Monitoring Linux login logs and watching for malicious visitors in real time

小坏说Java
New Star Creator: back-end development technology
2024-09-25 15:27:31

1. View the historical login log

cat /var/log/secure

Result

Sep 25 13:45:55 k8s-master sshd[31818]: Failed password for invalid user unknown from 1.26.70.70 port 48165 ssh2
Sep 25 13:45:56 k8s-master sshd[31818]: Connection closed by 1.26.70.70 port 48165 [preauth]
Sep 25 13:54:33 k8s-master sshd[6466]: Bad protocol version identification 'GET / HTTP/1.1' from 59.82.135.80 port 15174
Sep 25 13:54:33 k8s-master sshd[6467]: Bad protocol version identification 'GET / HTTP/1.1' from 59.82.135.147 port 13485
Sep 25 13:58:40 k8s-master sshd[9639]: Invalid user support from 39.174.209.153 port 48787
Sep 25 13:58:40 k8s-master sshd[9639]: input_userauth_request: invalid user support [preauth]
Sep 25 13:58:40 k8s-master sshd[9639]: pam_unix(sshd:auth): check pass; user unknown
Sep 25 13:58:40 k8s-master sshd[9639]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=39.174.209.153
Sep 25 13:58:42 k8s-master sshd[9639]: Failed password for invalid user support from 39.174.209.153 port 48787 ssh2
Sep 25 13:58:43 k8s-master sshd[9639]: Connection closed by 39.174.209.153 port 48787 [preauth]
Sep 25 14:04:08 k8s-master sshd[13746]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=124.114.180.50  user=admin
Sep 25 14:04:09 k8s-master sshd[13746]: Failed password for admin from 124.114.180.50 port 49398 ssh2
Sep 25 14:04:10 k8s-master sshd[13746]: Connection closed by 124.114.180.50 port 49398 [preauth]
Sep 25 14:04:59 k8s-master sshd[14350]: Did not receive identification string from 165.232.60.17 port 44154
Sep 25 14:06:33 k8s-master sshd[15552]: Invalid user ubnt from 60.223.250.50 port 50330
Sep 25 14:06:33 k8s-master sshd[15552]: input_userauth_request: invalid user ubnt [preauth]
Sep 25 14:06:33 k8s-master sshd[15552]: pam_unix(sshd:auth): check pass; user unknown
Sep 25 14:06:33 k8s-master sshd[15552]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=60.223.250.50
Sep 25 14:06:35 k8s-master sshd[15552]: Failed password for invalid user ubnt from 60.223.250.50 port 50330 ssh2
Sep 25 14:06:35 k8s-master sshd[15552]: Connection closed by 60.223.250.50 port 50330 [preauth]
Sep 25 14:17:56 k8s-master sshd[24422]: Did not receive identification string from 139.199.80.137 port 57414
Sep 25 14:27:26 k8s-master sshd[31365]: Connection closed by 125.141.193.42 port 34827 [preauth]
Sep 25 14:50:01 k8s-master sshd[16599]: Invalid user support from 218.59.235.170 port 34162
Sep 25 14:50:01 k8s-master sshd[16599]: input_userauth_request: invalid user support [preauth]
Sep 25 14:50:01 k8s-master sshd[16599]: pam_unix(sshd:auth): check pass; user unknown
Sep 25 14:50:01 k8s-master sshd[16599]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.59.235.170
Sep 25 14:50:03 k8s-master sshd[16599]: Failed password for invalid user support from 218.59.235.170 port 34162 ssh2
Sep 25 14:50:03 k8s-master sshd[16599]: Connection closed by 218.59.235.170 port 34162 [preauth]
Sep 25 14:52:25 k8s-master sshd[18705]: Invalid user debian from 223.99.212.58 port 50933
Sep 25 14:52:25 k8s-master sshd[18705]: input_userauth_request: invalid user debian [preauth]
Sep 25 14:52:25 k8s-master sshd[18705]: pam_unix(sshd:auth): check pass; user unknown
Sep 25 14:52:25 k8s-master sshd[18705]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.99.212.58
Sep 25 14:52:28 k8s-master sshd[18705]: Failed password for invalid user debian from 223.99.212.58 port 50933 ssh2
Sep 25 14:52:28 k8s-master sshd[18705]: Connection closed by 223.99.212.58 port 50933 [preauth]
Sep 25 14:54:21 k8s-master sshd[20203]: Accepted publickey for root from 218.1.181.21 port 55606 ssh2: RSA SHA256:LNL8O4SaiJXzZmE88eRt9wwKBt7bwKn05of+bBdHClA
Sep 25 14:54:21 k8s-master sshd[20203]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 25 14:54:44 k8s-master sshd[20203]: pam_unix(sshd:session): session closed for user root
Sep 25 14:55:00 k8s-master sshd[21164]: Accepted publickey for root from 218.1.181.21 port 55672 ssh2: RSA SHA256:LNL8O4SaiJXzZmE88eRt9wwKBt7bwKn05of+bBdHClA
Sep 25 14:55:00 k8s-master sshd[21164]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 25 14:59:09 k8s-master sshd[28928]: Accepted publickey for root from 218.1.181.21 port 56251 ssh2: RSA SHA256:LNL8O4SaiJXzZmE88eRt9wwKBt7bwKn05of+bBdHClA
Sep 25 14:59:09 k8s-master sshd[28928]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 25 15:00:47 k8s-master sshd[32007]: Accepted publickey for root from 218.1.181.21 port 56385 ssh2: RSA SHA256:LNL8O4SaiJXzZmE88eRt9wwKBt7bwKn05of+bBdHClA
Sep 25 15:00:47 k8s-master sshd[32007]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 25 15:14:54 k8s-master sshd[11388]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.28.87.38  user=root
Sep 25 15:14:54 k8s-master sshd[11388]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Sep 25 15:14:56 k8s-master sshd[11388]: Failed password for root from 1.28.87.38 port 39542 ssh2
Sep 25 15:14:57 k8s-master sshd[11388]: Connection closed by 1.28.87.38 port 39542 [preauth]
Sep 25 15:16:03 k8s-master sshd[14607]: Connection closed by 111.74.9.84 port 58690 [preauth]

2. View current login information

last

Result

root     pts/0        114.91.17.74     Thu Sep 12 10:48 - 09:28 (1+22:40)   
root     pts/1        114.91.17.74     Wed Sep 11 14:46 - 18:14  (03:27)    
root     pts/0        114.91.17.74     Wed Sep 11 14:46 - 18:14  (03:27)    
root     pts/3        114.91.17.74     Tue Sep 10 15:02 - 15:40  (00:38)    
root     pts/2        114.91.17.74     Tue Sep 10 15:02 - 15:40  (00:38)    
root     pts/1        114.91.17.74     Tue Sep 10 14:30 - 15:40  (01:09)    
root     pts/0        114.91.17.74     Tue Sep 10 14:30 - 15:40  (01:09)    
root     pts/1        114.91.17.74     Tue Sep 10 14:13 - 14:30  (00:17)    
root     pts/0        114.91.17.74     Tue Sep 10 14:13 - 14:30  (00:17)    
root     pts/1        114.91.17.74     Tue Sep 10 11:13 - 13:50  (02:36)    
root     pts/0        114.91.17.74     Tue Sep 10 11:13 - 13:50  (02:36)    
root     pts/1        114.91.17.74     Tue Sep 10 10:57 - 11:13  (00:16)    
root     pts/0        114.91.17.74     Tue Sep 10 10:57 - 11:13  (00:16)    
root     pts/1        114.91.17.74     Mon Sep  9 17:45 - 10:04  (16:18)    
root     pts/0        114.91.17.74     Mon Sep  9 17:45 - 10:04  (16:18)    
root     pts/1        114.91.17.74     Mon Sep  9 09:51 - 17:43  (07:52)    
root     pts/0        114.91.17.74     Mon Sep  9 09:51 - 17:43  (07:52)    
root     pts/1        114.91.17.74     Fri Sep  6 09:52 - 03:46  (17:53)    
root     pts/0        114.91.17.74     Fri Sep  6 09:52 - 03:46  (17:53)    
root     pts/1        114.91.17.74     Wed Sep  4 16:35 - 17:08 (1+00:32)   
root     pts/0        114.91.17.74     Wed Sep  4 16:35 - 17:08 (1+00:32)   
root     pts/1        101.228.82.186   Tue Sep  3 21:42 - 22:02  (00:19)    
root     pts/0        101.228.82.186   Tue Sep  3 21:42 - 22:02  (00:19)    
root     pts/1        114.91.17.74     Mon Sep  2 09:57 - 14:21 (1+04:23)   
root     pts/0        114.91.17.74     Mon Sep  2 09:57 - 14:21 (1+04:23)   
root     pts/1        218.1.180.183    Fri Aug 30 17:54 - 17:16  (23:22)    
root     pts/0        218.1.180.183    Fri Aug 30 17:54 - 17:16  (23:22)    
root     pts/1        218.1.180.183    Fri Aug 30 09:53 - 13:52  (03:59)    
root     pts/0        218.1.180.183    Fri Aug 30 09:53 - 13:52  (03:59)    
root     pts/1        218.1.180.183    Thu Aug 29 15:23 - 17:22  (01:59)    
root     pts/0        218.1.180.183    Thu Aug 29 15:23 - 17:22  (01:59)    
root     pts/1        218.1.180.183    Wed Aug 28 16:39 - 17:58  (01:19)    
root     pts/0        218.1.180.183    Wed Aug 28 16:39 - 17:58  (01:19)    
root     pts/1        218.1.180.183    Mon Aug 26 19:29 - 14:28  (18:59)    
root     pts/0        218.1.180.183    Mon Aug 26 19:29 - 14:28  (18:59)    
root     pts/1        116.230.178.99   Mon Aug 26 15:05 - 16:59  (01:53)    
root     pts/0        116.230.178.99   Mon Aug 26 15:05 - 16:59  (01:53)    
root     pts/1        116.230.178.99   Fri Aug 23 16:37 - 10:27  (17:49)    
root     pts/0        116.230.178.99   Fri Aug 23 16:37 - 10:27  (17:49)    
root     pts/3        116.230.178.99   Fri Aug 23 16:29 - 16:37  (00:07)    
root     pts/2        116.230.178.99   Fri Aug 23 16:29 - 16:37  (00:07)    
root     pts/1        116.230.178.99   Fri Aug 23 16:27 - 16:37  (00:09)    
root     pts/0        116.230.178.99   Fri Aug 23 16:27 - 16:37  (00:09)    
root     pts/1        116.230.178.99   Thu Aug 22 09:54 - 14:39  (04:45)    
root     pts/0        116.230.178.99   Thu Aug 22 09:54 - 14:39  (04:45)    
root     pts/1        114.84.0.98      Wed Aug 21 22:58 - 00:25  (01:26)    
root     pts/0        114.84.0.98      Wed Aug 21 22:58 - 00:25  (01:26)    
root     pts/1        114.84.0.98      Wed Aug 21 19:46 - 20:35  (00:48)    
root     pts/0        114.84.0.98      Wed Aug 21 19:46 - 20:35  (00:48)    
root     pts/1        116.230.178.99   Wed Aug 21 14:20 - 15:48  (01:28)    
root     pts/0        116.230.178.99   Wed Aug 21 14:20 - 15:48  (01:28)
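The `last` listing above is easy to scan by eye for a handful of rows, but on a shared host it quickly grows to hundreds. The following added example (my own code, not part of the original post) parses `last` output, totals sessions and connected minutes per source host, counts sessions that are still open, and flags any source host that is not on an allow-list of addresses you expect to administer from. The allow-list, the private address 10.0.0.9, the `kernel-placeholder` token in the reboot row and the sample rows themselves are constructed for this example; the row format follows the page's output.

```python
"""Summarize `last` output per source host and flag hosts outside an allow-list.

Added example (not from the original post). `last` prints one row per
session: user, tty, source host, login time, logout time, duration.
"""
import sys
from collections import defaultdict

# Constructed sample rows in the format shown on the page. 10.0.0.9 and
# "kernel-placeholder" are placeholders, not values from the page.
SAMPLE_LAST = """\
root     pts/0        114.91.17.74     Thu Sep 12 10:48 - 09:28 (1+22:40)
root     pts/1        114.91.17.74     Wed Sep 11 14:46 - 18:14  (03:27)
root     pts/1        101.228.82.186   Tue Sep  3 21:42 - 22:02  (00:19)
root     pts/2        10.0.0.9         Wed Sep 25 15:00   still logged in
reboot   system boot  kernel-placeholder Fri Jun 14 19:09 - 15:25 (103+20:16)

wtmp begins Fri Jun 14 19:09:50 2024
"""


def parse_duration(token):
    """Convert last's "(HH:MM)" or "(D+HH:MM)" duration field into minutes."""
    token = token.strip("()")
    days = 0
    if "+" in token:
        day_part, token = token.split("+", 1)
        days = int(day_part)
    hours, minutes = token.split(":")
    return days * 1440 + int(hours) * 60 + int(minutes)


def parse_last_line(line):
    """Return one session record, or None for rows that are not user sessions."""
    parts = line.split()
    # Skip blank lines, the "wtmp begins" trailer and reboot records.
    if len(parts) < 8 or parts[0] in ("reboot", "wtmp", "btmp"):
        return None
    user, tty, host = parts[0], parts[1], parts[2]
    login_at = " ".join(parts[3:7])
    # parts[7] is "-" for a finished session. "still" (logged in) or "gone"
    # (no logout record) mean there is no duration to add up.
    minutes = parse_duration(parts[-1]) if parts[7] == "-" else None
    return {"user": user, "tty": tty, "host": host,
            "login_at": login_at, "minutes": minutes}


def summarize_last(lines, known_hosts):
    """Aggregate sessions per source host; list hosts not in known_hosts."""
    by_host = defaultdict(lambda: {"sessions": 0, "active": 0, "minutes": 0})
    for line in lines:
        rec = parse_last_line(line)
        if rec is None:
            continue
        entry = by_host[rec["host"]]
        entry["sessions"] += 1
        if rec["minutes"] is None:
            entry["active"] += 1          # still logged in / no logout record
        else:
            entry["minutes"] += rec["minutes"]
    unknown = sorted(h for h in by_host if h not in known_hosts)
    return {"by_host": dict(by_host), "unknown": unknown}


def format_report(summary):
    out = []
    for host, e in sorted(summary["by_host"].items()):
        out.append(f"{host:<18} sessions={e['sessions']:<3} "
                   f"active={e['active']:<2} minutes={e['minutes']}")
    for host in summary["unknown"]:
        out.append(f"WARNING: session from host not on allow-list: {host}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage:  last | python3 last_summary.py 114.91.17.74 218.1.181.21
    # With no stdin data, the constructed sample is used instead.
    known = set(sys.argv[1:])
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LAST
    print(format_report(summarize_last(text.splitlines(), known)))
```

Feed it the real listing with `last | python3 last_summary.py <allowed-ip> ...`; anything reported as outside the allow-list is a session worth correlating with the sshd entries in /var/log/secure (who accepted it, and with which key).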

3. View detailed SSH logs

journalctl _COMM=sshd

Result

-- Logs begin at 五 2024-06-14 19:10:01 CST, end at 三 2024-09-25 15:25:45 CST. --
6月 15 05:37:17 k8s-master sshd[12200]: pam_unix(sshd:session): session closed for user root
6月 15 05:38:02 k8s-master sshd[13646]: Timeout, client not responding.
6月 15 05:38:02 k8s-master sshd[13646]: pam_unix(sshd:session): session closed for user root
6月 15 08:35:56 k8s-master sshd[31558]: Bad protocol version identification 'GET / HTTP/1.1' from 35.203.211.240 port 59734
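Both /var/log/secure (section 1) and `journalctl _COMM=sshd` (section 3) carry the same sshd messages; only the timestamp prefix differs, and journalctl's prefix follows the system locale (the Chinese month names above). The added example below is my own code, not part of the original post. It matches from `sshd[` onward so it works on either source, counts failed passwords and banner probes per source address, lists which non-existent usernames were tried, and records every accepted login with the key fingerprint used, so an unexpected key or source on an `Accepted` line stands out. Note that on Debian and Ubuntu the file is /var/log/auth.log rather than /var/log/secure. The threshold of 3 failures, the repeated root failures from 1.28.87.38 and the assembled sample itself are constructed; the addresses and message formats are the page's own.

```python
"""Summarize sshd authentication events from /var/log/secure or journalctl.

Added example (not from the original post).
"""
import re
import sys
from collections import Counter

# Everything before "sshd[" (timestamp, hostname) is ignored, so the patterns
# work for the English syslog prefix and for journalctl's locale-dependent one.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port (\d+)")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port (\d+) ssh2(?:: (\S+) (\S+))?")
PROBE = re.compile(
    r"sshd\[\d+\]: (?:Bad protocol version identification .* from|"
    r"Did not receive identification string from) (\S+) port (\d+)")

# Constructed sample assembled from the page's own log lines; the three
# repeated root failures from 1.28.87.38 are constructed for the threshold.
SAMPLE_LOG = """\
Sep 25 13:45:55 k8s-master sshd[31818]: Failed password for invalid user unknown from 1.26.70.70 port 48165 ssh2
Sep 25 13:58:40 k8s-master sshd[9639]: Invalid user support from 39.174.209.153 port 48787
Sep 25 13:58:42 k8s-master sshd[9639]: Failed password for invalid user support from 39.174.209.153 port 48787 ssh2
Sep 25 14:04:09 k8s-master sshd[13746]: Failed password for admin from 124.114.180.50 port 49398 ssh2
Sep 25 14:04:59 k8s-master sshd[14350]: Did not receive identification string from 165.232.60.17 port 44154
Sep 25 14:06:35 k8s-master sshd[15552]: Failed password for invalid user ubnt from 60.223.250.50 port 50330 ssh2
Sep 25 14:54:21 k8s-master sshd[20203]: Accepted publickey for root from 218.1.181.21 port 55606 ssh2: RSA SHA256:LNL8O4SaiJXzZmE88eRt9wwKBt7bwKn05of+bBdHClA
Sep 25 15:14:56 k8s-master sshd[11388]: Failed password for root from 1.28.87.38 port 39542 ssh2
Sep 25 15:14:57 k8s-master sshd[11388]: Failed password for root from 1.28.87.38 port 39542 ssh2
Sep 25 15:14:58 k8s-master sshd[11388]: Failed password for root from 1.28.87.38 port 39542 ssh2
6月 15 08:35:56 k8s-master sshd[31558]: Bad protocol version identification 'GET / HTTP/1.1' from 35.203.211.240 port 59734
"""


def parse_line(line):
    """Classify one sshd line as failed / accepted / probe, or None if unknown."""
    m = FAILED.search(line)
    if m:
        return {"event": "failed", "invalid_user": m.group(1) is not None,
                "user": m.group(2), "src": m.group(3), "port": int(m.group(4))}
    m = ACCEPTED.search(line)
    if m:
        return {"event": "accepted", "method": m.group(1), "user": m.group(2),
                "src": m.group(3), "port": int(m.group(4)),
                "key_type": m.group(5), "fingerprint": m.group(6)}
    m = PROBE.search(line)
    if m:
        return {"event": "probe", "src": m.group(1), "port": int(m.group(2))}
    return None


def summarize(lines, threshold=3):
    """Aggregate events; 'noisy' holds sources at or above the failure threshold."""
    failed_by_src, probes_by_src, invalid_users = Counter(), Counter(), Counter()
    accepted = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "failed":
            failed_by_src[ev["src"]] += 1
            if ev["invalid_user"]:
                invalid_users[ev["user"]] += 1
        elif ev["event"] == "probe":
            probes_by_src[ev["src"]] += 1
        else:
            accepted.append(ev)
    noisy = {src: n for src, n in failed_by_src.items() if n >= threshold}
    return {"failed_by_src": failed_by_src, "probes_by_src": probes_by_src,
            "invalid_users": invalid_users, "accepted": accepted, "noisy": noisy}


def format_report(s):
    out = ["Failed passwords per source:"]
    out += [f"  {src:<18} {n}" for src, n in s["failed_by_src"].most_common()]
    out.append("Banner probes per source:")
    out += [f"  {src:<18} {n}" for src, n in s["probes_by_src"].most_common()]
    out.append("Non-existent usernames tried: " + ", ".join(sorted(s["invalid_users"])))
    out.append("Accepted logins (check user, source and key):")
    out += [f"  {a['user']}@{a['src']} via {a['method']} {a['fingerprint'] or ''}"
            for a in s["accepted"]]
    for src, n in s["noisy"].items():
        out.append(f"ALERT: {src} reached {n} failed passwords")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage:  python3 ssh_auth_summary.py < /var/log/secure
    #         journalctl _COMM=sshd | python3 ssh_auth_summary.py
    # With no stdin data, the constructed sample is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(format_report(summarize(text.splitlines())))
```

Run it over the whole file periodically, or pipe the output of `journalctl -f _COMM=sshd` into a variant that calls `parse_line` per line, to get the near-real-time view the title refers to; the `ALERT` lines are the candidates for a firewall block, and every `Accepted` line should match a key and source you recognize.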
