2025-04-12 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
This article shows how an ordinary inspection user, with only the most common commands, can check the RedHat 7.4 system logs, trace user logins, and judge whether there are illegal access records such as springboard (jump host) access.
The logs you need to care about here are as follows:
/var/log/lastlog: binary file recording each user's most recent login
/var/log/wtmp: binary file recording login and logout records for every user
/var/log/secure: text file recording user login (authentication) behaviour
/var/log/btmp: binary file recording failed login attempts
/run/utmp: binary file recording the users currently logged in
01 - Use the cat command to view
If only basic commands such as cat are available, the output of a binary file appears garbled.
Even so, the key information is still visible among the garbled bytes: the IP addresses that have accessed the host historically and the user names used. If a suspicious IP address is found, you can go on to an in-depth analysis of its behaviour.
02 - Use the strings command to view
The binary files can be viewed with the strings command, whose output is much closer to readable text. View each file separately as follows.
Execute the command: strings lastlog
The main concern is checking for suspicious IP addresses.
[root@test log]# strings lastlog
pts/2
182.207.162.59
pts/1
pts/0
182.207.162.59
pts/0
pts/7
Execute the command: strings wtmp
Because there is too much output, only part of it is shown; the main concern is whether the user names and IP addresses are suspicious.
ts/0
cams
182.207.177.97
pts/0
pts/0
ts/0
root
182.207.177.122
pts/0
pts/0
ts/0
cams
182.119.114.218
pts/0
pts/0
ts/0
cams
182.207.162.59
Execute the command: strings /run/utmp
Check whether other IP addresses are currently connected to the server.
[cams@test log]$ strings /run/utmp
reboot
3.10.0-693.el7.x86_64
runlevel
3.10.0-693.el7.x86_64
pts/0
ts/0
cams
182.207.162.59
pts/1
ts/1
pts/2
ts/2
root
182.207.162.59
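As an added example (not part of the article), a Python parser for the 384-byte glibc utmp records that wtmp and utmp consist of on x86_64 RHEL 7; it recovers user, tty, host and timestamp per record instead of the bare strings shown above and lists login sources that are off an allow-list. The record layout is an assumption taken from the glibc headers, the allow-list is hypothetical, and the sample records are constructed from the IPs shown on this page; lastlog and btmp use other layouts and are not covered.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on x86_64 (384 bytes), used by RHEL 7 for
# /var/log/wtmp and /run/utmp. lastlog and btmp are not parsed here.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
UT_TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _cstr(raw):
    """NUL-terminated fixed-width field -> str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Decode every fixed-size record into a dict (type, pid, tty, user, host, time)."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": UT_TYPES.get(f[0], str(f[0])), "pid": f[1],
            "line": _cstr(f[2]), "id": _cstr(f[3]), "user": _cstr(f[4]),
            "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9], timezone.utc).isoformat(),
        })
    return records

def logins_outside_allowlist(records, allowed_hosts):
    """Map each login source that is not on the (hypothetical) allow-list to its users."""
    hits = {}
    for r in records:
        if r["type"] == "USER_PROCESS" and r["host"] and r["host"] not in allowed_hosts:
            hits.setdefault(r["host"], []).append(r["user"])
    return hits

def make_record(ut_type, pid, line, ut_id, user, host, ts):
    """Pack one constructed record; only used to build the sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed sample wtmp, modelled on the strings output in the article.
SAMPLE_WTMP = b"".join([
    make_record(2, 0, "~", "~~", "reboot", "3.10.0-693.el7.x86_64", 1529300000),
    make_record(7, 24001, "pts/0", "ts/0", "cams", "182.207.162.59", 1529301000),
    make_record(7, 24683, "pts/2", "ts/2", "root", "182.207.162.59", 1529302000),
    make_record(7, 24900, "pts/0", "ts/0", "cams", "182.119.114.218", 1529303000),
    make_record(8, 24900, "pts/0", "ts/0", "", "", 1529304000),
])
if __name__ == "__main__":
    print(logins_outside_allowlist(parse_utmp(SAMPLE_WTMP), {"182.207.162.59"}))
```

Run it off-box against a copied wtmp (`parse_utmp(open("wtmp", "rb").read())`) when the inspection account may not run scripts on the server itself.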
03 - Other circumstances
However, some system logs may not be readable by the inspection user at all.
[cams@test log]$ strings btmp
strings: btmp: insufficient permissions
[cams@test log]$ strings secure
strings: secure: insufficient permissions
For files where the cat command reports insufficient permissions, you can read them if the account has sudo cat rights and not otherwise. In general, the inspection user in a production environment does have sudo cat rights.
For the btmp file, combine it with the secure file to determine whether there were login attempts, and focus on whether the IP addresses in the log are suspicious and whether the access behaviour is compliant.
The excerpt below from the /var/log/secure text file shows log lines with a clear timestamp: failed logins begin with "Failed", successful logins begin with "Accepted", and the IP address and user name are plainly visible.
Jun 18 19:13:09 test sshd[24648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.207.162.59 user=root
Jun 18 19:13:09 test sshd[24648]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jun 18 19:13:11 test sshd[24648]: Failed password for root from 182.207.162.59 port 28680 ssh3
Jun 18 19:13:16 test sshd[24648]: error: Received disconnect from 182.207.162.59 port 28680 test sshd 0: [preauth]
Jun 18 19:13:16 test sshd[24648]: Disconnected from 182.207.162.59 port 28680 [preauth]
Jun 18 19:13:59 test sshd[24683]: Accepted password for root from 182.207.162.59 port 28814 ssh3
Jun 18 19:13:59 test sshd[24683]: pam_unix(sshd:session): session opened for user root by (uid=0)
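An added example (not from the article) of the analysis a reviewer would run off-box on a copied /var/log/secure: it parses the sshd Failed/Accepted lines, counts failures and successes per source IP, and flags sources that are off a hypothetical allow-list or that succeeded only after earlier failures from the same IP. The log lines are constructed, modelled on the excerpt above.

```python
import re

# Constructed sample, modelled on the article's /var/log/secure excerpt (not the original).
SAMPLE_SECURE = """\
Jun 18 19:13:09 test sshd[24648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=182.207.162.59 user=root
Jun 18 19:13:11 test sshd[24648]: Failed password for root from 182.207.162.59 port 28680 ssh2
Jun 18 19:13:16 test sshd[24648]: Disconnected from 182.207.162.59 port 28680 [preauth]
Jun 18 19:13:30 test sshd[24660]: Failed password for invalid user admin from 182.207.162.59 port 28700 ssh2
Jun 18 19:13:59 test sshd[24683]: Accepted password for root from 182.207.162.59 port 28814 ssh2
Jun 18 19:13:59 test sshd[24683]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 18 20:01:02 test sshd[25001]: Accepted publickey for cams from 10.0.0.5 port 50122 ssh2
"""

# Matches the sshd "Accepted ..." / "Failed ..." lines the article points at.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_auth_events(text):
    """Return one dict per Accepted/Failed line; other lines are ignored."""
    return [m.groupdict() for m in map(AUTH_RE.match, text.splitlines()) if m]

def summarize_by_ip(events, allowed_ips):
    """Per source IP: failed/accepted counts, users tried, and a suspicious flag.
    A source is suspicious when it is not on the (hypothetical) allow-list or
    when a success followed earlier failures from the same IP (guessing pattern)."""
    stats = {}
    for e in events:
        s = stats.setdefault(e["ip"], {"failed": 0, "accepted": 0, "users": set(),
                                       "failed_then_accepted": False})
        if e["result"] == "Failed":
            s["failed"] += 1
        else:
            s["accepted"] += 1
            if s["failed"]:
                s["failed_then_accepted"] = True
        s["users"].add(e["user"])
    for ip, s in stats.items():
        s["suspicious"] = ip not in allowed_ips or s["failed_then_accepted"]
    return stats

if __name__ == "__main__":
    for ip, s in summarize_by_ip(parse_auth_events(SAMPLE_SECURE), {"10.0.0.5"}).items():
        print(ip, s)
```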
Some readers may ask: why not use grep, awk, sed or similar commands to match the IP addresses in the log files, or run a shell script and output the results?
Answer: production environments generally enforce a command whitelist that restricts many commands, so only the most basic commands can be relied on across most production systems. In addition, the inspection user has read-only permissions, so creating and executing shell scripts is not allowed.