Linux login logs
1 lastlog
lastlog reads /var/log/lastlog and shows, for every account, the login name, the port, and the time of the last login.
[root@oracle ~]# lastlog
用户名 端口 来自 最后登陆时间
root pts/0 192.168.0.1 三 9月 2 10:12:14 +0800 2020
...
mcs **从未登录过**
oracle pts/0 202.120.29.25 三 9月 2 01:18:56 +0800 2020
2 last
By default it reads /var/log/wtmp. The output contains: user name, terminal, login source, start time, end time and duration. Note that the last line printed is the time at which the wtmp file begins. A different file can be read with last -f, for example /var/log/btmp or /var/run/utmp.
Syntax: last [-R] [-num] [ -n num ] [-adiowx] [ -f file ] [ -t YYYYMMDDHHMMSS ] [name...] [tty...]
Examples: last -x: show the history of system shutdowns, user logins and logouts
last -i: show login activity for a specific IP
last -t 20181010120101: show login records before 20181010120101
[root@oracle ~]# last
root pts/0 192.168.0.1 Wed Sep 2 10:12 still logged in
oracle pts/0 202.120.29.25 Wed Sep 2 01:18 - 04:30 (03:11)
3 lastb
Functionally identical to last, except that by default it reads /var/log/btmp (the record of failed login attempts). A file can also be specified with -f, for example /var/log/btmp or /var/run/utmp.
[root@oracle ~]# lastb | more
root ssh:notty 192.168.0.129 Wed Sep 2 01:23 - 01:23 (00:00)
ubuntu ssh:notty 192.168.0.129 Wed Sep 2 01:23 - 01:23 (00:00)
student ssh:notty 192.168.0.129 Wed Sep 2 01:23 - 01:23 (00:00)
test ssh:notty 192.168.0.129 Wed Sep 2 01:23 - 01:23 (00:00)
git ssh:notty 192.168.0.129 Wed Sep 2 01:23 - 01:23 (00:00)
test2 ssh:notty 192.168.0.129 Wed Sep 2 01:23 - 01:23 (00:00)
mysql ssh:notty 192.168.0.129 Wed Sep 2 01:23 - 01:23 (00:00)
gpadmin ssh:notty 192.168.0.129 Wed Sep 2 01:23 - 01:23 (00:00)
es ssh:notty 192.168.0.129 Wed Sep 2 01:23 - 01:23 (00:00)
lsfadmin ssh:notty 192.168.0.129 Wed Sep 2 01:23 - 01:23 (00:00)
root ssh:notty 192.168.0.129 Wed Sep 2 01:23 - 01:23 (00:00)
root ssh:notty 192.168.0.129 Wed Sep 2 01:23 - 01:23 (00:00)
root ssh:notty 192.168.0.129 Wed Sep 2 01:23 - 01:23 (00:00)
ftpuser ssh:notty 192.168.0.129 Wed Sep 2 01:23 - 01:23 (00:00)
mysql ssh:notty 192.168.0.129 Wed Sep 2 01:23 - 01:23 (00:00)
weblogic ssh:notty 192.168.0.129 Wed Sep 2 01:23 - 01:23 (00:00)
customer ssh:notty 192.168.0.129 Wed Sep 2 01:23 - 01:23 (00:00
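An added example, not part of the original post: a small POSIX shell/awk helper that summarises lastb output by source address, so that a single IP cycling through many different account names (the pattern in the output above) stands out. The sample lines are constructed for this example; on a real host you would pipe the output of lastb into the function.

```shell
#!/bin/sh
# Added example (not from the original post): summarise lastb-style output by
# source IP to spot password spraying, i.e. one address trying many accounts.
# Input is the text format lastb prints; SAMPLE_LASTB is constructed here.

SAMPLE_LASTB='root     ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)
ubuntu   ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)
student  ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)
root     ssh:notty    192.168.0.129    Wed Sep  2 01:23 - 01:23  (00:00)
oracle   ssh:notty    10.0.0.7         Wed Sep  2 02:10 - 02:10  (00:00)

btmp begins Wed Sep  2 00:00:01 2020'

# summarize_lastb: read lastb output on stdin and print one line per source IP:
#   <ip> <attempts> <distinct users> <comma-separated user list>
# Lines whose 3rd field is not an IPv4 address (blank lines, the trailing
# "btmp begins ..." line, local tty logins without a host) are skipped.
summarize_lastb() {
    awk '
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            attempts[$3]++
            if (!(($3, $1) in seen)) {
                seen[$3, $1] = 1
                users[$3]++
                names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1)
            }
        }
        END {
            for (ip in attempts)
                printf "%s %d %d %s\n", ip, attempts[ip], users[ip], names[ip]
        }' | sort -k2,2nr
}

# spray_sources: print only the IPs that tried at least $1 distinct account
# names; those are the candidates worth checking against the secure log.
spray_sources() {
    min_users="$1"
    summarize_lastb | awk -v m="$min_users" '$3 >= m { print $1 }'
}

# Real host:   lastb | summarize_lastb
# Sample data: printf '%s\n' "$SAMPLE_LASTB" | spray_sources 3
```

The threshold passed to spray_sources is a judgement call: on an internet-facing host a handful of distinct names from one address within a minute is already enough to warrant a look at the corresponding sshd lines.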
4 SSH login log analysis
Check secure (CentOS) or auth.log (Ubuntu) under /var/log. If a large number of unusual IPs attempted to log in at high frequency and there are also successful login records (concentrate on the time window of the incident), look up the login IP on 微步在线 (ThreatBook). If it is a known malicious IP and unrelated to the addresses the user normally logs in from, the user's weak password was very likely brute-forced successfully.
[root@oracle ~]# cat /var/log/secure |more
...
Sep 1 16:24:06 localhost sshd[55917]: Failed password for root from 188.165.166.18 port 58128 ssh2
Sep 1 16:24:06 localhost sshd[55918]: Received disconnect from 188.165.166.18: 11: Normal Shutdown, Thank you for playing
Sep 1 16:24:08 localhost sshd[55919]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=188.165.166.18 user=root
Sep 1 16:24:09 localhost sshd[55919]: Failed password for root from 188.165.166.18 port 59144 ssh2
Sep 1 16:24:11 localhost sshd[55920]: Received disconnect from 188.165.166.18: 11: Normal Shutdown, Thank you for playing
Sep 1 16:24:14 localhost sshd[55922]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=188.165.166.18 user=root
...
[root@oracle ~]# less /var/log/secure|grep 'Accepted'
Aug 31 20:07:32 localhost sshd[46929]: Accepted password for root from 192.168.0.170 port 50244 ssh2
Aug 31 20:08:42 localhost sshd[46962]: Accepted password for root from 192.168.0.170 port 50283 ssh2
Aug 31 20:28:17 localhost sshd[47153]: Accepted password for oracle from 192.168.0.175 port 59906 ssh2
Aug 31 20:36:04 localhost sshd[47260]: Accepted password for root from 192.168.0.170 port 51061 ssh2
Sep 1 17:05:48 localhost sshd[57442]: Accepted password for oracle from 188.165.166.18 port 36446 ssh2
Sep 2 01:18:56 localhost sshd[65566]: Accepted password for oracle from 202.120.29.25 port 36413 ssh2
Sep 2 01:23:45 localhost sshd[66159]: Accepted password for oracle from 192.168.0.129 port 9253 ssh2
Sep 2 10:12:14 localhost sshd[72864]: Accepted password for root from 192.168.0.1 port 51547 ssh2
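An added example, not part of the original post, that performs the check described above over sshd lines in /var/log/secure or /var/log/auth.log format: it counts "Failed password" entries per source IP and reports every "Accepted" login whose source address had already failed repeatedly, i.e. the brute-force-then-success pattern. The log lines in SAMPLE_SECURE are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): correlate failed and accepted
# sshd logins by source IP in /var/log/secure (CentOS) or /var/log/auth.log
# (Ubuntu) format. SAMPLE_SECURE is constructed for this example.

SAMPLE_SECURE='Sep  1 16:24:06 localhost sshd[55917]: Failed password for root from 188.165.166.18 port 58128 ssh2
Sep  1 16:24:09 localhost sshd[55919]: Failed password for root from 188.165.166.18 port 59144 ssh2
Sep  1 16:24:15 localhost sshd[55922]: Failed password for oracle from 188.165.166.18 port 59201 ssh2
Sep  1 16:24:20 localhost sshd[55925]: Failed password for invalid user admin from 188.165.166.18 port 59230 ssh2
Sep  1 17:05:48 localhost sshd[57442]: Accepted password for oracle from 188.165.166.18 port 36446 ssh2
Sep  2 10:12:14 localhost sshd[72864]: Accepted password for root from 192.168.0.1 port 51547 ssh2
Sep  2 10:15:00 localhost sshd[72900]: Failed password for root from 192.168.0.1 port 51600 ssh2'

# failed_by_ip: print "<ip> <failures> <distinct users>" per source address,
# most failures first. Handles both "Failed password for USER from IP" and
# "Failed password for invalid user USER from IP" (the user is always the
# word right before "from").
failed_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); user = $(i-1) }
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END { for (ip in fails) printf "%s %d %d\n", ip, fails[ip], users[ip] }
    ' | sort -k2,2nr
}

# suspicious_logins: print "<ip> <failures> <user> <timestamp>" for each
# Accepted line whose source IP had at least $1 failures earlier in the log.
# Lines are processed in file order, so only failures *before* the success
# count; failures that follow a legitimate login do not flag it.
suspicious_logins() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            fails[ip]++
        }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); user = $(i-1) }
            if (fails[ip] >= min)
                printf "%s %d %s %s %s %s\n", ip, fails[ip], user, $1, $2, $3
        }
    '
}

# Real host:   grep sshd /var/log/secure | suspicious_logins 3
# Sample data: printf '%s\n' "$SAMPLE_SECURE" | suspicious_logins 3
```

Each address that suspicious_logins reports is the one to check in 微步在线 and against the user's usual login sources; the accompanying lastlog and last entries for the same account then show what the session did next. Matching on "Accepted " rather than "Accepted password" also catches key-based logins, which would appear as "Accepted publickey".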
Other related logs
- /var/log/messages: general and system messages
- /var/log/secure: login records
- /var/log/maillog: mail log
- /var/run/utmp: currently logged-in users (read by who and w)
- /var/log/wtmp: login history (this is the file the last command reads)