1.在linux /var/log/wtmp 日志中以二进制的形式记录了用户登陆的时间和登陆IP,用who 命令可以查看
who /var/log/wtmp
mtpt pts/0 2014-02-07 08:43 (192.168.0.5)
yunji pts/0 2014-02-08 09:29 (192.168.0.8)
langshi pts/1 2014-02-08 10:54 (192.168.0.7)
fanghui pts/0 2014-02-10 09:07 (192.168.0.11)
2.通过shell脚本可以分析出用户名,登陆时间,次数以及登陆ip
以html 格式输出,代码如下
#!/bin/bash
dt=$( date -dlast-day +%Y-%m-%d )
mkdir -p /usr/local/src/shellcode
u=('echo"$@"')
t=('echo"$@"')
i=('echo"$@"')
ur=('echo"$@"')
ti=('echo"$@"')
ip=('echo"$@"')
ci=('echo"$@"')
s=0
df=$(who /var/log/wtmp |grep "$dt"|awk ' { print $1 } '|sort |uniq|wc -l) #不同用户的个数
touch /usr/local/src/shellcode/ti.txt
touch /usr/local/src/shellcode/ip.txt
getUsermessage()
{
who /var/log/wtmp |grep "$dt" > /usr/local/src/shellcode/userlist
m=0
while read line
do
u[$m]=$( echo $line |awk ' { print $1 } ' )
t[$m]=$( echo $line |awk ' { print $4 } ' )
i[$m]=$( echo $line |awk '{ print $5 } '| sed -n "s/(//p"|sed -n "s/)//p" )
m=$[ $m + 1 ]
done < /usr/local/src/shellcode/userlist
}
getusername()
{
who /var/log/wtmp |grep "$dt"|awk ' { print $1 } ' |sort|uniq >/usr/local/src/shellcode/users
cat>/usr/local/src/shellcode/report.html<
序号 | 时间 | 用户 | 登陆次数 | 登陆时间 | 登陆地址 |
---|
eof
while read line
do
num=0
tm=0
pi=0
cat /dev/null > /usr/local/src/shellcode/ti.txt
cat /dev/null > /usr/local/src/shellcode/ip.txt
for (( n=0;n
do
usr=${u[$n]}
if [ "$line" = "$usr" ]
then
let num++
echo ${t[$n]}>> /usr/local/src/shellcode/ti.txt
echo ${i[$n]}>> /usr/local/src/shellcode/ip.txt
fi
done
ci[$s]=$num
ur[$s]=$line
echo ${ur[$s]}
echo ${ci[$s]}
while read line
do
tm+=$line+
done
ti[$s]=$tm
echo "hello ${ti[$s]}"
cat /dev/null >/usr/local/src/shellcode/ti.txt
while read line
do
pi+=$line+
done < /usr/local/src/shellcode/ip.txt
ip[$s]=$pi
echo "hello ${ip[$s]}"
cat >>/usr/local/src/shellcode/report.html<$s$dt${ur[$s]}${ci[$s]}${ti[$s]}${ip[$s]}
eof
let s++
done < /usr/local/src/shellcode/users
cat >>/usr/local/src/shellcode/report.html <
here
}
report()
{
i=0
cat>/usr/local/src/shellcode/report.html<
序号 | 时间 | 用户 | 登陆次数 | 登陆时间 | 登陆地址 |
---|
eof
for (( ;i
do
echo $i
echo ${ur[$i]}
cat >>/usr/local/src/shellcode/report.html<$i2013-11-27${ur[$i]}${ci[$i]}${ti[$i]}${ip[$i]}
eof
done
cat >>/usr/local/src/shellcode/report.html <
here
}
getUsermessage
getusername
sed -i "s/+/;/g" /usr/local/src/shellcode/report.html