How to see who tried logging into your Ubuntu machine


Putting a piece of software onto a publicly reachable machine on the open (bad, dangerous, dirty and unbelievably complex) web presents you with all kinds of neat problems.
One of them is that as soon as you have a public address, a certain kind of people will sure try to knock on your door, push and pull a little here and there in order to see if they can open a door or a window and look what’s inside for them.

The last few days, we’ve seen an interesting increase in visits from China (well, as far as you can tell from IP address lookup. Maybe someone just uses a chinese access point or whatnot), who all try to log in as root on our Linux server.

Here is what you can do to first find out if someone was on your machine (and left traces):

lastlog
This will show you a list of all your users on the machine and when and from which address they logged in. As long as there are no users in the list that you don’t know, and as long as there are no addresses from where they logged in that sound suspicious to you, there is a chance there was no breach into your system – at least you have a first idea if there is a problem here. Of course, you can assume that real professionals will be clever enough to remove their traces anyways. Not to mention those bad guys we hear so much about these days…

Here’s what the output of lastlog looks like:

Username         Port     From             Latest
root             pts/2    IPADDRESS     Thu Aug 28 15:38:05 +0200 2014
daemon                                     **Never logged in**
bin                                        **Never logged in**

/var/log/auth.log (on Ubuntu)
This is the log file in which you see all authentication attempts. By searching through this file, you can see all login attempts that failed by looking for entries like:

Aug 24 07:21:22 yourhostname sshd[20151]: Failed password for root from 116.10.191.206 port 45168 ssh2

Based on what you learn from the logs you can decide to block certain IPs or subnets in your firewall. It’s hard to give good general advice on the topic…