How do you usually check logins on a Linux system?
Posted by newworldlife@reddit | linuxadmin | View on Reddit | 18 comments
Saw something small that didn’t quite match earlier.
Ran `last -a` just to double check logins.
Nothing obviously wrong, but a couple entries didn’t line up with what I expected for that box.
Might be nothing tbh, but it made me pause for a second.
How do you usually decide what’s normal vs off?
Loud_Posseidon@reddit
Send over to Elastic, then filter out/visualize (if the task is more recurring) in Kibana. You want the logs off of the server as soon as possible.
You may also want to set up anomaly detection in Elastic and move on from there - tickets/alerts/calls/...
gainan@reddit
This is the way. Many malware or malicious actors wipe login activity:
For example the rootkit Adore / Adore-ng: https://github.com/yaoyumeng/adore-ng/blob/522c80a2dc043c2d523256472becc88c90d66337/adore-ng.c#L617
https://xcellerator.github.io/posts/linux_rootkits_09/
We have a mix of auditd+grafana and other EDRs.
Warm-Researcher-6884@reddit
That's really a great point.
newworldlife@reddit (OP)
That’s a good point. I wasn’t even thinking about log wiping, makes sense to move them off the box early.
nof@reddit
The Cuckoo's Egg
newworldlife@reddit (OP)
Yeah, exactly. Those small things that seem fine but just don’t feel right until you dig a bit.
aieidotch@reddit
Also check `lastb`.
escape_deez_nuts@reddit
I check /var/log/secure
newworldlife@reddit (OP)
Yeah same here, /var/log/secure is usually my first stop too
courage_the_dog@reddit
There's also auth.log, I think.
newworldlife@reddit (OP)
Correct, good call, auth.log too depending on the distro
Runnergeek@reddit
Why are you responding like an AI bot
courage_the_dog@reddit
So when are you going to advertise the to you've built?
Ontological_Gap@reddit
This is much better if you have it configured
chocopudding17@reddit
Jeez, LLM spew in /r/linuxadmin? C'mon.
frymaster@reddit
Sometimes hopping through a server with `ssh -J`, or use of `scp` or similar, doesn't show up in one or more of `who`, `w`, and `last` - I've never cared to check which is which. But they'll all show up in the sshd logs.
disordr3000@reddit
finger.
Ontological_Gap@reddit
'w' and the audit log
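As an added example (not code from anyone in the thread), here is a small Python script that ties together three points made above: the OP's question of how to decide what is normal versus off, gainan's warning that login records on the box itself may have been wiped, and frymaster's note that `ssh -J`/`scp` sessions may be missing from `who`/`w`/`last` but always appear in the sshd log. It parses sshd "Accepted"/"Failed" lines (the standard format in /var/log/secure, auth.log or `journalctl -u sshd`) and `last -a` output, compares each successful login against a per-user baseline of known source addresses, flags a success that follows a run of failures from the same source, and reports any (user, source) pair that sshd logged more often than wtmp shows. The sample log lines, the hostname web01, the addresses, and the `BASELINE` dictionary are all constructed for the example; in practice the baseline would be built from older logs.

```python
"""Cross-check sshd's own log against `last -a` output and a baseline of known
source addresses.  Added example, not from the original thread.

Assumptions (not from the original post):
  * sshd auth lines have the standard form
      "sshd[PID]: Accepted <method> for <user> from <ip> port <n> ..."
      "sshd[PID]: Failed <method> for [invalid user ]<user> from <ip> port <n> ..."
  * `last -a` prints the user as the first column and the host as the last.
  * BASELINE is what you already know to be normal for this box; it is
    hard-coded here and would normally be derived from older logs.
"""
import re
from collections import Counter, defaultdict

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: what grep sshd /var/log/secure might return for one day.
SSHD_LOG = [
    "Jan 14 09:12:01 web01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:AAAA",
    "Jan 14 09:30:44 web01 sshd[1290]: Accepted publickey for alice from 10.0.0.5 port 51240 ssh2: ED25519 SHA256:AAAA",
    "Jan 14 22:03:10 web01 sshd[1402]: Failed password for root from 203.0.113.7 port 40010 ssh2",
    "Jan 14 22:03:12 web01 sshd[1402]: Failed password for root from 203.0.113.7 port 40010 ssh2",
    "Jan 14 22:03:15 web01 sshd[1405]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2",
    "Jan 14 22:03:19 web01 sshd[1410]: Accepted password for bob from 203.0.113.7 port 40031 ssh2",
    "Jan 14 22:03:19 web01 sshd[1410]: pam_unix(sshd:session): session opened for user bob by (uid=0)",
]

# Constructed sample: `last -a` output for the same box.  Note alice's second
# sshd login (an scp, no tty) never produced a wtmp record.
LAST_A = [
    "alice    pts/0        Tue Jan 14 09:12 - 09:25  (00:13)     10.0.0.5",
    "bob      pts/1        Tue Jan 14 22:03   still logged in    203.0.113.7",
    "reboot   system boot  Mon Jan 13 07:00   still running      6.1.0-kernel",
    "",
    "wtmp begins Mon Jan 13 07:00:00 2025",
]

# Assumed baseline: sources each user has been seen from before.
BASELINE = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.9"}}


def parse_sshd(lines):
    """Return a list of (ok, method, user, src) for each sshd auth line; other lines are ignored."""
    events = []
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            events.append((m["result"] == "Accepted", m["method"], m["user"], m["src"]))
    return events


def parse_last(lines):
    """Count (user, host) pairs in `last -a` output, skipping reboot records and the trailer."""
    sessions = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] in ("reboot", "wtmp", "btmp"):
            continue
        sessions[(parts[0], parts[-1])] += 1
    return sessions


def review(sshd_lines, last_lines, baseline, fail_threshold=3):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    failures = defaultdict(int)   # src -> failures since the last success from that src
    accepted = Counter()          # (user, src) -> successful sshd logins
    for ok, method, user, src in parse_sshd(sshd_lines):
        if not ok:
            failures[src] += 1    # keyed by source so spraying across users still counts
            continue
        if src not in baseline.get(user, set()):
            findings.append(f"new source: {user} from {src} ({method})")
        if failures[src] >= fail_threshold:
            findings.append(f"success after {failures[src]} failures: {user} from {src}")
        failures[src] = 0
        accepted[(user, src)] += 1
    # sshd is the authority: anything it logged that wtmp lacks is either a
    # non-pty session (scp, ssh -J, a single command) or an edited wtmp.
    sessions = parse_last(last_lines)
    for (user, src), n in accepted.items():
        m = sessions[(user, src)]
        if n > m:
            findings.append(
                f"wtmp gap: {user} from {src}: {n} sshd logins, {m} wtmp records "
                "(scp/-J session or edited wtmp)"
            )
    return findings


if __name__ == "__main__":
    for finding in review(SSHD_LOG, LAST_A, BASELINE):
        print(finding)
```

To use it on a real box, feed `review()` the output of `grep sshd /var/log/secure` (or `journalctl -u sshd --no-pager`) and `last -a`, and build `BASELINE` from a few weeks of older sshd lines. Following the advice earlier in the thread, run it against the copy of the logs that was forwarded off the host rather than the local files, since the local copies are exactly what a rootkit or an attacker with root would clean up.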