Check the /var/log/wtmp file on Linux for suspicious IP logins
last -f /var/log/wtmp
This log file permanently records the login and logout of each user and the system startup and shutdown events. Therefore, as system uptime increases, the file keeps growing; the rate of growth depends on how many user logins the system sees. This log file can be used to view user login records.
The last command obtains this information by reading this file and displays the user login records in reverse chronological order, from the most recent to the oldest. last can also filter the records by user, terminal (tty) or time.
Check the /var/log/secure file to find the number of logins from suspicious IPs
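As an added example (not part of the original article), the following shell functions count failed and accepted sshd logins per source IP from /var/log/secure-style lines, and list addresses that failed repeatedly and then succeeded, which is the pattern worth reviewing first. The host name, IP addresses and log lines in SAMPLE_SECURE_LOG are constructed sample data, and the function names are mine.

```shell
#!/bin/sh
# Added example: count sshd login outcomes per source IP from /var/log/secure lines.
# SAMPLE_SECURE_LOG is constructed sample data (placeholder host and IPs), used so the
# script runs offline; on a real host read /var/log/secure instead.

SAMPLE_SECURE_LOG='Oct 24 12:50:01 zsc6 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Oct 24 12:50:03 zsc6 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Oct 24 12:50:05 zsc6 sshd[2104]: Failed password for root from 198.51.100.23 port 41030 ssh2
Oct 24 12:53:08 zsc6 sshd[2110]: Accepted password for root from 10.1.80.47 port 50122 ssh2
Oct 24 12:55:10 zsc6 sshd[2120]: Failed password for root from 203.0.113.9 port 3344 ssh2
Oct 24 12:55:12 zsc6 sshd[2121]: Accepted publickey for root from 203.0.113.9 port 3345 ssh2'

# extract_source_ip: print the word following "from" on each line (the client address)
extract_source_ip() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }'
}

# count_failed_by_ip: read a secure log on stdin, print "<count> <ip>" for every
# source IP with failed password attempts, most frequent first.
count_failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' | extract_source_ip |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# count_accepted_by_ip: the same for successful logins (password or public key).
count_accepted_by_ip() {
    grep 'sshd\[[0-9]*\]: Accepted ' | extract_source_ip |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# failed_then_accepted [threshold]: IPs with at least <threshold> failed attempts
# (default 1) that also have an accepted login in the same log.
failed_then_accepted() {
    threshold=${1:-1}
    log=$(cat)
    failed=$(printf '%s\n' "$log" | count_failed_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }')
    accepted=$(printf '%s\n' "$log" | count_accepted_by_ip | awk '{ print $2 }')
    for ip in $failed; do
        for ok in $accepted; do
            if [ "$ip" = "$ok" ]; then echo "$ip"; fi
        done
    done
}

# Usage on the constructed sample; on a real host: count_failed_by_ip < /var/log/secure
echo "Failed attempts by IP:"
printf '%s\n' "$SAMPLE_SECURE_LOG" | count_failed_by_ip
echo "Accepted logins by IP:"
printf '%s\n' "$SAMPLE_SECURE_LOG" | count_accepted_by_ip
echo "Failed then accepted:"
printf '%s\n' "$SAMPLE_SECURE_LOG" | failed_then_accepted
```

The counts only cover sshd lines; su, sudo and PAM messages in the same file use different wording and need their own patterns. A successful login from an address that was failing moments earlier should be cross-checked against the `last` output from /var/log/wtmp and the recorded session history described further down.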
On a Linux system, whether logged in as root or as another user, we can view the command history with the history command after logging in. However, if several people log in to one server and one day someone's mistaken operation deletes important data, viewing the history (command: history) is of no use, because history only covers the commands executed under the logged-in user; even the root user cannot obtain the history of other users. Is there a way to record the operation history together with the login IP address and user name? Answer: yes.
This can be achieved by adding the following code to /etc/profile:
# Prompt shows user@host:[current directory]
PS1="`whoami`@`hostname`:"'[$PWD]'
history
# Source IP of the login session; falls back to the hostname for local/console logins
USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]
then
    USER_IP=`hostname`
fi
# Shared base directory and one directory per user (mode 300: writable and searchable, not listable)
if [ ! -d /tmp/dbasky ]
then
    mkdir /tmp/dbasky
    chmod 777 /tmp/dbasky
fi
if [ ! -d /tmp/dbasky/${LOGNAME} ]
then
    mkdir /tmp/dbasky/${LOGNAME}
    chmod 300 /tmp/dbasky/${LOGNAME}
fi
export HISTSIZE=4096
# One history file per login session, named "<ip> dbasky.<timestamp>"
DT=`date "+%Y-%m-%d_%H:%M:%S"`
export HISTFILE="/tmp/dbasky/${LOGNAME}/${USER_IP} dbasky.$DT"
chmod 600 /tmp/dbasky/${LOGNAME}/*dbasky* 2>/dev/null
source /etc/profile    # run this so the script takes effect
Exit the user and log in again
The above script creates a dbasky directory under /tmp to record every user and IP address that has logged in to the system (one file per login, named after the IP address). Each time a user logs in, a corresponding file is created that saves the command history of that login session, which can be used to monitor system security.
root@zsc6:[/tmp/dbasky/root]ls
10.1.80.47 dbasky.2013-10-24_12:53:08
root@zsc6:[/tmp/dbasky/root]cat 10.1.80.47 dbasky.2013-10-24_12:53:08
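To review what the script above collects, here is an added shell example (not part of the original article) that walks the /tmp/dbasky tree, prints one line per recorded session with the user, source IP, timestamp and number of commands, and lists sessions from addresses outside an allowlist. It assumes the layout the snippet creates, /tmp/dbasky/<user>/"<ip> dbasky.<timestamp>"; the function names are mine, and build_sample_tree writes constructed sample files with placeholder IPs so the example runs offline.

```shell
#!/bin/sh
# Added example: summarise the per-session history files written under /tmp/dbasky.
# Assumed layout (from the /etc/profile snippet): <base>/<user>/"<ip> dbasky.<timestamp>"

# summarize_sessions <base>: one line per session, "<user> <ip> <timestamp> <commands>",
# oldest session first.
summarize_sessions() {
    base=$1
    for userdir in "$base"/*/; do
        [ -d "$userdir" ] || continue
        user=$(basename "$userdir")
        # the file name contains a space, so keep the literal " dbasky." part quoted
        for f in "$userdir"*" dbasky."*; do
            [ -f "$f" ] || continue
            name=$(basename "$f")
            ip=${name%% dbasky.*}      # everything before " dbasky."
            ts=${name##* dbasky.}      # everything after  " dbasky."
            n=$(wc -l < "$f" | tr -d ' ')
            echo "$user $ip $ts $n"
        done
    done | sort -k3
}

# sessions_from_unknown_ips <base> <allowed ip>...: sessions whose source IP is not
# in the allowlist (administrator workstations, jump hosts, and so on).
sessions_from_unknown_ips() {
    base=$1
    shift
    summarize_sessions "$base" | while read -r user ip ts n; do
        known=0
        for a in "$@"; do
            if [ "$ip" = "$a" ]; then known=1; fi
        done
        if [ "$known" -eq 0 ]; then echo "$user $ip $ts $n"; fi
    done
}

# build_sample_tree <base>: constructed sample data (placeholder IPs and commands)
build_sample_tree() {
    base=$1
    mkdir -p "$base/root" "$base/oracle"
    printf 'cd /var/log\nls -la\ntail secure\n' > "$base/root/10.1.80.47 dbasky.2013-10-24_12:53:08"
    printf 'whoami\nuname -a\n' > "$base/root/203.0.113.9 dbasky.2013-10-24_12:55:12"
    printf 'sqlplus / as sysdba\n' > "$base/oracle/10.1.80.47 dbasky.2013-10-24_13:02:40"
}

# Usage on the constructed tree; on a real host: summarize_sessions /tmp/dbasky
tmp=$(mktemp -d)
build_sample_tree "$tmp"
echo "All recorded sessions:"
summarize_sessions "$tmp"
echo "Sessions from IPs outside the allowlist:"
sessions_from_unknown_ips "$tmp" 10.1.80.47
rm -rf "$tmp"
```

The command count is taken from the session file itself, so the session from 203.0.113.9 above shows two commands. Since bash writes HISTFILE at shell exit and the files live in a directory the user owns, treat this record as a convenience for day-to-day review rather than a tamper-proof audit trail; where that is required, pair it with auditd or a remote syslog copy of /var/log/secure.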
The above is the detailed content of "Detailed explanation of CentOS anti-intrusion through logs" on the PHP Chinese website.