Use the log system to protect Linux security

Source: Internet
Author: User

This article describes how to use the log subsystem and its commands in Linux to better protect system security.


The log subsystem is very important for the security of a Linux system. It records the daily events of the system, including which users used or are using it, and logs can be used to find the cause of an error. More importantly, after the system has been attacked, the logs record the traces left by the attacker; from them the system administrator can learn the methods and characteristics of the attack, deal with it, and prepare for the next one.


In Linux there are three main log subsystems:


● Connection-time logging: records are written to /var/log/wtmp and /var/run/utmp by login and several other programs. Because wtmp and utmp are kept up to date, the system administrator can track who is logged on to the system at any time.


● Process accounting: performed by the system kernel. When a process terminates, a record for that process is written to the process accounting file (pacct or acct). Process accounting provides command usage statistics for the basic services of the system.


● Error logging: performed by the syslogd(8) daemon. System daemons, user programs, and the kernel report noteworthy events through syslog(3) to the daemon, which writes them to the file /var/log/messages. In addition, many Unix programs create their own logs, and servers that provide network services such as HTTP and FTP keep detailed logs.


Use of logs in Linux


1. Use of basic log commands


The utmp and wtmp log files are the key to most of the Linux log subsystem. They store records of user logons and logouts. Information about the currently logged-on users is kept in utmp; logon and logout records are kept in wtmp, which also records data exchange, shutdown, and restart events. All records carry a timestamp. Timestamps are very important for logs, because the analysis of many attacks depends closely on time. On systems with many users these files grow quickly; the wtmp file in particular grows without limit unless it is truncated regularly. Many systems rotate wtmp daily or weekly, usually through scripts run from cron that rename the old file and start a fresh wtmp.


The utmp file is used by commands such as who, w, users, and finger; the wtmp file is used by last and ac. These are binary files, so they cannot be read or trimmed with tail or cat; the information in the two files must be accessed through who, w, users, last, and ac. The commands are used as follows:


who command: who queries the utmp file and reports every user currently logged on. The default output of who includes the user name, terminal, logon time, and remote host. With this command the system administrator can see which unauthorized users are present on the system and audit and deal with them. For example, running who displays output such as:


    [root@working]# who
    root     pts/0   May  9 21:11 (10.0.2.128)
    root     pts/1   May  9 21:16 (10.0.2.129)
    lhwen    pts/7   May  9       (10.0.2.27)


If the name of the wtmp file is given as an argument, who reports all previous records. For example, who /var/log/wtmp reports every logon since the wtmp file was created or last truncated.


Log usage considerations


System administrators should stay vigilant, watch for suspicious situations, and check the system log files both on a schedule and at random, including the general message log, network connection logs, file transfer logs, and user logon logs. When examining these logs, look for records that do not make sense in terms of time. For example:


■ users logging on at unusual times;


■ abnormal log records, such as incomplete logs, or log files such as wtmp going missing for no reason;


■ a user logging on from an IP address different from the one used before;


■ records of failed logons, especially a run of consecutive failures;


■ unauthorized or improper use of the su command to obtain superuser privileges;


■ network services being restarted for no reason or for an improper one.


Administrators are also reminded that logs are not completely reliable: skilled intruders usually clean up after breaking into a system. The commands above must therefore be used together and their results compared; a single log or command taken in isolation can miss an intrusion or lead to a wrong conclusion.
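As an added example (not part of the original article), the following Python checks three of the points listed above over constructed logon records in the shape that last(1) and lastb(1) report: logons outside working hours, a user whose source host differs from the previous logon, and runs of consecutive failed logons. The working-hours range and the failure threshold are assumed policy values, not values from the article.

```python
from datetime import datetime

# Constructed logon records in the shape last(1)/lastb(1) report:
# (user, source host, logon time, succeeded). Not real data.
SAMPLE_LOGONS = [
    ("devin",   "10.0.2.221", datetime(2003, 7, 21, 9, 8),   True),
    ("changyi", "10.0.2.141", datetime(2003, 7, 21, 14, 30), True),
    ("devin",   "10.0.2.221", datetime(2003, 7, 22, 10, 2),  True),
    ("devin",   "10.0.2.77",  datetime(2003, 7, 23, 3, 15),  True),
    ("root",    "10.0.2.9",   datetime(2003, 7, 23, 3, 20),  False),
    ("root",    "10.0.2.9",   datetime(2003, 7, 23, 3, 21),  False),
    ("root",    "10.0.2.9",   datetime(2003, 7, 23, 3, 22),  False),
]

WORK_HOURS = range(8, 19)   # assumed site policy: 08:00-18:59 is normal
FAIL_THRESHOLD = 3          # assumed: three failures in a row deserve a look


def review_logons(records, work_hours=WORK_HOURS, fail_threshold=FAIL_THRESHOLD):
    """Return (user, reason) findings, in chronological order of the records."""
    findings = []
    last_host = {}      # user -> host of that user's previous successful logon
    fail_streak = {}    # user -> consecutive failed logons seen so far
    for user, host, when, ok in sorted(records, key=lambda r: r[2]):
        if not ok:
            fail_streak[user] = fail_streak.get(user, 0) + 1
            if fail_streak[user] == fail_threshold:
                findings.append(
                    (user, f"{fail_threshold} consecutive failed logons from {host}"))
            continue
        fail_streak[user] = 0   # a success ends the run of failures
        if when.hour not in work_hours:
            findings.append((user, f"logon at {when:%H:%M} outside working hours"))
        prev = last_host.get(user)
        if prev is not None and prev != host:
            findings.append((user, f"source host changed from {prev} to {host}"))
        last_host[user] = host
    return findings


if __name__ == "__main__":
    for user, reason in review_logons(SAMPLE_LOGONS):
        print(f"{user}: {reason}")
```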


users command: users prints the currently logged-on users on a single line. Each user name printed corresponds to one logon session; a user with more than one session appears the same number of times. For example:


    [root@working]# users
    root        // only one user, root, is logged on


last command: last searches wtmp backwards and displays every user who has logged on since the file was created. The system administrator can periodically audit the logon history of these users to discover problems and to identify and deal with unauthorized users. For example:


    [root@working]# last
    devin    pts/1        10.0.2.221   Mon Jul 21 :08 - down   (8+17:46)
    devin    pts/1        10.0.2.221   Mon Jul 21
    changyi  pts/2        10.0.2.141   Mon Jul 21
    devin    pts/1        10.0.2.221   Mon Jul 21
    reboot   system boot  2.4.18       Fri Jul 18 :42          (11+17:13)
    reboot   system boot  2.4.18       Fri Jul 18
    reboot   system boot  2.4.18       Fri Jul 18


As you can see, this command prints a great deal of information with little distinction between entries. You can therefore name a user to show only that user's logons. For example, last devin shows the logon history of devin:


    [root@working]# last devin
    devin    pts/1        10.0.2.221   Mon Jul 21 :08 - down   (8+17:46)
    devin    pts/1        10.0.2.221   Mon Jul 21


ac command: ac reports user connection time in hours, based on the logon and logout records in /var/log/wtmp. Without options it reports the total time. Options narrow the report; for example, last -t 7 shows the report for the previous week.


lastlog command: the file /var/log/lastlog is updated every time a user logs on. The lastlog command reads and formats that file and shows the last logon of each user, sorted by UID: logon name, port (tty), and time of last logon. If a user has never logged on, lastlog prints "**Never logged in**". Note that this command must be run as root. For example:


    [root@working]# lastlog
    Username   Port   From         Latest
    root       pts/1  10.0.2.129   10:13:26 +0800 2005
    opal       pts/1  10.0.2.129   10:13:26 +0800 2005


2. Use Syslog Devices


syslog is used by many logging functions and in many protective measures. Any program can record events through syslog. syslog can record system events, write them to a file or a device, or send a message to users, and it can record local events or events from another host over the network.


The core of the syslog facility is a daemon (/etc/syslogd) and a configuration file (/etc/syslog.conf). Generally most syslog messages are written to /var/adm or to the message files (messages.*) in the /var/log directory. A typical syslog record includes the name of the program that generated it and a text message; it also carries a facility and a priority.


Through syslog.conf the system administrator can flexibly configure where logs are written and what they contain, to suit the application. For example, to record all mail messages to one file:


    # Log all the mail messages in one place
    mail.*                          /var/log/maillog


Other facilities have their own logs. The uucp and news facilities can produce many messages; these are stored in their own log (/var/log/spooler), limited to level err or higher. For example:


    # Save news errors of level crit and higher in a special file.
    uucp,news.crit                  /var/log/spooler


When an emergency message arrives, all users probably want to receive it. You may also want the message received and saved on another machine:


    # Everybody gets emergency messages, plus log them on another machine
    *.emerg                         *
    *.emerg                         @linuxaid.com.cn


All facilities can be given on one line. In the following example, messages of level info or higher are sent to /var/log/messages, except those from mail. The level none disables a facility:


    # Log anything (except mail) of level info or higher
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none  /var/log/messages
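As an added example (not part of the original article), the following Python reads the syslog.conf fragments shown above and resolves which actions receive a message of a given facility and priority, implementing the selector semantics described here: a priority matches itself and everything higher, `*` matches all, `none` removes a facility, and `,` and `;` separate facilities and selectors. The configuration text is constructed from the fragments in this article; the `=` and `!` selector modifiers are not handled.

```python
import re

# Ascending order of syslog priorities, as defined by syslog(3).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

# Constructed configuration assembled from the fragments in this article.
SAMPLE_CONF = """
# Log all the mail messages in one place
mail.*                          /var/log/maillog
# Save news errors of level crit and higher in a special file.
uucp,news.crit                  /var/log/spooler
# Everybody gets emergency messages, plus log them on another machine
*.emerg                         *
*.emerg                         @linuxaid.com.cn
# Log anything (except mail) of level info or higher
# Don't log private authentication messages!
*.info;mail.none;authpriv.none  /var/log/messages
"""


def parse_conf(text):
    """Return a list of (minimum priority per facility, action) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = re.split(r"\s+", line, maxsplit=1)
        minimum = {}
        # Selectors apply left to right, so "mail.none" after "*.info"
        # removes mail from that rule again.
        for sel in selector.split(";"):
            facs, prio = sel.rsplit(".", 1)
            for fac in (FACILITIES if facs == "*" else facs.split(",")):
                if prio == "none":
                    minimum.pop(fac, None)
                else:
                    minimum[fac] = 0 if prio == "*" else PRIORITIES.index(prio)
        rules.append((minimum, action))
    return rules


def actions_for(rules, facility, priority):
    """Actions that receive a message of this facility and priority, in file order."""
    level = PRIORITIES.index(priority)
    return [action for minimum, action in rules
            if facility in minimum and level >= minimum[facility]]
```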


In some cases logs can be sent to a printer, so that traces of an intrusion cannot be erased when an intruder modifies the logs. The syslog facility is a prominent target for attackers: if it is compromised, finding the traces of an intrusion becomes very difficult, so protect its daemon and configuration file with special care.


3. Use of program logs


Many programs keep logs that reflect the security state of the system. The su command lets a user obtain the privileges of another user, so its security is very important; its log file is sulog, and sudolog is used as well. HTTP servers such as Apache keep two logs, access_log (client access log) and error_log (server error log). FTP service logs are kept in xferlog, and sendmail logs on Linux are generally kept in maillog.


Whether program logs are created and used depends largely on good programming habits. A good programmer includes logging in any program that touches system or network security. This not only helps with debugging and correcting errors; more importantly, it gives the application's users a log analysis function, so that the system administrator can better understand the state of the program and even of the whole system, act in time, and stop accidents and malicious intrusions.

