日志查看登录用户

这里只讲解日志的安全问题，也就是通过日志来查看那些可疑的用户登陆过机器

三个重要的日志文件
/var/log/wtmp 记录每个用户登陆和推出时间的永久记录.
/var/run/utmp 记录当前登陆到系统的每个用户信息.
/var/log/lastlog 每个用户最后一次登陆的信息(最新的信息)
wtmp和utmp都是二进制文件,它们要用命令来查看内容.
1,命令who,查看utmp文件当前的每个用户的信息,它默认输出包括用户名,终端类型,登陆时间及远程主机.
如下:
[root@tp log]# who
root pts/0 May 4 22:10 (192.168.0.5)
如果指明了文件,则回显示自wtmp创建以来所有登陆的用户信息.
[root@tp log]# who /var/log/wtmp
root tty1 May 4 20:44
root pts/0 May 4 20:52 (211.101.46.195)
root tty1 May 4 21:05
root pts/0 May 4 21:05 (211.101.46.195)
root pts/1 May 4 21:09 (192.168.0.5)
root pts/0 May 4 21:38 (192.168.0.5)
root pts/0 May 4 22:10 (192.168.0.5)
2,命令w,查看utmp文件并显示当前系统中每个用户和它所运行的进程信息.
如:
[root@tp log]# w
23:00:48 up 54 min, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.0.5 22:10 0.00s 0.03s 0.00s w
3,users,显示当前当前登陆的用户数量.
如,
[root@tp log]# users
root root
这表明两个root用户在同时登陆这台机器.
4,last命令,用来显示wtmp文件第一次 创建以来所有登陆过的用户.
如:
[root@tp log]# last
root pts/1 192.168.0.5 Fri May 4 23:01 - 23:02 (00:00)
root pts/0 192.168.0.5 Fri May 4 22:10 still logged in
reboot system boot 2.6.9-34.EL Fri May 4 22:07 (00:59)
root pts/0 192.168.0.5 Fri May 4 21:38 - down (00:27)
reboot system boot 2.6.9-34.EL Fri May 4 21:36 (00:29)
root pts/1 192.168.0.5 Fri May 4 21:09 - down (00:25)
root pts/0 211.101.46.195 Fri May 4 21:05 - down (00:29)
root tty1 Fri May 4 21:05 - down (00:30)
reboot system boot 2.6.9-34.EL Fri May 4 21:03 (00:31)
root pts/0 211.101.46.195 Fri May 4 20:52 - crash (00:11)
root tty1 Fri May 4 20:44 - crash (00:18)
reboot system boot 2.6.9-34.EL Fri May 4 20:32 (01:02)
reboot system boot 2.6.9-34.EL Tue May 1 08:32 (3+13:02)
reboot system boot 2.6.9-34.EL Tue May 1 08:27 (3+13:07)
reboot system boot 2.6.9-34.EL Tue May 1 08:24 (3+13:10)
reboot system boot 2.6.9-34.EL Tue May 1 08:13 (3+13:22)
wtmp begins Tue May 1 08:13:04 2007
我们也可以指明用户,[root@tp log]# last root
root pts/1 192.168.0.5 Fri May 4 23:01 - 23:02 (00:00)
root pts/0 192.168.0.5 Fri May 4 22:10 still logged in
root pts/0 192.168.0.5 Fri May 4 21:38 - down (00:27)
root pts/1 192.168.0.5 Fri May 4 21:09 - down (00:25)
root pts/0 211.101.46.195 Fri May 4 21:05 - down (00:29)
root tty1 Fri May 4 21:05 - down (00:30)
root pts/0 211.101.46.195 Fri May 4 20:52 - crash (00:11)
root tty1 Fri May 4 20:44 - crash (00:18)
wtmp begins Tue May 1 08:13:04 2007
5,命令ac,根据wtmp文件中每个用户进入和退出时间.(以小时计算),不用参数代表全部
[root@tp log]# ac
total 2.88
[root@tp log]# ac -d 代表每天总连接时间
Today total 2.89
[root@tp log]# ac -p 代表每个用户总连接时间
root 2.89
total 2.89
我们要养成经常查看日志来观察有无可疑用户等问题的存在.