Asked Sunday, June 19, 2022 · 1 answer · 14410 hits

My /var/log/auth.log contains quite some lines such as

"reverse mapping checking getaddrinfo for 224.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.224] failed - POSSIBLE BREAK-IN ATTEMPT!"
"Failed password for root from 61.174.51.224 port 4227 ssh2"

"reverse mapping checking getaddrinfo for 187-101-166-232.dsl.telesp.net.br [187.101.166.232] failed - POSSIBLE BREAK-IN ATTEMPT!"
"Invalid user Admin from 187.101.166.232"

From these I can see that the hackers failed to break in.

But unfortunately I also see some logs such as

Successful su for xxxxxx (my username) by root

My dumb questions are:

  • From the auth.log, how can I tell that the "successful su" was by me, not by hackers who may have gained my login info?
  • How to filter the auth.log file so that it succinctly reports which user successfully logged in, for how long, and from where? The IP addresses were indeed in the auth.log file, but it is not easy to see if they actually succeeded in breaking in.
  • Is there a log file to check what the hackers did?

Thank you for any enlightenment.

Answers (1)

1) from the auth.log, how can I tell that the "successful su" was by me, not by hackers who may have gained my login info?

That would break the meaning of log files. How should your system know if it is a hacker that did a successful su?

2) How to filter the auth.log file so that it succinctly reports which user successfully logged in, for how long, and from where?

That's what the program last is for. It parses the files /var/log/wtmp and /var/log/utmp, which contain this information. See:

user@host:~$ last
root pts/0 1.2.3.4 Fri Apr 4 07:59 still logged in
root pts/5 1.2.3.4 Wed Apr 2 15:58 - 17:00 (01:02)
root pts/0 1.2.3.4 Wed Apr 2 07:39 - 16:15 (08:36)
root pts/0 1.2.3.4 Tue Apr 1 07:39 - 16:00 (08:20)

Additionally you can parse older wtmp and utmp files with the -f option: last -f /var/log/wtmp.1.

3) Is there a log file to check what the hackers did?

See question 1). When a hacker gains access to your system it IS a successful authentication. So the system does not know that it is a hacker. All you can do is search in /var/log/* for traces.

Answered by neasinient, Tuesday, June 21, 2022
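As an added example (not code from the question or the answer), here is the kind of auth.log filter that question 2 asks for: it groups sshd outcomes per source address, so that addresses which only produced the failed attempts quoted above are visibly separated from addresses that actually logged in, and it lists the "Successful su" events alongside. The sample log lines are constructed from the patterns quoted in the question; 192.0.2.10, the user alice, the pids and the timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the patterns quoted in the question;
# the IPs are the ones quoted there, 192.0.2.10, "alice", pids and timestamps are made up.
SAMPLE_AUTH_LOG = """\
Jun 19 10:01:02 host sshd[4010]: reverse mapping checking getaddrinfo for 224.51.174.61.dial.wz.zj.dynamic.163data.com.cn [61.174.51.224] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 19 10:01:02 host sshd[4010]: Failed password for root from 61.174.51.224 port 4227 ssh2
Jun 19 10:01:05 host sshd[4011]: Invalid user Admin from 187.101.166.232
Jun 19 11:13:14 host sshd[4022]: Accepted publickey for alice from 192.0.2.10 port 50222 ssh2
Jun 19 11:13:20 host su[4030]: Successful su for alice by root
"""

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
# "Failed password for [invalid user] X from IP" and "Invalid user X from IP" both count as failures
FAILED = re.compile(r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?|Invalid user )(?P<user>\S+) from (?P<ip>\S+)")
SU_OK = re.compile(r"su(?:\[\d+\])?: Successful su for (?P<target>\S+) by (?P<by>\S+)")

def summarize(log_text):
    """Per source IP: failed-attempt count, user names tried, accepted logins; plus su events."""
    per_ip = defaultdict(lambda: {"failed": 0, "users_tried": set(), "accepted": []})
    su_events = []
    for line in log_text.splitlines():
        ts = line[:15]  # syslog timestamp "Mon DD HH:MM:SS"
        if m := ACCEPTED.search(line):
            per_ip[m["ip"]]["accepted"].append((ts, m["user"], m["method"]))
        elif m := FAILED.search(line):
            per_ip[m["ip"]]["failed"] += 1
            per_ip[m["ip"]]["users_tried"].add(m["user"])
        elif m := SU_OK.search(line):
            su_events.append((ts, m["target"], m["by"]))
    return dict(per_ip), su_events

def report(log_text):
    """One line per source address, so an address that only produced failures is clearly not a break-in."""
    per_ip, su_events = summarize(log_text)
    lines = []
    for ip, info in sorted(per_ip.items()):
        status = "LOGGED IN" if info["accepted"] else "no successful login"
        tried = ", ".join(sorted(info["users_tried"])) or "-"
        lines.append(f"{ip}: {info['failed']} failed (users tried: {tried}), {status}")
        for ts, user, method in info["accepted"]:
            lines.append(f"    {ts} accepted {method} for {user}")
    for ts, target, by in su_events:
        lines.append(f"su: {ts} {by} -> {target}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_AUTH_LOG))
```

The "for how long" part of the question is what last answers from wtmp; auth.log only records the moment of authentication, so this report shows who got in and from where, not session length.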