If you find that Linux is remote login by suspicious users, how to solve it?
1, first check the recent system's login situation
Last-10
Indicates the last 10 users logged in information, if found suspicious account, is the password is cracked
[Email protected] ~]# last-10
Root PTS/3 192.168.2.29 Fri Jul 31 10:16-10:17 (00:01)
Root PTS/2 192.168.2.29 Fri Jul 31 10:15-10:17 (00:01)
Root PTS/1 192.168.2.29 Fri Jul 31 10:15-10:17 (00:01)
Root pts/0 192.168.2.20 Fri Jul 10:08 still logged in
Root PTS/2 192.168.2.29 Fri Jul 31 10:06-10:08 (00:02)
Root PTS/1 192.168.2.29 Fri Jul 31 10:06-10:08 (00:02)
Root pts/0 192.168.2.20 Fri Jul 31 09:52-10:08 (00:15)
Root PTS/1 192.168.2.29 Fri Jul 31 09:48-09:53 (00:05)
Root pts/0 192.168.2.20 Thu Jul 30 18:24-09:52 (15:27)
Root tty1:0 Thu Jul 18:24 still logged in
The first is to modify the user's password, after the modification, then the suspicious user kicked down
[Email protected] ~]# passwd
Changing password for user root.
New Password:
Bad Password:it is too simplistic/systematic
Bad Password:is too simple
Retype new Password:
Passwd:all authentication tokens updated successfully.
Because you kick this suspicious user first, his remote tool will be much shorter than your password time to connect your server.
How to deal with suspicious users found under Linux