An introduction to Linux login security. Many system administrators overlook this area; if you are interested, have a look.
1. Querying login records
| Command | Description | Storage path |
|---|---|---|
| last | Show login, logout and reboot records | /var/log/wtmp |
| lastb | Show failed login attempts | /var/log/btmp |
| lastlog | Show the most recent login of every user | /var/log/lastlog |
| w | Show who is logged in and what they are doing | /var/run/utmp |
```
#last
```
Columns: user / tty / login IP / login date / duration
```
root pts/0 192.168.1.129 Thu Mar 17 14:12 still logged in
root pts/1 10.0.0.3 Wed Mar 9 23:14 - 00:34 (01:20)
apple pts/0 10.0.0.3 Wed Mar 9 23:07 - 00:34 (01:26)
root pts/0 10.0.0.3 Wed Mar 9 22:15 - 22:59 (00:43)
root pts/0 10.0.0.3 Tue Mar 8 21:11 - 00:31 (03:20)
fred pts/0 192.168.1.129 Tue Mar 8 16:56 - 18:01 (01:04)
root pts/0 192.168.1.129 Tue Mar 8 10:16 - 14:51 (04:34)
tony pts/0 192.168.1.30 Mon Mar 7 14:46 - 18:01 (03:14)
```
```
#lastb
```
Columns: user / SSH session / login IP / login time / duration
```
root ssh:notty 192.168.1.129 Thu Mar 17 14:12 - 14:12 (00:00)
user ssh:notty 192.168.1.129 Tue Mar 8 10:16 - 10:16 (00:00)
user ssh:notty 192.168.1.129 Tue Mar 8 10:16 - 10:16 (00:00)
user ssh:notty 192.168.1.129 Tue Mar 8 10:16 - 10:16 (00:00)
root ssh:notty 192.168.1.30 Thu Mar 3 22:00 - 22:00 (00:00)
```
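The `lastb` listing above is the raw material for a quick brute-force check: a handful of `ssh:notty` rows from the same address against several accounts is the pattern to look for. The script below is an added example (not part of the original post) that summarises `lastb`-style output per source IP and per targeted account. The sample input is constructed to match the shape of the page's listing; on a live host you would feed the functions with `lastb -i` (the `-i` flag prints numeric IPs instead of hostnames). The threshold of 3 failures is an arbitrary cutoff chosen for the example.

```shell
#!/bin/sh
# Added example: summarise `lastb` output to spot sources of repeated failed logins.
# Constructed sample in the shape of the page's lastb listing, including the
# "btmp begins ..." trailer that real lastb prints at the end.
SAMPLE_LASTB='root ssh:notty 192.168.1.129 Thu Mar 17 14:12 - 14:12 (00:00)
user ssh:notty 192.168.1.129 Tue Mar 8 10:16 - 10:16 (00:00)
user ssh:notty 192.168.1.129 Tue Mar 8 10:16 - 10:16 (00:00)
user ssh:notty 192.168.1.129 Tue Mar 8 10:16 - 10:16 (00:00)
root ssh:notty 192.168.1.30 Thu Mar 3 22:00 - 22:00 (00:00)

btmp begins Thu Mar 3 21:58:11 2016'

# Count failed SSH logins per source IP, most frequent first ("count ip" per line).
# Reads lastb-style lines on stdin. Only rows whose second field is an ssh: session
# and whose third field is a dotted-quad IP are counted, so the blank line and the
# "btmp begins" trailer are skipped.
failed_by_ip() {
    awk '$2 ~ /^ssh:/ && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$3]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# IPs whose failure count reaches the threshold (hypothetical cutoff, default 3).
suspicious_ips() {
    failed_by_ip | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

# Accounts a given IP tried, with attempt counts ("count user"), most tried first.
accounts_tried() {
    awk -v ip="$1" '$2 ~ /^ssh:/ && $3 == ip { a[$1]++ }
                    END { for (u in a) print a[u], u }' | sort -rn
}

# Report: for each suspicious IP, which accounts it went after.
report() {
    printf '%s\n' "$SAMPLE_LASTB" | suspicious_ips | while IFS= read -r ip; do
        echo "$ip tried:"
        printf '%s\n' "$SAMPLE_LASTB" | accounts_tried "$ip" | sed 's/^/    /'
    done
}

report
# On a live host, replace the printf of SAMPLE_LASTB with:  lastb -i | suspicious_ips
```

With the page's data the report flags 192.168.1.129 (four failures: three against `user`, one against `root`), while 192.168.1.30 stays below the cutoff. Because `lastb` only reads /var/log/btmp, the report is only as complete as that file; the section on clearing and locking these files below explains why that matters.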
```
#lastlog
```
```
Username Port From Latest
root pts/1 192.168.1.129 Thu Mar 17 15:46:56 +0800 2016
bin **Never logged in**
daemon **Never logged in**
adm **Never logged in**
lp **Never logged in**
sync **Never logged in**
shutdown **Never logged in**
...remaining lines omitted...
```
```
#w
```
```
16:10:48 up 23 days, 22:58, 2 users, load average: 0.16, 0.05, 0.06
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.1.129 14:12 0.00s 0.02s 0.00s w
root pts/1 192.168.1.129 15:46 10:24 0.00s 0.00s -bash
```
**Note: to clear the data above**
```
#cat /dev/null > /var/log/wtmp
```
```
#cat /dev/null > /var/log/btmp
```
```
#cat /dev/null > /var/log/lastlog
```
```
#cat /dev/null > /var/run/utmp
```
Going a step further, lock the files so they cannot be modified (in practice this is used to guard against the files being accidentally deleted or changed):
```
#chattr +i /var/log/wtmp
```
```
#chattr +i /var/log/btmp
```
```
#chattr +i /var/log/lastlog
```
```
#chattr +i /var/run/utmp
```
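One caveat a practitioner will want before copying the four `chattr +i` lines: the immutable attribute refuses every write, including the appends that login and sshd make, so once wtmp or btmp is immutable no new login records are stored and the `last`/`lastb` output above stops growing. For wtmp and btmp the append-only attribute (`chattr +a`) is the better fit: records can still be appended, but truncation such as `cat /dev/null > /var/log/wtmp` is refused (note that log rotation of those files is refused too). lastlog and utmp are a different case: both are rewritten in place (lastlog is indexed by UID, utmp by session slot), so even `+a` breaks them, and on many distributions /var/run/utmp sits on a tmpfs where `chattr` is not supported at all. The script below is an added example (not part of the original post) that audits `lsattr` output against that policy; the sample `lsattr` lines are constructed, and the "wtmp/btmp append-only, lastlog/utmp writable" policy is the example's own assumption.

```shell
#!/bin/sh
# Added example: check which protection attribute each login-log file carries.
# Constructed `lsattr` output for the four files the page locks. On a live host:
#   lsattr /var/log/wtmp /var/log/btmp /var/log/lastlog /var/run/utmp | audit_attrs
# (lsattr reports an error for files on filesystems without attribute support,
# such as a tmpfs-backed /var/run).
SAMPLE_LSATTR='----i---------e------- /var/log/wtmp
-----a--------e------- /var/log/btmp
--------------e------- /var/log/lastlog
--------------e------- /var/run/utmp'

# Classify one lsattr line. Field 1 is the attribute string, field 2 the path.
# Lowercase "i" is immutable and lowercase "a" is append-only; no other lsattr
# flag uses those lowercase letters, so a glob match on the string is enough.
# Prints: immutable | append-only | writable
attr_mode() {
    flags=$(printf '%s\n' "$1" | awk '{ print $1 }')
    case "$flags" in
        *i*) echo immutable ;;
        *a*) echo append-only ;;
        *)   echo writable ;;
    esac
}

# Policy assumed by this example: append-only for the two append-only logs,
# plain writable for the two files that are updated in place.
expected_mode() {
    case "$1" in
        /var/log/wtmp|/var/log/btmp) echo append-only ;;
        *)                           echo writable ;;
    esac
}

# Audit lsattr lines from stdin; one "OK"/"MISMATCH" line per file.
audit_attrs() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=$(printf '%s\n' "$line" | awk '{ print $2 }')
        actual=$(attr_mode "$line")
        want=$(expected_mode "$path")
        if [ "$actual" = "$want" ]; then
            echo "OK       $path ($actual)"
        else
            echo "MISMATCH $path is $actual, expected $want"
        fi
    done
}

printf '%s\n' "$SAMPLE_LSATTR" | audit_attrs
```

With the constructed input the audit reports one mismatch: /var/log/wtmp is immutable rather than append-only, which is exactly the state in which login records would stop being written. A `chattr -i /var/log/wtmp; chattr +a /var/log/wtmp` (run as root on the live host, not in this script) brings it back to the assumed policy.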