Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: /var/log/secure* mysteriously empty!
Special Forums Cybersecurity /var/log/secure* mysteriously empty! Post 302509239 by antondev on Wednesday 30th of March 2011 10:52:39 AM
Old 03-30-2011
/var/log/secure* mysteriously empty!
Hello everyone. I'm a newbie and this is my first post, and I'm hoping to get some help understanding what happened on my server. I did as much research as I could, but now I turn to the forums for help Smilie

I've set up a VPS server and I "thought" I had good enough security on it, but all of a sudden I notice my /var/log/secure is empty and all the other syslog files, and rsyslogd stopped working (though I was able to restart it)... I'm wondering if this is sufficient security and what to do to prevent hackers: I've got a CentOS 5 box with iptables locking everything but ports 53,80,443 out. SSH is on a secret port using RSA/2048 encryption and public/private key login with root login not allowed. Password login also not allowed. Ports MySQL, SSH, and FTP only open with port knocker. I'm wondering if I've got weak settings and what to do about security. Also wondering if there's a way to know if I've been hacked, though I can't seem to find any traces of anything gone wrong, just empty log files. I checked that the conf for rsyslog is set to write authpriv.* to /var/log/secure.

I guess my biggest question is, did rsyslog just fail, and empty all my log files as a result? And is this configuration enough to be reasonably secure and what more can/should I be doing? Thank you for all your help!!

iptables info:

#what I type to start and not lock self out:
sudo iptables -P INPUT ACCEPT
sudo iptables -F

#local:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

#http and https:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

#dns:
sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT

#mail:
sudo iptables -A INPUT -p tcp --dport 25 -j ACCEPT

#dbs & sphinx:
sudo iptables -A INPUT -p tcp -s [DB SERVER IP] --dport 3306 -j ACCEPT
sudo iptables -A INPUT -p tcp -s [DB SERVER IP] --dport 9312 -j ACCEPT
sudo iptables -A INPUT -p tcp -s [DB SERVER IP] --dport 9306 -j ACCEPT

#block rest but allow outgoing
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

#knock settings (upon successful port knock sequence):
iptables -A INPUT -s %IP% -p tcp -m multiport --dports [SSL PORT],3306,9312,9306,21 -j ACCEPT
#and on close:
iptables -D INPUT -s %IP% -p tcp -m multiport --dports [SSL PORT],3306,9312,9306,21 -j ACCEPT
 

10 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

while var not empty

Hi! How can I run a cicle while one var is not empty? Or better saying how can I see if the var has something? thanks (1 Reply)
Discussion started by: ruben.rodrigues
1 Replies

2. Red Hat

/var/log/messages and secure not updating

Hello all, I recently deleted some lines from the messages and secure files, in /var/log and now they are not keeping a log anymore. The last update shows the date of when I deleted the lines. I had to delete some failed login attempts to stop denyhosts from blocking the ips (probably not the... (3 Replies)
Discussion started by: z1dane
3 Replies

3. Solaris

diff b/w /var/log/syslog and /var/adm/messages

hi sirs can u tell the difference between /var/log/syslogs and /var/adm/messages in my working place i am having two servers. in one servers messages file is empty and syslog file is going on increasing.. and in another servers message file is going on increasing but syslog file is... (2 Replies)
Discussion started by: tv.praveenkumar
2 Replies

4. Solaris

/var/adm/meesages file empty

Do not know the reason y messages file is empty already restarted the syslog daemon but still its showing empty . xxxxxxx# more /var/adm/messages xxxxxx# # ps -efo zone,pid,ppid,time,comm | grep syslog | grep global global 11861 1 00:10 /usr/sbin/syslogd svcs... (2 Replies)
Discussion started by: fugitive
2 Replies

5. UNIX for Dummies Questions & Answers

Check to see if string var is empty

i have a veriable set var1 set var2 = abcd how can i check if var 1 is empty and if var 2 is not empty ??? (2 Replies)
Discussion started by: nirnir26
2 Replies

6. Linux

Disable connection logging for a specfic service (/var/log/secure)

Hello, is there a way to disable connection logging for a specific service? Or eventually to disable /var/log/secure in general? Closed. Double post (0 Replies)
Discussion started by: TehOne
0 Replies

7. UNIX for Advanced & Expert Users

Disable connection logging for a specfic service (/var/log/secure)

Hello, is there a way to disable connection logging for a specific service? Or eventually to disable /var/log/secure in general? (2 Replies)
Discussion started by: TehOne
2 Replies

8. Solaris

Difference between /var/log/syslog and /var/adm/messages

Hi, Is the contents in /var/log/syslog and /var/adm/messages are same?? Regards (3 Replies)
Discussion started by: vks47
3 Replies

