Linux login logs

Posted by wxianfeng Tue, 31 Aug 2010 15:57:00 GMT

Environment: CentOS 5.5

Before this, my server password was very simple, which felt insecure, so I made it a bit more complex and, while I was at it, went through my login logs and really did find many remote IPs trying to crack the root password. I also remember once at my company I forgot to clock in and out, and HR came to me insisting that I produce evidence, so pulling the login and logout records for that day from my work computer was the best option; I recall I wasn't very familiar with it at the time and only solved it right away with a colleague's help. Besides that, sensible analysis of the login logs is of great help for your server's security!

1. Let's see which IPs have tried to log in to your server with a wrong root password

[root@li165-150 log]# grep "Failed password for root" /var/log/secure | awk '{print $9}' | sort | uniq -c | sort -nr # awk splits the fields; sort groups identical IPs so that uniq -c (dedupe + show repeat count) sees them adjacently; sort -nr = numeric sort (-n), descending (-r)
   3116 69.162.125.77
    224 173.230.145.104
    111 184.106.229.209
     84 60.217.234.142
     76 222.237.78.139
     51 210.193.16.75
     46 88.191.73.232
     13 109.169.56.3
      4 220.165.28.67
      2 115.248.49.217
      1 88.191.52.74
      1 221.221.173.88
      1 220.181.147.187

From the above you can see that many IPs tried to log in to my server; 69.162.125.77 alone has 3116 failure records. The overall total:

[root@li165-150 log]#  grep "Failed password for root" /var/log/secure | awk '{print $9}' | wc -l
13730

Ha, so this many people like scanning my server.....
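As an added example (not the author's own commands), a small POSIX sh helper that counts failed sshd logins per source address over constructed sample lines. The awk '{print $9}' pipeline above works for the ISO-timestamp rsyslog format this server uses (visible in the messages log further down); with the classic "Aug 30 12:56:30" syslog timestamp the address lands in field 11, and "invalid user" lines shift it again, so the helper keys on the "from <ip>" token instead. The IP addresses in the sample are taken from this post; the log lines themselves are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed sshd log lines:
# the ISO-timestamp rsyslog format seen on the author's box, the classic
# "Aug 30 12:56:30" syslog format, and an "invalid user" attempt, so that a
# fixed awk field such as $9 no longer points at the address in every line.
make_sample_log() {
  cat > "$1" <<'EOF'
2010-08-30T12:54:25.000000-04:00 li165-150 sshd[2001]: Failed password for root from 69.162.125.77 port 40001 ssh2
2010-08-30T12:54:27.000000-04:00 li165-150 sshd[2002]: Failed password for root from 69.162.125.77 port 40002 ssh2
2010-08-30T12:55:01.000000-04:00 li165-150 sshd[2003]: Failed password for root from 173.230.145.104 port 40003 ssh2
2010-08-30T12:55:09.000000-04:00 li165-150 sshd[2004]: Failed password for invalid user admin from 173.230.145.104 port 40004 ssh2
Aug 30 12:56:30 li165-150 sshd[2005]: Failed password for root from 69.162.125.77 port 40005 ssh2
Aug 30 12:57:00 li165-150 sshd[2006]: Failed password for root from 220.165.28.67 port 40006 ssh2
Aug 30 12:58:00 li165-150 sshd[2007]: Accepted password for root from 220.181.147.187 port 40007 ssh2
EOF
}

# Failed password attempts per source IP, highest first. The address is taken
# from the "from <ip>" token, so the count is independent of the timestamp
# format and of whether the target was root or an invalid user. sort runs
# before uniq -c because uniq only collapses adjacent duplicates.
failed_logins_by_ip() {
  grep 'Failed password for' "$1" \
    | grep -oE 'from [0-9]{1,3}(\.[0-9]{1,3}){3}' \
    | awk '{print $2}' \
    | sort | uniq -c | sort -nr
}

# Only the addresses with at least $2 failures: a simple alert threshold.
ips_over_threshold() {
  failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# Demo on the constructed sample: list sources with two or more failures.
sample=$(mktemp)
make_sample_log "$sample"
ips_over_threshold "$sample" 2
rm -f "$sample"
```

Point failed_logins_by_ip at /var/log/secure (or a rotated secure.1) to get the same per-IP table as the pipeline above, including attempts against invalid user names.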

2. Search the system log for root-related entries

[root@li165-150 log]# cd /var/log
[root@li165-150 log]# find ./ -type f -name "messages*" | xargs grep "root" | more
./messages:2010-08-30T12:54:25.987395-04:00 li165-150 avahi-daemon[2862]: Successfully dropped root privileges.
./messages:2010-08-30T12:54:26.023483-04:00 li165-150 avahi-daemon[2862]: Successfully called chroot().
./messages.1:2010-08-20T22:55:03.457101-04:00 li165-150 avahi-daemon[2928]: Successfully dropped root privileges.
./messages.1:2010-08-20T22:55:03.504958-04:00 li165-150 avahi-daemon[2928]: Successfully called chroot().
./messages.1:2010-08-20T22:56:22.025464-04:00 li165-150 avahi-daemon[3047]: Successfully dropped root privileges.
./messages.1:2010-08-20T22:56:22.054287-04:00 li165-150 avahi-daemon[3047]: Successfully called chroot().
./messages.1:2010-08-21T14:21:13.824695-04:00 li165-150 avahi-daemon[2816]: Successfully dropped root privileges.
./messages.1:2010-08-21T14:21:13.907610-04:00 li165-150 avahi-daemon[2816]: Successfully called chroot().

3. Information about currently logged-in users is recorded in /var/run/utmp. This is a binary file, so ordinary tools such as tail and cat cannot display it, but its contents can be viewed with certain commands, for example who

Currently logged-in users:

[root@li165-150 log]# who  # or the users command
root     ttyp1        Aug 31 12:13 (220.181.147.187)
root     ttyp2        Aug 31 12:53 (220.181.147.187)
[root@li165-150 log]# who -b # last boot time
         system boot  Aug 30 12:54

For more who options: >who --help

4. All login and logout records are in /var/log/wtmp, which is also a binary file

[root@li165-150 log]# last -10 root # show the last 10 logins of the root user
root     ttyp2        220.181.147.187  Tue Aug 31 12:53   still logged in   
root     ttyp1        220.181.147.187  Tue Aug 31 12:13   still logged in   
root     ttyp0        220.181.147.187  Tue Aug 31 09:06 - 13:16  (04:10)    
root     ttyp0        221.221.173.88   Mon Aug 30 22:40 - 22:42  (00:01)    
root     ttyp0        220.181.147.187  Mon Aug 30 12:55 - 13:11  (00:16)    
root     ttyp0        220.181.147.187  Mon Aug 30 12:51 - down   (00:01)    
root     ttyp1        221.221.8.126    Fri Aug 27 03:01 - 04:14  (01:12)    
root     ttyp0        125.34.211.119   Fri Aug 27 01:47 - 04:21  (02:33)    
root     ttyp0        125.34.211.119   Wed Aug 25 23:41 - 23:41  (00:00)    
root     ttyp0        221.221.8.126    Wed Aug 25 21:44 - 21:46  (00:01)    

wtmp begins Wed Jun  2 09:10:09 2010
[root@li165-150 log]# last # last searches back through wtmp and shows every user who has logged in since the file was first created
root     ttyp2        220.181.147.187  Tue Aug 31 12:53   still logged in   
root     ttyp1        220.181.147.187  Tue Aug 31 12:13   still logged in   
root     ttyp0        220.181.147.187  Tue Aug 31 09:06 - 13:16  (04:10)    
root     ttyp0        221.221.173.88   Mon Aug 30 22:40 - 22:42  (00:01)    
root     ttyp0        220.181.147.187  Mon Aug 30 12:55 - 13:11  (00:16)    
reboot   system boot  2.6.32.16-linode Mon Aug 30 12:54         (1+00:55)   
root     ttyp0        220.181.147.187  Mon Aug 30 12:51 - down   (00:01)    
root     ttyp1        221.221.8.126    Fri Aug 27 03:01 - 04:14  (01:12)    
root     ttyp0        125.34.211.119   Fri Aug 27 01:47 - 04:21  (02:33)    
root     ttyp0        125.34.211.119   Wed Aug 25 23:41 - 23:41  (00:00)    
root     ttyp0        221.221.8.126    Wed Aug 25 21:44 - 21:46  (00:01)    
root     ttyp0        125.34.211.119   Wed Aug 25 21:34 - 21:37  (00:02)

5. The most recent login of each user is recorded in /var/log/lastlog and can be viewed with lastlog

[root@li165-150 log]# lastlog             
Username         Port     From             Latest
root             ttyp2    220.181.147.187  Tue Aug 31 12:53:34 -0400 2010

6. Clearing the login logs

>rm -f /var/log/wtmp
>cat /dev/null > /var/log/lastlog

Also, today I learned a trick with the command history: before, I always used the up arrow to recall commands, and getting to the 10th one back takes 10 presses, which is a hassle; the history command takes care of it

[root@li165-150 log]# history 10 # the 10 most recent commands
 1085  last
 1086  last
 1087  last
 1088  lastlog
 1089  lastlog -u wxianfeng
 1090  lastlog
 1091  last
 1092  rm -f /var/log/wtmp
 1093  last
 1094  history 10
>history -c # clear the history

SEE:
http://zhiwei.li/text/2010/06/linux%E7%99%BB%E5%BD%95%E6%97%A5%E5%BF%97/
