Auditing for unauthorized access attempts with the auth.log file (LINUX)

Leave a Comment / Uncategorised / By /

Hello All,

If you are running a linux based webserver or any type of server as a best practice is to view any unauthorized access attempts against your server this can give you an insight as to if your server is being bruteforce attacked or if someone within your network is attempting to gain access to you server

there are many ways of doing this but for this post I will show you how to see this information in the AUTH.LOG file

the auth.log file is located in /var/log/auth.log this file logs authorization success and failures and reports the remote IP if the attempt from the network as well as the username being used

here is a sample output

Nov 24 11:17:01 CRON[9076]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 24 11:17:01 CRON[9076]: pam_unix(cron:session): session closed for user root
Nov 24 11:21:03 sshd[9079]: Did not receive identification string from 220.226.6.44
Nov 24 11:29:58 sshd[9080]: Invalid user bob from 107.20.246.150
Nov 24 11:29:58 sshd[9080]: input_userauth_request: invalid user bob [preauth]
Nov 24 11:29:58 sshd[9080]: pam_unix(sshd:auth): check pass; user unknown
Nov 24 11:29:58 sshd[9080]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-107-20-246-150.compute-1.amazonaws.com
Nov 24 11:30:01 sshd[9080]: Failed password for invalid user bob from 107.20.246.150 port 55032 ssh2
Nov 24 11:30:01 sshd[9080]: Received disconnect from 107.20.246.150: 11: Bye Bye [preauth]
Nov 24 11:30:02 sshd[9082]: Invalid user john from 107.20.246.150
Nov 24 11:30:02 sshd[9082]: input_userauth_request: invalid user john [preauth]
Nov 24 11:30:02 sshd[9082]: pam_unix(sshd:auth): check pass; user unknown
Nov 24 11:30:02 sshd[9082]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-107-20-246-150.compute-1.amazonaws.com

The above is an output from a public webserver as we can see from the log an access attempt from 107.20.246.150 using the username john

Viewing this log regularly can help you build proper firewall rules if you happen to see many access attempts from a specific network or a specific IP

you could also create a small script that can email you this log periodically that would be helpful I suppose

Until next time
stay secure !

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.