9. Solaris

/var/adm/messages empty

Hi all, One of the server is showing empty messages # logger -p user.error HELLO_SYSLOGD # dmesg Mon Apr 23 15:11:19 MYT 2012 /etc/syslog.conf file, i tried copy the conf file from another server, still it is not working *.err;kern.notice;auth.notice /dev/sysmsg... (8 Replies)
Discussion started by: beginningDBA
8 Replies

10. Shell Programming and Scripting

Transfer the logs being thrown into /var/log/messages into another file example /var/log/volumelog

I have been searching and reading about syslog. I would like to know how to Transfer the logs being thrown into /var/log/messages into another file example /var/log/volumelog. tail -f /var/log/messages dblogger: msg_to_dbrow: no logtype using missing dblogger: msg_to_dbrow_str: val ==... (2 Replies)
Discussion started by: kenshinhimura
2 Replies

LEARN ABOUT CENTOS

dmesg_selinux

dmesg_selinux(8)					       SELinux Policy dmesg						  dmesg_selinux(8)

NAME

       dmesg_selinux - Security Enhanced Linux Policy for the dmesg processes

DESCRIPTION

       Security-Enhanced Linux secures the dmesg processes via flexible mandatory access control.

       The  dmesg  processes  execute with the dmesg_t SELinux type. You can check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep dmesg_t

ENTRYPOINTS

       The dmesg_t SELinux type can be entered via the dmesg_exec_t file type.

       The default entrypoint paths for the dmesg_t domain are the following:

       /bin/dmesg, /usr/bin/dmesg

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the system

       You can see the context of a process using the -Z option to ps

       Policy governs the access confined processes have to files.  SELinux dmesg policy is very flexible allowing users to setup their dmesg pro-
       cesses in as secure a method as possible.

       The following process types are defined for dmesg:

       dmesg_t

       Note:  semanage	permissive  -a dmesg_t can be used to make the process type dmesg_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still generated.

BOOLEANS

       SELinux policy is customizable based on least access required.  dmesg policy is extremely flexible and has several booleans that allow  you
       to manipulate the policy and run dmesg with the tightest access possible.

       If you want to allow all daemons the ability to read/write terminals, you must turn on the daemons_use_tty boolean. Disabled by default.

       setsebool -P daemons_use_tty 1

       If  you	want  to  deny	any  process  from ptracing or debugging any other processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow all domains to use other domains file descriptors, you must turn on the domain_fd_use boolean. Enabled by default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you must turn on  the	domain_kernel_load_modules  boolean.  Disabled	by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

MANAGED FILES

       The  SELinux process type dmesg_t can manage files labeled with the following file types.  The paths listed are the default paths for these
       file types.  Note the processes UID still need to have DAC permissions.

       var_log_t

	    /var/log/.*
	    /nsr/logs(/.*)?
	    /var/webmin(/.*)?
	    /var/log/secure[^/]*
	    /opt/zimbra/log(/.*)?
	    /var/log/maillog[^/]*
	    /var/log/spooler[^/]*
	    /var/log/messages[^/]*
	    /usr/centreon/log(/.*)?
	    /var/spool/rsyslog(/.*)?
	    /var/axfrdns/log/main(/.*)?
	    /var/spool/bacula/log(/.*)?
	    /var/tinydns/log/main(/.*)?
	    /var/dnscache/log/main(/.*)?
	    /var/stockmaniac/templates_cache(/.*)?
	    /opt/Symantec/scspagent/IDS/system(/.*)?
	    /var/log
	    /var/log/dmesg
	    /var/log/syslog
	    /var/named/chroot/var/log

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file type.

       You can see the context of a file using the -Z option to ls

       Policy governs the access confined processes have to these files.  SELinux dmesg policy is very flexible  allowing  users  to  setup  their
       dmesg processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for the dmesg, if you wanted to store files with these types in a diffent paths, you need to execute
       the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.

       semanage fcontext -a -t dmesg_exec_t '/srv/dmesg/content(/.*)?'
       restorecon -R -v /srv/mydmesg_content

       Note: SELinux often uses regular expressions to specify labels that match multiple files.

       The following file types are defined for dmesg:

       dmesg_exec_t

       - Set files with the dmesg_exec_t type, if you want to transition an executable to the dmesg_t domain.

       Paths:
	    /bin/dmesg, /usr/bin/dmesg

       Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to  use
       the semanage fcontext command.  This will modify the SELinux labeling database.	You will need to use restorecon to apply the labels.

COMMANDS

       semanage fcontext can also be used to manipulate default file context mappings.

       semanage permissive can also be used to manipulate whether or not a process type is permissive.

       semanage module can also be used to enable/disable/install/remove policy modules.

       semanage boolean can also be used to manipulate the booleans

       system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage .

SEE ALSO

       selinux(8), dmesg(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) , setsebool(8)

dmesg								     14-06-10							  dmesg_selinux(8)
All times are GMT -4. The time now is 11:58 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy