Friday 23 August 2013

How to check for Suspicious Account Use


Problem: You want to find unusual or dangerous use of accounts on your system: dormant user accounts, recent logins to system accounts, etc.


Solutions:
 
1. To print information about the last login for each user:
    # lastlog -u username

# lastlog -u root
Username   Port     From             Latest
root          pts/2    192.168.1.3  Wed Aug 14 21:43:11 -0700 2013

# lastlog -u ctechz
Username         Port     From             Latest
ctechz                                     **Never logged in**

2. To print entire login history:
    # last username

[root@localhost ~]# last ctechz
ctechz   pts/3      192.168.0.30   Thu Jun 27 05:32 - 05:32  (00:00)   
ctechz   pts/3      192.168.0.30   Thu Jun 27 05:31 - 05:31  (00:00)   
ctechz   pts/2      192.168.0.30   Tue Jun 25 04:38 - 04:39  (00:01)   
ctechz   pts/2      192.168.0.30   Tue Jun 25 04:18 - down   (00:04)
 
3. To print failed login attempts:
    # lastb username

# lastb ctechz
ctechz  ssh:notty  192.168.0.30  Tue Jun 25 04:38 - 04:38 (00:00)   
ctechz  ssh:notty  192.168.0.30  Tue Jun 25 04:18 - 04:18 (00:00)   
ctechz  ssh:notty  192.168.0.30  Mon Jun 24 22:42 - 22:42 (00:00)    
  

To enable recording of bad logins:
    # touch /var/log/btmp
    # chown --reference=/var/log/wtmp /var/log/btmp
    # chmod --reference=/var/log/wtmp /var/log/btmp


Note:-
Attackers look for inactive accounts that are still enabled, in the hope that intrusions will escape detection for long periods of time.

Linux systems record each user's last login time in the database /var/log/lastlog. The terminal and the remote system name, if any, are also noted.

/var/log/lastlog is a database, not a log file.

In contrast, the btmp log file will grow slowly (unless you are under attack), but it should be rotated like other log files.
You can either add btmp to the wtmp entry in /etc/logrotate.conf or add a similar entry in a separate file in the /etc/logrotate.d directory.

A history of all logins and logouts is recorded in the log file /var/log/wtmp. The "last" command scans this log file to produce a report of all login sessions, in reverse chronological order, sorted by login time.

Failed login attempts can also be recorded in the log file /var/log/btmp, but this is not done by default. To enable recording of bad logins, create the btmp file manually, using the same owner, group, and permissions as for the wtmp file. The "lastb" command prints the history of bad logins.
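As an added example (not code from the original post), the following script turns the lastlog check above into an automated audit: it parses the text that lastlog prints and flags accounts that have never logged in or have been idle longer than a threshold. The sample lastlog output, the 30-day threshold and the fixed "now" timestamp are constructed assumptions so the script runs offline; on a live system you would pipe real output in with lastlog | audit_lastlog 30 "$(date +%s)".

```shell
#!/bin/sh
# Added example, not from the original post: flag dormant and never-used
# accounts by parsing the text `lastlog` prints. Assumptions: the lastlog text
# is piped in, the threshold is in days, "now" is passed as epoch seconds.

# Constructed sample of `lastlog` output; users, hosts and times are made up.
SAMPLE_LASTLOG='Username         Port     From             Latest
root             pts/2    192.168.1.3      Wed Aug 14 21:43:11 -0700 2013
ctechz                                     **Never logged in**
jeffin           pts/2    192.168.0.30     Tue Jun 25 01:59:00 -0700 2013
backup                                     **Never logged in**'

# audit_lastlog DAYS NOW_EPOCH  < lastlog-output
# Prints "<user> never" for accounts that never logged in and
# "<user> dormant <days>" for accounts idle longer than DAYS.
audit_lastlog() {
    awk -v limit="$1" -v now="$2" '
    # Days since 1970-01-01 for a civil date (proleptic Gregorian calendar).
    function days_from_civil(y, m, d,   era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) mon[names[i]] = i
    }
    NR == 1 { next }                                  # header line
    /Never logged in/ { print $1, "never"; next }
    NF < 6 { next }                                   # blank or malformed line
    {
        # The last six fields are: Dow Mon DD HH:MM:SS TZ YYYY
        last_day = days_from_civil($NF, mon[$(NF-4)], $(NF-3))
        age = int(now / 86400) - last_day
        if (age > limit) print $1, "dormant", age
    }'
}

# Stand-alone run against the sample: 30-day threshold, "now" = 2013-08-23 00:00 UTC.
audit_sample() {
    printf '%s\n' "$SAMPLE_LASTLOG" | audit_lastlog 30 1377216000
}

audit_sample
```

Accounts that are flagged "never" and still have a login shell are the ones the note above warns about; compare the output against /etc/passwd before disabling anything.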

In Linux/Unix operating systems everything is logged somewhere.
Most system logs are written to the /var/log directory, which contains logs for different services and applications.
Among these are the files wtmp and btmp (and the related utmp, kept under /var/run).
These files contain the details of logins and logouts, from local terminals as well as from remote systems, plus system status information such as uptime.

utmp gives you a complete picture of current user logins: which terminals are in use, logouts, system events, the current status of the system, system boot time, etc.


wtmp gives historical data of utmp.
btmp records only failed login attempts.

These files are binary, so viewing them with the cat command or the vi editor shows only junk characters and garbage values instead of readable text. The output of the wtmp file when opened with vi or cat is shown below to illustrate this.

These files can only be read with the last command.


The "last" command is one of the important commands: it shows who logged in, when they logged in and when they logged out.

# last
The last command displays many details about user login/logout activity. The same command can be used to view the wtmp, utmp and btmp files.

To open the wtmp file and view its content, use the command below:
 

# last -f /var/log/wtmp

jeffin   pts/2    192.168.0.30  Tue Jun 25 01:59 - down   (00:23)   
root     pts/1        :0.0           Tue Jun 25 01:59 - down   (00:24)   
root     :0                             Tue Jun 25 01:59 - down   (00:24)   
root     :0                             Tue Jun 25 01:59 - 01:59  (00:00)   
reboot   system boot  2.6.18-194.el5   Tue Jun 25 01:57 (00:26)   
jeffin   pts/2    192.168.0.30  Tue Jun 25 01:43 - down   (00:11)   
jeffin   pts/2    192.168.0.30  Tue Jun 25 01:41 - 01:43  (00:01)   
ctechz  pts/3   192.168.0.30  Mon Jun 24 23:38 - 23:38  (00:00)   
ctechz  pts/3   192.168.0.30  Mon Jun 24 23:31 - 23:31  (00:00) 

To see users who are still logged in, view the utmp file with the last command:
# last -f /var/run/utmp

To view the btmp file, use the same command:
# last -f /var/log/btmp
                                                         gone - no logout
root     ssh:notty  192.168.0.30 Tue Jun 25 03:49 - 04:18 (00:28)   
root     ssh:notty  192.168.0.30 Tue Jun 25 03:37 - 03:49 (00:12)   
cteechz  ssh:notty 192.168.0.30 Mon Jun 24 23:37-03:37 (04:00)   
cteechz  ssh:notty 192.168.0.30 Mon Jun 24 23:37 - 23:37 (00:00)

