Reading the Linux secure log
Common secure log entries
Case 1: failed login
Jul 7 08:18:46 exoa sshd[7666]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.12 user=root
Jul 7 08:18:46 exoa sshd[7666]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jul 7 08:18:48 exoa sshd[7666]: Failed password for root from 192.168.0.12 port 21378 ssh2
Case 2: successful login
Login succeeded with username and password
Normal login
less /var/log/secure | grep 'Accepted'
[root@iZwz9bryvndk026nx3zcxxZ ~]# less /var/log/secure | grep 'Accepted'
Sep 27 21:36:46 iZwz9bryvndk026nx3zcxxZ sshd[29455]: Accepted password for root from 121.32.35.181 port 22347 ssh2
Wrong password
less /var/log/secure | grep 'Failed password'
Invalid login attempts (connections that never sent an SSH identification string, typically scanners)
less /var/log/secure | grep 'Did not receive'
Which IPs are brute-forcing the host's root account
grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr
Which IPs are brute-forcing user accounts
grep "Failed password" /var/log/secure|perl -e 'while($_=<>){ /from(.*?) port/; print "$1\n";}'|sort -nr|uniq -c |sort -nr
Username dictionary used by the brute-force attempts
grep "Failed password" /var/log/secure|perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}'|sort -nr|uniq -c |sort -nr
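The one-liners above rely on fixed field positions (awk's $11) or loose captures (perl's for(.*?) from, which returns "invalid user X" for accounts that do not exist). The following Python script is an added example, not part of the original notes: it parses constructed sample lines in /var/log/secure format (hosts and addresses are made up), handles the "invalid user" variant, and answers the same three questions plus one the notes imply but do not state: which accepted logins came from an IP that was also failing passwords.

```python
import re
from collections import Counter

# Constructed sample lines in /var/log/secure format. Hostnames, PIDs and
# addresses are invented for this example and do not come from a real host.
SAMPLE_LOG = """\
Jul  7 08:18:46 exoa sshd[7666]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.12 user=root
Jul  7 08:18:48 exoa sshd[7666]: Failed password for root from 192.168.0.12 port 21378 ssh2
Jul  7 08:18:51 exoa sshd[7668]: Failed password for invalid user admin from 192.168.0.12 port 21380 ssh2
Jul  7 08:18:55 exoa sshd[7670]: Failed password for root from 203.0.113.5 port 40022 ssh2
Jul  7 08:19:01 exoa sshd[7672]: Did not receive identification string from 198.51.100.7
Jul  7 08:20:10 exoa sshd[7680]: Accepted password for root from 192.168.0.12 port 21400 ssh2
Jul  7 08:21:00 exoa sshd[7681]: Accepted publickey for deploy from 192.168.0.20 port 50000 ssh2
"""

# "invalid user " is optional so the same pattern covers existing and
# non-existent accounts without shifting the captured fields.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
NOIDENT_RE = re.compile(r"Did not receive identification string from (?P<ip>\S+)")


def parse_secure(text):
    """Turn sshd lines into event dicts; lines that match no pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append({"type": "failed", "user": m["user"], "ip": m["ip"],
                           "invalid_user": "invalid user" in line})
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            events.append({"type": "accepted", "user": m["user"], "ip": m["ip"],
                           "method": m["method"]})
            continue
        m = NOIDENT_RE.search(line)
        if m:
            events.append({"type": "noident", "ip": m["ip"]})
    return events


def failed_by_ip(events, user=None):
    """Failed-password count per source IP; restrict to one account with user=..."""
    return Counter(e["ip"] for e in events
                   if e["type"] == "failed" and (user is None or e["user"] == user))


def failed_usernames(events):
    """Which account names the attempts tried (the attacker's username dictionary)."""
    return Counter(e["user"] for e in events if e["type"] == "failed")


def noident_ips(events):
    """Sources that connected without sending an SSH banner (scanner behaviour)."""
    return Counter(e["ip"] for e in events if e["type"] == "noident")


def successes_from_failing_ips(events):
    """Accepted logins from an IP that also produced failures: the first thing to triage."""
    suspect = failed_by_ip(events)
    return [e for e in events if e["type"] == "accepted" and e["ip"] in suspect]


if __name__ == "__main__":
    evs = parse_secure(SAMPLE_LOG)
    print("root brute-force sources:", failed_by_ip(evs, user="root").most_common())
    print("all brute-force sources:", failed_by_ip(evs).most_common())
    print("usernames tried:", failed_usernames(evs).most_common())
    print("no-banner sources:", noident_ips(evs).most_common())
    for e in successes_from_failing_ips(evs):
        print("REVIEW: accepted", e["method"], "for", e["user"], "from", e["ip"])
```

Run it against the real file with `parse_secure(open("/var/log/secure").read())`; the regexes match the syslog-style format shown in these notes, not the journald output of newer distributions.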
Also inspect the files under the following paths (cron entries are a common place for persistence after a compromise)
/var/spool/cron/*
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/*
/etc/anacrontab
/var/spool/anacron/*