Release: dedicated wait
I checked the server security log, blocked at the firewall the IP addresses responsible for some brute-force ssh password-cracking attacks (one of the IP addresses belongs to a well-known CDN service provider in Beijing), and then deleted all the /var/log/secure* log files.
When I checked the logs again today, I found that /var/log/secure had no records, so I figured that after deleting the log files directly, the corresponding services had to be restarted. After running the command: service syslog restart; service sshd restart, everything is normal.
While I am at it, I will review how ssh logging is set up in syslog.
1. Settings in /etc/ssh/sshd_config (that is, SyslogFacility is set to AUTHPRIV):
[root@mail ~]# more /etc/ssh/sshd_config
#Port 22
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
This defines the sshd log at the authpriv.info level.
2. Combined with the settings in /etc/syslog.conf:
[root@mail ~]# more /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
Restart sshd and syslog
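The routing described in steps 1 and 2 can be checked mechanically. The following is an added example, not part of the original post: it reads the SyslogFacility from sshd_config and evaluates the syslog.conf selectors to show which file receives sshd's records. The function names are hypothetical, the sample input is constructed from the excerpts above, the priority is taken as info as stated in step 1, and only plain priorities, `*` and `none` are handled (not the `=` and `!` modifiers).

```python
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed sample input: the two excerpts shown on this page.
SSHD_CONFIG = """\
#Port 22
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
"""
SYSLOG_CONF = """\
#kern.*    /dev/console
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*    /var/log/secure
"""

def sshd_facility(config_text):
    """Return sshd's syslog facility; first uncommented keyword wins, default AUTH."""
    for line in config_text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0].lower() == "syslogfacility":
            return words[1].lower()
    return "auth"

def destinations(conf_text, facility, priority):
    """List the actions of every rule that selects facility.priority."""
    level = PRIORITIES.index(priority)
    hits = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        selected = False
        for selector in selectors.split(";"):  # evaluated left to right
            facilities, _, prio = selector.rpartition(".")
            if facilities != "*" and facility not in facilities.split(","):
                continue
            if prio == "none":
                selected = False  # "none" excludes this facility from the rule
            elif prio == "*" or level >= PRIORITIES.index(prio):
                selected = True   # a plain priority means "this level or higher"
        if selected:
            hits.append(action.strip().lstrip("-"))
    return hits

if __name__ == "__main__":
    fac = sshd_facility(SSHD_CONFIG)
    print(fac, "->", destinations(SYSLOG_CONF, fac, "info"))
    print("auth ->", destinations(SYSLOG_CONF, "auth", "info"))
```

With the default AUTH facility the same records would land in /var/log/messages, because only authpriv is excluded there by authpriv.none.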