linux服务器在挂到外网的时候,很容易受到黑客的扫描,攻击,拿到服务器权限。所以,如有异常账户ip登录服务器,就应该高度警惕,更换密码,检查漏洞等。
1.wtmp日志
查看所有SSH登陆日志 包括IP,输出的内容包括:用户名、终端位置、登录源信息、开始时间、结束时间、持续时间。注意最后一行输出的是wtmp文件起始记录的时间。当然也可以通过last -f参数指定读取文件
命令:last
[root@localhost ~]# last
root pts/0 192.168.8.88 Wed Jan 4 11:03 still logged in
root pts/1 10.10.10.253 Tue Jan 3 21:23 - 21:39 (00:16)
root pts/0 192.168.8.88 Tue Jan 3 21:09 - 10:55 (13:46)
reboot system boot 3.10.0-957.el7.x Tue Jan 3 09:43 - 16:46 (2+07:02)
root pts/0 192.168.8.88 Tue Jan 3 09:12 - down (00:08)
reboot system boot 3.10.0-957.el7.x Tue Jan 3 09:11 - 09:20 (00:08)
wtmp begins Mon Dec 12 16:35:12 2022命令:last -x -F
[root@localhost ~]# last -x -F
root pts/0 192.168.8.88 Wed Jan 4 11:03:55 2023 still logged in
root pts/1 10.10.10.253 Tue Jan 3 21:23:34 2023 - Tue Jan 3 21:39:38 2023 (00:16)
runlevel (to lvl 3) 3.10.0-957.el7.x Mon Dec 12 16:36:28 2022 - Mon Dec 12 16:49:59 2022 (00:13)
reboot system boot 3.10.0-957.el7.x Mon Dec 12 16:35:12 2022 - Mon Dec 12 16:49:59 2022 (00:14)
wtmp begins Mon Dec 12 16:35:12 2022
2.查看在线用户情况
(1)w 命令用于显示已经登陆系统的用户列表,并显示用户正在执行的指令。单独执行w命令会显示所有的用户,也可指定用户名称,仅显示某位用户的相关信息:
w 用户名
[root@localhost ~]# w
16:49:36 up 2 days, 7:12, 1 user, load average: 0.06, 0.03, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.8.88 三11 0.00s 2.57s 0.00s w
(2)who am i 显示出口IP地址,该地址用于SSH连接的源IP
[root@localhost ~]# who am i
root pts/0 2023-01-04 11:03 (192.168.8.88)
3.lastlog 列出所有用户最近登录的信息
lastlog引用的是/var/log/lastlog文件中的信息,包括login-name、port、last login time
[root@localhost ~]# lastlog
用户名 端口 来自 最后登陆时间
root pts/0 192.168.8.88 三 1月 4 11:03:55 +0800 2023
bin **从未登录过**
daemon **从未登录过**
adm **从未登录过**
lp **从未登录过**
sync **从未登录过**
shutdown **从未登录过**
halt **从未登录过**
mail **从未登录过**
operator **从未登录过**
games **从未登录过**
ftp **从未登录过**
nobody **从未登录过**
systemd-network **从未登录过**
dbus **从未登录过**
polkitd **从未登录过**
libstoragemgmt **从未登录过**
abrt **从未登录过**
rpc **从未登录过**
sshd **从未登录过**
postfix **从未登录过**
ntp **从未登录过**
chrony **从未登录过**
tcpdump **从未登录过**
apache **从未登录过**
mabos **从未登录过**
4.lastb 列出失败尝试的登录信息
和last命令功能完全相同,只不过它默认读取的是/var/log/btmp文件的信息。
[root@localhost ~]# lastb
btmp begins Wed Jan 4 20:18:51 20235.SSH登录日志分析
检查/var/log目录下的secure(CentOS),存在大量异常IP高频率尝试登录,且有成功登录记录(重点查找事发时间段)。
cat /var/log/secure |more
Jan 4 11:03:55 localhost sshd[7648]: Accepted password for root from 192.168.8.88 port 56455 ssh2
Jan 4 11:03:55 localhost sshd[7648]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 4 11:03:55 localhost sshd[7650]: Accepted password for root from 192.168.8.88 port 56458 ssh2
Jan 4 11:03:55 localhost sshd[7650]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 4 15:34:34 localhost polkitd[4857]: Registered Authentication Agent for unix-process:8161:10782133 (system bus name :1.458 [/usr/bin/pkttyagent --notif
y-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8)
Jan 4 15:34:34 localhost polkitd[4857]: Unregistered Authentication Agent for unix-process:8161:10782133 (system bus name :1.458, object path /org/freedesk
top/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
Jan 4 20:18:49 localhost useradd[20139]: failed adding user 'dbus', exit code: 9
Jan 4 20:18:51 localhost polkitd[4857]: Reloading rules
less /var/log/secure|grep'Accepted'
[root@localhost ~]# less /var/log/secure | grep 'Accepted'
Jan 3 09:12:14 localhost sshd[5901]: Accepted password for root from 192.168.8.88 port 57536 ssh2
Jan 3 09:12:14 localhost sshd[5903]: Accepted password for root from 192.168.8.88 port 57539 ssh2
Jan 3 21:09:05 localhost sshd[6674]: Accepted password for root from 192.168.8.88 port 58119 ssh2
Jan 3 21:09:06 localhost sshd[6676]: Accepted password for root from 192.168.8.88 port 58122 ssh2
Jan 3 21:23:28 localhost sshd[6736]: Accepted password for root from 10.10.10.253 port 52502 ssh2
Jan 3 21:23:30 localhost sshd[6738]: Accepted password for root from 10.10.10.253 port 52790 ssh2
Jan 4 11:03:55 localhost sshd[7648]: Accepted password for root from 192.168.8.88 port 56455 ssh2
Jan 4 11:03:55 localhost sshd[7650]: Accepted password for root from 192.168.8.88 port 56458 ssh2/var/log/其他日志说明:
/var/log/message 一般信息和系统信息
/var/log/secure 登陆信息
/var/log/maillog mail记录
/var/log/utmp
/var/log/wtmp登陆记录信息(last命令即读取此日志)