This morning I discovered that my web-server was the subject of a brute force style attack. I only discovered this when I randomly checked my /var/log/auth.log file and saw the incoming requests. Has anyone got any advice on which log files I should be reading on my Apache web-server? Along with this, is it worth emailing myself the logs to read at my leisure, and if so, what are the easiest methods for doing this?
Tools like OSSEC really help you to catch these kinds of things while they're happening, instead of discovering them the next day.
Beyond that, I continue to use logwatch just for the sake of an archived digest I can search through quickly via my mail client.
Logwatch will scan and mail out details of the logs. Very useful for archiving purposes should you ever need to review older states. Larger production machines tend to need the output filtered somewhat.
Also, install denyhosts or similar to block the attempts.
Just use logcheck or logwatch (I prefer logcheck, myself) to filter out all the stuff you don't want to see, and then the rest will be e-mailed to you. Massively useful, should be running on every server.
Check the bottom of /etc/aliases and add your email address at the bottom. Make sure sendmail or postfix is working so you actually get the email.
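The question asks which log to read and how to get a digest by mail; the answers above point at /var/log/auth.log and at a working local MTA. The script below is an added example, not code from any poster or from logwatch/logcheck: it pulls the "Failed password" lines sshd writes to auth.log, counts them per source address, and prints only the sources at or above a threshold, which is the kind of line-filtering the tools recommended here do before mailing. The log lines are constructed for the example (documentation-range addresses, a hostname "web1"), and the function names and the threshold value are the example's own choices.

```shell
#!/bin/sh
# Added example: summarise failed SSH logins in an auth.log by source address.
# The lines below are constructed sample data standing in for /var/log/auth.log;
# they are not from the original poster's server.

SAMPLE_AUTH_LOG='Mar  3 06:12:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 06:12:03 web1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Mar  3 06:12:05 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51044 ssh2
Mar  3 06:15:40 web1 sshd[2290]: Failed password for root from 198.51.100.23 port 40110 ssh2
Mar  3 06:16:02 web1 sshd[2301]: Accepted publickey for deploy from 192.0.2.10 port 55012 ssh2
Mar  3 06:20:11 web1 sshd[2350]: Failed password for invalid user test from 203.0.113.7 port 51200 ssh2'

# failed_by_source LOGFILE
# Prints "count ip" lines, most frequent source first. Only sshd "Failed password"
# records are considered; accepted logins and other daemons are ignored.
failed_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# failed_count LOGFILE IP
# Number of failed attempts from a single address (0 if it never appears).
failed_count() {
    failed_by_source "$1" \
        | awk -v ip="$2" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# digest LOGFILE THRESHOLD
# Human-readable report of every source with at least THRESHOLD failures;
# this is the text you would hand to mail(1) or read from a logwatch-style digest.
digest() {
    failed_by_source "$1" \
        | awk -v t="$2" '$1 >= t { printf "%s failed logins from %s\n", $1, $2 }'
}

# Stand-alone run: write the constructed sample to a temp file and summarise it.
TMP_LOG=$(mktemp)
printf '%s\n' "$SAMPLE_AUTH_LOG" > "$TMP_LOG"
digest "$TMP_LOG" 3
rm -f "$TMP_LOG"
```

Run against the real file with `digest /var/log/auth.log 10`; piping that output into `mail -s "sshd failures" root` uses the same /etc/aliases forwarding this answer sets up, so the address you add there is where the digest lands. The threshold keeps the occasional mistyped password out of the report while a burst from one address still shows up.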
Depending on how many boxes you want to monitor, you might want to look into a centralised log monitoring system. I personally use it even for small deployments simply because it's much more convenient to have all my logs (not just apache) accessible and searchable centrally.
Tools like Splunk make that very easy and quite pleasant to use.