djwdj posted on 2023-3-19 14:39

【bash】Reading login logs for absolute beginners

centos7.9

Login log file: /var/log/secure

View failed logins
```
grep "Failed password for invalid user" /var/log/secure
```
> Mar 19 12:46:52 UAqiUf33838 sshd: Failed password for invalid user admin from 94.156.161.57 port 43222 ssh2
> Mar 19 12:46:56 UAqiUf33838 sshd: Failed password for root from 94.156.161.57 port 44154 ssh2
> Mar 19 12:47:00 UAqiUf33838 sshd: Failed password for invalid user lenovo from 94.156.161.57 port 45090 ssh2
> Mar 19 12:47:04 UAqiUf33838 sshd: Failed password for invalid user sugon from 94.156.161.57 port 46028 ssh2
> Mar 19 12:47:08 UAqiUf33838 sshd: Failed password for invalid user inspur from 94.156.161.57 port 46956 ssh2
> Mar 19 12:47:12 UAqiUf33838 sshd: Failed password for invalid user test from 94.156.161.57 port 47890 ssh2
> Mar 19 12:47:16 UAqiUf33838 sshd: Failed password for root from 94.156.161.57 port 48824 ssh2
> Mar 19 12:47:21 UAqiUf33838 sshd: Failed password for root from 94.156.161.57 port 49760 ssh2
> Mar 19 12:47:25 UAqiUf33838 sshd: Failed password for invalid user inspur from 94.156.161.57 port 50692 ssh2
> Mar 19 12:47:28 UAqiUf33838 sshd: Failed password for invalid user ubuntu from 94.156.161.57 port 51622 ssh2
> Mar 19 12:47:34 UAqiUf33838 sshd: Failed password for root from 94.156.161.57 port 52560 ssh2
> Mar 19 12:47:38 UAqiUf33838 sshd: Failed password for invalid user dell from 94.156.161.57 port 53490 ssh2
> Mar 19 12:47:44 UAqiUf33838 sshd: Failed password for root from 94.156.161.57 port 54420 ssh2
> Mar 19 12:47:47 UAqiUf33838 sshd: Failed password for invalid user lthpc from 94.156.161.57 port 55362 ssh2
> Mar 19 12:47:51 UAqiUf33838 sshd: Failed password for invalid user lthpc from 94.156.161.57 port 56276 ssh2


This can be made simpler, but it may also pull in non-ssh log lines:

```
grep Failed /var/log/secure
```

Show the last 10 lines
```
grep Failed /var/log/secure | tail
```


Show the last 20 lines
```
grep Failed /var/log/secure | tail -20
```

Extract the IP and username
```
grep "Failed password for invalid user" /var/log/secure | awk '{print $13" "$11}'
```

Count them
```
grep "Failed password for invalid user" /var/log/secure | awk '{print $13" "$11}' | sort | uniq -c | sort -nr
```
sort sorts the lines; -n sorts numerically, -r reverses the order.
uniq reports or omits repeated lines; -c prefixes each line with its number of occurrences.


Output:
>      14 94.156.161.57 inspur
>      12 94.156.161.57 sugon
>      11 94.156.161.57 dell
>      10 94.156.161.57 ubuntu
>       9 94.156.161.57 ps


# Show the last 10 lines with timestamps
```
grep "Failed password for invalid user" /var/log/secure | awk '{ print $3"\t"$13" "$11}' | tail -10
```

# View successful logins
```
grep "Accepted" /var/log/secure
```
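An added example, not code from the post above: the one-liners generalized into a small script that extracts IP and user from both the `for invalid user NAME` and the plain `for NAME` form (so the `Failed password for root` lines, which the fixed `$13"/"$11` fields skip, are counted too), drops non-sshd lines that a bare `grep Failed` would match, and lists source IPs that had failures followed by an Accepted login. The log lines, hostnames and IPs are constructed sample data, not real logs.

```shell
#!/bin/sh
# Added example: constructed sample lines in /var/log/secure format (not real log data).
SAMPLE_LOG='Mar 19 12:46:52 host1 sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 43222 ssh2
Mar 19 12:46:56 host1 sshd[1002]: Failed password for root from 192.0.2.10 port 44154 ssh2
Mar 19 12:47:00 host1 sshd[1003]: Failed password for invalid user admin from 192.0.2.10 port 45090 ssh2
Mar 19 12:47:04 host1 sshd[1004]: Failed password for invalid user test from 198.51.100.7 port 46028 ssh2
Mar 19 12:47:08 host1 sshd[1005]: Failed password for invalid user admin from 192.0.2.10 port 46956 ssh2
Mar 19 12:47:16 host1 sshd[1006]: Failed password for root from 192.0.2.10 port 48824 ssh2
Mar 19 12:47:20 host1 sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000
Mar 19 12:47:30 host1 sshd[1007]: Failed password for bob from 203.0.113.5 port 50000 ssh2
Mar 19 12:47:40 host1 sshd[1007]: Accepted password for bob from 203.0.113.5 port 50000 ssh2
Mar 19 12:48:00 host1 sshd[1008]: Accepted publickey for alice from 203.0.113.9 port 50010 ssh2'

# Print "<ip> <user>" for every sshd line of the given kind ("Failed" or "Accepted").
# Unlike fixed $13/$11 fields, this handles both "for invalid user NAME" and plain "for NAME",
# and the $5 check drops non-sshd lines (sudo, su, ...) that a bare grep Failed would match.
extract_ip_user() {
    awk -v kind="$1" '$5 ~ /^sshd(\[[0-9]+\])?:$/ && $6 == kind && $8 == "for" {
        user = ($9 == "invalid" && $10 == "user") ? $11 : $9
        for (j = 9; j <= NF && $j != "from"; j++) { }
        print $(j + 1), user
    }'
}

# Count failed attempts per (ip, user), most frequent first: "<count> <ip> <user>".
count_failed() {
    extract_ip_user Failed | sort | uniq -c | sort -k1,1nr -k2 | awk '{print $1, $2, $3}'
}

# Source IPs that had failed attempts and then an Accepted login: the
# brute-force-then-success pattern worth checking first in incident response.
success_after_failures() {
    _log=$(cat)
    _failed=$(printf '%s\n' "$_log" | extract_ip_user Failed | awk '{print $1}' | sort -u)
    printf '%s\n' "$_log" | extract_ip_user Accepted | sort -u |
    while read -r ip user; do
        if printf '%s\n' "$_failed" | grep -qxF "$ip"; then echo "$ip $user"; fi
    done
}

echo "== failed attempts per ip/user =="
printf '%s\n' "$SAMPLE_LOG" | count_failed
echo "== accepted after failures =="
printf '%s\n' "$SAMPLE_LOG" | success_after_failures
```

To run it against a real host, replace the `printf ... "$SAMPLE_LOG"` with `cat /var/log/secure` (read as root).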

zero57 posted on 2023-3-20 17:23

Incident-response reference; while I'm at it, here are the standard log locations:
All logs live under /var/log/
System error log: /var/log/messages
Mail system log: /var/log/maillog
FTP log: /var/log/xferlog
User login records: /var/log/wtmp
All currently logged-in users: /var/run/utmp
All failed login attempts: /var/log/btmp
Security information, system logins and network connections: /var/log/secure

rainerosion posted on 2023-3-19 14:48

Thanks for sharing

xianggu posted on 2023-3-19 15:02

Thanks for sharing

travel1996 posted on 2023-3-19 15:13

Very nice, thanks for sharing

alaben posted on 2023-3-19 15:54

Thanks for sharing

180652397 posted on 2023-3-19 15:57

Thanks for sharing

yuanjufeng posted on 2023-3-19 16:02

HUAJIEN posted on 2023-3-19 16:06

Thanks for sharing

kl0123 posted on 2023-3-19 16:19

Thanks for sharing

milo2050 posted on 2023-3-19 16:56

Thanks for sharing