Viewing SSH Login Records on a Linux Cloud Server
Below are several ways to view SSH login records on a Linux cloud server.
-
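View successful SSH logins
The last command shows the system's recent login information, including SSH logins (as well as VNC connections, system reboots, and so on). last prints output in the following format:
root pts/0 111.111.111.111 Mon Sep 9 20:10 still logged in
root pts/0 111.111.111.111 Mon Sep 9 15:01 - 15:03 (00:02)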
-
View all SSH login attempts
The log file records every SSH login attempt, both successful and failed.
On Debian-based systems, check /var/log/auth.log:
sudo grep sshd /var/log/auth.log
On CentOS-based systems, check /var/log/secure:
sudo grep sshd /var/log/secure
After running the command, you may see successful and failed SSH login records in the following format:
Sep 9 20:01:46 localhost sshd[2107391]: Accepted password for root from 111.111.111.111 port 48318 ssh2
Sep 9 20:01:46 localhost sshd[2107391]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Sep 9 20:01:46 localhost sshd[2107398]: Accepted password for root from 111.111.111.111 port 48319 ssh2
Sep 9 20:01:46 localhost sshd[2107398]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Sep 9 20:23:20 localhost sshd[2118516]: Failed password for root from 218.97.0.97 port 61674 ssh2
Sep 9 20:23:23 localhost sshd[2118516]: Failed password for root from 218.97.0.97 port 61674 ssh2
Sep 9 20:23:25 localhost sshd[2118516]: Failed password for root from 218.97.0.97 port 61674 ssh2
Sep 9 20:23:25 localhost sshd[2118516]: Received disconnect from 218.97.0.97 port 61674:11: [preauth]
Sep 9 20:23:25 localhost sshd[2118516]: Disconnected from authenticating user root 218.97.0.97 port 61674 [preauth]
Sep 9 20:23:25 localhost sshd[2118516]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.97.0.97 user=root
-
View currently logged-in users
The who command shows the users who are currently logged in. who prints output in the following format:
root pts/0 2024-09-09 20:01 (111.111.111.111)
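
The sshd entries in /var/log/auth.log or /var/log/secure can be condensed into a per-address count of accepted and failed password logins, which makes repeated failures from one source easy to spot. This is an added example, not part of the original page; the function names ssh_login_summary and sample_log and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count sshd "Accepted/Failed password" lines per source address.
# Usage: ssh_login_summary /var/log/auth.log   (or /var/log/secure, or stdin)

# Constructed sample log in the format shown on this page (documentation IPs).
sample_log() {
    cat <<'EOF'
Sep  9 20:01:46 host sshd[1001]: Accepted password for root from 203.0.113.10 port 48318 ssh2
Sep  9 20:01:46 host sshd[1001]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Sep  9 20:05:02 host sshd[1002]: Accepted password for root from 203.0.113.10 port 48319 ssh2
Sep  9 20:23:20 host sshd[1003]: Failed password for root from 198.51.100.23 port 61674 ssh2
Sep  9 20:23:23 host sshd[1003]: Failed password for root from 198.51.100.23 port 61674 ssh2
Sep  9 20:23:25 host sshd[1003]: Failed password for root from 198.51.100.23 port 61674 ssh2
Sep  9 20:23:25 host sshd[1003]: Disconnected from authenticating user root 198.51.100.23 port 61674 [preauth]
Sep  9 20:30:11 host sshd[1004]: Failed password for invalid user admin from 192.0.2.77 port 40022 ssh2
EOF
}

ssh_login_summary() {
    awk '
    /sshd\[[0-9]+\]: (Accepted|Failed) password for / {
        # The user name is supplied by the client, and "invalid user <name>"
        # shifts the fields, so locate the address through the last
        # "from <addr> port" triple instead of a fixed field number.
        ip = ""
        for (i = NF - 2; i > 0; i--)
            if ($i == "from" && $(i + 2) == "port") { ip = $(i + 1); break }
        if (ip == "") next
        if ($0 ~ /: Accepted password for /) accepted[ip]++
        else failed[ip]++
    }
    END {
        for (ip in failed)   printf "FAILED %d %s\n", failed[ip], ip
        for (ip in accepted) printf "ACCEPTED %d %s\n", accepted[ip], ip
    }' "$@" | LC_ALL=C sort
}

# Demo on the constructed sample; on a real host pass the log path instead.
sample_log | ssh_login_summary
```

Only password authentication lines are counted; public-key logins and the PAM summary lines are ignored.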