SSH Login Status Analysis
1. wtmp Log
last
last -x -F
2. View Online User Status
(1) The w command lists the users currently logged in to the system and shows the command each user is running. Running w with no arguments shows all users; you can also pass a user name to show only that user.
(2) who am i shows the address you logged in from, i.e. the source IP of the SSH connection:
who am i
root     pts/0        2018-03-29 04:12 (111.204.243.8)
3. SSH Log Analysis
cat /var/log/secure | more
less /var/log/secure | grep 'Accepted'
less /var/log/auth.log | grep 'Accepted'
Check /var/log/secure (CentOS) or /var/log/auth.log (Ubuntu). If a large number of unusual IPs attempt to log in at high frequency and there is also a successful login record (focus on the time window of the incident), look up the login IP in a threat-intelligence service such as ThreatBook (微步在线). If the IP is flagged as malicious and is not the user's usual address, the user's weak password was most likely brute-forced.
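The check described above (many failed attempts from one IP followed by an Accepted line) can be automated. The following is an added example written for this page, not code from the original post; the log lines are constructed samples in /var/log/secure format and the threshold of 3 failures is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample lines in /var/log/secure (CentOS) format; not real data.
SAMPLE_LOG = """\
Mar 29 04:10:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 41022 ssh2
Mar 29 04:10:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 41030 ssh2
Mar 29 04:10:04 host sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 41034 ssh2
Mar 29 04:10:06 host sshd[1207]: Failed password for root from 203.0.113.7 port 41040 ssh2
Mar 29 04:10:08 host sshd[1209]: Failed password for root from 203.0.113.7 port 41046 ssh2
Mar 29 04:10:09 host sshd[1211]: Accepted password for root from 203.0.113.7 port 41050 ssh2
Mar 29 04:12:00 host sshd[1220]: Accepted publickey for root from 198.51.100.5 port 50000 ssh2
Mar 29 04:15:00 host sshd[1230]: Failed password for root from 192.0.2.9 port 60000 ssh2
"""

# Matches the sshd "Accepted ..." / "Failed ..." lines; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_auth_events(text):
    """Yield one dict per sshd Accepted/Failed line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious_logins(text, threshold=3):
    """Return {ip: (failures_before_success, user)} for every source IP that was
    accepted only after at least `threshold` failed attempts (assumed threshold)."""
    failures = defaultdict(int)
    flagged = {}
    for ev in parse_auth_events(text):
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif failures[ev["ip"]] >= threshold:
            flagged[ev["ip"]] = (failures[ev["ip"]], ev["user"])
    return flagged

if __name__ == "__main__":
    for ip, (n, user) in suspicious_logins(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures, then accepted as {user} (look this IP up in threat intel)")
```

To run it against a real host, read /var/log/secure or /var/log/auth.log into the text argument instead of SAMPLE_LOG; the key-based login from 198.51.100.5 is not flagged because it had no preceding failures.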
Other logs under /var/log/:
/var/log/message: general and system messages
/var/log/secure: login information
/var/log/maillog: mail records
/var/log/utmp, /var/log/wtmp: login records (the last command reads this log)
Linux Intrusion Analysis (II): Analysis of SSH Login Logs