I've recently noticed some login entries that didn't seem to match my expectations on a Linux box. I ran the `last -a` command to review the logins, but nothing stood out as obviously wrong. Still, it got me thinking about how to differentiate between what's normal and what's not when it comes to system logins. How do you usually monitor and verify logins on your Linux system?
5 Answers
I also check the audit log and use the `w` command to see who is logged in. It helps to get a complete view of the current user activity.
I usually check the `/var/log/secure` file; it's my go-to for verifying logins. It's definitely the first place I look.
If the situation is more complex, I send logs to Elastic, then filter and visualize them in Kibana. It's important to get the logs off the server quickly since malicious actors can wipe login history. Also, setting up anomaly detection in Elastic can help catch unusual activity.
Exactly! It's crucial to have your logs stored somewhere safe. Some malware, like Adore, can mess with login activity.
Don't forget to check `lastb` for failed login attempts as well! It's useful for catching unauthorized access attempts.
Sometimes when jumping between servers with commands like `ssh -J`, those activities don't always show up in `who`, `w`, or `last`, but you'll see them in the sshd logs.
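As an added example (not code from any of the answers above), here is a small Python script that reads sshd lines in the format they appear in `/var/log/secure`, the file several answers rely on, and flags successful logins that follow a burst of failed attempts from the same source, plus a per-user view of where and how each account authenticated. The log lines are constructed sample data; the function names and the failure threshold are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format sshd writes to /var/log/secure.
SAMPLE_LOG = """\
Mar  3 09:12:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 09:12:04 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 09:12:08 host sshd[2103]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar  3 09:12:15 host sshd[2105]: Accepted publickey for root from 203.0.113.5 port 51041 ssh2: RSA SHA256:abc
Mar  3 09:30:22 host sshd[2210]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2: ED25519 SHA256:def
Mar  3 10:02:11 host sshd[2303]: Accepted password for bob from 198.51.100.7 port 33020 ssh2
"""

ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed (\S+) for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse_sshd(log_text):
    """Yield ('accepted'|'failed', method, user, source) for each sshd auth line."""
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            yield ("accepted",) + m.groups()
            continue
        m = FAIL_RE.search(line)
        if m:
            yield ("failed",) + m.groups()

def flag_logins(log_text, fail_threshold=3):
    """Return successful logins preceded by at least fail_threshold failed
    attempts from the same source address, as (user, source, failures).
    Lines are processed in order, so the success must come after the failures."""
    failures = defaultdict(int)
    flagged = []
    for kind, method, user, src in parse_sshd(log_text):
        if kind == "failed":
            failures[src] += 1
        elif failures[src] >= fail_threshold:
            flagged.append((user, src, failures[src]))
    return flagged

def accepted_by_user(log_text):
    """Map user -> set of (source, method) for accepted logins; compare this
    against the addresses and auth methods you expect for each account."""
    seen = defaultdict(set)
    for kind, method, user, src in parse_sshd(log_text):
        if kind == "accepted":
            seen[user].add((src, method))
    return dict(seen)
```

Run it against the real file with `flag_logins(open("/var/log/secure").read())`; on the sample it flags the root login from 203.0.113.5 that came right after three failures.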

Yeah same here, `/var/log/secure` is usually my first stop too!