lyecdevf
I have recently looked at my /var/log directory. What I found upset me, so I would like to ask
someone to help me understand this mess.
I am using Debian lenny at the moment and I have had it for a few months now. I installed various
security tools on it, including tcpspy.
So when I looked at the tcpspy logs I got very confused. I have written down below what
logs I have.
daemon.log#1 May 10-17
daemon.log#3 Apr 26-May 3 07:43:10
daemon.log#4 Apr 20 10:20:13-Apr 26 08:04:35
daemon.log#5 Apr 14 10:02:28-Apr 20 10:19:56
syslog.log#1 May 18 08:00:36-May 19 07:42:31
syslog.log#2 May 17 08:02:18-May 18 08:00:36
syslog.log#3 May 16 07:52:59-May 17 08:02:15
syslog.log#4 May 15 07:43:13-May 16 07:52:59
syslog.log#6 May 13 08:02:01-May 14 07:54:45
syslog.log#7 May 12 08:00:55-May 13 08:02:01
For some reason the logs of tcpspy are saved in two differently named files. The file called
daemon.log has logs ranging from May 10-17, Apr 26-May 3, Apr 20-26 and Apr 14-20, so they cover
the time from Apr 14-May 3, but then there is a gap between May 3 and May 10, which is a whole week,
and I do not remember shutting down the computer at that time, although it is possible that it was offline.
The file called syslog.log has tcpspy logs from May 12-19. There is actually some overlap between
the daemon.log and the syslog.log.
My question is: where are the other logs? I am missing logs from before Apr 14.
Code:
Apr 29 16:15:31 debian sm-mta[4093]: n3TE5F0Z024103: SYSERR(root): Cannot exec /usr/sbin/sensible-mda: No such file or directory
Apr 29 16:21:11 debian sm-msp-queue[4145]: unable to qualify my own domain name (debian) -- using short name
Apr 29 16:25:16 debian sm-mta[4152]: n3TF5Fjn025679: SYSERR(root): putbody: write error: Broken pipe
Apr 29 17:02:13 debian sendmail[5465]: My unqualified host name (debian) unknown; sleeping for retry
Apr 29 17:03:14 debian sendmail[5465]: unable to qualify my own domain name (debian) -- using short name
May 17 08:06:36 debian sm-mta[12944]: n4HCkZee012604: SYSERR(root): hash map "Alias0": missing map file /etc/mail/aliases.db: No such file or directory
May 17 08:06:48 sm-mta[12944]: n4CD4lWY002752: n4HD6Zee012944: return to sender: Cannot send message for 5 days
--WARN-- [acc006w] Login ID gdm's home directory (/var/lib/gdm) has group `gdm' write access.
--WARN-- [acc021w] Login ID honeyd appears to be a dormant account.
--WARN-- [acc006w] Login ID mail's home directory (/var/mail) has group `mail' and world write access.
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not accessible.
--WARN-- [cron004w] Root crontab does not exist
--WARN-- [cron005w] Use of cron is not restricted
# Checking device permissions...
--WARN-- [dev003w] The directory /dev/bsg resides in a device directory.
--FAIL-- [dev002f] /dev/log has world permissions
--WARN-- [dev003w] File /dev/sndstat is a regular file in a device directory.
# Performing check of embedded pathnames...
--WARN-- [embed001w] Path `/etc/mail/Makefile' contains `/etc/mail' which is not owned by root (owned by smmta).
Embedded references in: /etc/init.d/sendmail
--WARN-- [embed001w] Path `/etc/mail/tls/starttls.m4' contains `/etc/mail' which is not owned by root (owned by smmta).
Embedded references in: /etc/mail/Makefile->/etc/init.d/sendmail
--WARN-- [embed001w] Path `/etc/mail/tls/starttls.m4' contains `/etc/mail/tls' which is not owned by root (owned by smmta).
Embedded references in: /etc/mail/Makefile->/etc/init.d/sendmail
# Performing common access checks for root...
--FAIL-- [netw020f] There is no /etc/ftpusers file.
# Checking listening processes
--WARN-- [lin003w] The process `avahi-daemon' is listening on socket 35967 (UDP on every interface) is run by avahi.
--WARN-- [lin003w] The process `avahi-daemon' is listening on socket 5353 (UDP on every interface) is run by avahi.
--WARN-- [lin002i] The process `cupsd' is listening on socket 631 (UDP) on every interface.
--WARN-- [lin002i] The process `dhclient' is listening on socket 68 (UDP) on every interface.
--WARN-- [lin003w] The process `ktorrent' is listening on socket 6881 (TCP on every interface) is run by mupi.
--WARN-- [lin003w] The process `portmap' is listening on socket 111 (TCP on every interface) is run by daemon.
--WARN-- [lin003w] The process `portmap' is listening on socket 111 (UDP on every interface) is run by daemon.
--WARN-- [lin003w] The process `rpc.statd' is listening on socket 43664 (TCP on every interface) is run by statd.
--WARN-- [lin003w] The process `rpc.statd' is listening on socket 51234 (UDP on every interface) is run by statd.
--WARN-- [lin003w] The process `rpc.statd' is listening on socket 935 (UDP on every interface) is run by statd.
# Performing check of passwd files...
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (bin) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (daemon) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (debian-tor) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (games) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (gnats) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (irc) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (libuuid) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (list) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (lp) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (mail) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (man) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (mupi) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (news) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (nobody) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (proxy) is disabled, but has a valid shell.
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync).
--WARN-- [pass014w] Login (sys) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (uucp) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (www-data) is disabled, but has a valid shell.
--WARN-- [pass012w] Home directory /var/lib/sendmail exists multiple times (2) in /etc/passwd.
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck -r).
# Checking running processes
--FAIL-- [misc020f] The process 'syslogd' has not been found running in the processes table.
--FAIL-- [misc020f] The process 'klogd' has not been found running in the processes table.
# Performing check of 'services' ...
# Checking services from /etc/services.
--WARN-- [inet003w] The port for service sieve is also assigned to service cisco-sccp.
--WARN-- [inet003w] The port for service ndtp is also assigned to service pipe_server.
--WARN-- [inet003w] The port for service ndtp is also assigned to service search.
--WARN-- [inet003w] The port for service postgres is also assigned to service postgresql.
--WARN-- [inet003w] The port for service postgres is also assigned to service postgresql.
--WARN-- [inet003w] The port for service sane is also assigned to service sane-port.
--WARN-- [inet003w] The port for service webcache is also assigned to service http-alt.
--WARN-- [inet003w] The port for service webcache is also assigned to service http-alt.
# Performing system specific checks...
# Performing checks for Linux/2...
# Checking for single user-mode password...
# Checking boot loader file permissions...
--WARN-- [boot02] The configuration file /boot/grub/menu.lst has group permissions. Should be 0600
--FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world permissions. Should be 0600
--WARN-- [boot06] The Grub bootloader does not have a password configured.
# Checking for vulnerabilities in inittab configuration...
--FAIL-- [lin007w] Normal users can reboot the system through ctrl+alt+del in runlevels 12345
# Checking for correct umask settings for init scripts...
--WARN-- [misc021w] There are no umask entries in /etc/init.d/rcS
# Checking Logins not used on the system ...
# Checking network configuration
--WARN-- [lin012w] The system accepts ICMP redirection messages
--FAIL-- [lin013f] The system is not protected against Syn flooding attacks
--FAIL-- [lin014f] The system permits the transmission of IP packets with invalid addresses
--FAIL-- [lin016f] The system permits source routing from incoming packets
--WARN-- [lin017w] The system is not configured to log suspicious (martian) packets
--FAIL-- [lin019f] The system does not have any local firewall rules configured
# Verifying system specific password checks...
# Checking OS release...
# Checking installed packages vs Debian Security Advisories...
# Checking md5sums of installed files
# Checking installed files against packages...
--WARN-- [lin001w] File `/lib/init/rw/.ramfs' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.dep' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.pcimap' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.inputmap' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.isapnpmap' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.alias' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.ccwmap' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.ieee1394map' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.ofmap' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.seriomap' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.symbols' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.26-1-686/modules.usbmap' does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.26-2-686/modules.dep' does not belong to any package.
Here are some common problems that were reported. I am at the moment googling each one of them, but I feel so overwhelmed. Could you point out which ones are the real security risks and the ones I should look at more closely?
You may think this thread is a complete mess too, and it probably is. Help me make sense of all this!
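The coverage question in the post (which rotated file holds which dates, and where the holes are) is worth scripting rather than eyeballing. The script below is an added example, not code from lyecdevf's post or from tcpspy: it walks a log directory the way logrotate lays it out (daemon.log, daemon.log.1, daemon.log.2.gz, ...), keeps only lines from one program tag, and prints per-file first/last stamps plus any hole wider than a threshold. Syslog stamps carry no year, so the year is an assumption passed in (2009 here). The sample files it builds are constructed to mimic the layout in the post, with daemon.log.1 deliberately absent so the script has a gap to report, and the catch-all file is named syslog as Debian names it. Two facts behind the overlap and the missing history that the script only makes visible: a stock Debian syslog configuration writes daemon-facility messages to both daemon.log and syslog, so tcpspy appearing in both is expected, and the stock rotation keeps syslog daily for seven rotations but the per-facility logs weekly for four, so daemon.log never reaches back more than about four weeks.

```python
"""Map which rotated syslog files cover which dates for one program tag and
report holes in that coverage. Added example; not code from the original post."""
import gzip
import os
import re
import tempfile
from datetime import datetime, timedelta

# Classic syslog line: "Apr 26 08:04:35 host tag[pid]: message". The stamp has no year.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def open_log(path):
    """Rotated copies end in .gz once logrotate compresses them; read both as text."""
    if path.endswith(".gz"):
        return gzip.open(path, "rt", encoding="utf-8", errors="replace")
    return open(path, encoding="utf-8", errors="replace")


def rotated_files(logdir, base):
    """base, base.1, base.2.gz, ... ordered by rotation number (0 = the live file)."""
    pat = re.compile(r"^" + re.escape(base) + r"(?:\.(\d+))?(?:\.gz)?$")
    found = []
    for name in os.listdir(logdir):
        m = pat.match(name)
        if m:
            found.append((int(m.group(1) or 0), name))
    return [name for _, name in sorted(found)]


def coverage(logdir, base, tag, year):
    """[(filename, first_stamp, last_stamp, line_count)] for lines whose tag == `tag`.
    `year` is an assumption: syslog stamps do not carry one."""
    out = []
    for name in rotated_files(logdir, base):
        first = last = None
        count = 0
        with open_log(os.path.join(logdir, name)) as fh:
            for line in fh:
                m = LINE_RE.match(line.rstrip("\n"))
                if not m or m.group("tag") != tag:
                    continue
                ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
                count += 1
                first = ts if first is None or ts < first else first
                last = ts if last is None or ts > last else last
        if count:
            out.append((name, first, last, count))
    return out


def gaps(cov, min_gap=timedelta(hours=12)):
    """Merge the per-file intervals; return [(hole_start, hole_end)] wider than min_gap."""
    merged = []
    for start, end in sorted((c[1], c[2]) for c in cov):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return [(a[1], b[0]) for a, b in zip(merged, merged[1:]) if b[0] - a[1] > min_gap]


def tcpspy_line(stamp, remote):
    """Constructed line in tcpspy's 'connect:' style; addresses are documentation ranges."""
    return (f"{stamp} debian tcpspy[2210]: connect: proc (unknown), user mupi, "
            f"local 192.0.2.10:40000, remote {remote}:80")


def build_sample_logdir():
    """Constructed directory imitating the layout in the post: daemon.log (May 10-17),
    daemon.log.1 deliberately absent, daemon.log.2.gz (Apr 26-May 3), and a syslog file
    carrying the same daemon-facility lines, as Debian's stock syslog config does."""
    d = tempfile.mkdtemp(prefix="logcov-")
    current = [tcpspy_line("May 10 09:12:01", "198.51.100.5"),
               "May 12 10:00:00 debian sm-mta[4093]: unrelated sendmail noise",
               tcpspy_line("May 17 07:58:44", "198.51.100.7")]
    old = [tcpspy_line("Apr 26 08:04:35", "203.0.113.9"),
           tcpspy_line("May  3 07:43:10", "203.0.113.9")]
    with open(os.path.join(d, "daemon.log"), "w", encoding="utf-8") as fh:
        fh.write("\n".join(current) + "\n")
    with gzip.open(os.path.join(d, "daemon.log.2.gz"), "wt", encoding="utf-8") as fh:
        fh.write("\n".join(old) + "\n")
    with open(os.path.join(d, "syslog"), "w", encoding="utf-8") as fh:
        fh.write("\n".join(current) + "\n")
    return d


def report(logdir, base="daemon.log", tag="tcpspy", year=2009):
    """Print the per-file ranges and any holes; returns (coverage, holes) for callers."""
    cov = coverage(logdir, base, tag, year)
    for name, first, last, n in cov:
        print(f"{name:18} {first:%b %d %H:%M:%S} - {last:%b %d %H:%M:%S}  ({n} {tag} lines)")
    holes = gaps(cov)
    for end, start in holes:
        print(f"GAP: no {tag} lines from {end:%b %d %H:%M} to {start:%b %d %H:%M} "
              f"({(start - end).days} days): missing rotation, host down, or daemon stopped")
    return cov, holes


if __name__ == "__main__":
    report(build_sample_logdir())
```

On a real box, call report("/var/log") as a user in the adm group (the rotated files are mode 640, group adm). A hole that lines up exactly with a rotation boundary points at a rotation or compression problem; a hole that starts mid-file points at the host or the daemon being down, and the uptime and the wtmp history are the next things to check.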
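Of the Tiger findings in the post, the network ones (lin012w through lin017w) are the cheapest to act on and to re-verify, because each corresponds to one kernel setting under /proc/sys. The script below is an added example, not part of the post or of Tiger: it reads those settings, marks each as matching or not, and emits the sysctl.conf lines that would clear the failures. The mapping from Tiger message to sysctl key is the editor's, taken from what each message names; only the check IDs come from the post. The UNHARDENED dictionary is constructed to stand in for a box in the state the post describes, and fake_proc builds a throwaway /proc/sys look-alike so the script runs offline. lin019f (no local firewall rules) is not a sysctl and is left out.

```python
"""Verify the kernel network settings behind Tiger's lin012w..lin017w messages by
reading /proc/sys, and print the sysctl.conf lines that fix the failures.
Added example; not code from the original post or from Tiger."""
import os
import tempfile

# Tiger finding -> (sysctl key, value that clears it). The mapping is the editor's,
# taken from what each message names; only the IDs come from the post.
EXPECTED = {
    "lin012w ICMP redirects accepted":    ("net.ipv4.conf.all.accept_redirects", "0"),
    "lin013f no SYN flood protection":    ("net.ipv4.tcp_syncookies", "1"),
    "lin014f spoofed source addresses":   ("net.ipv4.conf.all.rp_filter", "1"),
    "lin016f source routing accepted":    ("net.ipv4.conf.all.accept_source_route", "0"),
    "lin017w martian packets not logged": ("net.ipv4.conf.all.log_martians", "1"),
}

# Constructed values standing in for an unhardened box like the one in the post.
UNHARDENED = {key: ("0" if want == "1" else "1") for key, want in EXPECTED.values()}


def read_sysctl(key, proc_root="/proc"):
    """net.ipv4.tcp_syncookies -> <proc_root>/sys/net/ipv4/tcp_syncookies, stripped."""
    path = os.path.join(proc_root, "sys", *key.split("."))
    with open(path) as fh:
        return fh.read().strip()


def audit(proc_root="/proc"):
    """{finding: (current, expected, ok)}; an unreadable key counts as a failure."""
    results = {}
    for finding, (key, want) in EXPECTED.items():
        try:
            have = read_sysctl(key, proc_root)
        except OSError:
            have = None
        results[finding] = (have, want, have == want)
    return results


def sysctl_conf_lines(results):
    """Lines to append to /etc/sysctl.conf for each failed check (apply with sysctl -p)."""
    return [f"{EXPECTED[f][0]} = {want}" for f, (_, want, ok) in results.items() if not ok]


def fake_proc(values):
    """Build a throwaway /proc/sys look-alike so the audit can run off a real host."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for key, val in values.items():
        path = os.path.join(root, "sys", *key.split("."))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(val + "\n")
    return root


if __name__ == "__main__":
    # Demo against the constructed tree; call audit() with no argument on the real host.
    res = audit(fake_proc(UNHARDENED))
    for finding, (have, want, ok) in res.items():
        print(f"{'OK  ' if ok else 'FAIL'} {finding}: current={have!r} expected={want!r}")
    print("\n# add to /etc/sysctl.conf, then run: sysctl -p")
    print("\n".join(sysctl_conf_lines(res)))
```

The conf.all.* keys are combined with the per-interface conf.<if>.* values, and interfaces created later (the one dhclient brings up, for instance) start from conf.default.*, so in the real /etc/sysctl.conf set the matching conf.default.* keys to the same values. After `sysctl -p`, re-running Tiger is the authoritative check that the five messages are gone.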