  • Viewing Linux security information

    • Terminal login history

    last

    • SSH logins

    grep -i "accepted password" /var/log/secure

    • Scheduled tasks (cron)

    cat /var/log/cron

    • Count the IPs attempting to break in

    awk '/Failed/{print $(NF-3)}' /var/log/secure | sort | uniq -c | awk '{print $2"="$1}'

    • Block an IP

    echo sshd:183.40.138.224:deny >> /etc/hosts.deny

    crontab -e

    /var/spool/cron/crontabs

    • cat /var/log/secure

    Normal login and logout log entries

    Apr 11 16:36:06 bc2 sshd[11280]: Accepted password for root from 13.111.211.40 port 54560 ssh2
    Apr 11 16:36:07 bc2 sshd[11280]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Apr 11 16:36:07 bc2 sshd[11283]: Accepted password for root from 13.111.211.40 port 54563 ssh2
    Apr 11 16:36:07 bc2 sshd[11283]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Apr 11 16:36:17 bc2 sshd[11280]: pam_unix(sshd:session): session closed for user root
    Apr 11 16:36:17 bc2 sshd[11283]: pam_unix(sshd:session): session closed for user root

    Password enumeration (brute-force) log entries

    Apr 11 16:38:52 bc2 sshd[12063]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Apr 11 16:38:53 bc2 sshd[12063]: Failed password for root from 111.23.72.25 port 45486 ssh2
    Apr 11 16:39:07 bc2 sshd[12063]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Apr 11 16:39:09 bc2 sshd[12063]: Failed password for root from 111.23.72.25 port 45486 ssh2
    Apr 11 16:39:09 bc2 sshd[12063]: Connection closed by 111.23.72.25 port 45486 [preauth]
    Apr 11 16:39:09 bc2 sshd[12063]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=111.23.72.25 user=root
    Apr 11 16:39:19 bc2 sshd[7663]: pam_unix(sshd:session): session closed for user root
    Apr 11 16:39:28 bc2 sshd[12351]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=111.23.72.25 user=root
    Apr 11 16:39:28 bc2 sshd[12351]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Apr 11 16:39:30 bc2 sshd[12351]: Failed password for root from 111.23.72.25 port 45524 ssh2
    Apr 11 16:39:55 bc2 sshd[12493]: refused connect from 36.153.0.228 (36.153.0.228)
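
The counting and blocking steps above, combined into one reviewable pass (an added example, not part of the original post). The sample log is constructed with documentation-range addresses, and the function names `ssh_events`, `failed_by_ip` and `deny_candidates` are hypothetical; nothing is written to /etc/hosts.deny.

```shell
#!/bin/sh
# Added example: per-source summary of sshd password failures and
# hosts.deny candidates, printed for review only.

# Constructed sample in the /var/log/secure format shown above;
# the addresses are RFC 5737 documentation ranges, not real hosts.
sample_log() {
cat <<'EOF'
Apr 11 16:38:52 bc2 sshd[12063]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Apr 11 16:38:53 bc2 sshd[12063]: Failed password for root from 203.0.113.25 port 45486 ssh2
Apr 11 16:39:09 bc2 sshd[12063]: Failed password for root from 203.0.113.25 port 45486 ssh2
Apr 11 16:39:30 bc2 sshd[12351]: Failed password for invalid user admin from 203.0.113.25 port 45524 ssh2
Apr 11 16:40:01 bc2 sshd[12400]: Failed password for root from 198.51.100.7 port 50100 ssh2
Apr 11 16:40:05 bc2 sshd[12400]: Failed password for root from 198.51.100.7 port 50100 ssh2
Apr 11 16:40:09 bc2 sshd[12400]: Failed password for root from 198.51.100.7 port 50100 ssh2
Apr 11 16:40:15 bc2 sshd[12410]: Accepted password for root from 198.51.100.7 port 50102 ssh2
Apr 11 16:41:00 bc2 sshd[12500]: Failed password for root from 192.0.2.9 port 40000 ssh2
Apr 11 16:41:55 bc2 sshd[12493]: refused connect from 192.0.2.200 (192.0.2.200)
EOF
}

# Shared parser: emits "F ip" / "A ip" for failed and accepted password
# logins. Fields are read from the END of the line ("from IP port N ssh2"),
# so text inside a user name cannot shift the address column.
ssh_events() {
  awk '$5 ~ /^sshd\[[0-9]+\]:$/ && $(NF-4) == "from" && $(NF-2) == "port" {
         if ($6 == "Failed" && $7 == "password")        print "F", $(NF-3)
         else if ($6 == "Accepted" && $7 == "password") print "A", $(NF-3)
       }'
}

# failed_by_ip: "ip=count" per source, highest count first.
failed_by_ip() {
  ssh_events | awk '$1 == "F" { n[$2]++ } END { for (ip in n) print ip "=" n[ip] }' |
    sort -t= -k2,2nr -k1,1
}

# deny_candidates MIN: hosts.deny lines for sources with >= MIN failures and
# no accepted password login; a source that also logged in is left to a human.
deny_candidates() {
  ssh_events | awk -v min="$1" '
    $1 == "F" { fail[$2]++ }
    $1 == "A" { ok[$2] = 1 }
    END { for (ip in fail) if (fail[ip] >= min && !(ip in ok)) print "sshd:" ip ":deny" }' |
    sort
}

# Demo on the constructed sample; on a host, feed /var/log/secure on stdin.
sample_log | failed_by_ip
sample_log | deny_candidates 3
```

Review the printed candidates before appending any of them to /etc/hosts.deny, since a typo-prone administrator and a password-guessing source look the same until a successful login appears.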

  • Original article: https://www.cnblogs.com/ahuo/p/9807147.html