Linux UpSkill Challenge Day 3 - sudo and auth.log
One thing that I've been pretty poor at is checking logs. I think I can count on one hand the number of times I've used Event Viewer on Windows in the 21 years I was using it. It wasn't until I started using NGINX as my reverse proxy that I started actively looking at them. Browsing the access.log and error.log files gave me a glimpse as to who was accessing my domain and specifically what. I learned something similar doing the day 3 challenge when it came to /var/log/auth.log.
Since this is a remote server, any login attempt is logged there, and since I secured the server with keys instead of a password, the majority of the attempts by the bots don't make it past that part. There are a few that seem to have a set of keys to use, as pictured below; what exactly they are looking for I do not know, but I imagine that's the type of thing a honeypot would be good for.
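To get a feel for what auth.log is actually telling you, here is a small added example (my own illustration for this post, not part of the challenge material) that walks sshd lines and tallies rejected connections per source address, the usernames each address tried, and any accepted logins. The log lines are constructed in the format sshd writes; one check worth keeping is that "Failed password" lines should never appear once password authentication is switched off.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the sshd format found in /var/log/auth.log
# (example data for this post, not copied from a real server).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 vps sshd[2211]: Invalid user admin from 203.0.113.5 port 41822
Mar  3 10:01:12 vps sshd[2211]: Connection closed by invalid user admin 203.0.113.5 port 41822 [preauth]
Mar  3 10:01:40 vps sshd[2215]: Invalid user oracle from 203.0.113.5 port 41910
Mar  3 10:01:40 vps sshd[2215]: Connection closed by invalid user oracle 203.0.113.5 port 41910 [preauth]
Mar  3 10:02:03 vps sshd[2220]: Connection closed by authenticating user root 198.51.100.7 port 52010 [preauth]
Mar  3 10:02:30 vps sshd[2224]: Failed password for root from 198.51.100.7 port 52044 ssh2
Mar  3 10:05:00 vps sshd[2230]: Accepted publickey for ubuntu from 192.0.2.10 port 60222 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
"""

# A bot that never gets past key authentication ends with a [preauth] close.
PREAUTH_CLOSE = re.compile(
    r"Connection closed by (?:(?:invalid|authenticating) user (\S+) )?(\S+) port \d+ \[preauth\]")
# Only possible when password authentication is still enabled on the server.
FAILED_PASSWORD = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# Successful logins: method, user, source address.
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+ ssh2")

def summarize_sshd(log_text):
    """Tally sshd activity: rejected attempts per IP, usernames tried per IP,
    password attempts per IP (expected empty with keys only) and accepted logins."""
    rejected = Counter()
    usernames = defaultdict(set)
    password_attempts = Counter()
    accepted = []
    for line in log_text.splitlines():
        if "sshd[" not in line:
            continue
        if m := PREAUTH_CLOSE.search(line):
            user, ip = m.group(1), m.group(2)
            rejected[ip] += 1
            if user:
                usernames[ip].add(user)
        elif m := FAILED_PASSWORD.search(line):
            user, ip = m.group(1), m.group(2)
            rejected[ip] += 1
            password_attempts[ip] += 1
            usernames[ip].add(user)
        elif m := ACCEPTED.search(line):
            accepted.append((m.group(2), m.group(3), m.group(1)))
    return {"rejected": dict(rejected),
            "usernames": {ip: sorted(u) for ip, u in usernames.items()},
            "password_attempts": dict(password_attempts),
            "accepted": accepted}

if __name__ == "__main__":
    for key, value in summarize_sshd(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

On a real box, replace SAMPLE_AUTH_LOG with the contents of /var/log/auth.log; a non-empty password_attempts result means password logins are still reachable despite the key setup.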
I see a whole bunch of Diffie-Hellman key information in the logs and wasn't sure what they were exactly. Apparently DH keys are one of the earliest examples of public key protocols and are still used by many today, although RSA keys, which I am more familiar with, came after and are more commonly used as public keys nowadays. There was also a paper published in October 2015 which I will link to here (I don't want to directly link to the PDF download for security reasons, but clicking "view publication" will download it for those who wish to read it in full) that shows that DH keys are not as secure as believed. Considering how many unupgraded systems there are on the net, it wouldn't surprise me if there are some exposed systems still using this type of key that the bots are looking to compromise with some keys they found on the darkweb.
Log management is an important part of being a system administrator, so this portion of Day 3 alone was good for me to learn and keep in the back of my mind.