Local detection methods
Detection methods on cloud platforms
Check system logs
Check security-related logs
SSH remote login failure log entries
[root@instructor ~]# grep -i Failed /var/log/secure
May 20 12:15:35 instructor sshd[12070]: Failed password for root from 192.168.1.12 port 50720 ssh2
May 20 12:15:48 instructor sshd[12086]: Failed password for root from 192.168.1.144 port 52765 ssh2
SSH remote login success log entries
[root@instructor ~]# grep -i Accepted /var/log/secure
Oct 24 12:18:06 chao sshd[7086]: Accepted password for root from 172.16.130.91 port 41415 ssh2
Oct 24 12:18:06 chao sshd[7084]: Accepted password for root from 172.16.130.81 port 42986 ssh2
Count the source IPs of successful or failed logins, deduplicate them, and sort in descending order of count (the IP is the fourth field from the end of each line, hence $(NF-3))
grep -i Accepted /var/log/secure |awk '{print $(NF-3)}' |grep '^[0-9]' |sort |uniq -c |sort -rn
grep -i Failed /var/log/secure |awk '{print $(NF-3)}' |egrep '^[0-9]' |sort |uniq -c |sort -rn
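As an added example (not part of the original page), the same per-IP count as the grep/awk pipelines above, done in Python over constructed sample lines in /var/log/secure format, plus the follow-up check a responder usually wants next: which source IPs failed repeatedly, and which of them later got an "Accepted" line.

```python
import re
from collections import defaultdict

# Constructed sample lines in /var/log/secure format (hosts, users and IPs are made up).
SAMPLE_SECURE_LOG = """\
May 20 12:15:35 instructor sshd[12070]: Failed password for root from 192.168.1.12 port 50720 ssh2
May 20 12:15:48 instructor sshd[12086]: Failed password for root from 192.168.1.144 port 52765 ssh2
May 20 12:15:51 instructor sshd[12090]: Failed password for invalid user admin from 192.168.1.144 port 52770 ssh2
May 20 12:16:02 instructor sshd[12094]: Failed password for root from 192.168.1.144 port 52781 ssh2
May 20 12:16:20 instructor sshd[12101]: Accepted password for root from 192.168.1.144 port 52790 ssh2
May 20 12:20:06 instructor sshd[12120]: Accepted publickey for deploy from 10.0.0.5 port 41415 ssh2
"""

# Same field the page's awk '{print $(NF-3)}' extracts (the source IP), but matched
# explicitly together with the result, auth method and user name.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_secure_log(text):
    """Yield (result, user, ip) for each sshd auth line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")

def count_by_ip(text, result):
    """Equivalent of grep -i <result> ... | sort | uniq -c | sort -rn, as an ordered dict."""
    counts = defaultdict(int)
    for r, _user, ip in parse_secure_log(text):
        if r == result:
            counts[ip] += 1
    return dict(sorted(counts.items(), key=lambda kv: kv[1], reverse=True))

def suspicious_ips(text, threshold=3):
    """Return (IPs with >= threshold failures, IPs accepted after earlier failures).
    The second set is the trace a password-guessing run that eventually succeeds leaves."""
    failed = defaultdict(int)
    failed_then_accepted = set()
    for r, _user, ip in parse_secure_log(text):  # lines are processed in log order
        if r == "Failed":
            failed[ip] += 1
        elif failed.get(ip, 0) > 0:  # Accepted, and this IP already failed before
            failed_then_accepted.add(ip)
    many_failures = {ip for ip, n in failed.items() if n >= threshold}
    return many_failures, failed_then_accepted
```

Read the real file with `open("/var/log/secure").read()` in place of the sample text; on systems that rotate the log, include the rotated copies as well.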
View historical user login records with last
View the last 5 login records
[root@localhost ~]# last -a -5
root pts/2 Mon Feb 25 06:21 still logged in 192.168.2.1
root pts/1 Mon Feb 25 01:10 still logged in :0
root :0 Mon Feb 25 01:09 still logged in :0
root pts/0 Sun Feb 24 23:39 still logged in 192.168.2.1
reboot system boot Sun Feb 24 23:36 - 06:21 (06:45) 3.10.0-862.el7.x86_64
View login records from before a specified time
[root@localhost ~]# last -a -t 20240210123030
# before 2024-02-10 12:30:30
查看登录系统的用