Interpreting the Linux secure log
This article was last updated 844 days ago; the information in it may have developed or changed since.


Common secure log entries

Case 1: failed login

Jul  7 08:18:46 exoa sshd[7666]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.12  user=root
Jul  7 08:18:46 exoa sshd[7666]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul  7 08:18:48 exoa sshd[7666]: Failed password for root from 192.168.0.12 port 21378 ssh2

Case 2: successful login

Successful login with a username and password

Normal login

grep 'Accepted' /var/log/secure

[root@iZwz9bryvndk026nx3zcxxZ ~]# less /var/log/secure | grep 'Accepted'
Sep 27 21:36:46 iZwz9bryvndk026nx3zcxxZ sshd[29455]: Accepted password for root from 121.32.35.181 port 22347 ssh2

Wrong password

grep 'Failed password' /var/log/secure

Illegitimate login attempts

grep 'Did not receive' /var/log/secure

Which IPs are brute-forcing the host's root account

grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr

Which IPs are brute-forcing user accounts

grep "Failed password" /var/log/secure | perl -ne 'print "$1\n" if /from (\S+) port/' | sort | uniq -c | sort -nr

Username dictionary used by the brute-force attempts

grep "Failed password" /var/log/secure | perl -ne 'print "$1\n" if /for (.*?) from/' | sort | uniq -c | sort -nr
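The grep/awk/perl pipelines above depend on field positions (awk's $11 is the IP only for the "Failed password for root" shape; "invalid user" lines shift the fields). The following Python script is an added example, not code from the original post: it parses the sshd line shapes shown on this page with a single regular expression, produces the same three tallies (failed attempts per IP, failed root attempts per IP, usernames tried), and additionally flags successful logins coming from an IP that also has failed attempts, which is the trace a brute-force that eventually guessed a password leaves behind. The log lines inside SAMPLE_SECURE_LOG are constructed for the example (the first three are the page's own); the function and field names are this example's assumptions.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure (sshd via syslog). The first three lines are the
# ones shown on the page; the rest are made up to exercise every parser branch.
SAMPLE_SECURE_LOG = """\
Jul  7 08:18:46 exoa sshd[7666]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.12  user=root
Jul  7 08:18:46 exoa sshd[7666]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul  7 08:18:48 exoa sshd[7666]: Failed password for root from 192.168.0.12 port 21378 ssh2
Jul  7 08:18:51 exoa sshd[7668]: Failed password for invalid user admin from 192.168.0.12 port 21380 ssh2
Jul  7 08:18:55 exoa sshd[7670]: Failed password for invalid user oracle from 10.0.0.5 port 40112 ssh2
Jul  7 08:19:02 exoa sshd[7672]: Accepted password for root from 192.168.0.12 port 21390 ssh2
Jul  7 08:19:10 exoa sshd[7674]: Accepted publickey for deploy from 10.0.0.9 port 50022 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
Jul  7 08:19:20 exoa sshd[7676]: Did not receive identification string from 10.0.0.5 port 40200
"""

# One pattern for both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
# Client connected but never completed the SSH banner exchange (typical of scanners).
NOID_RE = re.compile(r"sshd\[\d+\]: Did not receive identification string from (?P<ip>\S+)")


def parse_line(line):
    """Return a dict describing an sshd auth event, or None for lines we do not classify
    (the pam_unix / pam_succeed_if lines carry no extra information beyond the Failed line)."""
    m = AUTH_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["event"] = "accepted" if ev["result"] == "Accepted" else "failed"
        ev["invalid_user"] = "invalid user" in line
        return ev
    m = NOID_RE.search(line)
    if m:
        return {"event": "no_id", "ip": m.group("ip"), "user": None}
    return None


def summarize(log_text):
    """Tally the same things the page's grep pipelines do, plus the list of accepted logins."""
    failed_by_ip = Counter()       # page: "which IPs are brute-forcing user accounts"
    failed_root_by_ip = Counter()  # page: "which IPs are brute-forcing root"
    failed_users = Counter()       # page: "username dictionary"
    no_id_by_ip = Counter()        # page: "Did not receive identification string"
    accepted = []                  # (user, ip, method) in log order
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "failed":
            failed_by_ip[ev["ip"]] += 1
            failed_users[ev["user"]] += 1
            if ev["user"] == "root":
                failed_root_by_ip[ev["ip"]] += 1
        elif ev["event"] == "accepted":
            accepted.append((ev["user"], ev["ip"], ev["method"]))
        else:
            no_id_by_ip[ev["ip"]] += 1
    return {
        "failed_by_ip": failed_by_ip,
        "failed_root_by_ip": failed_root_by_ip,
        "failed_users": failed_users,
        "no_id_by_ip": no_id_by_ip,
        "accepted": accepted,
    }


def suspicious_successes(summary, min_failures=1):
    """Accepted logins from an IP that also produced at least `min_failures` failed attempts.
    Ordering within the file is not checked here; on a real log, confirm the failures preceded
    the success before treating it as a compromised account."""
    return [a for a in summary["accepted"] if summary["failed_by_ip"][a[1]] >= min_failures]


if __name__ == "__main__":
    s = summarize(SAMPLE_SECURE_LOG)
    print("failed attempts per IP:", s["failed_by_ip"].most_common())
    print("failed root attempts per IP:", s["failed_root_by_ip"].most_common())
    print("usernames tried:", s["failed_users"].most_common())
    print("no identification string:", s["no_id_by_ip"].most_common())
    print("successes from IPs with failures:", suspicious_successes(s))
```

To run it over the real file, replace SAMPLE_SECURE_LOG with `open("/var/log/secure").read()` (the file is normally root-readable only); on Debian-family systems the same lines live in /var/log/auth.log.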

Also check the files under these locations

/var/spool/cron/*
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/*
/etc/anacrontab
/var/spool/anacron/*
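As an added example (not part of the original post), the script below walks exactly the cron locations listed above, collects every active (non-comment) entry together with the age of the file that holds it, and separates out entries in files modified recently, since a cron file that changed around the time of the suspicious logins is what an investigator looks at first. The filesystem root is a parameter so the scan can be pointed at a mounted image or, as in the demo function, at a constructed temporary tree; the paths, script names and ages in that demo are made up for the example.

```python
import os
import tempfile
import time

# The cron locations named on the page, relative to the filesystem root so the same scan
# works on "/" or on a mounted copy of a compromised disk.
CRON_PATHS = [
    "var/spool/cron",
    "etc/crontab",
    "etc/cron.d",
    "etc/cron.daily",
    "etc/cron.hourly",
    "etc/cron.monthly",
    "etc/cron.weekly",
    "etc/anacrontab",
    "var/spool/anacron",
]


def iter_cron_files(root="/"):
    """Yield every regular file found at the listed paths (files directly, directories one level deep)."""
    for rel in CRON_PATHS:
        p = os.path.join(root, rel)
        if os.path.isfile(p):
            yield p
        elif os.path.isdir(p):
            for name in sorted(os.listdir(p)):
                full = os.path.join(p, name)
                if os.path.isfile(full):
                    yield full


def collect_cron_entries(root="/", now=None):
    """Return (path, file_age_days, entry) for each non-empty, non-comment line in every cron file.
    Files we cannot read (permissions, races) are skipped rather than aborting the scan."""
    now = time.time() if now is None else now
    entries = []
    for path in iter_cron_files(root):
        try:
            mtime = os.stat(path).st_mtime
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = fh.read().splitlines()
        except OSError:
            continue
        age_days = (now - mtime) / 86400
        for line in lines:
            s = line.strip()
            if not s or s.startswith("#"):
                continue
            entries.append((path, age_days, s))
    return entries


def recently_changed(entries, max_age_days=7):
    """Entries living in files modified within the last max_age_days."""
    return [e for e in entries if e[1] <= max_age_days]


def demo_with_constructed_tree():
    """Build a constructed cron tree in a temp dir: two month-old files and one fresh user crontab."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc", "cron.d"))
    os.makedirs(os.path.join(root, "var", "spool", "cron"))
    with open(os.path.join(root, "etc", "crontab"), "w") as fh:
        fh.write("# system-wide crontab (constructed)\n0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
    with open(os.path.join(root, "etc", "cron.d", "backup"), "w") as fh:
        fh.write("30 1 * * * root /opt/backup.sh\n")
    with open(os.path.join(root, "var", "spool", "cron", "root"), "w") as fh:
        fh.write("*/5 * * * * /usr/local/bin/sync.sh\n")
    old = time.time() - 30 * 86400
    for rel in (("etc", "crontab"), ("etc", "cron.d", "backup")):
        os.utime(os.path.join(root, *rel), (old, old))
    entries = collect_cron_entries(root)
    return entries, recently_changed(entries)


if __name__ == "__main__":
    all_entries, recent = demo_with_constructed_tree()
    for path, age, entry in all_entries:
        flag = "RECENT" if (path, age, entry) in recent else "      "
        print(f"{flag} {age:5.1f}d {path}: {entry}")
```

On a live host run `collect_cron_entries("/")` as root; anacron's spool files are timestamps rather than job definitions, so their lines show up as entries only because the page lists the directory, and can be ignored.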