CentOS 7.9
Login log file: /var/log/secure
Show login failures. Note that the text "invalid user" appears only when the username does not exist on the system; a failure against an existing account (e.g. root) is logged as "Failed password for root from ...", so this pattern alone misses those. The root lines in the sample output below would not be matched by it; the broader grep Failed further down catches both forms.
grep "Failed password for invalid user" /var/log/secure
Mar 19 12:46:52 UAqiUf33838 sshd[5172]: Failed password for invalid user admin from 94.156.161.57 port 43222 ssh2
Mar 19 12:46:56 UAqiUf33838 sshd[5174]: Failed password for root from 94.156.161.57 port 44154 ssh2
Mar 19 12:47:00 UAqiUf33838 sshd[5176]: Failed password for invalid user lenovo from 94.156.161.57 port 45090 ssh2
Mar 19 12:47:04 UAqiUf33838 sshd[5178]: Failed password for invalid user sugon from 94.156.161.57 port 46028 ssh2
Mar 19 12:47:08 UAqiUf33838 sshd[5180]: Failed password for invalid user inspur from 94.156.161.57 port 46956 ssh2
Mar 19 12:47:12 UAqiUf33838 sshd[5182]: Failed password for invalid user test from 94.156.161.57 port 47890 ssh2
Mar 19 12:47:16 UAqiUf33838 sshd[5184]: Failed password for root from 94.156.161.57 port 48824 ssh2
Mar 19 12:47:21 UAqiUf33838 sshd[5186]: Failed password for root from 94.156.161.57 port 49760 ssh2
Mar 19 12:47:25 UAqiUf33838 sshd[5188]: Failed password for invalid user inspur from 94.156.161.57 port 50692 ssh2
Mar 19 12:47:28 UAqiUf33838 sshd[5191]: Failed password for invalid user ubuntu from 94.156.161.57 port 51622 ssh2
Mar 19 12:47:34 UAqiUf33838 sshd[5193]: Failed password for root from 94.156.161.57 port 52560 ssh2
Mar 19 12:47:38 UAqiUf33838 sshd[5195]: Failed password for invalid user dell from 94.156.161.57 port 53490 ssh2
Mar 19 12:47:44 UAqiUf33838 sshd[5197]: Failed password for root from 94.156.161.57 port 54420 ssh2
Mar 19 12:47:47 UAqiUf33838 sshd[5199]: Failed password for invalid user lthpc from 94.156.161.57 port 55362 ssh2
Mar 19 12:47:51 UAqiUf33838 sshd[5201]: Failed password for invalid user lthpc from 94.156.161.57 port 56276 ssh2
A simpler pattern; it also catches failures against existing accounts (root and friends), but entries from other services that write to the same file may get mixed in:
grep Failed /var/log/secure
Last 10 lines
grep Failed /var/log/secure | tail
Last 20 lines
grep Failed /var/log/secure | tail -20
Extract the IP and username. The field positions below ($13 = IP, $11 = user) hold only for "invalid user" lines; on a failure against an existing account the user is $9 and the IP is $11, which is why the grep keeps the "invalid user" filter here.
grep "Failed password for invalid user" /var/log/secure | awk '{print $13" "$11}'
Count
grep "Failed password for invalid user" /var/log/secure | awk '{print $13" "$11}' | sort | uniq -c | sort -nr
sort sorts the lines; -n sorts numerically, -r reverses the order.
uniq reports or omits repeated lines; -c prefixes each line with its repeat count. uniq only collapses adjacent duplicates, so the input must be sorted first.
Output:
14 94.156.161.57 inspur
12 94.156.161.57 sugon
11 94.156.161.57 dell
10 94.156.161.57 ubuntu
9 94.156.161.57 ps
Last 10 lines with the time of day ($3; the month and day are $1 and $2)
grep "Failed password for invalid user" /var/log/secure | awk '{ print $3"\t"$13" "$11}' | tail -10
Show successful logins
grep "Accepted" /var/log/secure
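The one-liners above depend on fixed field positions that differ between "invalid user" failures and failures against existing accounts, and grep Failed can pick up non-sshd lines. The script below is an added example, not part of the original note: it keys on the sshd[PID] prefix, extracts user and IP from both failure forms with one regex, reproduces the sort | uniq -c | sort -nr summary, lists Accepted logins, and flags the case a responder cares about most, an IP that failed repeatedly and was then accepted. SAMPLE_LOG is a constructed file modelled on the lines shown above; the ftpd line in it is a made-up non-sshd decoy (not a real daemon message format), and 203.0.113.9 / 198.51.100.7 are documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original note). Summarise sshd authentication
# events in a /var/log/secure-style file. Handles both
#   "Failed password for invalid user NAME from IP"   (account does not exist)
#   "Failed password for NAME from IP"                (existing account, e.g. root)
# and ignores lines not written by sshd.
#
# SAMPLE_LOG: constructed input. The ftpd line is a fake non-sshd decoy.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 19 12:46:52 UAqiUf33838 sshd[5172]: Failed password for invalid user admin from 94.156.161.57 port 43222 ssh2
Mar 19 12:46:56 UAqiUf33838 sshd[5174]: Failed password for root from 94.156.161.57 port 44154 ssh2
Mar 19 12:47:16 UAqiUf33838 sshd[5184]: Failed password for root from 94.156.161.57 port 48824 ssh2
Mar 19 12:47:25 UAqiUf33838 sshd[5188]: Failed password for invalid user inspur from 94.156.161.57 port 50692 ssh2
Mar 19 12:47:28 UAqiUf33838 sshd[5191]: Failed password for invalid user inspur from 203.0.113.9 port 51622 ssh2
Mar 19 12:48:01 UAqiUf33838 sshd[5200]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2: RSA SHA256:c0nstructed
Mar 19 12:49:00 UAqiUf33838 ftpd[5300]: Failed password for invalid user ftp from 203.0.113.9 port 2121
Mar 19 12:49:30 UAqiUf33838 sshd[5310]: Accepted password for root from 94.156.161.57 port 52560 ssh2
EOF

# Print "IP USER" for every sshd password failure, whatever the account status.
ssh_failures() {
    awk '/ sshd\[[0-9]+\]: Failed password for / {
        line = $0
        # drop everything up to and including the optional "invalid user "
        sub(/.*Failed password for (invalid user )?/, "", line)
        n = split(line, f, " ")          # f[1]=user  f[2]="from"  f[3]=ip
        if (n >= 3 && f[2] == "from") print f[3], f[1]
    }' "$1"
}

# Failures per (IP, user), most frequent first: the same shape as the
# sort | uniq -c | sort -nr pipeline in the note.
ssh_failure_counts() {
    ssh_failures "$1" | sort | uniq -c | sort -nr
}

# The single source IP with the most failures.
top_attacker() {
    ssh_failures "$1" | awk '{print $1}' | sort | uniq -c | sort -nr | awk 'NR == 1 {print $2}'
}

# Print "TIME USER IP METHOD" for every successful sshd login.
# Field layout: $3 time, $7 auth method, $9 user, $11 source IP.
ssh_accepted() {
    awk '/ sshd\[[0-9]+\]: Accepted / { print $3, $9, $11, $7 }' "$1"
}

# IPs that failed at least once and were then accepted later in the log.
# awk reads in order, so failed[] only holds IPs seen before the Accepted line.
successes_after_failures() {
    awk '
        / sshd\[[0-9]+\]: Failed password for / {
            line = $0
            sub(/.*Failed password for (invalid user )?/, "", line)
            split(line, f, " ")
            if (f[2] == "from") failed[f[3]]++
        }
        / sshd\[[0-9]+\]: Accepted / && ($11 in failed) {
            print $11, $9, "after", failed[$11], "failures"
        }
    ' "$1" | sort -u
}

echo "== failures per IP/user ==";   ssh_failure_counts "$SAMPLE_LOG"
echo "== top attacker ==";           top_attacker "$SAMPLE_LOG"
echo "== successful logins ==";      ssh_accepted "$SAMPLE_LOG"
echo "== success after failures =="; successes_after_failures "$SAMPLE_LOG"
```

Point the functions at the real file (ssh_failure_counts /var/log/secure) once the sample has been checked; on a live host run them as root, since /var/log/secure is not world-readable. An IP that shows up in the last report should be treated as a likely compromised account until proven otherwise, not just as noise to block.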