newbie: how to monitor remote access like ssh to my server?

 
 
xcrazy
      08-18-2006, 11:38 AM
Hi, I have a Slackware 10.2 system, just learned to configure my
system as a web & mail server (using Apache), I wanted to know how can
I monitor any remote access (I have opened port 22,25,21,80) to my
comp? Even the access to my webpage?

 
Lew Pitcher
      08-18-2006, 12:42 PM
xcrazy wrote:
> Hi, I have a slackware 10.2 system, just learned to configure my
> system as a web & mail server (using apache), i wanted to know how can
> i monitor any remote access (i have opened port 22,25,21,80) to my
> comp? even the access to my webpage?


Port 21 is your ftp server. Slackware's default proftp is actually
launched on demand by inetd (see /etc/inetd.conf) and logged to
/var/log/messages.

Port 22 is your ssh server. Slackware's default OpenSSH and syslog
setup will log SSH activity to /var/log/messages. Look for the lines
marked "(sshd)".

Port 25 is your SMTP (email) server. Slackware's default sendmail and
syslog setup will log SMTP activities to /var/log/maillog.

Port 80 is your web server. Slackware's default Apache setup will log
activity to files in /var/log/apache/. Look for access_log (which logs
all HTTP requests and their result code) and error_log (which logs all
error requests).

In all cases, /var/log/messages, /var/log/syslog, and /var/log/debug
are the three critical files; review these first, then move on to the
application-specific logs. You also want to watch /var/log/secure.

HTH
--
Lew Pitcher
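
The reply above points at the sshd lines in /var/log/messages. As an added example (not part of the original post), this script counts failed and accepted SSH logins per source address; the sample log lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise sshd logins per source address from a syslog file.

# Constructed sample lines in the usual OpenSSH syslog format (not real data).
write_sample_log() {
    cat > "$1" <<'EOF'
Aug 18 12:01:02 myhost sshd[2101]: Accepted password for alan from 192.0.2.10 port 51234 ssh2
Aug 18 12:03:40 myhost sshd[2117]: Failed password for root from 198.51.100.7 port 40022 ssh2
Aug 18 12:03:44 myhost sshd[2119]: Failed password for invalid user admin from 198.51.100.7 port 40031 ssh2
Aug 18 12:03:49 myhost sshd[2121]: Failed password for invalid user test from 198.51.100.7 port 40040 ssh2
Aug 18 12:05:10 myhost proftpd[2130]: myhost (203.0.113.5[203.0.113.5]) - FTP session opened.
Aug 18 12:09:15 myhost sshd[2144]: Failed password for alan from 192.0.2.10 port 51300 ssh2
Aug 18 12:09:21 myhost sshd[2144]: Accepted password for alan from 192.0.2.10 port 51300 ssh2
EOF
}

# Print "<failed> <accepted> <source>" per address, most failures first.
summarize_sshd() {
    awk '
        $5 ~ /^sshd/ && ($6 == "Failed" || $6 == "Accepted") {
            # User names are attacker-chosen text, so take the LAST "from".
            src = ""
            for (i = 7; i < NF; i++) if ($i == "from") src = $(i + 1)
            if (src == "") next
            if ($6 == "Failed") failed[src]++; else accepted[src]++
            seen[src] = 1
        }
        END { for (s in seen) printf "%d %d %s\n", failed[s], accepted[s], s }
    ' "$1" | sort -k1,1nr -k3,3
}

# Sources with at least MIN failures and no accepted login.
suspicious_sources() {
    summarize_sshd "$1" | awk -v min="$2" '$1 >= min && $2 == 0 { print $3 }'
}

# Run against a real file when one is given, e.g. /var/log/messages.
if [ -n "${1:-}" ]; then summarize_sshd "$1"; fi
```
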


Alan Clifford
      08-18-2006, 10:24 PM
On Fri, 18 Aug 2006, Lew Pitcher wrote:

LP> xcrazy wrote:
LP> > Hi, I have a slackware 10.2 system, just learned to configure my
LP> > system as a web & mail server (using apache), i wanted to know how can
LP> > i monitor any remote access (i have opened port 22,25,21,80) to my
LP> > comp? even the access to my webpage?
LP>
LP>
LP> In all cases, /var/log/messages, /var/log/syslog, and /var/log/debug
LP> are the three critical files; review these first, then move on to the
LP> application-specific logs. You also want to watch /var/log/secure
LP>


I have a script in ~/bin/logtail.sh that runs a tail of my logs.

<--------- cut here ------------>

#!/bin/bash

su -c "tail -f /var/log/named/bind.log /var/log/apache/access_log /var/log/messages ~alan/.procmail/log /var/log/maillog"

<--------- cut here ------------>

(The tail line should all be on one line)

I leave this running in a terminal window. Also I make it old-fashioned
green on black to distinguish from other terminal windows.

You get a real time output of your logs looking something like this:

==> /var/log/named/bind.log <==
Aug 18 23:14:41.375 queries: info: client 127.0.0.1#48849: query:
yahoo.co.jp IN A
Aug 18 23:14:41.766 queries: info: client 127.0.0.1#48849: query:
nard.clifford.ac IN A

==> /var/log/maillog <==
Aug 18 23:14:41 nard milter-greylist: k7IMEeME028949: addr 60.15.129.113
from (E-Mail Removed) to
(E-Mail Removed) delayed for 00:05:00
Aug 18 23:14:41 nard sm-mta[28949]: k7IMEeME028949: Milter:
to=(E-Mail Removed), reject=451 4.7.1
Greylisting in action, please come back in 00:05:00
Aug 18 23:14:42 nard sm-mta[28949]: k7IMEeME028949:
from=(E-Mail Removed), size=0, class=0, nrcpts=0, proto=SMTP,
daemon=MTA, relay=[60.15.129.113]

==> /var/log/apache/access_log <==
65.55.213.37 - - [18/Aug/2006:23:14:43 +0100] "GET
/photo/2003/USA.October/tn/pa240470.med.jpg HTTP/1.0" 200 91504
65.55.213.37 - - [18/Aug/2006:23:14:49 +0100] "GET
/photo/2003/USA.October/tn/pa300500.med.jpg HTTP/1.0" 200 99500
65.55.213.37 - - [18/Aug/2006:23:14:53 +0100] "GET
/photo/2003/USA.October/tn/pa190363.med.jpg HTTP/1.0" 200 97565
65



--
Alan

( If replying by mail, please note that all "sardines" are canned.
There is also a password autoresponder but, unless this a very
old message, a "tuna" will swim right through. )

 
Sylvain Robitaille
      08-19-2006, 04:51 AM
Alan Clifford wrote:

> su -c "tail -f /var/log/named/bind.log ..."


You could make your log files readable to a group that contains your
user (and no users who don't perform system administration on your
system). Then you wouldn't need to use root privilege just to tail log
files ...

--
----------------------------------------------------------------------
Sylvain Robitaille (E-Mail Removed)

Systems and Network analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
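
One way to carry out the suggestion above, as an added example that is not part of the original post: hand the log files to an admin-only group with mode 640, then verify that nothing is left readable by other users. The group name `logread` and both function names are hypothetical.

```shell
#!/bin/sh
# Added example: let an admin-only group read logs so tail needs no root.
# One-time setup as root (group name "logread" is an assumption):
#   groupadd logread
#   gpasswd -a alan logread
#   sh this_script.sh logread /var/log/messages /var/log/maillog

# grant_group_read GROUP FILE...
# Gives each file to GROUP with mode 640: owner rw, group r, others nothing.
grant_group_read() {
    group=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || { echo "skip (not a regular file): $f" >&2; continue; }
        chgrp "$group" "$f" && chmod 640 "$f"
    done
}

# check_group_read GROUP FILE...
# Returns 0 only if every file belongs to GROUP, is group-readable,
# and grants no read, write or execute bit to other users.
check_group_read() {
    group=$1; shift
    rc=0
    for f in "$@"; do
        ok=$(find "$f" -prune -type f -group "$group" -perm -040 \
                 ! -perm -004 ! -perm -002 ! -perm -001 -print 2>/dev/null)
        [ -n "$ok" ] || { echo "not restricted to $group: $f" >&2; rc=1; }
    done
    return $rc
}

# With arguments: apply the change, then verify it.
if [ $# -ge 2 ]; then grant_group_read "$@" && check_group_read "$@"; fi
```

Files recreated by log rotation get the rotation tool's default owner and mode, so the same group and mode have to be set there too (with logrotate, through its `create` directive).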
 