SSH User logon log
The Linux login logs are kept in the following directory:

    cd /var/log

To view the login log for SSH users:

    less secure
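Reading the file with less is fine for a quick look, but a defender usually wants the sshd lines summarised per source address: how many failures, whether the attempts targeted accounts that do not exist, and whether a success followed a run of failures. The parser below is an added example, not part of the original page; the log lines it runs on are constructed in the style sshd writes to /var/log/secure (Debian-style systems use /var/log/auth.log instead), and the failure threshold is an assumption.

```python
"""Summarise sshd authentication events from /var/log/secure-style lines.

Added example; not part of the original page. The sample lines are
constructed, and the threshold in suspicious_ips() is an assumption."""
import re
from collections import defaultdict

# Constructed sample of /var/log/secure lines (not a real capture).
SAMPLE_SECURE_LOG = """\
Jul 26 17:36:18 host1 sshd[2201]: Accepted publickey for user1 from 192.168.1.50 port 51234 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Jul 26 17:40:02 host1 sshd[2250]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jul 26 17:40:04 host1 sshd[2250]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jul 26 17:40:07 host1 sshd[2252]: Failed password for invalid user admin from 203.0.113.9 port 40003 ssh2
Jul 26 17:40:09 host1 sshd[2253]: Failed password for invalid user oracle from 203.0.113.9 port 40005 ssh2
Jul 26 17:41:30 host1 sshd[2260]: Accepted password for user1 from 192.168.1.50 port 51300 ssh2
Jul 26 17:42:11 host1 sshd[2265]: Failed password for user1 from 192.168.1.50 port 51310 ssh2
Jul 26 17:45:00 host1 sshd[2270]: Accepted password for user2 from 203.0.113.9 port 40100 ssh2
"""

# OpenSSH message shapes: "Accepted <method> for <user> from <ip> port <n> ssh2"
# and "Failed password for [invalid user ]<user> from <ip> port <n> ssh2".
EVENT_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

def parse_events(text):
    """Return one dict per sshd authentication line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        events.append({
            "timestamp": line[:15],          # syslog "Mon DD HH:MM:SS" prefix
            "result": m.group("result"),
            "method": m.group("method"),
            "user": m.group("user"),
            "invalid_user": m.group("invalid") is not None,
            "ip": m.group("ip"),
        })
    return events

def summarize_by_ip(events):
    """Per source IP: failures, accepts, attempts on nonexistent users, user names tried."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": 0,
                                   "invalid_user_attempts": 0, "users": set()})
    for ev in events:
        s = summary[ev["ip"]]
        s["failed" if ev["result"] == "Failed" else "accepted"] += 1
        if ev["invalid_user"]:
            s["invalid_user_attempts"] += 1
        s["users"].add(ev["user"])
    return dict(summary)

def suspicious_ips(summary, max_failures=3):
    """Map IP -> reasons for IPs that deserve a closer look. A single mistyped
    password from a known host stays below the threshold and is not flagged."""
    flagged = {}
    for ip, s in summary.items():
        reasons = []
        if s["failed"] >= max_failures:
            reasons.append("%d failed logins" % s["failed"])
            if s["accepted"]:
                reasons.append("successful login after the failures")
        if s["invalid_user_attempts"]:
            reasons.append("%d attempts on nonexistent users" % s["invalid_user_attempts"])
        if reasons:
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    summary = summarize_by_ip(parse_events(SAMPLE_SECURE_LOG))
    for ip, reasons in suspicious_ips(summary).items():
        print(ip, "-", "; ".join(reasons), "- users tried:", sorted(summary[ip]["users"]))
```

To run it against a live file, replace SAMPLE_SECURE_LOG with the contents of /var/log/secure (root or adm group membership is normally needed to read it). The "success after failures" reason is the one worth acting on first: it is the shape of a password-guessing run that eventually worked.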
1. Introduction to logs
Logs are important for security: they record the many things that happen in the system every day, and you can use them to find the cause of an error or the traces an attacker left behind at the time of an attack. The main functions of logs are auditing and monitoring. They can also be used to monitor system status in real time and to monitor and track intruders.
In a Linux system, there are three main log subsystems:
Connection time logs: maintained by several programs, which write records to files such as /var/log/wtmp and /var/run/utmp; login updates the wtmp and utmp files so that system administrators can track who is logged on to the system.
Process accounting: performed by the system kernel. When a process terminates, a record for that process is written to the process accounting file (pacct or acct). The purpose of process accounting is to provide command usage statistics for basic services in the system.
Error log: performed by syslogd(8). Various system daemons, user programs, and the kernel report noteworthy events to the file /var/log/messages via syslog(3). Many UNIX programs also create their own logs, and servers that provide network services, such as HTTP and FTP, maintain detailed logs. The common log files are as follows:
access-log: records HTTP/web transfers
acct/pacct: records user commands
aculog: records modem activity
btmp: records failed login attempts
lastlog: records the most recent successful login and the last unsuccessful login of each user
messages: records information from syslog (on some systems linked to the syslog file)
sudolog: records commands run with sudo
sulog: records use of the su command
syslog: records information from syslog (usually linked to the messages file)
utmp: records each user currently logged in
wtmp: a permanent record of the login and logout time of each user
xferlog: records FTP sessions
The utmp, wtmp, and lastlog files are the key to most UNIX login accounting: they keep the record of users logging in and out. Information about currently logged-on users is recorded in utmp, login and logout records are kept in wtmp, and the last login of each user can be viewed with the lastlog command. Data exchange, shutdown, and reboot are also recorded in wtmp. Every record carries a timestamp. These files (often lastlog) grow very quickly on systems with many users; wtmp, for example, grows without bound unless it is periodically truncated. Many systems configure wtmp to be rotated daily or weekly, usually by a cron-run script that renames and rotates the wtmp file: at the end of the first day wtmp is renamed wtmp.1, on the second day wtmp.1 becomes wtmp.2, and so on, up to wtmp.7.
Each time a user logs on, the login program looks up the user's UID in the lastlog file. If it is found, the user's last login time, logout time, and host name are written to standard output, and login then records the new login time in lastlog. After the new lastlog record is written, the utmp file is opened and the user's utmp record is inserted. That record stays in place until the user logs out. The utmp file is used by various commands, including who, w, users, and finger.
Next, the login program opens the wtmp file and appends the user's utmp record to it. When the user logs out, the same utmp record, with an updated timestamp, is appended to the file again. The wtmp file is used by the last and ac programs.
2. Specific commands
The wtmp and utmp files are binary, so they cannot be cut or merged with text tools such as cat or tail. Users need who, w, users, last, and ac to make use of the information in these two files.
who: the who command queries the utmp file and reports each user currently logged on. The default output includes user name, terminal, login time, and remote host. For example, typing who (and pressing Enter) displays:

    chyang   pts/0   Aug 18 15:06
    ynguo    pts/2   Aug 18 15:32
    ynguo    pts/3   Aug 18 13:55
    lewis    pts/4   Aug 18 13:35
    ynguo    pts/7   Aug 18 14:12
    ylou     pts/8   Aug 18 14:15

If the wtmp file name is given, who reports all the earlier records instead: the command who /var/log/wtmp lists every login since the wtmp file was created or last truncated.
w: the w command queries the utmp file and displays information about each user currently on the system and the process they are running. For example, typing w displays:

     3:36pm  up 1 day, 22:34,  6 users,  load average: 0.23, 0.29, 0.27
    USER    TTY    FROM              LOGIN@   IDLE    JCPU   PCPU   WHAT
    chyang  pts/0  202.38.68.242     3:06pm   2:04    0.08s  0.04s  -bash
    ynguo   pts/2  202.38.79.47      3:32pm   0.00s   0.14s  0.05s  w
    lewis   pts/3  202.38.64.233     1:55pm   30:39   0.27s  0.22s  -bash
    lewis   pts/4  202.38.64.233     1:35pm   6.00s   4.03s  0.01s  sh /home/users/
    ynguo   pts/7  simba.nic.ustc.e  2:12pm   0.00s   0.47s  0.24s  telnet mail
    ylou    pts/8  202.38.64.235     2:15pm   1:09m   0.10s  0.04s  -bash

users: the users command prints the currently logged-on users on a single line. Each displayed user name corresponds to one login session, so a user with several sessions appears that many times. For example, typing users displays: chyang lewis lewis ylou ynguo ynguo
last: the last command searches back through wtmp and shows who has logged in since the file was created. For example:

    chyang  pts/9  202.38.68.242  Tue Aug 1 08:34 - 11:23  (02:49)
    cfan    pts/6  202.38.64.224  Tue Aug 1 08:33 - 08:48  (00:14)
    chyang  pts/4  202.38.68.242  Tue Aug 1 08:32 - 12:13  (03:40)
    lewis   pts/3  202.38.64.233  Tue Aug 1 08:06 - 11:09  (03:03)
    lewis   pts/2  202.38.64.233  Tue Aug 1 07:56 - 11:09  (03:12)
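Because wtmp is binary, the only way to check what last reports (or to read a copy of wtmp taken from a compromised host on another machine) is to decode the fixed-size records yourself. The parser below is an added example, not part of the original page: it decodes utmp records and pairs each login (USER_PROCESS) with the next logout (DEAD_PROCESS) on the same terminal line, which is how the last output above is produced. It assumes the glibc struct utmp layout on x86_64 Linux (384-byte records with a 32-bit tv_sec); the sample records are constructed with that same layout, not read from a real file.

```python
"""Decode wtmp/utmp records and rebuild last(1)-style sessions.

Added example, not part of the original page. Assumes the glibc struct utmp
layout on x86_64 Linux; the sample records below are constructed."""
import struct
from datetime import datetime, timezone

# glibc bits/utmp.h on x86_64: ut_type (int16) + 2 pad, ut_pid (int32), ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit (2 x int16), ut_session (int32),
# ut_tv (int32 tv_sec, int32 tv_usec), ut_addr_v6[4] (int32), 20 reserved bytes = 384.
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384 on this layout
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

def _cstr(raw):
    """Decode a NUL-padded fixed-size char field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_utmp(data):
    """Return one dict per complete fixed-size record in a wtmp/utmp byte string."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FORMAT, data, off)
        records.append({
            "type": f[0], "pid": f[1],
            "line": _cstr(f[2]), "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": f[9],            # ut_tv.tv_sec
        })
    return records

def sessions(records):
    """Pair each USER_PROCESS record with the next DEAD_PROCESS on the same line.
    Returns (user, line, host, login_time, logout_time); logout_time is None
    for sessions that have no logout record yet (still logged in)."""
    open_by_line = {}
    out = []
    for r in records:                     # wtmp is appended in time order
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            out.append((login["user"], login["line"], login["host"], login["time"], r["time"]))
    for login in open_by_line.values():
        out.append((login["user"], login["line"], login["host"], login["time"], None))
    return out

def format_session(s):
    """Render one session roughly the way last(1) prints it."""
    user, line, host, t0, t1 = s
    start = datetime.fromtimestamp(t0, timezone.utc).strftime("%a %b %d %H:%M")
    if t1 is None:
        return "%-8s %-6s %-16s %s   still logged in" % (user, line, host, start)
    mins = (t1 - t0) // 60
    end = datetime.fromtimestamp(t1, timezone.utc).strftime("%H:%M")
    return "%-8s %-6s %-16s %s - %s  (%02d:%02d)" % (user, line, host, start, end,
                                                   mins // 60, mins % 60)

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one constructed 384-byte record (only used to create sample data)."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

# Constructed sample wtmp: two logins, one of which has logged out 2h49m later.
T0 = 965_000_000   # arbitrary epoch base for the sample
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1201, "pts/9", "chyang", "202.38.68.242", T0),
    make_record(USER_PROCESS, 1202, "pts/6", "cfan", "202.38.64.224", T0 + 60),
    make_record(DEAD_PROCESS, 1201, "pts/9", "", "", T0 + 10_140),
])

if __name__ == "__main__":
    for s in sessions(parse_utmp(SAMPLE_WTMP)):
        print(format_session(s))
```

On a live system, feed it open("/var/log/wtmp", "rb").read() instead of SAMPLE_WTMP; rotated copies (wtmp.1 and so on) parse the same way. On a 32-bit or non-glibc system the record size differs, so check that len(data) is a multiple of UTMP_SIZE before trusting the output.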
SSH operation log
Adding automatic logging to the ssh program:
1. First create the folder that will store the logs and open its read and write permissions:

    $ mkdir ~/ssh_logs/
    # mode 777 makes the directory writable by every local user, so any of them can alter these logs
    $ sudo chmod -R 777 ~/ssh_logs/
2. Rename the original ssh program, then create a wrapper script in its place that calls the original ssh program but adds the tee command mentioned above:

    $ sudo mv /usr/bin/ssh /usr/bin/ssh_ori
    $ sudo vi /usr/bin/ssh

The contents of the new ssh file are as follows:

    #!/bin/sh
    # Make sure the per-user log directory exists
    mkdir -p ~/ssh_logs
    # Extract the first IPv4 address from the arguments (host names are not supported)
    ip=$(echo "$@" | grep -oP '(?:(?:25[0-5]|2[0-4]\d|[01]?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d?\d)')
    # Log file name: <ip>_<YYYYMMDD>_<HH:MM:SS>
    logname=${ip}_$(date +"%Y%m%d_%T")
    # Run the original ssh and copy everything it prints into the log file
    /usr/bin/ssh_ori "$@" | tee -a ~/ssh_logs/${logname}.log

The script first uses a regular expression to extract the access IP from the arguments, then builds the log file name from that IP and the current timestamp, and finally invokes the original ssh program with its output piped through tee.
3. Add execute permission:

    $ sudo chmod a+x /usr/bin/ssh

From then on, every ssh login to a host writes the session's operations and output to the corresponding log file. The log file name has the format "<access IP>_<8-digit date>_<time>.log". For example, each time you run ssh 192.168.1.100 -l user1 or ssh user1@192.168.1.100 (host names are not supported), a new log file is generated from the current time and the access IP, such as "192.168.1.100_20130726_17:36:18.log".