Use the log system to protect the security of your Linux System (1)

Source: Internet
Author: User

The log subsystem in Linux is very important for system security. It records the events that occur on the system every day, including which users have used or are using the system, and the logs can be used to find the cause of an error. More importantly, after the system has been attacked, the logs record the traces left by the attacker, so the system administrator can identify the methods and characteristics of the attack, deal with it, and prepare for the next one.
In Linux, there are three main log subsystems:
◆ Connection time log: written to /var/log/wtmp and /var/run/utmp by login and several other programs. Because wtmp and utmp are updated on every login, the system administrator can track who is logged on to the system at any time.
◆ Process statistics: performed by the system kernel. When a process terminates, a record for it is written to the process accounting file, pacct or acct. Process accounting provides command usage statistics for the basic services of the system.
◆ Error log: performed by the syslogd(8) daemon. System daemons, user programs and the kernel report noteworthy events through syslog(3) to syslogd, which writes them to the file /var/log/messages. In addition, many Unix programs create their own logs; servers that provide network services such as HTTP and FTP also maintain detailed logs.
Use of logs in Linux
1. Use of basic log commands
The utmp and wtmp log files are the key to most of the Linux log subsystem: they store records of user logins and logouts. Information about the currently logged-on users is kept in utmp; login and logout records are kept in wtmp, which also records system shutdowns and reboots. All records carry a timestamp. Timestamps are very important for logs, because many analyses of attack behaviour depend closely on time. On systems with many users these files grow quickly; wtmp in particular grows without limit unless it is truncated regularly. Many systems therefore rotate wtmp daily or weekly, usually from scripts run by cron, which rename the old wtmp file and start a new one.
The utmp file is read by commands such as who, w, users and finger; the wtmp file is read by last and ac. Both are binary files, so they cannot be read with cat, nor cut or combined with tail. The information in the two files is accessed through who, w, users, last and ac, which are used as follows:
who command: who queries the utmp file and reports each user currently logged on. Its default output includes the user name, terminal, login time and remote host. With this command the system administrator can see which unauthorized users are present on the system, audit them and deal with them. For example, running who displays the following:

[root@working]# who
root     pts/0    May 9 21:11 (10.0.2.128)
root     pts/1    May 9 21:16 (10.0.2.129)
lhwen    pts/7    May 9 22:03 (10.0.2.27)
If the wtmp file name is given, who reports all previous records. For example, who /var/log/wtmp reports every login since the wtmp file was created or truncated.
Log usage considerations
System administrators should be vigilant, watch for suspicious situations at all times, and check the various system log files regularly and at random, including general message logs, network connection logs, file transfer logs and user login logs. When checking these logs, look for entries whose timing or content is unreasonable. For example:
◆ Users logging on at unusual times;
◆ Abnormal log records, such as incomplete logs, or log files such as wtmp that have gone missing for no reason;
◆ A login to the system from an IP address different from the user's previous ones;
◆ Records of failed user logins, especially repeated consecutive failures;
◆ Unauthorized or improper use of su or of superuser privileges;
◆ Records of network services being restarted for no reason or for an illegitimate reason.
In addition, administrators are particularly reminded that logs are not completely reliable: a skilled intruder often cleans up after breaking into a system. The commands above must therefore be used together for review and detection, and no single entry should be taken out of context; otherwise an intrusion may go undetected or be misjudged.
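Because wtmp and utmp are binary, a record-level view of them helps when applying the checks above. The following Python script is an added example, not part of the original article: it decodes wtmp records using the glibc struct utmp layout for x86_64 Linux (384 bytes per record, an assumption about the platform) and flags odd-hour logins and logins from a host not previously seen for that user; the sample records are constructed inline rather than read from a real /var/log/wtmp.

```python
import struct
from datetime import datetime, timezone

# glibc 'struct utmp' layout on x86_64 Linux: 384 bytes per record (assumed platform)
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS, BOOT_TIME = 7, 2          # ut_type values used here
UTC = timezone.utc

_s = lambda raw: raw.rstrip(b"\0").decode(errors="replace")   # NUL-padded field -> str

def parse_wtmp(data):
    """Decode raw wtmp/utmp bytes into a list of record dicts."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": f[0], "pid": f[1], "line": _s(f[2]), "user": _s(f[4]),
                        "host": _s(f[5]), "time": datetime.fromtimestamp(f[9], tz=UTC)})
    return records

def audit_logins(records, work_hours=(7, 20)):
    """Flag logins outside working hours and users arriving from a host not seen before."""
    findings, seen_hosts = [], {}
    for r in records:
        if r["type"] != USER_PROCESS:
            continue                          # skip boot records, logouts, etc.
        if not (work_hours[0] <= r["time"].hour < work_hours[1]):
            findings.append(("odd-hour login", r["user"], r["host"], r["time"]))
        prior = seen_hosts.setdefault(r["user"], set())
        if prior and r["host"] not in prior:
            findings.append(("new source host", r["user"], r["host"], r["time"]))
        prior.add(r["host"])
    return findings

def make_record(utype, user, line, host, when, pid=1000):
    """Build one constructed wtmp record (test data, not captured from a real host)."""
    return struct.pack(UTMP_FMT, utype, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, int(when.timestamp()), 0, 0, 0, 0, 0)

# Constructed sample: a boot record, two daytime logins, then devin at 03:10 from a new host.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, "reboot", "~", "2.4.18", datetime(2005, 5, 9, 8, 0, tzinfo=UTC), pid=0),
    make_record(USER_PROCESS, "devin", "pts/1", "10.0.2.221", datetime(2005, 5, 9, 14, 42, tzinfo=UTC)),
    make_record(USER_PROCESS, "changyi", "pts/2", "10.0.2.141", datetime(2005, 5, 9, 14, 12, tzinfo=UTC)),
    make_record(USER_PROCESS, "devin", "pts/1", "10.0.2.99", datetime(2005, 5, 10, 3, 10, tzinfo=UTC)),
])

if __name__ == "__main__":
    for finding in audit_logins(parse_wtmp(SAMPLE_WTMP)):
        print(*finding)
```

On a real host, replace SAMPLE_WTMP with the bytes of /var/log/wtmp (read as root) and adjust work_hours to the site's own pattern; times are shown in UTC here, so convert before comparing with local shift hours.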
users command: users prints the currently logged-on users on a single line. Each user name shown corresponds to one login session, so a user with several sessions appears the same number of times. Run the following command:
[root@working]# users
root          // only one user, with root permission, is logged on
last command: last searches backwards through wtmp and displays the users who have logged on since the file was created. The system administrator can periodically audit the login status of these users to discover problems and to identify and deal with unauthorized users. Run the following command:
[root@working]# last
devin    pts/1        10.0.2.221   Mon Jul 21 15:08 - down    (8+17:46)
devin    pts/1        10.0.2.221   Mon Jul 21 14:42 - 14:53   (00:11)
changyi  pts/2        10.0.2.141   Mon Jul 21 14:12 - 14:12   (00:00)
devin    pts/1        10.0.2.221   Mon Jul 21 12:51 - 14:40   (01:49)
reboot   system boot  2.4.18       Fri Jul 18 15:42           (11+17:13)
reboot   system boot  2.4.18       Fri Jul 18 15:34           (00:04)
reboot   system boot  2.4.18       Fri Jul 18 15:02           (00:36)
As you can see, the command shows a lot of information and is not very selective. You can therefore specify a user to display only that user's login information. For example, last devin displays the login history of devin:
[root@working]# last devin
devin    pts/1        10.0.2.221   Mon Jul 21 15:08 - down    (8+17:46)
devin    pts/1        10.0.2.221   Mon Jul 21 14:42 - 14:53   (00:11)
ac command: ac reports users' connection time, based on the login and logout times in /var/log/wtmp. With no options it reports the total time. Options can also be given; for example, last -t 7 displays the report for the previous week.
lastlog command: the lastlog file is updated every time a user logs on. The lastlog command formats and displays the contents of /var/log/lastlog, so it can be used to check the last login time of a particular user. It shows the login name, the terminal (tty) and the last login time, sorted by UID. If a user has never logged on, lastlog displays "**Never logged in**". Note that this command must be run as root. Run the following command:
[root@working]# lastlog
Username   Port   From          Latest
root       pts/1  10.0.2.129    May  9 10:13:26 +0800 2005
opal       pts/1  10.0.2.129    May  9 10:13:26 +0800 2005