Linux history storage && SSH logs

The history command shows the commands that were recently executed in a Linux shell.

1. Common history commands

history n        # show only the most recent n history entries
history -c       # clear the history held in the shell's buffer
history -w       # write the buffered history to the history file
history -d N     # delete history entry number N

For example, to view the last 5 commands:

# history 5
  1  bash
  2  ls
  3  vim .bash_history
  4  cat .bash_history
  5  history

2. If you do not want a command to be recorded, add a space in front of it.

If that does not work, check whether the HISTCONTROL environment variable contains ignorespace. It can be configured as follows:

# echo HISTCONTROL=ignorespace >> ~/.bashrc
# source ~/.bashrc

After the configuration is complete, enter a few commands, some of them with a leading space, and check whether they show up in the history:

# echo 1
1
# echo 2
2
# echo 3
3
#  echo 4
4
#  echo 5
5
# echo 6
6
# echo 7
7
# echo 8
8

View the history:

# history 10
  6  echo HISTCONTROL=ignorespace >> ~/.bashrc
  7  source ~/.bashrc
  8  echo 1
  9  echo 2
  10  echo 3
  11  echo 6
  12  echo 7
  13  echo 8
  14  history head -10
  15  history 10

Note that echo 4 and echo 5 were entered with a leading space, so they were not recorded.

3. You can also disable the history entirely:

# echo "export HISTSIZE=0" >> ~/.bashrc
# echo "export HISTFILESIZE=0" >> ~/.bashrc
# source ~/.bashrc

4. Choosing the environment variable configuration file

The examples above use ~/.bashrc, but you can also use /etc/profile, /etc/bashrc (some systems, such as Ubuntu, do not have this file and use /etc/bash.bashrc instead), ~/.profile, ~/.bash_profile and similar files.

The difference between these files:

If the configuration should take effect as soon as it is written, that is, be usable in any newly opened shell without restarting the system, add it to /etc/bashrc (/etc/bash.bashrc) or ~/.bashrc.

If the configuration is added to /etc/profile, ~/.profile or ~/.bash_profile, it only takes effect after a restart.
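Sections 2 to 4 above describe three settings that reduce what bash records (HISTCONTROL with ignorespace, HISTSIZE=0, HISTFILESIZE=0) and the startup files they can live in. The following audit script is an added example, not code from the original post: it scans exactly those files for those variables and reports every occurrence that weakens history, so an administrator can spot them during a review. The file order and the sample .bashrc are assumptions constructed for the example.

```python
"""Audit bash startup files for settings that weaken shell history.

Added example (not from the original post): scans the startup files the
section above lists for HISTSIZE / HISTFILESIZE / HISTCONTROL assignments
and reports those that disable or reduce history recording.
"""
import os
import re

# Files named in section 4, system-wide first, then the user's own.
# The order is an assumption made for this example.
STARTUP_FILES = ["/etc/profile", "/etc/bashrc", "/etc/bash.bashrc",
                 "~/.profile", "~/.bash_profile", "~/.bashrc"]

# VAR=value, optionally preceded by "export", optionally quoted,
# optionally followed by a trailing comment.
ASSIGN_RE = re.compile(
    r"^\s*(?:export\s+)?(HISTSIZE|HISTFILESIZE|HISTCONTROL)=([\"']?)(.*?)\2\s*(?:#.*)?$"
)


def audit_text(text, source="<inline>"):
    """Return (source, line number, variable, value, reason) for each weakening assignment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        var, _quote, value = m.groups()
        value = value.strip()
        if var in ("HISTSIZE", "HISTFILESIZE") and value == "0":
            findings.append((source, lineno, var, value, "history disabled"))
        elif var == "HISTCONTROL":
            # HISTCONTROL is a colon-separated list; ignoreboth implies ignorespace.
            options = {opt.strip() for opt in value.split(":")}
            if options & {"ignorespace", "ignoreboth"}:
                findings.append((source, lineno, var, value,
                                 "commands prefixed with a space are not recorded"))
    return findings


def audit_files(paths=STARTUP_FILES):
    """Audit every listed startup file that exists on this host."""
    findings = []
    for p in paths:
        path = os.path.expanduser(p)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(audit_text(fh.read(), path))
    return findings


# Constructed sample of a ~/.bashrc after the commands shown in sections 2 and 3.
SAMPLE_BASHRC = """\
# constructed sample, not a real file
alias ll='ls -l'
HISTCONTROL=ignorespace
export HISTSIZE=0
export HISTFILESIZE=0
HISTSIZE=1000   # a later assignment wins in bash, but the audit still reports every hit
"""

if __name__ == "__main__":
    for src, lineno, var, value, reason in audit_text(SAMPLE_BASHRC, "sample") + audit_files():
        print(f"{src}:{lineno}: {var}={value}  ({reason})")
```

Run without arguments it audits the constructed sample and then the real files on the host; the last sample line shows why the script reports every assignment rather than only the last one: bash applies the final value, but an earlier HISTSIZE=0 still tells you someone put it there.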

Normal Linux logins and SSH login activity are recorded in the following locations:

  • /var/log/btmp, records failed login attempts; query command: lastb
  • /var/log/auth.log, records successfully authenticated users
  • /var/log/secure, records security-related log messages
  • /var/log/lastlog, records each user's last login
  • /var/log/wtmp, records current and past logins to the system; query command: last
  • /var/run/utmp, records the users currently logged in to the system; query command: w
  • ~/.bash_history, records the commands executed from the beginning up to the previous login; query command: history. Files that cannot be viewed directly (the binary ones, such as /var/log/wtmp) can be inspected with: strings /var/log/wtmp
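The list above ends with the advice to run strings over the binary wtmp file. strings only recovers the text fields, not the record type or the timestamp, so it cannot tell a login from a logout. The decoder below is an added example, not code from the original post: it parses the fixed-size records that `w`, `last` and `lastb` read from /var/run/utmp, /var/log/wtmp and /var/log/btmp, and reproduces the views of those two commands. It assumes the glibc struct utmp layout on x86_64 Linux (384-byte little-endian records); the sample records are constructed with documentation IP addresses.

```python
"""Decode the binary login records in /var/run/utmp, /var/log/wtmp and /var/log/btmp.

Added example, not part of the original post. Assumes the glibc struct utmp
layout on x86_64 Linux (384-byte records, little-endian), which is what
w, last and lastb read. The sample records below are constructed.
"""
import struct
import sys
from datetime import datetime, timezone

# struct utmp (glibc, x86_64): ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], exit_status (2 shorts), ut_session, ut_tv (sec, usec),
# ut_addr_v6[4], 20 reserved bytes.
UTMP_FORMAT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
            6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}
USER_PROCESS, DEAD_PROCESS = 7, 8


def _cstr(raw):
    """NUL-terminated fixed-width field -> str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Return one dict per complete record; a truncated trailing record is ignored."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _usec, _a0, _a1, _a2, _a3) = struct.unpack_from(UTMP_FORMAT, data, off)
        records.append({
            "type": UT_TYPES.get(ut_type, str(ut_type)), "pid": pid,
            "line": _cstr(line), "user": _cstr(user), "host": _cstr(host),
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        })
    return records


def login_history(data):
    """What `last` shows: every USER_PROCESS record as (user, line, host, time)."""
    return [(r["user"], r["line"], r["host"], r["time"])
            for r in parse_utmp(data) if r["type"] == "USER_PROCESS"]


def active_logins(data):
    """What `w` shows: logins with no later DEAD_PROCESS record on the same line."""
    active = {}
    for r in parse_utmp(data):
        if r["type"] == "USER_PROCESS":
            active[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS":
            active.pop(r["line"], None)
    return list(active.values())


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one record; used only to build the constructed sample below."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample: an interactive login on pts/0 that later ended, then a
# second login that is still open. 203.0.113.0/24 is a documentation range.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 4242, "pts/0", "root", "203.0.113.5", 1700000000),
    make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1700003600),
    make_record(USER_PROCESS, 4300, "pts/1", "deploy", "203.0.113.6", 1700007200),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    for r in parse_utmp(data):
        print(f'{r["type"]:14} {r["user"]:10} {r["line"]:8} {r["host"]:16} {r["time"]}')
```

Run with a path (for example /var/log/wtmp) to decode a real file; without one it decodes the constructed sample. Because each record carries its type, the sftp/scp "notty" sessions from the next section are easy to reason about here: they never write a USER_PROCESS record, so they are absent from this file and must be found in auth.log or secure instead.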

While tracing the logs normally, run:

ps -aux|grep sshd

A normal login from PuTTY shows up as:

  • sshd:root@pts/0

A login over sftp, rsync, scp and similar protocols shows up as:

  • sshd:root@notty

With notty, the following logs are bypassed:

/var/log/lastlog, records the user's last login information
/var/log/wtmp, records current and previous logins to the system; query command: last
/var/run/utmp, records the users currently logged in to the system; query command: w
~/.bash_history, records the commands executed from the beginning up to the last login; query command: history

Defensive focus points

Check failed login attempts; query command: lastb; file location: /var/log/btmp
Check successfully authenticated users; file location: /var/log/auth.log
Check TCP connections; command: netstat -vatn

Check which IP addresses and ports are connected to SSH port 22, using awk to filter out the needed fields.
This command lists every IP address and port connected to SSH port 22 and prints them to the console.

sudo netstat -tnp | grep :22 | awk '{print $4, $5}'

Check the SSH login log, using grep to filter out the needed records. In the commands below, change secure to auth.log on systems that log to /var/log/auth.log.
This command lists every successful SSH login, including the user, the login time and the source IP address, and prints them to the console.

sudo grep "Accepted" /var/log/secure | grep "sshd" | grep -v "sudo" | awk '{print $1, $2, $3, $9, $11}'

Check the keys used for SSH logins, using grep to filter out the needed records.
This command lists every successful public-key login, including the user, the login time and the source IP address, and prints them to the console.

sudo grep "Accepted publickey" /var/log/secure | awk '{print $1, $2, $3, $9, $11, $13}'

Filtering failed login records:

Check which IP addresses and ports connected to SSH port 22, including failed connections, using awk to filter out the needed fields.
This command lists every failed connection to SSH port 22, including the source IP address and port, and prints them to the console.

sudo grep "sshd.*Connection refused" /var/log/messages | awk '{print $1, $2, $3, $9}'

Check the SSH login log for failed logins, using grep to filter out the needed records.
This command lists every failed SSH login, including the user, the login time and the source IP address, and prints them to the console.

sudo grep "Failed" /var/log/secure | grep "sshd" | grep -v "sudo" | awk '{print $1, $2, $3, $9, $11}'

Check the keys used in failed SSH logins, using grep to filter out the needed records.
This command lists every failed public-key login, including the user, the login time and the source IP address, and prints them to the console.

sudo grep "Failed publickey" /var/log/secure | awk '{print $1, $2, $3, $9, $11, $13}'
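The grep/awk one-liners above pick the user from field $9 and the IP from field $11, which holds for "Accepted password for root from 203.0.113.5 port 51234 ssh2" but not for "Failed password for invalid user admin from ..." lines, where the two extra words shift the user to $11 and the IP to $13; the "grep -v sudo" is there because a sudo log line can itself contain the word Accepted. The parser below is an added example, not code from the original post: it matches the sshd lines by structure instead of field position, counts failures per source IP (the lastb view), and ties an Accepted line to a later sftp subsystem request by pid, which is the auth.log trace of the notty sessions described earlier that leave nothing in wtmp or utmp. It assumes the traditional syslog timestamp format and a constructed set of log lines using documentation IP ranges.

```python
"""Summarise sshd events in /var/log/auth.log or /var/log/secure.

Added example, not part of the original post. Assumes the traditional syslog
line format ("Nov 14 22:13:20 host sshd[pid]: ..."); the sample lines are
constructed and use documentation IP ranges.
"""
import re
import sys
from collections import Counter

# Accepted/Failed lines written by sshd. The optional "invalid user" words are
# why fixed awk field numbers ($9 = user, $11 = IP) break on failed logins
# for accounts that do not exist.
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"sshd\[(?P<pid>\d+)\]:\s+(?P<result>Accepted|Failed)\s+(?P<method>\S+)\s+for\s+"
    r"(?P<invalid>invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<ip>\S+)\s+port\s+(?P<port>\d+)"
)
# sftp sessions (the "notty" case) log a subsystem request under the same
# sshd pid as their Accepted line; the pid is what ties the two together.
SFTP_RE = re.compile(r"sshd\[(?P<pid>\d+)\]:\s+subsystem request for sftp")

# Constructed sample lines, not from a real host.
SAMPLE_AUTH_LOG = """\
Nov 14 22:13:20 host1 sshd[4242]: Accepted password for root from 203.0.113.5 port 51234 ssh2
Nov 14 22:13:20 host1 sshd[4242]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 14 22:15:02 host1 sshd[4300]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINT
Nov 14 22:15:03 host1 sshd[4300]: subsystem request for sftp by user deploy
Nov 14 22:16:10 host1 sshd[4350]: Failed password for invalid user admin from 192.0.2.9 port 33333 ssh2
Nov 14 22:16:12 host1 sshd[4351]: Failed password for root from 192.0.2.9 port 33340 ssh2
Nov 14 22:16:15 host1 sshd[4352]: Failed publickey for root from 192.0.2.9 port 33341 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINT
Nov 14 22:16:20 host1 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/grep Accepted /var/log/secure
"""


def parse_auth_log(text):
    """Return (events, sftp_pids): one dict per Accepted/Failed sshd line, plus
    the pids that went on to request the sftp subsystem. Lines from other
    programs (e.g. the sudo line in the sample) never match."""
    events, sftp_pids = [], set()
    for line in text.splitlines():
        m = SSHD_AUTH_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["invalid_user"] = ev.pop("invalid") is not None
            ev["pid"] = int(ev["pid"])
            ev["port"] = int(ev["port"])
            events.append(ev)
            continue
        m = SFTP_RE.search(line)
        if m:
            sftp_pids.add(int(m.group("pid")))
    return events, sftp_pids


def summarize(text):
    """Successful logins (flagging sftp ones), failures per source IP, and the
    non-existent user names that were tried."""
    events, sftp_pids = parse_auth_log(text)
    accepted = [
        {"ts": e["ts"], "user": e["user"], "ip": e["ip"],
         "method": e["method"], "sftp": e["pid"] in sftp_pids}
        for e in events if e["result"] == "Accepted"
    ]
    failed_by_ip = Counter(e["ip"] for e in events if e["result"] == "Failed")
    invalid_users = sorted({e["user"] for e in events if e["invalid_user"]})
    return {"accepted": accepted, "failed_by_ip": dict(failed_by_ip),
            "invalid_users": invalid_users}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_AUTH_LOG
    s = summarize(text)
    for a in s["accepted"]:
        print("ACCEPTED", a["ts"], a["user"], a["ip"], a["method"], "(sftp)" if a["sftp"] else "")
    for ip, n in s["failed_by_ip"].most_common():
        print("FAILED  ", ip, n)
    print("invalid users tried:", ", ".join(s["invalid_users"]) or "-")
```

Run with a path (sudo is needed for /var/log/auth.log or /var/log/secure) or without one to see the constructed sample summarised; the deploy login is reported as an sftp session even though that session would not appear in wtmp, utmp or lastlog.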


Origin blog.csdn.net/a1058926697/article/details/131719313