unix Commands to Check Server Logs For Security

Abhishek Ghosh

By Abhishek Ghosh September 16, 2015 9:34 am Updated on September 16, 2015

unix Commands to Check Server Logs For Security

Here is a Basic Guide For the Beginners to Self Manage Cloud Server Instances. Master these unix Commands to Check Server Logs For Security. Self-Managing server by one person only is quite dangerous. One of the reason why most advanced users’ server do not get under attack is precaution.

Introduction to unix Commands to Check Server Logs For Security

It is quite normal today for a new user to use a cheaper Cloud IaaS at $5-$10/month charge to host website. It is, indeed far better than Shared Hosting. But you should be aware at least to understand that you may be under attack! Installing WordPress is quite easy, but server administration is not exactly easy. We recommend to use HP Cloud IaaS over Rackspace and Softlayer for HP Cloud’s excellent virtual router, possibility to easily take a backup as snapshot and change the IP using OpenStack floating IP system.

How you’ll secure the server, that is fully different topic. This is for a basic checking. Perhaps, you installed WordPress reading our guides or someone else’s; that is great. But you need to learn more. Suddenly using web based graphical monitoring system may introduce more vulnerabilities due to your lack of knowledge!

You are doing these on a GNU/Linux server (we used Ubuntu) with Nginx PHP5-FPM setup as root user. There is no reason to think that, knowing these unix commands to check server logs for security is enough.

Where to Check these unix Commands to Check Server Logs

Usually, the location /var/log/ is constant. There is a file named /etc/rsyslog.conf (do not edit it without knowledge), that controls this location. On custom setup, we change this location. If a third party get access to log, they will find the flaw faster!

You should have a minimum idea about sed, grep, awk, tail, cat, last, more, head and unix pipe. These are basic commands or utilities. Only under /var/log/, there are are at least 30 files which are important to check, needless to say, some location & names are corresponding to our previous guides :

/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/nginx/fpm.status.log
/var/log/mysql/error.log
/var/log/mysql/mysql.log
/var/log/messages
/var/log/dmesg
/var/log/auth.log
/var/log/boot.log
/var/log/daemon.log
/var/log/dpkg.log
/var/log/kern.log
/var/log/lastlog
/var/log/maillog /var/log/mail.log
/var/log/user.log
/var/log/Xorg.x.log
/var/log/alternatives.log
/var/log/btmp
/var/log/anaconda.log
/var/log/cron
/var/log/secure
/var/log/wtmp or /var/log/utmp
/var/log/faillog
/var/log/mail/
/var/log/prelink/
/var/log/prelink/prelink.log
/var/log/audit/
/var/log/sssd/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

/var/log/nginx/access.log

/var/log/nginx/error.log

/var/log/nginx/fpm.status.log

/var/log/mysql/error.log

/var/log/mysql/mysql.log

/var/log/messages

/var/log/dmesg

/var/log/auth.log

/var/log/boot.log

/var/log/daemon.log

/var/log/dpkg.log

/var/log/kern.log

/var/log/lastlog

/var/log/maillog /var/log/mail.log

/var/log/user.log

/var/log/Xorg.x.log

/var/log/alternatives.log

/var/log/btmp

/var/log/anaconda.log

/var/log/cron

/var/log/secure

/var/log/wtmp or /var/log/utmp

/var/log/faillog

/var/log/mail/

/var/log/prelink/

/var/log/prelink/prelink.log

/var/log/audit/

/var/log/sssd/

for checking these files, running a cat is basic work :

cat /var/log/nginx/access.log

1	cat /var/log/nginx/access.log

But, that is not a way to filter the errors. Our previous guide on XMLRPC attack elaborates complicated commands with real examples. It is mandatory to read, else you will not understand what we want to do with :

---

cat /var/log/nginx/access.log | grep xmlrpc | awk '{print $1}' | sort | uniq

1	cat /var/log/nginx/access.log \| grep xmlrpc \| awk '{print $1}' \| sort \| uniq

unix Commands to Check Server Logs For Security : Networking

It is important to check the networking randomly. If you run this command (control+C is quit) :

sudo watch netstat -anlp

1	sudo watch netstat -anlp

you’ll get an idea around the open requests towards the ports. netstat -na is great basic tool which can rule out DDoS attacks on IaaS. I expect that, the table for :

netstat -an | grep :443 | sort

1	netstat -an \| grep :443 \| sort

will be larger than :

netstat -an | grep :80 | sort

1	netstat -an \| grep :80 \| sort

for this website. This is a HSTS website. I can see the IP address sending requests :

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

1	netstat -ntu \| awk '{print $5}' \| cut -d: -f1 \| sort \| uniq -c \| sort -n

Last but not the least, top definitely one of the top notch basic command to check the system resource usage on the go. Q is to quit it. This is a server under attack, eating up the full memory attack (shown with yellow lines). Obviously, if you never checked the maximum memory consumed at highest load with a known number of traffic shown in any software like Google Analytics, normal situation will appear as “under attack”.

unix Commands to Check Server Logs For Security

These commands are lesser than what you really should know, but yet better than knowing nothing.

Tagged With xml logs and server using unix commands , how to chck the cloud server up or not in unix , commands to get logs from server , command to check the status of logs -h , command to check the logs in unix , command to check logs in a host , command to check log file on server , checking security log in unix , check unix logs on host server , cat security server command

About Abhishek Ghosh

Here’s what we’ve got for you which might like :

Take The Conversation Further ...