CentOS system through log back to check whether the intrusion _ server other

First, view the log file

Linux View /var/log/wtmp file view suspicious IP login

 Last-f/var/log/wtmp

This log file permanently records each user's logon, logoff, and system startup, downtime events. So as the system uptime increases, the size of the file becomes larger,

The rate of increase depends on the number of times the system user logs on. The log file can be used to view the user's logon record, and the last command obtains the information by accessing the file, and then displays the user's login record in reverse order, and can also display the corresponding record according to the user, the terminal TTY, or the time.

View /var/log/secure files looking for suspicious IP logon times

Second, the script production of all logged in user's operation history

In the Linux system environment, whether the root users or other users only access to the system after the entry operation we can through history the command to view the history, but if a server many people landing, one day because someone mistakenly operation deleted important data. It doesn't make sense to view the history (command: history ) (because history it works only for logged-in users, even if the root user cannot get other user histotry histories).

Is there any way to achieve the historical record by recording the IP address and the user name after the login?

Answer: Yes.

/etc/profileYou can do this by adding the following code inside:

ps1= "' WhoAmI ' @ ' hostname ':" ' [$PWD] '
history
user_ip= ' who-u am I 2>/dev/null| awk ' {print $NF} ' |sed-e ' s/[()]//g '
if [' $USER _ip ' = ' "]
then
user_ip= ' hostname '
fi
if [! -d/tmp/dbasky]
then
Mkdir/tmp/dbasky
chmod 777/tmp/dbasky
fi
if [!-d/tmp/dbasky/${logname }]
then
mkdir/tmp/dbasky/${logname}
chmod 300/tmp/dbasky/${logname}
fi
export histsize= 4096
dt= ' date ' +%y-%m-%d_%h:%m:%s '
export histfile= '/tmp/dbasky/${logname}/${user_ip} dbasky. $DT "
chmod 600/tmp/dbasky/${logname}/*dbasky* 2>/dev/null
source/etc/profile Use script to take effect

Exit user, log in again

The above script creates a new Dbasky directory at the system's/TMP, records all the users and IP addresses (filenames) of the logged on system, and whenever the user logs in/exits to create the corresponding file that preserves the history of the user during the logon period, this method can be used to monitor the security of the system.

Root@zsc6:[/tmp/dbasky/root]ls

10.1.80.47 dbasky.2013-10-24_12:53:08

root@zsc6:[/tmp/dbasky/root]cat 10.1.80.47 dbasky.2013-10-24_12:53:08

Third, summary

The above is the entire content of this article, I hope to maintain the security of the server can help, if there are questions can be exchanged message.