An introduction to Linux login security. Many system administrators overlook this area; take a look if you are interested.
1. Querying login records
| Command | Description | File |
|---|---|---|
| last | Shows login, logout and reboot history | /var/log/wtmp |
| lastb | Shows failed login attempts | /var/log/btmp |
| lastlog | Shows the most recent login of every user | /var/log/lastlog |
| w | Shows who is logged in and what they are doing | /var/run/utmp |
Sample output of `last` (columns: user / tty / login IP / login date / duration):

```
# last
root     pts/0    192.168.1.129    Thu Mar 17 14:12   still logged in
root     pts/1    10.0.0.3         Wed Mar  9 23:14 - 00:34  (01:20)
apple    pts/0    10.0.0.3         Wed Mar  9 23:07 - 00:34  (01:26)
root     pts/0    10.0.0.3         Wed Mar  9 22:15 - 22:59  (00:43)
root     pts/0    10.0.0.3         Tue Mar  8 21:11 - 00:31  (03:20)
fred     pts/0    192.168.1.129    Tue Mar  8 16:56 - 18:01  (01:04)
root     pts/0    192.168.1.129    Tue Mar  8 10:16 - 14:51  (04:34)
tony     pts/0    192.168.1.30     Mon Mar  7 14:46 - 18:01  (03:14)
```

Sample output of `lastb` (columns: user / ssh / login IP / login time / duration):

```
# lastb
root     ssh:notty    192.168.1.129    Thu Mar 17 14:12 - 14:12  (00:00)
user     ssh:notty    192.168.1.129    Tue Mar  8 10:16 - 10:16  (00:00)
user     ssh:notty    192.168.1.129    Tue Mar  8 10:16 - 10:16  (00:00)
user     ssh:notty    192.168.1.129    Tue Mar  8 10:16 - 10:16  (00:00)
root     ssh:notty    192.168.1.30     Thu Mar  3 22:00 - 22:00  (00:00)
```

Sample output of `lastlog`:

```
# lastlog
Username         Port     From             Latest
root             pts/1    192.168.1.129    Thu Mar 17 15:46:56 +0800 2016
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
lp                                         **Never logged in**
sync                                       **Never logged in**
shutdown                                   **Never logged in**
...(remaining users omitted)...
```

Sample output of `w`:

```
# w
 16:10:48 up 23 days, 22:58,  2 users,  load average: 0.16, 0.05, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    192.168.1.129    14:12    0.00s  0.02s  0.00s w
root     pts/1    192.168.1.129    15:46    10:24  0.00s  0.00s -bash
```

Note: to clear the data above:

```
# cat /dev/null > /var/log/wtmp
# cat /dev/null > /var/log/btmp
# cat /dev/null > /var/log/lastlog
# cat /dev/null > /var/run/utmp
```

Going a step further, lock the files so they cannot be modified (in practice this is done to guard against the files being accidentally deleted or altered):

```
# chattr +i /var/log/wtmp
# chattr +i /var/log/btmp
# chattr +i /var/log/lastlog
# chattr +i /var/run/utmp
```

Note that an immutable file also rejects the appends made by login and sshd, so new sessions stop being recorded while the attribute is set.
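The files in the table are binary records, which is why `cat /dev/null >` leaves them unreadable to `last` rather than merely shorter. The following added example (not from the original post) decodes that record format directly, so a defender can read a copied wtmp/btmp without the `last` tools and can spot a file whose size is no longer a whole number of records. It assumes the x86_64 glibc `struct utmp` layout (384 bytes); the sample btmp content is constructed here to mirror the `lastb` listing above, and the record type it uses (6, LOGIN_PROCESS) is an assumption.

```python
import struct
from datetime import datetime, timezone

# Layout of glibc's struct utmp on x86_64 (384 bytes): the record format of
# /var/log/wtmp, /var/log/btmp and /var/run/utmp. Other ABIs differ, so check
# sizeof(struct utmp) before using this on a non-x86_64 host (assumption).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Decode every record in a wtmp/btmp/utmp byte string.

    A length that is not a multiple of the record size means the file was
    truncated or overwritten mid-record; refuse it rather than guess."""
    if len(data) % UTMP_SIZE:
        raise ValueError("size %d is not a multiple of %d: truncated or corrupt"
                         % (len(data), UTMP_SIZE))
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                        "user": _cstr(f[4]), "host": _cstr(f[5]),
                        "time": datetime.fromtimestamp(f[9], timezone.utc)})
    return records

def make_record(utype, pid, line, user, host, tv_sec):
    """Pack one record; used below only to construct sample input."""
    return struct.pack(UTMP_FMT, utype, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def failures_by_host(data):
    """Count btmp records per source host (the view lastb prints line by line)."""
    counts = {}
    for rec in parse_utmp(data):
        counts[rec["host"]] = counts.get(rec["host"], 0) + 1
    return counts

# Constructed btmp content mirroring the lastb listing (times are UTC+8 converted).
SAMPLE_BTMP = b"".join(make_record(6, 0, "ssh:notty", u, h, t) for u, h, t in [
    ("root", "192.168.1.129", 1458195120), ("user", "192.168.1.129", 1457403360),
    ("user", "192.168.1.129", 1457403360), ("user", "192.168.1.129", 1457403360),
    ("root", "192.168.1.30", 1457013600)])

if __name__ == "__main__":
    for r in parse_utmp(SAMPLE_BTMP):
        print(r["user"], r["line"], r["host"], r["time"].isoformat())
    print(failures_by_host(SAMPLE_BTMP))
```

To read a real file, pass `open("/var/log/btmp", "rb").read()` to `parse_utmp`; an empty result or a `ValueError` on a file that `w` shows to be in use is the sign that it was emptied or damaged.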