SSH, and FTP only open with port knocker. I'm wondering if I've got weak settings and what to do about security. Also wondering if there's a way to know if I've been hacked, though I can't seem to find any traces of anything gone wrong, just empty log files. I checked that the conf for rsyslog is set to write authpriv.* to /var/log/secure.
I guess my biggest question is, did rsyslog just fail, and empty all my log files as a result? And is this configuration enough to be reasonably secure and what more can/should I be doing? Thank you for all your help!!
iptables info:
#what I type to start and not lock self out:
sudo iptables -P INPUT ACCEPT
sudo iptables -F
#local:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
#http and https:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#dns:
sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
#mail:
sudo iptables -A INPUT -p tcp --dport 25 -j ACCEPT
#dbs & sphinx:
sudo iptables -A INPUT -p tcp -s [DB SERVER IP] --dport 3306 -j ACCEPT
sudo iptables -A INPUT -p tcp -s [DB SERVER IP] --dport 9312 -j ACCEPT
sudo iptables -A INPUT -p tcp -s [DB SERVER IP] --dport 9306 -j ACCEPT
#block rest but allow outgoing
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
#knock settings (upon successful port knock sequence):
iptables -A INPUT -s %IP% -p tcp -m multiport --dports [SSL PORT],3306,9312,9306,21 -j ACCEPT
#and on close:
iptables -D INPUT -s %IP% -p tcp -m multiport --dports [SSL PORT],3306,9312,9306,21 -j ACCEPT
I've set up a VPS server and I "thought" I had good enough security on it, but all of a sudden I notice my /var/log/secure is empty and all the other syslog files, and rsyslogd stopped working (though I was able to restart it)... I'm wondering if this is sufficient security and what to do to prevent hackers: I've got a CentOS 5 box with iptables locking everything but ports 53,80,443 out. SSH is on a secret port using RSA/2048 encryption and public/private key login with root login not allowed. Password login also not allowed. Ports MySQL, SSH, and FTP only open with port knocker. I'm wondering if I've got weak settings and what to do about security. Also wondering if there's a way to know if I've been hacked, though I can't seem to find any traces of anything gone wrong, just empty log files. I checked that the conf for rsyslog is set to write authpriv.* to /var/log/secure.
I guess my biggest question is, did rsyslog just fail, and empty all my log files as a result? And is this configuration enough to be reasonably secure and what more can/should I be doing? Thank you for all your help!!
iptables info:
#what I type to start and not lock self out:
sudo iptables -P INPUT ACCEPT
sudo iptables -F
#local:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
#http and https:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#dns:
sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
#mail:
sudo iptables -A INPUT -p tcp --dport 25 -j ACCEPT
#dbs & sphinx:
sudo iptables -A INPUT -p tcp -s [DB SERVER IP] --dport 3306 -j ACCEPT
sudo iptables -A INPUT -p tcp -s [DB SERVER IP] --dport 9312 -j ACCEPT
sudo iptables -A INPUT -p tcp -s [DB SERVER IP] --dport 9306 -j ACCEPT
#block rest but allow outgoing
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
#knock settings (upon successful port knock sequence):
iptables -A INPUT -s %IP% -p tcp -m multiport --dports [SSL PORT],3306,9312,9306,21 -j ACCEPT
#and on close:
iptables -D INPUT -s %IP% -p tcp -m multiport --dports [SSL PORT],3306,9312,9306,21 -j ACCEPT
|
|
10 More Discussions You Might Find Interesting
1. Shell Programming and Scripting
Hi!
How can I run a cicle while one var is not empty?
Or better saying how can I see if the var has something?
thanks (1 Reply)
Discussion started by: ruben.rodrigues
1 Replies
2. Red Hat
Hello all,
I recently deleted some lines from the messages and secure files, in /var/log and now they are not keeping a log anymore. The last update shows the date of when I deleted the lines.
I had to delete some failed login attempts to stop denyhosts from blocking the ips (probably not the... (3 Replies)
Discussion started by: z1dane
3 Replies
3. Solaris
hi sirs
can u tell the difference between /var/log/syslogs and /var/adm/messages
in my working place i am having two servers.
in one servers messages file is empty and syslog file is going on increasing..
and in another servers message file is going on increasing but syslog file is... (2 Replies)
Discussion started by: tv.praveenkumar
2 Replies
4. Solaris
Do not know the reason y messages file is empty already restarted the syslog daemon but still its showing empty .
xxxxxxx# more /var/adm/messages
xxxxxx#
# ps -efo zone,pid,ppid,time,comm | grep syslog | grep global
global 11861 1 00:10 /usr/sbin/syslogd
svcs... (2 Replies)
Discussion started by: fugitive
2 Replies
5. UNIX for Dummies Questions & Answers
i have a veriable
set var1
set var2 = abcd
how can i check if var 1 is empty and if var 2 is not empty ??? (2 Replies)
Discussion started by: nirnir26
2 Replies
6. Linux
Hello,
is there a way to disable connection logging for a specific service? Or eventually to disable /var/log/secure in general?
Closed. Double post (0 Replies)
Discussion started by: TehOne
0 Replies
7. UNIX for Advanced & Expert Users
Hello,
is there a way to disable connection logging for a specific service? Or eventually to disable /var/log/secure in general? (2 Replies)
Discussion started by: TehOne
2 Replies
8. Solaris
Hi,
Is the contents in /var/log/syslog and /var/adm/messages are same??
Regards (3 Replies)
Discussion started by: vks47
3 Replies
9. Solaris
Hi all,
One of the server is showing empty messages
# logger -p user.error HELLO_SYSLOGD
# dmesg
Mon Apr 23 15:11:19 MYT 2012
/etc/syslog.conf file, i tried copy the conf file from another server, still it is not working
*.err;kern.notice;auth.notice /dev/sysmsg... (8 Replies)
Discussion started by: beginningDBA
8 Replies
10. Shell Programming and Scripting
I have been searching and reading about syslog. I would like to know how to Transfer the logs being thrown into /var/log/messages into another file example /var/log/volumelog.
tail -f /var/log/messages
dblogger: msg_to_dbrow: no logtype using missing
dblogger: msg_to_dbrow_str: val ==... (2 Replies)
Discussion started by: kenshinhimura
2 Replies
LEARN ABOUT FREEBSD
_secure_path
_SECURE_PATH(3) BSD Library Functions Manual _SECURE_PATH(3) NAME
_secure_path -- determine if a file appears to be secure LIBRARY
System Utilities Library (libutil, -lutil) SYNOPSIS
#include <sys/types.h> #include <libutil.h> int _secure_path(const char *path, uid_t uid, gid_t gid); DESCRIPTION
This function does some basic security checking on a given path. It is intended to be used by processes running with root privileges in order to decide whether or not to trust the contents of a given file. It uses a method often used to detect system compromise. A file is considered 'secure' if it meets the following conditions: 1. The file exists, and is a regular file (not a symlink, device special or named pipe, etc.), 2. Is not world writable. 3. Is owned by the given uid or uid 0, if uid is not -1, 4. Is not group writable or it has group ownership by the given gid, if gid is not -1. RETURN VALUES
This function returns zero if the file exists and may be considered secure, -2 if the file does not exist, and -1 otherwise to indicate a security failure. The syslog(3) function is used to log any failure of this function, including the reason, at LOG_ERR priority. SEE ALSO
lstat(2), syslog(3) HISTORY
Code from which this function was derived was contributed to the FreeBSD project by Berkeley Software Design, Inc. BUGS
The checks carried out are rudimentary and no attempt is made to eliminate race conditions between use of this function and access to the file referenced. BSD
May 2, 1997 BSD