The world has gone to the dogs in the online arena.
The attacks are increasing, and they are coming fast and furious from Vietnam, Romania, Thailand, France, China, Ukraine, Russia, Turkey, the U.S., Canada and all over the globe.
Both private individuals and government agencies are on the rampage.
You cannot stop all of the attacks, but with some effort you can prevent a lot of them before they inflict catastrophic damage on your web site or network.
Log File Analysis
Studying log files on your Linux server is a good way to spot suspicious activity early and stop attacks before they start or get out of hand.
In this post, we will examine different log files that can help to identify malicious or potentially bad actors based mostly on IP addresses.
As always in web security, there will be some false positives, but that is the price you pay for security.
Not every visitor from Ukraine, Iran, France, the UK or Turkey, nor every Amazon Web Services IP address, is a bad element.
Types of Log Files
Linux systems log everything that happens on the server and store the activity in various files under the etc/var/log and etc/var/log/httpd folders.
From a security perspective, the following logs are of interest to us.
1) vsftpd.log – stores all FTP login attempts (including failed attempts) to your server
2) maillog – records all e-mail sent and received by the various users on your server, connections to the mail server, and postfix/smtpd login failures
3) messages – records events such as relaying attempts, DDoS attacks (mod_evasive actions), SMTP attacks, fail2ban actions and invalid smtp saslauthd logins
4) access_log – saved in the /log/httpd folder; tells the story of who accessed your server, including the various bots and their IP addresses
5) error_log – located in the /log/httpd folder; provides useful information about errors generated on your web server
Now, how do we access these various log files?
You can access the log files either through command line or via GUI panels like Webmin.
From the command line you can find malicious visitors or potential attackers by running the netstat or ss commands.
While these are extremely useful, they only show current connections: they will not tell you clearly who did what on your web site a few hours ago, yesterday or two days back.
Also, you may have to run the netstat command several times with different options to figure out the attacking IP.
This is where analyzing the log files directly comes in handy.
Log files can be analyzed in two ways:
1) With the command less
2) Using tailf
The less command lets you examine the entries already written to a log file, which typically covers four or five days, whereas tailf lets you monitor a log file live as new entries are being written.
To access log files on your Linux system, you have to first log in as root or superuser.
Once you are in the log folder, you can read the log files with the less command.
[root@christyserver]# cd /etc/var/log
[root@christyserver log]# less vsftpd.log
When the log file opens in less, it starts at the beginning of the file. The file may contain entries for three or four days.
The beginning of the log file holds the oldest entries, because new entries are appended to the end of the existing file as they are logged.
You can use various options to navigate the log file opened through less.
a) Page Up or b – Scroll back one page
b) Page Down or press space bar – scroll forward one page
c) Up arrow – scroll up one line
d) Down arrow – scroll down one line
e) G – Move to the end of the text file
f) 1G or g – move to the beginning of the text file
g) /characters – search forward to the next occurrence of characters
h) n – repeat the previous search, moving to its next occurrence
i) h – display help screen for less
j) q – quit less
Here’s an example of useful stuff gleaned from the less command:
[root@christyserver httpd]# less access_log
126.96.36.199 - - [15/Dec/2014:18:55:14 -0500] "GET /ghgh/ghg/gh.php HTTP/1.1" 301 329 "-" "-"
188.8.131.52 - - [15/Dec/2014:18:55:14 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 301 342 "-" "-"
184.108.40.206 - - [15/Dec/2014:18:55:15 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 301 335 "-" "-"
220.127.116.11 - - [15/Dec/2014:18:55:15 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 301 339 "-" "-"
In the above example, a bad element from Hong Kong is trying to play mischief with my PHP setup, requesting the phpMyAdmin setup script under several common directory names. So our next step ought to be to drop this IP and prevent it from accessing the server again.
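The manual check above can be automated over a whole access_log. The following example is added here and is not code from the original post: it parses the Apache combined log format shown in the excerpt, counts requests per IP to the setup.php probe paths seen above, and separately notes which IPs send no User-Agent at all. The sample lines are constructed from the excerpt plus one ordinary visit.

```python
import re
from collections import Counter

# Apache "combined" log format, as in the access_log excerpt above:
# IP - - [timestamp] "METHOD path HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Paths a legitimate visitor never requests on a site that does not run
# phpMyAdmin; a hit on any of them is a scanner probing for the installer.
PROBE_RE = re.compile(r'/(phpmyadmin|pma|myadmin)/scripts/setup\.php$', re.IGNORECASE)

def parse_line(line):
    """Return the fields of one access_log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_probes(lines):
    """Return ({ip: probe_count}, {ip: blank_user_agent_count}).
    Unparseable lines are skipped rather than allowed to abort the scan."""
    hits = Counter()
    no_agent = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if PROBE_RE.search(rec["path"]):
            hits[rec["ip"]] += 1
        if rec["agent"] == "-":      # real browsers always send a User-Agent
            no_agent[rec["ip"]] += 1
    return dict(hits), dict(no_agent)

# Constructed sample: the four lines from the excerpt plus one ordinary visit.
SAMPLE = """\
126.96.36.199 - - [15/Dec/2014:18:55:14 -0500] "GET /ghgh/ghg/gh.php HTTP/1.1" 301 329 "-" "-"
188.8.131.52 - - [15/Dec/2014:18:55:14 -0500] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 301 342 "-" "-"
184.108.40.206 - - [15/Dec/2014:18:55:15 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 301 335 "-" "-"
220.127.116.11 - - [15/Dec/2014:18:55:15 -0500] "GET /myadmin/scripts/setup.php HTTP/1.1" 301 339 "-" "-"
203.0.113.5 - - [15/Dec/2014:19:01:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    probes, blank_ua = find_probes(SAMPLE)
    for ip, n in sorted(probes.items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{n} probe request(s), {blank_ua.get(ip, 0)} with no User-Agent")
```

To run it on a real file, replace SAMPLE with `open("/var/log/httpd/access_log")` and feed the resulting IPs to your firewall or fail2ban rules after reviewing them.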