Linux Login Security Records

An introduction to Linux login security. Many system administrators overlook this area; if you are interested, use this as a reference.

1. Querying login records

Command   Description                                          Stored in
last      Show login, logout and reboot records                /var/log/wtmp
lastb     Show failed login attempts                           /var/log/btmp
lastlog   Show the most recent login of every user account     /var/log/lastlog
w         Show who is logged in and what they are doing        /var/run/utmp

#last

Columns: user / tty / source IP / login date / duration

root pts/0 192.168.1.129 Thu Mar 17 14:12 still logged in 
root pts/1 10.0.0.3 Wed Mar 9 23:14 - 00:34 (01:20) 
apple pts/0 10.0.0.3 Wed Mar 9 23:07 - 00:34 (01:26) 
root pts/0 10.0.0.3 Wed Mar 9 22:15 - 22:59 (00:43) 
root pts/0 10.0.0.3 Tue Mar 8 21:11 - 00:31 (03:20) 
fred pts/0 192.168.1.129 Tue Mar 8 16:56 - 18:01 (01:04) 
root pts/0 192.168.1.129 Tue Mar 8 10:16 - 14:51 (04:34) 
tony pts/0 192.168.1.30 Mon Mar 7 14:46 - 18:01 (03:14)

#lastb

Columns: user / ssh session / source IP / login time / duration

root ssh:notty 192.168.1.129 Thu Mar 17 14:12 - 14:12 (00:00) 
user ssh:notty 192.168.1.129 Tue Mar 8 10:16 - 10:16 (00:00) 
user ssh:notty 192.168.1.129 Tue Mar 8 10:16 - 10:16 (00:00) 
user ssh:notty 192.168.1.129 Tue Mar 8 10:16 - 10:16 (00:00) 
root ssh:notty 192.168.1.30 Thu Mar 3 22:00 - 22:00 (00:00)

#lastlog
Username     Port  From               Latest
root pts/1 192.168.1.129 Thu Mar 17 15:46:56 +0800 2016
bin                           **Never logged in**
daemon                        **Never logged in**
adm                           **Never logged in**
lp                            **Never logged in**
sync                          **Never logged in**
shutdown                      **Never logged in**
... (remaining output omitted) ...

#w
 16:10:48 up 23 days, 22:58, 2 users, load average: 0.16, 0.05, 0.06
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.1.129 14:12 0.00s 0.02s 0.00s w
root pts/1 192.168.1.129 15:46 10:24 0.00s 0.00s -bash
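
The records above are only useful if someone actually reads them. As an added example (not part of the original post), here is a small POSIX shell script that reads lastb-style output, counts failed logins per source address and flags sources over a threshold, which is a quick way to spot password guessing against SSH. The sample data is constructed from the lastb layout shown above, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: summarise lastb (/var/log/btmp)
# output per source address and flag sources with many failed logins.
# Assumes lastb's default layout: user, ssh:notty, source, then the timestamp.

# Constructed sample in lastb's format (not real data). In practice pipe `lastb` in.
SAMPLE_LASTB='root     ssh:notty    192.168.1.129    Thu Mar 17 14:12 - 14:12  (00:00)
user     ssh:notty    192.168.1.129    Tue Mar  8 10:16 - 10:16  (00:00)
user     ssh:notty    192.168.1.129    Tue Mar  8 10:16 - 10:16  (00:00)
user     ssh:notty    192.168.1.129    Tue Mar  8 10:16 - 10:16  (00:00)
root     ssh:notty    192.168.1.30     Thu Mar  3 22:00 - 22:00  (00:00)

btmp begins Tue Mar  1 00:00:01 2016'

# Count failed logins per source from lastb-style input on stdin.
# Prints "count source", highest count first. Skips blank lines, the trailing
# "btmp begins ..." line, and lines whose third field is not a host or address
# (console logins have no source, so the third field is a weekday there).
failed_logins_by_source() {
    awk 'NF >= 3 && $1 != "btmp" && $3 ~ /[.:]/ { c[$3]++ }
         END { for (s in c) print c[s], s }' | sort -rn
}

# Print sources with at least $1 failed logins (default 3) as "source count".
flag_sources() {
    threshold="${1:-3}"
    failed_logins_by_source | awk -v t="$threshold" '$1 >= t { print $2, $1 }'
}

# Stand-alone run on the constructed sample; on a real host use: lastb | flag_sources 5
printf '%s\n' "$SAMPLE_LASTB" | flag_sources 3
```

Run it periodically (for example from cron) and feed the flagged sources into whatever blocking or alerting you already have; a `(00:00)` entry with `ssh:notty` is a failed authentication, not a session.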

Note: to clear the records above

#cat /dev/null > /var/log/wtmp
#cat /dev/null > /var/log/btmp
#cat /dev/null > /var/log/lastlog
#cat /dev/null > /var/run/utmp

Going a step further, lock the files so they cannot be modified (in practice this is used to protect them from accidental deletion or modification). Keep in mind that the immutable flag (+i) also blocks the appends that login accounting needs, so new logins will no longer be recorded; for log files the append-only flag (+a) is the usual choice.

#chattr +i  /var/log/wtmp
#chattr +i  /var/log/btmp
#chattr +i  /var/log/lastlog
#chattr +i  /var/run/utmp