Detailed explanation of CentOS anti-intrusion through logs

1 View the log file

Check the /var/log/wtmp file on Linux to check the suspicious IP login

last -f /var/log/wtmp

This log file permanently records the login and logout of each user and the system startup and shutdown events. Therefore, as the system uptime increases, the size of the file will become larger and larger,

The speed of increase depends on the number of system user logins. This log file can be used to view user login records,

The

last command obtains this information by accessing this file and displays the user's login records in reverse order from back to front. Last can also display corresponding records based on the user, terminal tty or time.

Check the /var/log/secure file to find the number of suspicious IP logins

2 Script produces the operation history of all logged in users

In the environment of the Linux system, whether it is the root user or other users, we can view the history through the command history after logging in to the system. However, if multiple people log in to a server, one day because someone mistakenly The operation deleted important data. At this time, it is meaningless to view the history (command: history) (because history is only valid for execution under the logged-in user, and even the root user cannot obtain the history of other users). Is there any way to record the history of operations performed by recording the IP address and user name after login? Answer: Yes.

This can be achieved by adding the following code to /etc/profile:

PS1="`whoami`@`hostname`:"'[$PWD]'
history
USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]
then
USER_IP=`hostname`
fi
if [ ! -d /tmp/dbasky ]
then
mkdir /tmp/dbasky
chmod 777 /tmp/dbasky
fi
if [ ! -d /tmp/dbasky/${LOGNAME} ]
then
mkdir /tmp/dbasky/${LOGNAME}
chmod 300 /tmp/dbasky/${LOGNAME}
fi
export HISTSIZE=4096
DT=`date "+%Y-%m-%d_%H:%M:%S"`
export HISTFILE="/tmp/dbasky/${LOGNAME}/${USER_IP} dbasky.$DT"
chmod 600 /tmp/dbasky/${LOGNAME}/*dbasky* 2>/dev/null

source /etc/profile 使用脚本生效

Exit the user and log in again

The above script creates a dbasky directory in the system's /tmp to record all users and IP addresses (file names) who have logged in to the system. Each time a user logs in/out, a corresponding file will be created. This file saves the user login period. Internal operation history can be used to monitor system security.

root@zsc6:[/tmp/dbasky/root]ls
10.1.80.47 dbasky.2013-10-24_12:53:08
root@zsc6:[/tmp/dbasky/root]cat 10.1.80.47 dbasky.2013-10-24_12:53:08

The above is the detailed content of Detailed explanation of CentOS anti-intrusion through logs. For more information, please follow other related articles on the PHP Chinese website!