In a Linux system, there are three main types of log subsystems:
1. Connection-time logging: performed by several programs, which write records to /var/log/wtmp and /var/run/utmp; login and similar programs update the wtmp and utmp files so that system administrators can track who is logged on to the system.
2. Process accounting: performed by the kernel, which writes a record for each process to the process accounting file (pacct or acct) when the process terminates. Its purpose is to provide command usage statistics for the basic services on the system.
3. Error logging: performed by the syslogd daemon; the various system daemons, user programs and the kernel report via the syslog(3) interface to syslogd, which writes to the file /var/log/messages. Network services such as HTTP and FTP servers also keep their own detailed logs.
Using logs under Linux
1. Basic log commands
The utmp and wtmp log files record user logins and logouts. Information about the users currently logged on is kept in utmp; the history of logins and logouts is kept in wtmp. Both are binary files read by commands such as who, w, users and finger; they cannot be viewed with text tools such as cat or tail. To use the information they contain, run who, w, users, last and ac. The specific usage is as follows:
who command: who queries the utmp file and reports every user who is currently logged on. Its default output includes the user name, terminal, login time and remote host. With this command the system administrator can audit the current system for unauthorized users and deal with them.
For example, running who gives:
# who
root     pts/0        May  9 21:11 (10.0.2.128)
The command who /var/log/wtmp reports every login since the wtmp file was created or truncated.
users prints the currently logged-on users on a single line; each user name shown corresponds to one login session.
# users
root root    // two login sessions, both as root
The last command searches wtmp and shows the users who have logged in since the file was created, so that unauthorized users can be found and dealt with.
# last
devin    pts/1        10.0.2.221       Mon Jul 15:08 - down     (8+17:46)
devin    pts/1        10.0.2.221       Mon Jul 21 14:42 - 14:53 (00:11)
changyi  pts/2        10.0.2.141       Mon Jul 21 14:12 - 14:12 (00:00)
devin    pts/1        10.0.2.221       Mon Jul 21 12:51 - 14:40 (01:49)
reboot   system boot  2.4.18           Fri Jul 18 15:42         (11+17:13)
You can also show the login history of a single user by naming that user. For example, last devin shows devin's login history:
# last devin
devin    pts/1        10.0.2.221       Mon Jul 15:08 - down     (8+17:46)
devin    pts/1        10.0.2.221       Mon Jul 21 14:42 - 14:53 (00:11)
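As an added example (not code from the original article), the following Python script parses the column layout that last prints and does the review step the text describes: it counts sessions per user and flags logins whose source address lies outside an allowlisted network. The sample output is constructed to match the layout above, and the 10.0.2.0/24 allowlist is an assumption chosen to match the addresses in the article.

```python
import ipaddress
import re

# Constructed sample of `last` output in the usual column layout
# (not captured from the host in the article).
SAMPLE_LAST = """\
devin    pts/1        10.0.2.221       Mon Jul 21 14:42 - 14:53  (00:11)
changyi  pts/2        10.0.2.141       Mon Jul 21 14:12 - 14:12  (00:00)
devin    pts/1        10.0.2.221       Mon Jul 21 12:51 - 14:40  (01:49)
guest    pts/3        203.0.113.9      Mon Jul 21 03:05 - 03:07  (00:02)
reboot   system boot  2.4.18           Fri Jul 18 15:42          (11+17:13)

wtmp begins Fri Jul 18 15:42:01 2003
"""

# user, tty (or the pseudo-entry "system boot"), origin host, session start
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>system boot|\S+)\s+(?P<host>\S+)\s+"
    r"(?P<start>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2})"
)


def parse_last(text):
    """Return one dict per interactive session. Reboot records and the
    trailing 'wtmp begins' line do not describe a user login and are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("user") == "reboot":
            continue
        sessions.append(m.groupdict())
    return sessions


def sessions_per_user(sessions):
    """How many login sessions each user has in the wtmp history."""
    counts = {}
    for s in sessions:
        counts[s["user"]] = counts.get(s["user"], 0) + 1
    return counts


def logins_outside(sessions, allowed_networks):
    """Sessions whose origin is not inside any allowed network (CIDR strings).
    Origins that are not IP literals (e.g. a hostname) are reported as well,
    because they cannot be checked against the allowlist."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for s in sessions:
        try:
            addr = ipaddress.ip_address(s["host"])
        except ValueError:
            flagged.append((s["user"], s["host"], s["start"]))
            continue
        if not any(addr in net for net in nets):
            flagged.append((s["user"], s["host"], s["start"]))
    return flagged


if __name__ == "__main__":
    # Assumed allowlist: the management subnet used in the article's examples.
    sess = parse_last(SAMPLE_LAST)
    print(sessions_per_user(sess))
    for user, host, start in logins_outside(sess, ["10.0.2.0/24"]):
        print(f"review: {user} logged in from {host} at {start}")
```

On a real host, feed the script the output of last (for example the text from subprocess.run(["last"], capture_output=True, text=True).stdout) instead of the constructed sample.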
The ac command reports users' connection time based on the login and logout records in /var/log/wtmp.
The lastlog command reports the last login time of each user by formatting the contents of /var/log/lastlog. It shows the login name, the port (tty) and the time of the last login, sorted by UID. The command must be run as root. For example:
# lastlog
Username         Port     From             Latest
root             pts/1    10.0.2.129       Tue May 10 10:13:26 +0800 2005
opal             pts/1    10.0.2.129       Tue May 10 10:13:26 +0800 2005
/var/log/dmesg
Lets you quickly view the kernel messages from the most recent system boot.
/var/log/xferlog
This log file records FTP sessions and shows which files a user copied to the FTP server or from it. It can reveal malicious programs a user uploaded to the server in order to compromise it, and which files the user copied out for his own use.
The file format is as follows (one record per line, fields separated by spaces):
1. date and time of the transfer
2. number of seconds the transfer took
3. remote host name
4. file size in bytes
5. local path name
6. transfer type (a: ASCII, b: binary)
7. special-action flag: compression or tar, or "_" if none
8. transfer direction relative to the server (i: incoming, o: outgoing)
9. access mode (a: anonymous, g: guest, i.e. logged in with a password, r: real user)
10. user name
11. service name (usually ftp)
12. authentication method (1: RFC 931, 0: none)
13. authenticated user ID, or "*"
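As an added example (not code from the original article), here is a Python parser for xferlog records in the field order just described, with two checks an administrator would want from this log: the list of files uploaded by anonymous sessions, and the number of bytes each user downloaded. The sample lines are constructed; the trailing completion-status field (c/i) is carried along because most FTP servers append it, but the parser does not require it.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed xferlog lines (not taken from a real server).
SAMPLE_XFERLOG = """\
Mon Jul 21 14:30:12 2003 3 10.0.2.221 10240 /pub/readme.txt a _ o r devin ftp 0 * c
Mon Jul 21 14:35:40 2003 12 203.0.113.9 524288 /incoming/tool.bin b _ i a guest@example.com ftp 0 * c
Mon Jul 21 15:02:01 2003 1 10.0.2.141 2048 /pub/notes.txt a _ o g changyi ftp 1 changyi c
"""


@dataclass
class Transfer:
    when: datetime
    seconds: int          # time the transfer took
    remote_host: str
    size: int             # bytes transferred
    path: str             # local path name on the server
    transfer_type: str    # 'a' ASCII, 'b' binary
    special: str          # 'C' compressed, 'U' uncompressed, 'T' tar, '_' none
    direction: str        # 'i' incoming (client -> server), 'o' outgoing
    access_mode: str      # 'a' anonymous, 'g' guest (password), 'r' real user
    username: str
    service: str          # normally "ftp"
    auth_method: str      # '1' RFC 931 ident, '0' none
    auth_user: str        # authenticated user ID, or '*'
    status: str           # 'c' complete / 'i' incomplete; '?' if the server omits it


def parse_xferlog_line(line):
    """Split one record into its fields; the first five tokens form the date."""
    f = line.split()
    if len(f) < 17:
        raise ValueError(f"xferlog line has {len(f)} fields, expected at least 17: {line!r}")
    when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
    return Transfer(when, int(f[5]), f[6], int(f[7]), f[8], f[9], f[10], f[11],
                    f[12], f[13], f[14], f[15], f[16],
                    f[17] if len(f) > 17 else "?")


def parse_xferlog(text):
    return [parse_xferlog_line(l) for l in text.splitlines() if l.strip()]


def anonymous_uploads(transfers):
    """Files written to the server by anonymous sessions: the usual way
    unwanted material lands on an FTP server, so worth a regular look."""
    return [t for t in transfers if t.direction == "i" and t.access_mode == "a"]


def bytes_downloaded_by_user(transfers):
    """Total outgoing bytes per user name; a sudden jump hints at bulk copying."""
    totals = {}
    for t in transfers:
        if t.direction == "o":
            totals[t.username] = totals.get(t.username, 0) + t.size
    return totals


if __name__ == "__main__":
    ts = parse_xferlog(SAMPLE_XFERLOG)
    for t in anonymous_uploads(ts):
        print(f"anonymous upload from {t.remote_host}: {t.path} ({t.size} bytes)")
    print(bytes_downloaded_by_user(ts))
```

Replace SAMPLE_XFERLOG with the contents of /var/log/xferlog to run it against a real server; records whose path contains spaces would need a server-specific split, which this parser does not attempt.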
/var/log/syslog
This log file is not generated by default, but you can configure /etc/syslog.conf so that the system produces it. It differs from /var/log/messages in that it records only warning-level messages, which are usually reports of system problems, so it deserves attention. To have the system generate it, add the line *.warning /var/log/syslog to /etc/syslog.conf. The file then records events such as wrong passwords at login, sendmail problems and failed su commands.
/var/log/maillog
This log file records every email sent to or from the system. It can be used to see which tool a user employed to send mail and where data was sent.
/var/log/cron
This log file records the actions of the child processes spawned by the cron daemon crond; each entry gives the user, the time, the PID and the action of the spawned process. The most common action is CMD, logged when cron spawns a scheduled job. The REPLACE action records a user updating his crontab file, which lists the tasks to be run periodically.
/var/log/boot.log
This file records the events of the boot process, that is, the messages displayed on screen while the Linux system starts up.
/var/log/secure
Records account-security events on the system, for example whether an unknown IP address has attempted to log in as root.
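As an added example (not code from the original article), the following Python script reads sshd entries in the /var/log/secure format and answers the question raised above: which addresses are failing to log in as root, and whether any successful root login came from outside the expected network. The log lines are constructed, and the 10.0.2.0/24 allowlist is an assumption chosen to match the addresses used in the article.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd lines in /var/log/secure style (not from a real host).
SAMPLE_SECURE = """\
Jul 21 03:05:11 host sshd[2345]: Failed password for root from 203.0.113.9 port 52211 ssh2
Jul 21 03:05:14 host sshd[2345]: Failed password for root from 203.0.113.9 port 52213 ssh2
Jul 21 03:05:20 host sshd[2350]: Failed password for invalid user admin from 203.0.113.9 port 52220 ssh2
Jul 21 03:06:02 host sshd[2360]: Accepted password for root from 10.0.2.128 port 40010 ssh2
Jul 21 03:07:30 host sshd[2370]: Failed password for root from 198.51.100.7 port 41000 ssh2
Jul 21 03:08:00 host sshd[2380]: Accepted publickey for root from 203.0.113.9 port 52300 ssh2
"""

# result (Failed/Accepted), auth method, user name and source address of each attempt
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_events(text):
    """One dict per sshd authentication line; other lines are ignored."""
    return [m.groupdict() for m in (AUTH_RE.search(l) for l in text.splitlines()) if m]


def failed_root_by_ip(events):
    """Failed root attempts per source address; repeated failures from one
    address are the pattern the article warns about."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed" and e["user"] == "root")


def root_logins_outside(events, allowed_networks):
    """Successful root logins whose source lies outside the allowed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    out = []
    for e in events:
        if e["result"] != "Accepted" or e["user"] != "root":
            continue
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in n for n in nets):
            out.append((e["ip"], e["method"]))
    return out


if __name__ == "__main__":
    # Assumed allowlist: the management subnet used in the article's examples.
    ev = parse_auth_events(SAMPLE_SECURE)
    for ip, n in failed_root_by_ip(ev).most_common():
        print(f"{n} failed root logins from {ip}")
    for ip, method in root_logins_outside(ev, ["10.0.2.0/24"]):
        print(f"root login accepted from {ip} via {method}: outside allowlist")
```

Run it over /var/log/secure (read as root); an address with many failed root attempts is the natural input for the blocking rules in the last section of this article.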
Forcing a logged-in user off a Linux system
The root user of a Linux system can forcibly log off other logged-in users.
1. Use the w command to see who is logged in
# w
 16:15:11 up 210 days, 12:17,  2 users,  load average: 0.13, 0.15, 0.10
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
liu      pts/1    ipaddress         16:14    0.00s  0.04s  0.03s sshd: liu [priv]
fmd001_c pts/2    ipaddress         16:13   52.00s  0.03s  0.02s sshd: fmd001_cleaning [priv]
2. Kick off the specified user
# pkill -KILL -t TTY    // -t specifies the terminal of the user to kick off; for example, to kick off user liu: pkill -KILL -t pts/1
Only root can kick someone off, and if two people are logged in as root, either of them can kick off the other.
3. Block the IP address
# iptables -I INPUT -s 123.45.6.7 -j DROP        // block a single IP
# iptables -I INPUT -s 123.0.0.0/8 -j DROP       // block the range 123.0.0.1-123.255.255.254
# iptables -I INPUT -s 123.45.0.0/16 -j DROP     // block the range 123.45.0.1-123.45.255.254
# iptables -I INPUT -s 123.45.6.0/24 -j DROP     // block the range 123.45.6.1-123.45.6.254
This article is from the "Start from the Heart" blog, please be sure to keep this source http://hao360.blog.51cto.com/5820068/1630686
Use the log system to protect Linux security and force the user to be kicked out of the login