Check Your Linux SSH Log To Stop Hackers
Silent Attacks
Your web server may be ticking over nicely and everything looks fine and dandy. However, unbeknownst to you, your server could be under constant attack by hackers! How can you find out if this is happening? One of the first things to check is your SSH log.
What Is SSH?
SSH (secure shell) is a network protocol that allows Linux users to log into their shell accounts remotely over an encrypted connection that cannot be read by any third parties who may be snooping on the network.
SSH is used by Linux system administrators to connect to web servers. Logging in as the “root” user via SSH gives you complete control of the system and is a hacker’s ultimate goal.
SSH uses the standard TCP port 22 by default. Because of this, anyone (i.e. hackers) can connect to a web server via SSH on port 22 and try to gain access. Popular methods of attack are brute-force and dictionary attacks, and the chances are that this is happening to your web server without your knowledge.
Check If You Are Under Attack
Fortunately, Linux systems log SSH activity, so it’s possible to check back through your SSH logs and see if anyone is trying to log in to your system.
Locations of SSH Logs
On Red Hat systems the logs are stored at /var/log/secure; on other Linux flavours you should check /var/log/auth.log.
How To View SSH Logs
You can view your SSH log in a couple of different ways. Firstly, you can download the log via SFTP. (SFTP is secure file transfer over SSH, so it is available whenever you can connect via SSH.)
However, the log can be large and you may not want to view all of it. The second option is to log in via SSH and use the Linux tail command to display the last N lines. When you’re logged in via SSH, use the following command to view your SSH log:
tail -n 100 /var/log/auth.log
That will display the last 100 lines of the SSH log on a non-Red Hat system. Change the path to the log and the number of lines to display to suit your particular setup.
The log contains more than just SSH logins, so you’ll need to look through it and identify any failed attempts to log in via SSH. Failed attempts should show the username that the hacker tried and their IP address.
Hopefully there won’t be many hacking attempts, but if you’ve never investigated this issue before you might be surprised to learn how many people are trying to break into your system!
Prevent Hacking Attempts
The good news is that you can take proactive steps to prevent hackers gaining access to your system.
The first thing you can do is take the SSH service off port 22 and put it on another random free port. That way, if a hacker tries to attack you on port 22 he will get nowhere, and he has no idea which other ports to try!
Secondly, you can use the DenyHosts tool. This will periodically read your SSH log and add a firewall rule blocking anyone who has multiple failed SSH login attempts logged.
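To show what "identifying failed attempts" and the DenyHosts threshold look like in practice, here is an added example script (not part of the original article or of DenyHosts) that parses the OpenSSH "Failed password" lines from an auth.log, counts failures per source IP together with the usernames tried, and lists the IPs that cross a block threshold. The log lines, hostname, usernames and IPs are constructed sample data, and the threshold of 3 is an assumed value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/auth.log lines (not from a real server);
# the hostname, usernames and IPs are made up for illustration.
SAMPLE_LOG = """\
Mar  3 10:12:45 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar  3 10:12:58 web01 sshd[2207]: Failed password for root from 203.0.113.45 port 51301 ssh2
Mar  3 10:13:05 web01 CRON[2210]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:13:20 web01 sshd[2215]: Failed password for deploy from 198.51.100.7 port 40112 ssh2
Mar  3 10:13:31 web01 sshd[2215]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2: RSA SHA256:xyz
Mar  3 10:14:02 web01 sshd[2222]: Failed password for root from 203.0.113.45 port 51377 ssh2
"""

# Match the OpenSSH "Failed password" message: optional "invalid user" marker
# (the account does not exist on the system), the username, and the client IP.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failed_logins(log_text):
    """Return a list of (ip, user, invalid_user) tuples, one per failed attempt."""
    attempts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts.append((m.group("ip"), m.group("user"), m.group("invalid") is not None))
    return attempts

def failures_by_ip(attempts):
    """Count failed attempts per source IP and collect the usernames each one tried."""
    counts = Counter()
    users = defaultdict(set)
    for ip, user, _ in attempts:
        counts[ip] += 1
        users[ip].add(user)
    return counts, users

def suspicious_ips(counts, threshold=3):
    """IPs at or above the failure threshold, busiest first: the candidates a
    DenyHosts-style tool would block (threshold is an assumed value)."""
    return sorted((ip for ip, n in counts.items() if n >= threshold),
                  key=lambda ip: -counts[ip])

if __name__ == "__main__":
    counts, users = failures_by_ip(parse_failed_logins(SAMPLE_LOG))
    for ip, n in counts.most_common():
        print(f"{ip}: {n} failed, users tried: {sorted(users[ip])}")
    print("block candidates:", suspicious_ips(counts))
```

To run it against a real log, replace SAMPLE_LOG with the contents of /var/log/auth.log or /var/log/secure read from disk.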
Conclusion
There may be hackers trying to gain access to your server without your knowledge. However, you can track their attempts and take action to severely limit the chances of an unauthorised user gaining access to your system.