Security Information - BSD


Thread: Security Information

  1. Security Information

    Besides /var/log/messages and /var/log/security, where else can one look for
    security information on a FreeBSD server? I've been noticing some mail to
    var which shows an invalid user attempted a login via ssh and was wondering
    exactly where this information is stored before it's sent to root's mailbox.



  2. Re: Security Information

    Vladimir Tserijemiwtz wrote:

    > Besides /var/log/messages and /var/log/security, where else can one look
    > for security information on a FreeBSD server? I've been noticing some mail
    > to var which shows an invalid user attempted a login via ssh and was
    > wondering exactly where this information is stored before it's sent to
    > root's mailbox.


    For this particular item, look at /var/log/auth.log.

    Also the w command will show who is logged in currently, while the last
    command will show a login history. One old hacker trick used to be
    modifying the /var/run/utmp, the /var/log/wtmp, and the /var/log/lastlog
    files used for keeping track of login(s) in order to erase evidence of
    login activity.

    As far as general purpose security logging, it's not a one-stop shop and
    will depend more on how your particular environment is configured. For
    example, some like to put log_in_vain="YES" in their /etc/rc.conf which
    will log attempts to connect to ports that have nothing listening on them.
    This may be OK on machines that are behind firewalls and don't get many
    such requests, but in other situations it will spam your logs with gobs of
    stuff which will drown out your patience to examine it all.


    Most third-party apps like Postfix, Courier-Imap, and the like will
    generally have their own logs. If they are some form of auth daemon, like
    saslauthd for instance, they may log to /var/log/auth.log as well. You may
    also be able to manage your logging to a certain extent with entries
    in /etc/syslog.conf, especially for things that have built-in
    functionality enabling them to use syslogd.

    -Jason
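    The two sources Jason names, sshd's entries in /var/log/auth.log and the
    wtmp history behind last(1), can be checked against each other. Below is an
    added example (not code from the thread or from FreeBSD itself): it counts
    "Invalid user" attempts per source address, flags the busy ones, and lists
    sshd "Accepted" logins that have no matching line in last(1) output, which is
    the symptom you would expect if someone had scrubbed /var/log/wtmp the way
    the post describes. The hostname, PIDs, addresses, usernames and both sample
    files are constructed for illustration; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread. Correlates FreeBSD-style sshd
# lines in /var/log/auth.log with wtmp history as printed by last(1).
# Every hostname, PID, address and user below is constructed.

# Constructed auth.log excerpt using OpenSSH / FreeBSD PAM message formats.
sample_auth_log() {
    cat <<'EOF'
Oct 25 17:55:01 bsdhost sshd[1234]: Invalid user admin from 203.0.113.7
Oct 25 17:55:03 bsdhost sshd[1234]: error: PAM: authentication error for illegal user admin from 203.0.113.7
Oct 25 17:56:10 bsdhost sshd[1240]: Invalid user oracle from 203.0.113.7
Oct 25 17:57:42 bsdhost sshd[1251]: Invalid user test from 198.51.100.23
Oct 25 18:01:05 bsdhost sshd[1260]: Accepted publickey for jason from 192.0.2.10 port 40022 ssh2
Oct 25 18:03:17 bsdhost sshd[1262]: Invalid user admin from 203.0.113.7
Oct 25 18:09:30 bsdhost sshd[1270]: Accepted password for www from 203.0.113.7 port 44100 ssh2
EOF
}

# Constructed last(1) output. The 18:09 "www" session is deliberately absent,
# as it would be if that record had been removed from /var/log/wtmp.
sample_last_output() {
    cat <<'EOF'
jason            pts/0    192.0.2.10       Thu Oct 25 18:01   still logged in
jason            pts/0    192.0.2.10       Wed Oct 24 09:12 - 17:40  (08:28)
EOF
}

# Usage: invalid_user_attempts <auth.log>
# Prints "<count> <source-ip>" for sshd "Invalid user" lines, busiest first.
# The address is taken as the field after "from", so lines that also carry
# a trailing "port N" are handled the same way.
invalid_user_attempts() {
    awk '/sshd\[[0-9]+\]: Invalid user / {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Usage: ips_over_threshold <auth.log> <min-attempts>
# Prints only the source addresses with at least <min-attempts> tries.
ips_over_threshold() {
    invalid_user_attempts "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Usage: accepted_without_wtmp <auth.log> <last-output>
# Prints "user host" for every sshd "Accepted" login that has no line with
# the same user and host in last(1) output. A hit means wtmp disagrees with
# sshd's own record and deserves a closer look.
accepted_without_wtmp() {
    awk 'NR == FNR { seen[$1 " " $3] = 1; next }
         /sshd\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++) {
                 if ($i == "for")  user = $(i+1)
                 if ($i == "from") host = $(i+1)
             }
             key = user " " host
             if (!(key in seen)) print key
         }' "$2" "$1"
}

# Stand-alone demo against the constructed samples. On a real host, point
# the functions at /var/log/auth.log and at a file holding `last` output.
tmp=$(mktemp -d)
sample_auth_log > "$tmp/auth.log"
sample_last_output > "$tmp/last.txt"
echo "invalid-user attempts per source:"
invalid_user_attempts "$tmp/auth.log"
echo "sources with 2 or more attempts:"
ips_over_threshold "$tmp/auth.log" 2
echo "sshd logins missing from wtmp:"
accepted_without_wtmp "$tmp/auth.log" "$tmp/last.txt"
rm -rf "$tmp"
```

    The cross-check only catches a scrubbed wtmp while auth.log is intact; an
    intruder with root can edit both, which is the usual argument for shipping
    auth.* off the box through syslog.conf as Jason mentions.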


  3. Re: Security Information

    On Oct 25, 5:55 pm, "Vladimir Tserijemiwtz" wrote:
    > Besides /var/log/messages and /var/log/security, where else can one look for
    > security information on a FreeBSD server? I've been noticing some mail to
    > var which shows an invalid user attempted a login via ssh and was wondering
    > exactly where this information is stored before it's sent to root's mailbox.


    Jason pointed you to the correct places to look.

    Most of the mail servers I build do not even give users a
    shell (nologin).

