my /var/log/auth.log contains quite a few lines such as
"reverse mapping checking getaddrinfo for 224.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.224] failed - POSSIBLE BREAK-IN ATTEMPT!"
"Failed password for root from 61.174.51.224 port 4227 ssh2"
"reverse mapping checking getaddrinfo for 187-101-166-232.dsl.telesp.net.br [187.101.166.232] failed - POSSIBLE BREAK-IN ATTEMPT!"
"Invalid user Admin from 187.101.166.232"
From these I can see that the hackers failed to break in.
But unfortunately I also see some logs such as
Successful su for xxxxxx (my username) by root
My dumb questions are:
- From the auth.log, how can I tell that the "successful su" was by me, not by hackers who may have gained my login info?
- How can I filter the auth.log file so that it succinctly reports which user successfully logged in, for how long, and from where? The IP addresses are indeed in the auth.log file, but it is not easy to see whether they actually succeeded in breaking in.
- Is there a log file to check what the hackers did?
Thank you for any enlightenment.
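One way to filter auth.log the way the second question asks, as an added example that is not part of the original post: it assumes the Debian-style sshd, pam_unix and su message formats quoted above, and the sample lines, hostnames and addresses are constructed placeholders, not the poster's data.

```python
import re
from datetime import datetime

# Constructed sample auth.log lines (placeholders, not from the poster's system)
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[2001]: reverse mapping checking getaddrinfo for example.invalid [192.0.2.10] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  3 10:01:03 host sshd[2001]: Failed password for root from 192.0.2.10 port 4227 ssh2
Mar  3 10:01:05 host sshd[2002]: Invalid user Admin from 198.51.100.7
Mar  3 11:20:00 host sshd[2010]: Accepted publickey for alice from 203.0.113.5 port 50022 ssh2
Mar  3 11:20:00 host sshd[2010]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 11:25:30 host su[2050]: Successful su for alice by root
Mar  3 11:45:00 host sshd[2010]: pam_unix(sshd:session): session closed for user alice
"""

TS = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")  # timestamp, host, message
ACCEPTED = re.compile(r"sshd\[(\d+)\]: Accepted (\w+) for (\S+) from (\S+) port (\d+)")
CLOSED = re.compile(r"sshd\[(\d+)\]: .*session closed for user (\S+)")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
INVALID = re.compile(r"Invalid user (\S+) from (\S+)")
SU = re.compile(r"su\[\d+\]: Successful su for (\S+) by (\S+)")

def summarize(text):
    """Return completed sshd sessions (user, source, method, duration), failed attempts and su events."""
    starts, open_sessions, sessions, failed, su = {}, {}, [], [], []
    for line in text.splitlines():
        m = TS.match(line)
        if not m:
            continue
        # syslog lines carry no year; strptime's default 1900 is fine for computing durations
        when = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
        msg = m.group(2)
        if a := ACCEPTED.search(msg):
            pid, method, user, ip, port = a.groups()  # sshd pid ties the login to its session
            starts[pid] = when
            open_sessions[pid] = {"user": user, "from": ip, "port": int(port), "method": method}
        elif (c := CLOSED.search(msg)) and c.group(1) in open_sessions:
            s = open_sessions.pop(c.group(1))
            s["duration_s"] = int((when - starts.pop(c.group(1))).total_seconds())
            sessions.append(s)
        elif f := FAILED.search(msg):
            failed.append(("failed password", f.group(1), f.group(2)))
        elif i := INVALID.search(msg):
            failed.append(("invalid user", i.group(1), i.group(2)))
        elif u := SU.search(msg):
            su.append((u.group(1), u.group(2)))
    for s in open_sessions.values():  # still open at end of log: no duration yet
        sessions.append({**s, "duration_s": None})
    return {"sessions": sessions, "failed": failed, "su": su}
```

Only the Accepted/session-closed pairs are real logins; the reverse-mapping and failed-password lines are noise from rejected attempts, and a Successful su can be checked against the session that was open at that time to see whether its source address was yours.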