安全运营--centos7.6查看ssh登录日志分析服务器安全情况

linux服务器在挂到外网的时候，很容易受到黑客的扫描，攻击，拿到服务器权限。所以，如有异常账户ip登录服务器，就应该高度警惕，更换密码，检查漏洞等。

1.wtmp日志

查看所有SSH登陆日志 包括IP，输出的内容包括：用户名、终端位置、登录源信息、开始时间、结束时间、持续时间。注意最后一行输出的是wtmp文件起始记录的时间。当然也可以通过last -f参数指定读取文件

命令：last

[root@localhost ~]# last    
root     pts/0        192.168.8.88     Wed Jan  4 11:03   still logged in
root     pts/1        10.10.10.253     Tue Jan  3 21:23 - 21:39  (00:16)
root     pts/0        192.168.8.88     Tue Jan  3 21:09 - 10:55  (13:46)
reboot   system boot  3.10.0-957.el7.x Tue Jan  3 09:43 - 16:46 (2+07:02)
root     pts/0        192.168.8.88     Tue Jan  3 09:12 - down   (00:08)
reboot   system boot  3.10.0-957.el7.x Tue Jan  3 09:11 - 09:20  (00:08)
wtmp begins Mon Dec 12 16:35:12 2022

命令：last -x -F

[root@localhost ~]# last -x -F
root     pts/0        192.168.8.88     Wed Jan  4 11:03:55 2023   still logged in
root     pts/1        10.10.10.253     Tue Jan  3 21:23:34 2023 - Tue Jan  3 21:39:38 2023  (00:16)
runlevel (to lvl 3)   3.10.0-957.el7.x Mon Dec 12 16:36:28 2022 - Mon Dec 12 16:49:59 2022  (00:13)
reboot   system boot  3.10.0-957.el7.x Mon Dec 12 16:35:12 2022 - Mon Dec 12 16:49:59 2022  (00:14)

wtmp begins Mon Dec 12 16:35:12 2022

2.查看在线用户情况

（1）w 命令用于显示已经登陆系统的用户列表，并显示用户正在执行的指令。单独执行w命令会显示所有的用户，也可指定用户名称，仅显示某位用户的相关信息：

w 用户名

[root@localhost ~]# w
 16:49:36 up 2 days,  7:12,  1 user,  load average: 0.06, 0.03, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    192.168.8.88     三11    0.00s  2.57s  0.00s w

（2）who am i 显示出口IP地址，该地址用于SSH连接的源IP

[root@localhost ~]# who am i
root     pts/0        2023-01-04 11:03 (192.168.8.88)

3.lastlog 列出所有用户最近登录的信息

lastlog引用的是/var/log/lastlog文件中的信息，包括login-name、port、last login time

[root@localhost ~]# lastlog
用户名           端口     来自             最后登陆时间
root             pts/0    192.168.8.88     三 1月  4 11:03:55 +0800 2023
bin                                        **从未登录过**
daemon                                     **从未登录过**
adm                                        **从未登录过**
lp                                         **从未登录过**
sync                                       **从未登录过**
shutdown                                   **从未登录过**
halt                                       **从未登录过**
mail                                       **从未登录过**
operator                                   **从未登录过**
games                                      **从未登录过**
ftp                                        **从未登录过**
nobody                                     **从未登录过**
systemd-network                            **从未登录过**
dbus                                       **从未登录过**
polkitd                                    **从未登录过**
libstoragemgmt                             **从未登录过**
abrt                                       **从未登录过**
rpc                                        **从未登录过**
sshd                                       **从未登录过**
postfix                                    **从未登录过**
ntp                                        **从未登录过**
chrony                                     **从未登录过**
tcpdump                                    **从未登录过**
apache                                     **从未登录过**
mabos                                      **从未登录过**

4.lastb 列出失败尝试的登录信息

和last命令功能完全相同，只不过它默认读取的是/var/log/btmp文件的信息。

[root@localhost ~]# lastb

btmp begins Wed Jan  4 20:18:51 2023

5.SSH登录日志分析

检查/var/log目录下的secure（CentOS），存在大量异常IP高频率尝试登录，且有成功登录记录（重点查找事发时间段）。

cat /var/log/secure |more
Jan  4 11:03:55 localhost sshd[7648]: Accepted password for root from 192.168.8.88 port 56455 ssh2
Jan  4 11:03:55 localhost sshd[7648]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan  4 11:03:55 localhost sshd[7650]: Accepted password for root from 192.168.8.88 port 56458 ssh2
Jan  4 11:03:55 localhost sshd[7650]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan  4 15:34:34 localhost polkitd[4857]: Registered Authentication Agent for unix-process:8161:10782133 (system bus name :1.458 [/usr/bin/pkttyagent --notif
y-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8)
Jan  4 15:34:34 localhost polkitd[4857]: Unregistered Authentication Agent for unix-process:8161:10782133 (system bus name :1.458, object path /org/freedesk
top/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
Jan  4 20:18:49 localhost useradd[20139]: failed adding user 'dbus', exit code: 9
Jan  4 20:18:51 localhost polkitd[4857]: Reloading rules

less /var/log/secure|grep'Accepted'  
[root@localhost ~]#  less /var/log/secure | grep 'Accepted'
Jan  3 09:12:14 localhost sshd[5901]: Accepted password for root from 192.168.8.88 port 57536 ssh2
Jan  3 09:12:14 localhost sshd[5903]: Accepted password for root from 192.168.8.88 port 57539 ssh2
Jan  3 21:09:05 localhost sshd[6674]: Accepted password for root from 192.168.8.88 port 58119 ssh2
Jan  3 21:09:06 localhost sshd[6676]: Accepted password for root from 192.168.8.88 port 58122 ssh2
Jan  3 21:23:28 localhost sshd[6736]: Accepted password for root from 10.10.10.253 port 52502 ssh2
Jan  3 21:23:30 localhost sshd[6738]: Accepted password for root from 10.10.10.253 port 52790 ssh2
Jan  4 11:03:55 localhost sshd[7648]: Accepted password for root from 192.168.8.88 port 56455 ssh2
Jan  4 11:03:55 localhost sshd[7650]: Accepted password for root from 192.168.8.88 port 56458 ssh2

/var/log/其他日志说明：

/var/log/message  一般信息和系统信息
/var/log/secure  登陆信息
/var/log/maillog  mail记录
/var/log/utmp 
/var/log/wtmp登陆记录信息（last命令即读取此日志）