Centralizing logs with Papertrail

Sysadmins have a love/hate relationship with logs. We spend hours and hours every day diving through them looking for clues about what happened that shouldn’t have, what didn’t happen that should have, what systems and people are actually doing, and gauging capacity for the future.

It’s one thing to look at one log for one particular issue; but some complex issues lead a merry chase through many logs or many servers, which can get very complicated very fast. To ease that burden, all but the simplest of setups should employ some form of log centralization. Centralized logs are easier to access en masse, and it’s easier to bring analytical tools to bear on them to pry out their secrets.

Continue reading “Centralizing logs with Papertrail”

What does brute force SSH hacking look like?

Brute force hacking is the easiest, least effective, and messiest method of all the ways to attempt to gain access to a system. It leaves a really obvious trail, and it’s fairly easy to stop unless you’ve become the target of a large organization that really is out to get you.

By definition, brute force hack attempts are simply some variation of just trying to guess a proper username and password combination. I will look at attempts to break into a Linux box via SSH, but the principles are the same regardless of the attack target.

Continue reading “What does brute force SSH hacking look like?”

Looking for hacking activity in Apache Logs

This is my first post with Ghost and since it contains code snippets and command line goodies I thought it would be a good test for Ghost’s markdown language. Let’s see how it goes.

The sheer number of bad people on the planet means that there’s a really good chance your website has at least been probed to see if it is a good attack platform. It may also mean that your website has already been compromised and is doing bad things for some other person as we speak. Some people I talk to say things like “well, if I get hacked, I’ll deal with it then”. But that’s dumb. It’s dumb because when someone compromises your website, they’re not going to put a big banner on it letting you know. It may be days, weeks or months before you notice.

Continue reading “Looking for hacking activity in Apache Logs”