Viewing login logs on CentOS

Linux login logs

1 lastlog

lastlog reports the information held in /var/log/lastlog: for each account, the login name, the port, and the time of the last login.

[root@oracle ~]# lastlog
用户名           端口     来自             最后登陆时间
root             pts/0    192.168.0.1      三 9月  2 10:12:14 +0800 2020
...
mcs                                        从未登录过
oracle           pts/0    202.120.29.25    三 9月  2 01:18:56 +0800 2020

2 last

By default it reads /var/log/wtmp. Each line of output gives the username, terminal, login source, start time, end time and duration. Note that the final line of output states when the wtmp file began recording. A different file can be read with last -f, for example /var/log/btmp or /var/run/utmp.
Syntax: last [-R] [-num] [ -n num ] [-adiowx] [ -f file ] [ -t YYYYMMDDHHMMSS ] [name…] [tty…]
Examples: last -x: show the history of system shutdowns, user logins and logouts
last -i: show logins from a particular IP
last -t 20181010120101: show login records from before 20181010120101

[root@oracle ~]# last
root     pts/0        192.168.0.1      Wed Sep  2 10:12   still logged in   
oracle   pts/0        202.120.29.25    Wed Sep  2 01:18 - 04:30  (03:11) 

3 lastb

Functionally identical to last, except that by default it reads /var/log/btmp (the record of failed login attempts). As with last, the -f option selects a different file, such as /var/log/btmp or /var/run/utmp.

[root@oracle ~]# lastb | more
root     ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)    
ubuntu   ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)    
student  ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)    
test     ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)    
git      ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)    
test2    ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)    
mysql    ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)    
gpadmin  ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)    
es       ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)    
lsfadmin ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)    
root     ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)    
root     ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)    
root     ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)    
ftpuser  ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)    
mysql    ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)    
weblogic ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)    
customer ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00

4 SSH login log analysis

Check secure (CentOS) or auth.log (Ubuntu) under /var/log. If it shows a large number of high-frequency login attempts from unusual IPs together with a successful login (concentrate on the time window of the incident), look the login IP up on ThreatBook (微步在线); if it is flagged as malicious and is unrelated to the user's usual addresses, the user's weak password was very likely brute-forced.

[root@oracle ~]# cat /var/log/secure |more
...
Sep  1 16:24:06 localhost sshd[55917]: Failed password for root from 188.165.166.18 port 58128 ssh2
Sep  1 16:24:06 localhost sshd[55918]: Received disconnect from 188.165.166.18: 11: Normal Shutdown, Thank you for playing
Sep  1 16:24:08 localhost sshd[55919]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=188.165.166.18  user=root
Sep  1 16:24:09 localhost sshd[55919]: Failed password for root from 188.165.166.18 port 59144 ssh2
Sep  1 16:24:11 localhost sshd[55920]: Received disconnect from 188.165.166.18: 11: Normal Shutdown, Thank you for playing
Sep  1 16:24:14 localhost sshd[55922]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=188.165.166.18  user=root
...

[root@oracle ~]# less /var/log/secure|grep 'Accepted'
Aug 31 20:07:32 localhost sshd[46929]: Accepted password for root from 192.168.0.170 port 50244 ssh2
Aug 31 20:08:42 localhost sshd[46962]: Accepted password for root from 192.168.0.170 port 50283 ssh2
Aug 31 20:28:17 localhost sshd[47153]: Accepted password for oracle from 192.168.0.175 port 59906 ssh2
Aug 31 20:36:04 localhost sshd[47260]: Accepted password for root from 192.168.0.170 port 51061 ssh2
Sep  1 17:05:48 localhost sshd[57442]: Accepted password for oracle from 188.165.166.18 port 36446 ssh2
Sep  2 01:18:56 localhost sshd[65566]: Accepted password for oracle from 202.120.29.25 port 36413 ssh2
Sep  2 01:23:45 localhost sshd[66159]: Accepted password for oracle from 192.168.0.129 port 9253 ssh2
Sep  2 10:12:14 localhost sshd[72864]: Accepted password for root from 192.168.0.1 port 51547 ssh2
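The pattern described above, many failures from one source followed by an "Accepted" record from the same address, can be pulled out of /var/log/secure automatically. The following is an added example (not part of the original post); the sample log text is constructed in the format of the sshd lines shown above, and the threshold of three failures is an assumption:

```python
import re
from collections import defaultdict

# Constructed sample in the format of the /var/log/secure excerpts above
# (sshd "Failed password" / "Accepted password" records); not real data.
SAMPLE_SECURE = """\
Sep  1 16:24:06 localhost sshd[55917]: Failed password for root from 188.165.166.18 port 58128 ssh2
Sep  1 16:24:09 localhost sshd[55919]: Failed password for root from 188.165.166.18 port 59144 ssh2
Sep  1 16:24:12 localhost sshd[55921]: Failed password for invalid user admin from 188.165.166.18 port 59201 ssh2
Sep  1 16:24:15 localhost sshd[55923]: Failed password for oracle from 188.165.166.18 port 59310 ssh2
Sep  1 17:05:48 localhost sshd[57442]: Accepted password for oracle from 188.165.166.18 port 36446 ssh2
Sep  2 01:18:56 localhost sshd[65566]: Accepted password for oracle from 202.120.29.25 port 36413 ssh2
Sep  2 10:12:14 localhost sshd[72864]: Accepted password for root from 192.168.0.1 port 51547 ssh2
"""

# Matches "Failed/Accepted password for <user> from <ip>" and the
# "for invalid user <user>" variant sshd writes for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_sshd(text):
    """Yield (timestamp, result, user, ip) for each auth record, in file order."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("ip")

def brute_force_successes(text, min_failures=3):
    """Return {ip: (failures_before_success, user, ts)} for source IPs that
    accumulated at least min_failures failed logins and were then accepted.
    Order matters: failures after the acceptance are not counted."""
    failures = defaultdict(int)
    hits = {}
    for ts, result, user, ip in parse_sshd(text):
        if result == "Failed":
            failures[ip] += 1
        elif failures[ip] >= min_failures and ip not in hits:
            hits[ip] = (failures[ip], user, ts)
    return hits

if __name__ == "__main__":
    for ip, (n, user, ts) in brute_force_successes(SAMPLE_SECURE).items():
        print(f"{ip}: {n} failures, then accepted as {user!r} at {ts}")
```

Run it against the real file with `brute_force_successes(open("/var/log/secure").read())`; each IP it reports is a candidate for the reputation check described above.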

Other related logs

  1. /var/log/message general and system messages
  2. /var/log/secure login information
  3. /var/log/maillog mail records
  4. /var/log/utmp
  5. /var/log/wtmp login records (the file the last command reads)
