Your auth.log file is the first step in determining of an intrusion is being attempted, or has occured. It logs all ssh connection attempts, cron jobs, and su calls. If an ssh brute force attach is occurring you will see countless failed ssh login attempts. Most likely various usernames will be attempted. You should immediately stop the ssh server and implement some security countermeasures. Implement various rules in your hosts.allow and hosts.deny files any if you want implement some iptables rules. Host.allow and deny should be enough; the files control tcp connections to your running system daemons. Iptables will block ip numbers just at the connection attempt is made to the computer so for ultimate security implemente iptables and various host rules.
After locking down your servers you will see brute force attacks stop, and your auth.log file will be mainly filled with cron jobs and su commands by users and daemons. The cron jobs are automated process run by various applications, and are mostly run as root. Mail servers, and other tasks are typically managed by cron jobs. You can check user specific cron jobs using the crontab command. Use option -e to edit a users jobs.
Image via Wikipedia
You should have backups of all your files all the time. For a desktop machine always have a backup of your entire /home partition. Use a cronjob and rsync. Mount a usb drive to the /media directory. Use a cronjob as follows:
1 1 0 0 0 rsync -r /home/user /media/backup/user
The above rsync will recursively transfer all folders and files from the user directory to /media/backup/user directory.
You should have at least 1 backup. You can also implement a raid 1 array in case of a hardware failure, which is highly unlikely but does indeed happen. My configuration involves a usb backup drive, mounted as above, and another machine that I rsync the backup to via the network.
Crontab is automated. Don’t bother configuring /etc/cron.hourly etc…. Just configure a crontab line and it will propogate to the /etc subdirectories accordingly.
Crontab lines are configured with:
sudo crontab -e
There are five starts in front. The first is minutes the second is hours. Third fourth and fith are for days of the week, day of the month and month of the year. I usually only bother with the first two to get various scripts to run daily. If you set a crontab to 00 02 * * * it will run every day at 2 am. Note that it is military time.