Viewing the log files
On Linux, check the /var/log/wtmp file for logins from suspicious IPs:
last -f /var/log/wtmp
This log file keeps a permanent record of every user login and logout and of system shutdown events. As system uptime increases, the file grows; how fast it grows depends on how often users log in to the system. The log can be used to review a user's login records.
The last command reads this file and displays the login records in reverse order, from the most recent back to the oldest. last can also show only the records for a given user, terminal (TTY) or time.
Check the /var/log/secure file to find the number of logins from suspicious IPs.
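One way to do that count, as an added example that is not part of the original article: the script below tallies failed and accepted sshd logins per source address. The sample lines are constructed in the usual sshd message format, and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Constructed sample in the sshd format found in /var/log/secure
# (dates, users and most addresses are made up for the example).
sample_secure_log() {
cat <<'EOF'
Oct 24 12:40:01 zsc6 sshd[2101]: Failed password for root from 203.0.113.9 port 51122 ssh2
Oct 24 12:40:04 zsc6 sshd[2101]: Failed password for root from 203.0.113.9 port 51122 ssh2
Oct 24 12:40:09 zsc6 sshd[2105]: Failed password for invalid user admin from 203.0.113.9 port 51130 ssh2
Oct 24 12:41:15 zsc6 sshd[2110]: Failed password for dba from 198.51.100.7 port 40022 ssh2
Oct 24 12:53:08 zsc6 sshd[2140]: Accepted password for root from 10.1.80.47 port 60211 ssh2
Oct 24 13:02:30 zsc6 sshd[2188]: Accepted publickey for dba from 198.51.100.7 port 40100 ssh2
EOF
}

# login_counts: read sshd lines on stdin and print "IP failed accepted"
# for each source address, most failures first.
login_counts() {
  awk '
    /sshd\[[0-9]+\]: (Failed|Accepted) / {
      # Take the address after the LAST "from": the user name is chosen by
      # the client and may itself contain the word "from".
      ip = ""
      for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip == "") next
      seen[ip] = 1
      if ($0 ~ /\]: Failed /) failed[ip]++; else accepted[ip]++
    }
    END {
      for (ip in seen) printf "%s %d %d\n", ip, failed[ip], accepted[ip]
    }' | sort -k2,2nr -k1,1
}

# suspicious_ips THRESHOLD: addresses with at least THRESHOLD failed logins.
suspicious_ips() {
  login_counts | awk -v t="$1" '$2 >= t { print $1 }'
}

sample_secure_log | login_counts
# On a live host (as root): login_counts < /var/log/secure
```

An address that shows both failures and a later accepted login, like 198.51.100.7 in the sample, is the first one to compare against the wtmp records.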
2. A script that records the command history of every logged-in user
On a Linux system, whether we log in as root or as another user, we can review past commands with the history command. But if several people log in to a server in one day and someone deletes important data by mistake, looking at the history (command: history) is meaningless, because history only covers the commands run by the currently logged-in user; even root cannot get another user's history this way. Is there a way to record the command history together with the IP address and user name of each login? The answer: yes.
This can be achieved by adding the following code to /etc/profile:
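# Prompt in the form user@host:[current directory]
PS1="$(whoami)@$(hostname):"'[$PWD]'
history
# Remote address of this login; who prints it in parentheses in the last field
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
# Local logins have no remote address, so fall back to the host name
if [ "$USER_IP" = "" ]
then
    USER_IP=$(hostname)
fi
# Top-level directory; world-writable (no sticky bit) so any user can create a subdirectory
if [ ! -d /tmp/dbasky ]
then
    mkdir /tmp/dbasky
    chmod 777 /tmp/dbasky
fi
# Per-user directory; mode 300 lets the owner write and enter it but not list it
if [ ! -d "/tmp/dbasky/${LOGNAME}" ]
then
    mkdir "/tmp/dbasky/${LOGNAME}"
    chmod 300 "/tmp/dbasky/${LOGNAME}"
fi
export HISTSIZE=4096
# One history file per login, named "<IP> dbasky.<login time>"
DT=$(date "+%Y-%m-%d_%H:%M:%S")
export HISTFILE="/tmp/dbasky/${LOGNAME}/${USER_IP} dbasky.$DT"
# Restrict existing history files to their owner; errors are silenced
chmod 600 "/tmp/dbasky/${LOGNAME}"/*dbasky* 2>/dev/null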
Run source /etc/profile to make the script take effect.
Log out, then log in again.
The script above creates a dbasky directory under /tmp that records every user who has logged in to the system together with the IP address (in the file name). Each time a user logs in or out, a corresponding file is created that holds the command history for that login session. This method can be used to monitor the system's security.
root@zsc6:[/tmp/dbasky/root]ls
10.1.80.47 dbasky.2013-10-24_12:53:08
root@zsc6:[/tmp/dbasky/root]cat 10.1.80.47 dbasky.2013-10-24_12:53:08