First, view the log file
Linux View /var/log/wtmp
file view suspicious IP login
This log file permanently records each user's logon, logoff, and system startup, downtime events. So as the system uptime increases, the size of the file becomes larger,
The rate of increase depends on the number of times the system user logs on. The log file can be used to view the user's logon record, and the last command obtains the information by accessing the file, and then displays the user's login record in reverse order, and can also display the corresponding record according to the user, the terminal TTY, or the time.
View /var/log/secure
files looking for suspicious IP logon times
Second, the script production of all logged in user's operation history
In the Linux system environment, whether the root users or other users only access to the system after the entry operation we can through history
the command to view the history, but if a server many people landing, one day because someone mistakenly operation deleted important data. It doesn't make sense to view the history (command: history
) (because history
it works only for logged-in users, even if the root user cannot get other user histotry
histories).
Is there any way to achieve the historical record by recording the IP address and the user name after the login?
Answer: Yes.
/etc/profile
You can do this by adding the following code inside:
ps1= "' WhoAmI ' @ ' hostname ':" ' [$PWD] '
history
user_ip= ' who-u am I 2>/dev/null| awk ' {print $NF} ' |sed-e ' s/[()]//g '
if [' $USER _ip ' = ' "]
then
user_ip= ' hostname '
fi
if [! -d/tmp/dbasky]
then
Mkdir/tmp/dbasky
chmod 777/tmp/dbasky
fi
if [!-d/tmp/dbasky/${logname }]
then
mkdir/tmp/dbasky/${logname}
chmod 300/tmp/dbasky/${logname}
fi
export histsize= 4096
dt= ' date ' +%y-%m-%d_%h:%m:%s '
export histfile= '/tmp/dbasky/${logname}/${user_ip} dbasky. $DT "
chmod 600/tmp/dbasky/${logname}/*dbasky* 2>/dev/null
source/etc/profile Use script to take effect
Exit user, log in again
The above script creates a new Dbasky directory at the system's/TMP, records all the users and IP addresses (filenames) of the logged on system, and whenever the user logs in/exits to create the corresponding file that preserves the history of the user during the logon period, this method can be used to monitor the security of the system.
Root@zsc6:[/tmp/dbasky/root]ls
10.1.80.47 dbasky.2013-10-24_12:53:08
root@zsc6:[/tmp/dbasky/root]cat 10.1.80.47 dbasky.2013-10-24_12:53:08
Third, summary
The above is the entire content of this article, I hope to maintain the security of the server can help, if there are questions can be exchanged message.