Tracing an intrusion through CentOS logs


    1. Viewing log files


View the /var/log/wtmp file for suspicious IP logins

    last -f /var/log/wtmp



This log file permanently records every user's login and logout and every system startup and shutdown, so its size grows with the system's uptime; the rate of growth depends on how often users log in. The file can be used to review users' login records.

The last command reads this file and displays the login records in reverse chronological order (most recent first); it can also filter the records by user, terminal (TTY), or time.


View the /var/log/secure file to find the login times of suspicious IPs

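As an added example that is not part of the original post, the POSIX shell script below summarises sshd "Accepted" and "Failed" events from /var/log/secure-style lines per source IP, so that an address spotted with last -f /var/log/wtmp can be checked for the pattern of failed attempts followed by a successful login. The log lines are constructed sample data; the hostname, user names and IPs in them are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: summarise sshd login events from
# /var/log/secure-style lines per source IP.  On a real host:
#   login_summary < /var/log/secure ; suspicious_ips < /var/log/secure

# Constructed sample lines in /var/log/secure format (host, users and IPs are made up).
SAMPLE_SECURE='Oct 24 12:53:08 centos6 sshd[2231]: Accepted password for root from 10.1.80.47 port 50122 ssh2
Oct 24 12:55:01 centos6 sshd[2290]: Failed password for root from 203.0.113.9 port 41022 ssh2
Oct 24 12:55:03 centos6 sshd[2290]: Failed password for root from 203.0.113.9 port 41022 ssh2
Oct 24 12:55:06 centos6 sshd[2295]: Failed password for invalid user admin from 203.0.113.9 port 41030 ssh2
Oct 24 12:56:10 centos6 sshd[2301]: Accepted publickey for deploy from 10.1.80.50 port 50200 ssh2
Oct 24 12:57:44 centos6 sshd[2310]: Accepted password for root from 203.0.113.9 port 41100 ssh2'

# login_summary: reads log lines on stdin and prints one line per source IP,
# "<ip> accepted=N failed=N first=<ts> last=<ts>", most failures first.
login_summary() {
    awk '
        / sshd\[[0-9]+\]: (Accepted|Failed) / {
            ts = $1 " " $2 " " $3; ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            if ($6 == "Accepted") { acc[ip]++ } else { fail[ip]++ }
            if (!(ip in first)) first[ip] = ts
            last[ip] = ts
        }
        END {
            for (ip in last)
                printf "%s accepted=%d failed=%d first=%s last=%s\n",
                       ip, acc[ip], fail[ip], first[ip], last[ip]
        }' | sort -t= -k3,3nr -k1,1
}

# suspicious_ips: prints each IP whose successful login was preceded by at
# least one failed attempt from the same address (guessing that eventually
# worked), the pattern to look for when an unknown IP shows up in last.
suspicious_ips() {
    awk '
        / sshd\[[0-9]+\]: (Accepted|Failed) / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            if ($6 == "Failed") fail[ip]++
            else if (fail[ip] > 0 && !(ip in flagged)) { flagged[ip] = 1; print ip }
        }'
}

printf '%s\n' "$SAMPLE_SECURE" | login_summary
printf '%s\n' "$SAMPLE_SECURE" | suspicious_ips
```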


    2. Script to record the operation history of every logged-in user

On a Linux system, whether as root or as another user, we can only see the operations performed after logging in by running the history command. But if many people log in to a server and one day someone's mistaken operation deletes important data, looking at the history (command: history) is of no use at that point, because history is only valid for the logged-in user; even root cannot see other users' histories. Is there a way to record the history together with the IP address and user name of each login? Yes, there is.

This can be achieved by adding the following code to /etc/profile:

    # Prompt of the form user@host:[cwd]
    PS1="`whoami`@`hostname`:"'[$PWD]'
    # Source IP of the current login session: the last field of "who -u am i",
    # with the surrounding parentheses stripped
    USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
    # Local (console) logins have no remote host; record the hostname instead
    if [ "$USER_IP" = "" ]; then
        USER_IP=`hostname`
    fi
    # Shared top-level directory for all users' history files (world-writable, as in the original)
    if [ ! -d /tmp/dbasky ]; then
        mkdir /tmp/dbasky
        chmod 777 /tmp/dbasky
    fi
    # One subdirectory per user: the owner can create files in it but not list it,
    # and other users have no access
    if [ ! -d /tmp/dbasky/${LOGNAME} ]; then
        mkdir /tmp/dbasky/${LOGNAME}
        chmod 300 /tmp/dbasky/${LOGNAME}
    fi
    export HISTSIZE=4096
    DT=`date "+%Y-%m-%d_%H:%M:%S"`
    # One history file per login session, named after the source IP and the login time
    export HISTFILE="/tmp/dbasky/${LOGNAME}/${USER_IP} dbasky.$DT"
    chmod 600 /tmp/dbasky/${LOGNAME}/*dbasky* 2>/dev/null
    # Note: an interactive user can still unset HISTFILE, so treat these files as a
    # convenience record rather than a tamper-proof audit trail.

Run source /etc/profile so that the script takes effect.

Log out and log in again.

The script above creates a dbasky directory under /tmp and records every user who logs in to the system together with their IP address (in the file name). Each time a user logs in or out, a corresponding file is created that stores the operation history of that login session; this method can be used to monitor the security of the system.

    [email protected]:[/tmp/dbasky/root]ls
    10.1.80.47 dbasky.2013-10-24_12:53:08
    [email protected]:[/tmp/dbasky/root]cat 10.1.80.47 dbasky.2013-10-24_12:53:08
This article is from the "Nothing-skywalker" blog; please keep this source when reproducing it: http://tianxingzhe.blog.51cto.com/3390077/1672739
