Reporting Penetration Attempts to My Server

I need a log file of penetration attempts to my server. Ideally, this log should contain all attempts including logins, HTTPD activities, FTP activities, NFS, and other conventional open ports. However, it is enough for me to have HTTPD, FTP, and NFS.

Is there such a service (or such log files) available in CentOS (built-in preferred)?


Solution 1:

There is no single log file that logs all these things. You will need to go through all your logs and extract single lines. You can of course facilitate this with a regex.

One thing you might want to opt for is using OSSEC on your machine. It's a host-based intrusion detection system and it actually keeps logs of all malicious login attempts on your server. Even better: it blocks IPs when they try to brute-force your machine.

Solution 2:

Following are the log files.

Http:

/var/log/httpd/access.log - All the information about who accesses your site.

/var/log/httpd/error.log - All the error logs of your website are stored there.

It also depends on the VirtualHost configuration which file you defined for logs; the default files are the ones above.

Security:

All security-related logs are stored in

/var/log/secure

Syslog: System-wide messages are stored in

/var/log/messages

Maillog: The mail log is stored in

/var/log/maillog

VSFTPD: The FTP log file depends on your configuration. If you are using vsftpd, see xferlog_file=/var/log/xferlog, and also enable xferlog_enable=YES.

It is better to configure fail2ban for log file monitoring.
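Pulling the two answers together, as an added example that is not part of either answer: a small Python script that does what Solution 1 describes (walk the separate logs and pull out matching lines with regexes) over the files Solution 2 lists, then counts attempts per source IP, which is the same per-IP, maxretry-style logic that fail2ban applies before banning. The file paths, the HTTP status codes treated as probes, the threshold and the sample log lines are my own assumptions, not anything from the original page. One caveat worth knowing: vsftpd's xferlog records completed transfers only, so failed FTP logins are looked for in vsftpd.log (they go to syslog instead if syslog_enable=YES), and on CentOS the Apache files are named access_log and error_log unless CustomLog/ErrorLog in httpd.conf say otherwise.

```python
"""Consolidate failed-access attempts from several CentOS log files into one report."""
import re
from collections import Counter

# Regexes for the log formats discussed above (hand-written for this example).
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = {
    # /var/log/secure: sshd failures, written via syslog
    "sshd": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from " + IP
    ),
    # Apache access log in combined format; 401/403/404 are counted as probes (assumption)
    "httpd": re.compile(
        r"^" + IP + r' \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>40[134]) '
    ),
    # /var/log/vsftpd.log (not xferlog): failed logins
    "vsftpd": re.compile(r'FAIL LOGIN: Client "' + IP + r'"'),
}

# Constructed sample lines, one successful/benign entry per source so the filters
# have something to ignore. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_SECURE = [
    "Sep 17 10:12:45 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 51122 ssh2",
    "Sep 17 10:12:47 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 51122 ssh2",
    "Sep 17 10:12:50 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51130 ssh2",
    "Sep 17 10:13:01 web1 sshd[2210]: Accepted publickey for deploy from 192.0.2.10 port 40011 ssh2",
]
SAMPLE_ACCESS = [
    '203.0.113.9 - - [17/Sep/2013:10:14:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Sep/2013:10:14:03 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [17/Sep/2013:10:14:10 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.29"',
    '203.0.113.9 - - [17/Sep/2013:10:14:11 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]
SAMPLE_VSFTPD = [
    'Tue Sep 17 10:15:20 2013 [pid 2301] [anonymous] FAIL LOGIN: Client "198.51.100.7"',
    'Tue Sep 17 10:15:25 2013 [pid 2305] [deploy] OK LOGIN: Client "192.0.2.10"',
]


def scan_lines(source, lines):
    """Yield (source, ip, detail) for every line matching that source's pattern."""
    pat = PATTERNS[source]
    for line in lines:
        m = pat.search(line)
        if not m:
            continue
        if source == "sshd":
            detail = "user=" + m.group("user")
        elif source == "httpd":
            detail = m.group("status") + " " + m.group("req")
        else:
            detail = "ftp login failed"
        yield source, m.group("ip"), detail


def report(logs, threshold=3):
    """logs maps source name -> iterable of lines.

    Returns (counts, offenders): counts is a Counter keyed by (source, ip);
    offenders is the sorted list of IPs whose attempts across all sources
    reach `threshold` (the role fail2ban's maxretry plays)."""
    counts = Counter()
    for source, lines in logs.items():
        for src, ip, _detail in scan_lines(source, lines):
            counts[(src, ip)] += 1
    totals = Counter()
    for (_src, ip), n in counts.items():
        totals[ip] += n
    offenders = sorted(ip for ip, n in totals.items() if n >= threshold)
    return counts, offenders


def load_logs(paths):
    """paths maps source name -> file path; missing files yield an empty list."""
    logs = {}
    for source, path in paths.items():
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                logs[source] = fh.read().splitlines()
        except FileNotFoundError:
            logs[source] = []
    return logs


if __name__ == "__main__":
    # Assumed CentOS default locations; adjust to your httpd.conf / vsftpd.conf.
    logs = load_logs({
        "sshd": "/var/log/secure",
        "httpd": "/var/log/httpd/access_log",
        "vsftpd": "/var/log/vsftpd.log",
    })
    if not any(logs.values()):  # fall back to the constructed samples
        logs = {"sshd": SAMPLE_SECURE, "httpd": SAMPLE_ACCESS, "vsftpd": SAMPLE_VSFTPD}
    counts, offenders = report(logs)
    for (source, ip), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{source:7} {ip:15} {n:4} attempts")
    print("over threshold:", ", ".join(offenders) or "none")
```

Run it as root (the logs are not world-readable) and it prints one line per source and IP plus the IPs that crossed the threshold; on a machine without those files it runs over the embedded samples. The regexes are deliberately the same shape as fail2ban's sshd, apache-auth and vsftpd filters, so once you are happy with what they match the natural next step is to let fail2ban watch the same files and ban on your behalf.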