Shulou(Shulou.com)06/01 Report--

Most people do not understand the knowledge points of this article "how to use logs to check intrusion in Linux", so the editor summarizes the following content, detailed content, clear steps, and has a certain reference value. I hope you can get something after reading this article. Let's take a look at this "how to use logs to check intrusion in Linux" article.

1 View log file

Linux View / var/log/wtmp File View suspicious IP login

Last-f / var/log/wtmp

Detailed explanation CentOS reverse check intrusion through log detailed explanation CentOS reverse check intrusion through log

The log file permanently records the events of login, logout, startup and downtime of each user. Therefore, as the uptime of the system increases, the size of the file will become larger and larger.

The rate of increase depends on the number of times the system user logs in. The log file can be used to view the user's login record

The last command obtains this information by accessing the file and displays the user's login records in reverse order, and last can also display the corresponding records based on the user, terminal tty, or time.

Check / var/log/secure file to find suspicious IP login times

2 script produces the operation history of all logged-in users

In the environment of the linux system, whether root users or other users can only log in to the system and use the entry operation, we can check the history by using the command history, but if a server is logged in by more than one person, the important data is deleted one day because of someone's misoperation. At this point, it doesn't make sense to check the history (command: history) (because history is only valid for logged-in users, even root users can't get other users' histotry history). Is there any way to record the history of the login IP address and a user name? Answer: yes.

This can be achieved by adding the following code to / etc/profile:

PS1= "`whoami` @ `hostname`:"'[$PWD] 'historyUSER_IP= `who-u ami 2 > / dev/null | awk' {print $NF}'| sed-e's / [()] / / g'`if ["$USER_IP" = ""] thenUSER_IP= `hostname`fiif [!-d / tmp/dbasky] thenmkdir / tmp/dbaskychmod 777 / tmp/dbaskyfiif [!-d / tmp/dbasky/$ {LOGNAME}] thenmkdir / tmp/dbasky/$ {LOGNAME} chmod 300 / tmp/dbasky/$ {LOGNAME} Fiexport HISTSIZE=4096DT= `date "+% Y-%m-%d_%H:%M:%S" `export HISTFILE= "/ tmp/dbasky/$ {LOGNAME} / ${USER_IP} dbasky.$DT" chmod 600 / tmp/dbasky/$ {LOGNAME} / * dbasky* 2 > / dev/nullsource / etc/profile takes effect using the script

Log out of the user and log in again

The above script creates a new dbasky directory in the / tmp of the system, recording all users who have logged in to the system and the IP address (file name). Every time the user logs in / out, the corresponding file will be created, which saves the operation history of the user during the login period, and can be used to monitor the security of the system.

Root@zsc6: [/ tmp/dbasky/root] ls10.1.80.47 dbasky.2013-10-24_12:53:08root@zsc6: [/ tmp/dbasky/root] cat 10.1.80.47 dbasky.2013-10-24012 the content of this article is about "how to use logs to check intrusion in Linux". I believe you all have some understanding. I hope the content shared by the editor will be helpful to you. If you want to know more about it, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.