2019-01-04 14:11:50 u010705742 (1606 views)

System auditing

System audit log

# Append the following block to the end of /etc/profile; when done, run

source /etc/profile

 

HISTSIZE=1000

HISTTIMEFORMAT="%Y/%m/%d %T ";export HISTTIMEFORMAT

# Path of the audit log file

export HISTORY_FILE=/var/log/audit.log

# What is audited: on every prompt, if the latest history entry is new, append one line with
# the date, effective user (login user), source IP, session PID, login time and the command.
# The array indexes assume the field layout of `who -u am i` (NAME LINE MON DAY TIME IDLE PID COMMENT).

export PROMPT_COMMAND='{ thisHistID=`history 1|awk "{print \\$1}"`;lastCommand=`history 1| awk "{\\$1=\"\" ;print}"`;user=`id -un`;whoStr=(`who -u am i`);realUser=${whoStr[0]};logMonth=${whoStr[2]};logDay=${whoStr[3]};logTime=${whoStr[4]};pid=${whoStr[6]};ip=${whoStr[7]};if [ ${thisHistID}x != ${lastHistID}x ];then echo -E `date "+%Y/%m/%d %H:%M:%S"` $user\($realUser\)@$ip[PID:$pid][LOGIN:$logMonth $logDay $logTime] --- $lastCommand ;lastHistID=$thisHistID;fi; } >> $HISTORY_FILE'

 

 

Check that it is working

cat /var/log/audit.log

Database audit policy

Plugin download address: https://bintray.com/mcafee/mysql-audit-plugin/

First download the audit plugin (audit-plugin-mysql-5.6-1.1.2-667.zip).

Unzip it, enter the lib directory inside the archive and copy its contents to /app/apps/mysql-5.6.32-linux-glibc2.5-x86_64/lib/plugin/

 

cp libaudit_plugin.so /app/apps/mysql-5.6.32-linux-glibc2.5-x86_64/lib/plugin/

 

Enter the plugin directory

cd /app/apps/mysql-5.6.32-linux-glibc2.5-x86_64/lib/plugin/

 

Give the file execute permission

chmod +x libaudit_plugin.so

 

Edit the configuration file

vim /etc/my.cnf

Under [mysqld] add

plugin-load=AUDIT=libaudit_plugin.so

 

 

Restart the service

service mysqld restart

 

 

Open the mysql client from the command line

mysql -uroot -p

Enter the password to get in

 

List the plugins

show plugins;

 

If the last row of the output looks like the figure below (screenshot not reproduced here), the plugin was installed successfully.

 

 

Run

SHOW GLOBAL VARIABLES LIKE 'audit%';

 

audit_record_cmds: the commands that the audit records. By default all commands are recorded; it can be set to any combination of DML, DCL and DDL statements,

e.g. audit_record_cmds=select,insert,delete,update

audit_record_objs

The objects whose operations the audit records; by default all objects are recorded.

SET GLOBAL audit_record_objs=NULL resets it to the default,

or it can be specified in the following format:

audit_record_objs=,test.*,mysql.*,information_schema.*

 

Next, check whether the audit function is enabled

show variables like 'audit_json_file';

 

It shows that it is not enabled, so we enable it next

set global audit_json_file=on;

 

 

 

show variables like 'audit_json_file';

 

Now it is enabled

 

 

Audit all objects in the bjggzy database

SET GLOBAL audit_record_objs='bjggzy.*';

 

 

Audit the insert, update and delete operations of the test database (note that audit_record_cmds filters by command type only; which databases are covered is controlled by audit_record_objs)

set global audit_record_cmds='insert,delete,update';

 

Check the path and name of the record file:

show variables like 'audit_json_log_file';

 

 

 

The file path is found as follows:

system find / -name mysql-audit.json

 

2016-08-14 20:44:50 ShaoqunLiu (1993 views)

1. Logs and auditing. Auditing provides a way to trace user activity. On Unix/Linux a daemon such as syslogd can be used for auditing; by configuring this background program you can obtain various levels of system auditing and choose the output location.

a) Logging systems. Unix provides three kinds of logging:

i. Connect-time logging. As the system's processes run, records are written to /var/log/wtmp and /var/run/utmp. These two files are updated by processes such as login, so that administrators can track who logged in to the system and when.

ii. Process accounting, which records the execution and termination of processes. Process accounting is done by the kernel; its purpose is to provide command-usage statistics for the basic services of the system.

iii. Error logging, done by syslog. The various system daemons, user programs and the kernel report noteworthy events to the file /var/log/messages through syslog.

b) Connect-time logs. Information about currently logged-in users is recorded in /var/run/utmp; login and logout records go to /var/log/wtmp, and data exchanges and reboots are also recorded in wtmp. Every record in these files carries a timestamp. Both wtmp and utmp are binary files: they cannot be trimmed with tail or concatenated with cat, and a few special commands are needed to read the information they contain:

i. The who command. who queries the utmp file and reports every account currently logged in. Its default output includes the user name, terminal type, login date and remote host. If who is pointed at the wtmp file, i.e. who /var/log/wtmp, it reports every login since the wtmp file was created. However, when I used this command on Ubuntu nothing was printed, even when I ran it as root with sudo. I also tried who /var/run/utmp, which gives the same output as the default who command.

ii. The w command queries the utmp file and shows each user currently on the system together with the processes they are running; just typing w is enough.

iii. The users command prints the currently logged-in users on a single line; in my test it printed only one.

iv. The last command queries the wtmp file from the time it was first created, that is, from when recording started. If a user is specified it reports that user's recent activity, but on Ubuntu I saw no difference between specifying a user and not specifying one.

v. The ac command reports user connect time (in hours) based on the login and logout times recorded in /var/log/wtmp. This command is not present by default on Ubuntu; it must be installed with sudo apt install acct (which of course requires network access).
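Because wtmp and utmp are binary, the who/last/ac views above are really just different walks over the same fixed-size records. The following added example (not part of the original post) constructs a small wtmp blob and reimplements those three views; it assumes the glibc struct utmp layout of x86_64 Linux (384-byte records) and uses TEST-NET addresses for the sample logins.

```python
import socket
import struct
from datetime import datetime, timezone

# glibc struct utmp on x86_64 Linux (384 bytes): ut_type, 2 pad bytes, ut_pid,
# ut_line[32], ut_id[4], ut_user[32], ut_host[256], ut_exit (two shorts),
# ut_session, ut_tv (32-bit sec and usec), ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384

BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(b):
    """Decode a NUL-padded fixed-width C string field."""
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")


def pack_record(ut_type, pid, line, ident, user, host, tv_sec, ipv4=""):
    """Build one utmp record; used here only to construct the sample file."""
    addr0 = struct.unpack("<i", socket.inet_aton(ipv4))[0] if ipv4 else 0
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ident.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       addr0, 0, 0, 0)


def build_sample():
    """Constructed wtmp content: a reboot, two logins and one logout (UTC, 2016-08-14)."""
    t0 = int(datetime(2016, 8, 14, 20, 0, tzinfo=timezone.utc).timestamp())
    return b"".join([
        pack_record(BOOT_TIME, 0, "~", "~~", "reboot", "4.4.0-generic", t0),
        pack_record(USER_PROCESS, 1201, "pts/0", "ts/0", "alice", "192.0.2.10", t0 + 60, "192.0.2.10"),
        pack_record(USER_PROCESS, 1340, "pts/1", "ts/1", "bob", "192.0.2.11", t0 + 660, "192.0.2.11"),
        pack_record(DEAD_PROCESS, 1201, "pts/0", "ts/0", "", "", t0 + 3660),
    ])


def parse_utmp(data):
    """Split a utmp/wtmp blob into record dicts; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        ipv4 = ""
        if f[11] and not any(f[12:15]):          # IPv4 lives in ut_addr_v6[0]
            ipv4 = socket.inet_ntoa(struct.pack("<i", f[11]))
        records.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                        "user": _cstr(f[4]), "host": _cstr(f[5]),
                        "ts": f[9], "ip": ipv4})
    return records


def current_logins(records):
    """who-style view: logins not yet closed by a DEAD_PROCESS on the same line."""
    active = {}
    for r in records:
        if r["type"] == USER_PROCESS:
            active[r["line"]] = r
        elif r["type"] == DEAD_PROCESS:
            active.pop(r["line"], None)
    return list(active.values())


def sessions(records):
    """last-style view: pair each login with the logout on the same tty line."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            s = {"user": r["user"], "line": r["line"], "host": r["host"],
                 "login": r["ts"], "logout": None, "duration": None}
            open_by_line[r["line"]] = s
            out.append(s)
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            s["logout"] = r["ts"]
            s["duration"] = r["ts"] - s["login"]
    return out


def connect_time_hours(records):
    """ac-style total: hours of closed sessions per user."""
    hours = {}
    for s in sessions(records):
        if s["duration"] is not None:
            hours[s["user"]] = hours.get(s["user"], 0.0) + s["duration"] / 3600
    return hours


if __name__ == "__main__":
    recs = parse_utmp(build_sample())
    for r in current_logins(recs):
        print(f"{r['user']:8} {r['line']:8} {datetime.utcfromtimestamp(r['ts'])} ({r['ip']})")
    print("connect time (h):", connect_time_hours(recs))
```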

c) Process accounting logs. When a process terminates, a record for it is written to the process accounting file, pacct or acct. The basic purpose of process accounting is to provide command-usage statistics for the system's basic services. Unlike connect-time logging, the process accounting subsystem is not active by default and must be started. On Ubuntu this command also has to be installed, with the same package as ac: sudo apt install acct. The accton command must be run as root; its basic form is accton FILE, where the file is a required argument. Such a log file can be created with touch, which is generally used to create a file that does not yet exist or to update a file's timestamp. Once accton is active, the lastcomm command can be used to inspect any command executed on the system at any time. To turn accounting off, run accton with no arguments.
One problem process accounting causes is that the pacct file grows very fast, so these log files have to be cleaned up and compressed; the sa command can be used to keep the amount of log data within the system's limits.

d) Error logs, handled by syslogd. Most syslog messages are written to the messages file under /var/log. syslogd decides how to log according to the file /etc/syslog.conf, which it reads at start-up. That file consists of individual entries, one per line, classified by program or message type; each provides a selector field and an action field. The selector field names the type and priority of a message, and the action field says what syslogd does when it receives a message that matches the selector. syslogd only records messages with the same or a higher priority, and the action field on each line states where a selected message should be sent.

e) Remote logging. syslogd's default configuration does not accept messages from the network. Remote logging keeps a copy on the local machine and additionally sends the log automatically to a specified host, so that even if an attacker tampers with the local logs, the event can still be analysed from the remote host's copy.

First published on my personal website.

2019-01-03 14:32:21 u010705742 (1160 views)

Auditing the logs of syslog process exits on Linux

1. Normal shutdown of syslog

2. Normal start of syslog

3. Normal restart of syslog

4. Killing the syslog process (no log is produced at all)

5. Logs produced by a Nessus scan

Jan  9 15:17:36 localhost sshd[4838]: Did not receive identification string from UNKNOWN

Jan  9 15:18:21 localhost sshd[4845]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:20:56 localhost sshd[4860]: Did not receive identification string from UNKNOWN

Jan  9 15:21:45 localhost sshd[4882]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:46 localhost sshd[4886]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:46 localhost sshd[4883]: Invalid user emailswitch from 192.168.31.27

Jan  9 15:21:46 localhost sshd[4891]: Protocol major versions differ for UNKNOWN: SSH-2.0-OpenSSH_4.3 vs. SSH-9.9-OpenSSH_5.0

Jan  9 15:21:46 localhost sshd[4887]: Invalid user anonymous from 192.168.31.27

Jan  9 15:21:46 localhost sshd[4885]: input_userauth_request: invalid user emailswitch

Jan  9 15:21:46 localhost sshd[4883]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:21:46 localhost sshd[4883]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:21:46 localhost sshd[4883]: pam_succeed_if(sshd:auth): error retrieving information about user emailswitch

Jan  9 15:21:46 localhost sshd[4888]: input_userauth_request: invalid user anonymous

Jan  9 15:21:46 localhost sshd[4887]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:21:46 localhost sshd[4887]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:21:46 localhost sshd[4887]: pam_succeed_if(sshd:auth): error retrieving information about user anonymous

Jan  9 15:21:46 localhost sshd[4889]: Invalid user _9hwH87a from 192.168.31.27

Jan  9 15:21:46 localhost sshd[4890]: input_userauth_request: invalid user _9hwH87a

Jan  9 15:21:46 localhost sshd[4889]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:21:46 localhost sshd[4889]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:21:46 localhost sshd[4889]: pam_succeed_if(sshd:auth): error retrieving information about user _9hwH87a

Jan  9 15:21:47 localhost sshd[4892]: Protocol major versions differ for UNKNOWN: SSH-2.0-OpenSSH_4.3 vs. SSH-1.33-OpenSSH_5.0

Jan  9 15:21:48 localhost sshd[4893]: Protocol major versions differ for UNKNOWN: SSH-2.0-OpenSSH_4.3 vs. SSH-1.5-OpenSSH_5.0

Jan  9 15:21:48 localhost sshd[4895]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:49 localhost sshd[4883]: Failed password for invalid user emailswitch from 192.168.31.27 port 62201 ssh2

Jan  9 15:21:49 localhost sshd[4885]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:49 localhost sshd[4887]: Failed password for invalid user anonymous from 192.168.31.27 port 62203 ssh2

Jan  9 15:21:49 localhost sshd[4888]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:49 localhost sshd[4889]: Failed password for invalid user _9hwH87a from 192.168.31.27 port 62204 ssh2

Jan  9 15:21:49 localhost sshd[4890]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:49 localhost sshd[4896]: Invalid user product from 192.168.31.27

Jan  9 15:21:49 localhost sshd[4898]: Invalid user guest from 192.168.31.27

Jan  9 15:21:49 localhost sshd[4899]: input_userauth_request: invalid user guest

Jan  9 15:21:49 localhost sshd[4898]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:21:49 localhost sshd[4898]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:21:49 localhost sshd[4898]: pam_succeed_if(sshd:auth): error retrieving information about user guest

Jan  9 15:21:49 localhost sshd[4900]: Invalid user VWWjRsTx from 192.168.31.27

Jan  9 15:21:49 localhost sshd[4902]: Invalid user n3ssus from 192.168.31.27

Jan  9 15:21:49 localhost sshd[4903]: input_userauth_request: invalid user n3ssus

Jan  9 15:21:49 localhost sshd[4902]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:21:49 localhost sshd[4902]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:21:49 localhost sshd[4902]: pam_succeed_if(sshd:auth): error retrieving information about user n3ssus

Jan  9 15:21:49 localhost sshd[4905]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:50 localhost sshd[4907]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:51 localhost sshd[4898]: Failed password for invalid user guest from 192.168.31.27 port 62236 ssh2

Jan  9 15:21:51 localhost sshd[4899]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:51 localhost sshd[4902]: Failed password for invalid user n3ssus from 192.168.31.27 port 62238 ssh2

Jan  9 15:21:51 localhost sshd[4903]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:51 localhost sshd[4909]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:51 localhost sshd[4911]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:51 localhost sshd[4913]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:52 localhost sshd[4914]: Invalid user admin from 192.168.31.27

Jan  9 15:21:52 localhost sshd[4915]: input_userauth_request: invalid user admin

Jan  9 15:21:52 localhost sshd[4914]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:21:52 localhost sshd[4914]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:21:52 localhost sshd[4914]: pam_succeed_if(sshd:auth): error retrieving information about user admin

Jan  9 15:21:54 localhost sshd[4897]: input_userauth_request: invalid user product

Jan  9 15:21:54 localhost sshd[4896]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:21:54 localhost sshd[4896]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:21:54 localhost sshd[4896]: pam_succeed_if(sshd:auth): error retrieving information about user product

Jan  9 15:21:54 localhost sshd[4901]: input_userauth_request: invalid user VWWjRsTx

Jan  9 15:21:54 localhost sshd[4901]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:54 localhost sshd[4914]: Failed password for invalid user admin from 192.168.31.27 port 62275 ssh2

Jan  9 15:21:54 localhost sshd[4915]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:55 localhost sshd[4916]: Invalid user admin from 192.168.31.27

Jan  9 15:21:55 localhost sshd[4917]: input_userauth_request: invalid user admin

Jan  9 15:21:55 localhost sshd[4916]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:21:55 localhost sshd[4916]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:21:55 localhost sshd[4916]: pam_succeed_if(sshd:auth): error retrieving information about user admin

Jan  9 15:21:55 localhost sshd[4920]: Invalid user guest from 192.168.31.27

Jan  9 15:21:55 localhost sshd[4923]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:55 localhost sshd[4918]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27  user=root

Jan  9 15:21:56 localhost sshd[4896]: Failed password for invalid user product from 192.168.31.27 port 62234 ssh2

Jan  9 15:21:56 localhost sshd[4897]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:56 localhost sshd[4926]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27  user=root

Jan  9 15:21:57 localhost sshd[4926]: Failed password for root from 192.168.31.27 port 62305 ssh2

Jan  9 15:21:57 localhost sshd[4927]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:57 localhost sshd[4916]: Failed password for invalid user admin from 192.168.31.27 port 62296 ssh2

Jan  9 15:21:57 localhost sshd[4917]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:57 localhost sshd[4929]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27  user=root

Jan  9 15:21:57 localhost sshd[4931]: Invalid user admin from 192.168.31.27

Jan  9 15:21:57 localhost sshd[4918]: Failed password for root from 192.168.31.27 port 62297 ssh2

Jan  9 15:21:57 localhost sshd[4919]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:57 localhost sshd[4932]: input_userauth_request: invalid user admin

Jan  9 15:21:58 localhost sshd[4931]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:21:58 localhost sshd[4931]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:21:58 localhost sshd[4931]: pam_succeed_if(sshd:auth): error retrieving information about user admin

Jan  9 15:21:59 localhost sshd[4929]: Failed password for root from 192.168.31.27 port 62319 ssh2

Jan  9 15:21:59 localhost sshd[4930]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:21:59 localhost sshd[4934]: Invalid user admin1 from 192.168.31.27

Jan  9 15:21:59 localhost sshd[4935]: input_userauth_request: invalid user admin1

Jan  9 15:21:59 localhost sshd[4934]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:21:59 localhost sshd[4934]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:21:59 localhost sshd[4934]: pam_succeed_if(sshd:auth): error retrieving information about user admin1

Jan  9 15:22:00 localhost sshd[4931]: Failed password for invalid user admin from 192.168.31.27 port 62320 ssh2

Jan  9 15:22:00 localhost sshd[4932]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:00 localhost sshd[4936]: Invalid user Jh_Z_Oa0 from 192.168.31.27

Jan  9 15:22:00 localhost sshd[4937]: input_userauth_request: invalid user Jh_Z_Oa0

Jan  9 15:22:00 localhost sshd[4936]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:22:00 localhost sshd[4936]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:22:00 localhost sshd[4936]: pam_succeed_if(sshd:auth): error retrieving information about user Jh_Z_Oa0

Jan  9 15:22:00 localhost sshd[4938]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27  user=root

Jan  9 15:22:00 localhost sshd[4922]: input_userauth_request: invalid user guest

Jan  9 15:22:00 localhost sshd[4922]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:01 localhost sshd[4934]: Failed password for invalid user admin1 from 192.168.31.27 port 62334 ssh2

Jan  9 15:22:01 localhost sshd[4935]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:01 localhost sshd[4940]: Invalid user shelladmin from 192.168.31.27

Jan  9 15:22:01 localhost sshd[4941]: input_userauth_request: invalid user shelladmin

Jan  9 15:22:01 localhost sshd[4940]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:22:01 localhost sshd[4940]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:22:01 localhost sshd[4940]: pam_succeed_if(sshd:auth): error retrieving information about user shelladmin

Jan  9 15:22:02 localhost sshd[4936]: Failed password for invalid user Jh_Z_Oa0 from 192.168.31.27 port 62336 ssh2

Jan  9 15:22:02 localhost sshd[4937]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:02 localhost sshd[4938]: Failed password for root from 192.168.31.27 port 62349 ssh2

Jan  9 15:22:02 localhost sshd[4939]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:02 localhost sshd[4942]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27  user=root

Jan  9 15:22:03 localhost sshd[4940]: Failed password for invalid user shelladmin from 192.168.31.27 port 62356 ssh2

Jan  9 15:22:03 localhost sshd[4941]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:04 localhost sshd[4942]: Failed password for root from 192.168.31.27 port 62359 ssh2

Jan  9 15:22:04 localhost sshd[4943]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:05 localhost sshd[4951]: Invalid user manage from 192.168.31.27

Jan  9 15:22:05 localhost sshd[4953]: input_userauth_request: invalid user manage

Jan  9 15:22:05 localhost sshd[4951]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:22:05 localhost sshd[4951]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:22:05 localhost sshd[4951]: pam_succeed_if(sshd:auth): error retrieving information about user manage

Jan  9 15:22:06 localhost sshd[4924]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27  user=root

Jan  9 15:22:07 localhost sshd[4951]: Failed password for invalid user manage from 192.168.31.27 port 62440 ssh2

Jan  9 15:22:07 localhost sshd[4953]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:07 localhost sshd[4960]: Invalid user monitor from 192.168.31.27

Jan  9 15:22:07 localhost sshd[4961]: input_userauth_request: invalid user monitor

Jan  9 15:22:07 localhost sshd[4960]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:22:07 localhost sshd[4960]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:22:07 localhost sshd[4960]: pam_succeed_if(sshd:auth): error retrieving information about user monitor

Jan  9 15:22:07 localhost sshd[4924]: Failed password for root from 192.168.31.27 port 62304 ssh2

Jan  9 15:22:07 localhost sshd[4925]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:09 localhost sshd[4960]: Failed password for invalid user monitor from 192.168.31.27 port 62543 ssh2

Jan  9 15:22:09 localhost sshd[4961]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:09 localhost sshd[4974]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27  user=ftp

Jan  9 15:22:11 localhost sshd[4985]: Invalid user admin from 192.168.31.27

Jan  9 15:22:11 localhost sshd[4986]: input_userauth_request: invalid user admin

Jan  9 15:22:11 localhost sshd[4985]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:22:11 localhost sshd[4985]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:22:11 localhost sshd[4985]: pam_succeed_if(sshd:auth): error retrieving information about user admin

Jan  9 15:22:11 localhost sshd[4974]: Failed password for ftp from 192.168.31.27 port 62697 ssh2

Jan  9 15:22:11 localhost sshd[4975]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:13 localhost sshd[4985]: Failed password for invalid user admin from 192.168.31.27 port 62820 ssh2

Jan  9 15:22:13 localhost sshd[4986]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:13 localhost sshd[5009]: Did not receive identification string from UNKNOWN

Jan  9 15:22:14 localhost sshd[5015]: Invalid user cisco from 192.168.31.27

Jan  9 15:22:14 localhost sshd[5016]: input_userauth_request: invalid user cisco

Jan  9 15:22:15 localhost sshd[5015]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:22:15 localhost sshd[5015]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:22:15 localhost sshd[5015]: pam_succeed_if(sshd:auth): error retrieving information about user cisco

Jan  9 15:22:15 localhost sshd[5017]: Invalid user __user from 192.168.31.27

Jan  9 15:22:16 localhost sshd[5015]: Failed password for invalid user cisco from 192.168.31.27 port 63129 ssh2

Jan  9 15:22:16 localhost sshd[5016]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:17 localhost sshd[5023]: Invalid user Cisco from 192.168.31.27

Jan  9 15:22:17 localhost sshd[5024]: input_userauth_request: invalid user Cisco

Jan  9 15:22:17 localhost sshd[5023]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:22:17 localhost sshd[5023]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:22:17 localhost sshd[5023]: pam_succeed_if(sshd:auth): error retrieving information about user Cisco

Jan  9 15:22:19 localhost sshd[5023]: Failed password for invalid user Cisco from 192.168.31.27 port 63226 ssh2

Jan  9 15:22:19 localhost sshd[5024]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:19 localhost sshd[5030]: Invalid user  from 192.168.31.27

Jan  9 15:22:19 localhost sshd[5031]: input_userauth_request: invalid user

Jan  9 15:22:19 localhost sshd[5031]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:20 localhost sshd[5040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27  user=root

Jan  9 15:22:22 localhost sshd[5040]: Failed password for root from 192.168.31.27 port 63387 ssh2

Jan  9 15:22:22 localhost sshd[5041]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:22 localhost sshd[5053]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27  user=root

Jan  9 15:22:24 localhost sshd[5053]: Failed password for root from 192.168.31.27 port 63413 ssh2

Jan  9 15:22:24 localhost sshd[5054]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:25 localhost sshd[5018]: input_userauth_request: invalid user __user

Jan  9 15:22:25 localhost sshd[5017]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:22:25 localhost sshd[5017]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:22:25 localhost sshd[5017]: pam_succeed_if(sshd:auth): error retrieving information about user __user

Jan  9 15:22:27 localhost sshd[5017]: Failed password for invalid user __user from 192.168.31.27 port 63140 ssh2

Jan  9 15:22:27 localhost sshd[5018]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:22:27 localhost sshd[5108]: Invalid user __super from 192.168.31.27

Jan  9 15:22:27 localhost sshd[5109]: input_userauth_request: invalid user __super

Jan  9 15:22:27 localhost sshd[5108]: pam_unix(sshd:auth): check pass; user unknown

Jan  9 15:22:27 localhost sshd[5108]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.27

Jan  9 15:22:27 localhost sshd[5108]: pam_succeed_if(sshd:auth): error retrieving information about user __super

Jan  9 15:22:29 localhost sshd[5108]: Failed password for invalid user __super from 192.168.31.27 port 63566 ssh2

Jan  9 15:22:29 localhost sshd[5109]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:23:12 localhost sshd[5670]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:23:12 localhost sshd[5675]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:23:12 localhost sshd[5678]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:23:13 localhost sshd[5680]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:23:18 localhost sshd[5682]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:23:18 localhost sshd[5694]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:23:18 localhost sshd[5697]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:23:18 localhost sshd[5699]: fatal: Read from socket failed: Connection reset by peer

Jan  9 15:23:18 localhost sshd[5700]: Invalid user vagrant from 192.168.31.27

Jan  9 15:23:19 localhost sshd[5701]: input_userauth_request: invalid user vagrant

Jan  9 15:23:19 localhost sshd[5701]: fatal: Read from socket failed: Connection reset by peer
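The scan above leaves a recognisable shape in the sshd log: one source address trying many nonexistent accounts within seconds, interleaved with banner and protocol-version probes that carry no address at all. The following added example (not part of the original post) parses a dozen of those lines and flags the source; it assumes the year 2019 for the syslog timestamps, which carry none.

```python
import re
from datetime import datetime

# Sample input: a dozen sshd lines copied from the Nessus scan excerpt above.
SAMPLE_LOG = """\
Jan  9 15:21:46 localhost sshd[4883]: Invalid user emailswitch from 192.168.31.27
Jan  9 15:21:46 localhost sshd[4891]: Protocol major versions differ for UNKNOWN: SSH-2.0-OpenSSH_4.3 vs. SSH-9.9-OpenSSH_5.0
Jan  9 15:21:46 localhost sshd[4887]: Invalid user anonymous from 192.168.31.27
Jan  9 15:21:49 localhost sshd[4883]: Failed password for invalid user emailswitch from 192.168.31.27 port 62201 ssh2
Jan  9 15:21:49 localhost sshd[4887]: Failed password for invalid user anonymous from 192.168.31.27 port 62203 ssh2
Jan  9 15:21:49 localhost sshd[4902]: Invalid user n3ssus from 192.168.31.27
Jan  9 15:21:51 localhost sshd[4902]: Failed password for invalid user n3ssus from 192.168.31.27 port 62238 ssh2
Jan  9 15:21:52 localhost sshd[4914]: Invalid user admin from 192.168.31.27
Jan  9 15:21:54 localhost sshd[4914]: Failed password for invalid user admin from 192.168.31.27 port 62275 ssh2
Jan  9 15:21:57 localhost sshd[4926]: Failed password for root from 192.168.31.27 port 62305 ssh2
Jan  9 15:22:13 localhost sshd[5009]: Did not receive identification string from UNKNOWN
Jan  9 15:23:19 localhost sshd[5701]: fatal: Read from socket failed: Connection reset by peer
"""
ASSUMED_YEAR = 2019   # syslog timestamps have no year; assumed for the sample

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S*) from (?P<ip>\S+)$")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
PROBE_PREFIXES = ("Protocol major versions differ", "Did not receive identification string")


def parse_sshd_events(text):
    """Turn sshd syslog lines into event dicts; lines that are not from sshd are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        kind, user, ip = "other", None, None
        inv, failed = INVALID_RE.match(msg), FAILED_RE.match(msg)
        if inv:
            kind, user, ip = "invalid_user", inv["user"], inv["ip"]
        elif failed:
            kind, user, ip = "failed_password", failed["user"], failed["ip"]
        elif msg.startswith(PROBE_PREFIXES):
            kind = "probe"   # banner/version probing: the message carries no source address
        events.append({"ts": ts, "pid": int(m["pid"]), "kind": kind, "user": user, "ip": ip})
    return events


def summarize_by_source(events):
    """Per source IP: distinct nonexistent usernames, failed passwords, and the time span seen."""
    summary = {}
    for e in events:
        if e["ip"] is None:
            continue
        s = summary.setdefault(e["ip"], {"invalid_users": set(), "failed_password": 0,
                                         "first": e["ts"], "last": e["ts"]})
        if e["kind"] == "invalid_user":
            s["invalid_users"].add(e["user"])
        elif e["kind"] == "failed_password":
            s["failed_password"] += 1
        s["first"], s["last"] = min(s["first"], e["ts"]), max(s["last"], e["ts"])
    return summary


def count_probes(events):
    """Number of address-less banner/protocol probes in the input."""
    return sum(1 for e in events if e["kind"] == "probe")


def flag_scanners(summary, min_users=3, window_seconds=120):
    """Sources that tried at least min_users nonexistent accounts within window_seconds."""
    return sorted(ip for ip, s in summary.items()
                  if len(s["invalid_users"]) >= min_users
                  and (s["last"] - s["first"]).total_seconds() <= window_seconds)


if __name__ == "__main__":
    ev = parse_sshd_events(SAMPLE_LOG)
    by_ip = summarize_by_source(ev)
    for ip in flag_scanners(by_ip):
        s = by_ip[ip]
        print(f"{ip}: {len(s['invalid_users'])} invalid users, {s['failed_password']} failed passwords "
              f"between {s['first']:%H:%M:%S} and {s['last']:%H:%M:%S}; {count_probes(ev)} probes")
```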

 

6. Clearing the history command records

1. Edit /etc/profile and change HISTSIZE=1000 to 0 or 1

Delete .bash_history under the user's home directory

 

2. Immediately clear the current history records

history -c

 

3. When bash runs a command it does not write the command name to the history file right away; it keeps it in an internal buffer and writes everything out when bash exits. Calling history -w makes bash update the history file immediately.

history -w

 

7. A tool for removing intrusion traces: logtamper

Note that logtamper can only clear log traces, and mainly targets utmp, wtmp and lastlog. In fact the important Linux logs that keep traces of you are: lastlog, utmp, wtmp, messages, syslog, sulog and the various shells' records of the commands users ran (history).

logtamper is a tool that *modifies* Linux logs; while modifying a log file it preserves the modified file's time information.

 

 

2016-11-21 17:15:46 Hwh1231 (4286 views)

Goal: monitor the commands used by the users who log in to a Linux server.


Configure user command auditing with the following steps:

1. Create the directory for the user audit files and the audit log file;
mkdir -p /var/log/usermonitor/
2. Create the user audit log file;
echo usermonitor >/var/log/usermonitor/usermonitor.log
3. Give ownership of the log file to a least-privileged user;
chown nobody:nobody /var/log/usermonitor/usermonitor.log
4. Give everyone write permission on the log file;
chmod 002 /var/log/usermonitor/usermonitor.log
5. Set the file attribute so that all users can only append to the file;
chattr +a /var/log/usermonitor/usermonitor.log
6. Edit /etc/profile with vim and add the following script commands;
export HISTORY_FILE=/var/log/usermonitor/usermonitor.log
export PROMPT_COMMAND='{ date "+%y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}")  #### $(whoami)  #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >>$HISTORY_FILE'
7. Apply the configuration
source  /etc/profile

To audit, simply read the file /var/log/usermonitor/usermonitor.log; it records the commands used by every user who logs in to the server. For extra safety the file can also be archived, compressed and sent by ftp to another host.
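Both PROMPT_COMMAND hooks on this page (the audit.log format of the first post and the usermonitor.log format just above) record the login user next to the effective user, which is exactly what lets a reviewer spot a session that switched accounts or tried to defeat the audit trail itself. The following added example (not from either post) normalises lines of both formats and flags such events; the sample lines are constructed from the two formats, use TEST-NET addresses, and assume `who am i` printed the remote host in parentheses.

```python
import re

# Constructed sample lines in the two formats written by the PROMPT_COMMAND hooks on this page.
AUDIT_LOG = """\
2019/01/04 14:11:50 root(admin)@(192.0.2.10)[PID:1234][LOGIN:Jan 4 13:58] --- 2019/01/04 14:11:45 cat /etc/shadow
2019/01/04 14:12:03 admin(admin)@(192.0.2.10)[PID:1301][LOGIN:Jan 4 13:58] --- 2019/01/04 14:12:01 ls -la /tmp
2019/01/04 14:12:40 root(admin)@(192.0.2.10)[PID:1234][LOGIN:Jan 4 13:58] --- 2019/01/04 14:12:38 history -c
"""
USERMONITOR_LOG = """\
16-11-21 17:15:46 ##### admin pts/0 (192.0.2.11)  #### root  #### chattr -a /var/log/usermonitor/usermonitor.log
16-11-21 17:16:02 ##### bob pts/1 (192.0.2.12)  #### bob  #### tail -n 20 /var/log/messages
"""

# First format: DATE user(realUser)@ip[PID:n][LOGIN:...] --- [HISTTIMEFORMAT stamp] command
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (?P<user>[^(]+)\((?P<real>[^)]*)\)@\(?(?P<ip>[^)\[]*)\)?"
    r"\[PID:(?P<pid>\d+)\]\[LOGIN:[^\]]*\] --- (?P<cmd>.*)$")
# Second format: DATE ##### realUser tty (ip)  #### effectiveUser  #### command
MONITOR_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d-\d\d \d\d:\d\d:\d\d) ##### (?P<real>\S+) (?P<tty>\S+) \(?(?P<ip>[^)]*)\)?"
    r"\s+#### (?P<user>\S+)\s+#### (?P<cmd>.*)$")
HIST_STAMP_RE = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d ")   # HISTTIMEFORMAT prefix on the command

# Commands that disable, empty or edit the very audit trail these hooks produce.
TAMPER_RE = re.compile(
    r"\bhistory\s+-c\b|\bunset\s+(?:HISTFILE|PROMPT_COMMAND)\b|\bHIST(?:SIZE|FILESIZE)=0\b"
    r"|\bchattr\s+-a\b|(?:\brm\b|>|\btruncate\b).*(?:audit\.log|usermonitor\.log)")
SENSITIVE_RE = re.compile(r"/etc/(?:shadow|sudoers)\b")


def parse_audit_text(text):
    """Normalise lines of either format into dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line) or MONITOR_RE.match(line)
        if not m:
            continue
        events.append({"ts": m["ts"], "login_user": m["real"].strip(),
                       "effective_user": m["user"].strip(), "ip": m["ip"].strip(),
                       "cmd": HIST_STAMP_RE.sub("", m["cmd"]).strip()})
    return events


def review(events):
    """Flag account switches, tampering with the audit trail, and sensitive file access."""
    findings = []
    for e in events:
        if e["login_user"] and e["effective_user"] != e["login_user"]:
            findings.append({**e, "category": "privilege_change"})
        if TAMPER_RE.search(e["cmd"]):
            findings.append({**e, "category": "tamper"})
        if SENSITIVE_RE.search(e["cmd"]):
            findings.append({**e, "category": "sensitive_file"})
    return findings


if __name__ == "__main__":
    for f in review(parse_audit_text(AUDIT_LOG + USERMONITOR_LOG)):
        print(f"{f['ts']} {f['category']:16} {f['login_user']}->{f['effective_user']} "
              f"from {f['ip']}: {f['cmd']}")
```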
