  • What to do when you find a suspicious user on Linux

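    If you find that a suspicious user has logged in to your Linux machine remotely, how do you deal with it?

    1. First, check the system's recent logins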

    last -10

    This shows the 10 most recent user logins. If a suspicious account appears there, the password has been cracked.

    [root@localhost ~]# last -10
    root pts/3 192.168.2.29 Fri Jul 31 10:16 - 10:17 (00:01)
    root pts/2 192.168.2.29 Fri Jul 31 10:15 - 10:17 (00:01)
    root pts/1 192.168.2.29 Fri Jul 31 10:15 - 10:17 (00:01)
    root pts/0 192.168.2.20 Fri Jul 31 10:08 still logged in
    root pts/2 192.168.2.29 Fri Jul 31 10:06 - 10:08 (00:02)
    root pts/1 192.168.2.29 Fri Jul 31 10:06 - 10:08 (00:02)
    root pts/0 192.168.2.20 Fri Jul 31 09:52 - 10:08 (00:15)
    root pts/1 192.168.2.29 Fri Jul 31 09:48 - 09:53 (00:05)
    root pts/0 192.168.2.20 Thu Jul 30 18:24 - 09:52 (15:27)
    root tty1 :0 Thu Jul 30 18:24 still logged in

    The first step is to change the user's password. Once that is done, kick the suspicious user off.

    [root@localhost ~]# passwd
    Changing password for user root.
    New password:
    BAD PASSWORD: it is too simplistic/systematic
    BAD PASSWORD: is too simple
    Retype new password:
    passwd: all authentication tokens updated successfully.

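    The reason for this order: if you kick the suspicious user off first, their remote tool can reconnect to your server in far less time than it takes you to change the password.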
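
The check-then-respond order described above, as an added example that is not part of the original article: it reads `last` output, picks the sessions that are still open from hosts outside a trusted list, and prints the password change before the session termination. The `TRUSTED` list, the function names and the modified `pts/3` sample row are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original article).
# TRUSTED is an assumption: the hosts you yourself log in from.
TRUSTED="192.168.2.20 :0"

# Constructed sample in the format of the `last` output above; the pts/3 row
# was changed to "still logged in" so there is an open session to flag.
SAMPLE='root pts/3 192.168.2.29 Fri Jul 31 10:16 still logged in
root pts/2 192.168.2.29 Fri Jul 31 10:15 - 10:17 (00:01)
root pts/0 192.168.2.20 Fri Jul 31 10:08 still logged in
root tty1 :0 Thu Jul 30 18:24 still logged in'

# Print "user tty host" for each open session whose host is not trusted.
# Assumes the third column is the source host, as in the output above.
open_untrusted() {
    awk -v trusted="$1" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        /still logged in/ && !($3 in ok) { print $1, $2, $3 }'
}

# Print the response in the order the article gives: password change first,
# then termination of the session (pkill -t matches by controlling terminal).
# The commands are only printed, so they can be reviewed before being run.
response_plan() {
    sessions=$(open_untrusted "$1")
    [ -n "$sessions" ] || return 0
    printf '%s\n' "$sessions" | awk '!seen[$1]++ { print "passwd " $1 }'
    printf '%s\n' "$sessions" | awk '{ print "pkill -KILL -t " $2 }'
}

# Live use: last -10 | response_plan "$TRUSTED"
printf '%s\n' "$SAMPLE" | response_plan "$TRUSTED"
```
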

  • Original article: https://www.cnblogs.com/itor/p/4691449.html