安全日誌:/var/log/secure**
轉自: https://www.cnblogs.com/pzk7788/p/10184740.html
/var/log/secure 一般用來記錄安全相關的信息,記錄最多的是哪些用戶登錄服務器的相關日誌,如果該文件很大,說明有人在破解你的 root 密碼
[root@localhost ~]$ tail /var/log/secure
Dec 27 14:04:51 139 sshd[30956]: Disconnecting: Too many authentication failures [preauth]
Dec 27 14:04:53 139 sshd[30968]: Invalid user user from 193.201.224.12 port 26133
Dec 27 14:04:53 139 sshd[30968]: input_userauth_request: invalid user user [preauth]
Dec 27 14:05:01 139 sshd[30968]: Disconnecting: Change of username or service not allowed: (user,ssh-connection) -> (User,ssh-connection) [preauth]
Dec 27 14:05:03 139 sshd[30996]: Invalid user User from 193.201.224.12 port 43273
可以分爲幾個字段來描述這些事件信息:
1. 事件的日期和時間
2. 事件的來源主機 ( 通常是寫主機名 )
3. 產生這個事件的程序[進程號]
4. 實際的日誌信息
常見信息:
在這裏插入代碼片
Jan 17 12:27:36 139 sshd[12812]: pam_unix(sshd:session): session closed for user root # 表示root用戶關閉了會話(也就是關閉了終端)
Jan 17 12:28:59 139 sshd[14064]: Accepted publickey for root from 14.23.168.10 port 36637 ssh2 # 表示接受來自14.23.168.10的root用戶的公鑰登錄
Jan 17 12:28:59 139 sshd[14064]: pam_unix(sshd:session): session opened for user root by (uid=0) # 表示給root用戶打開一個終端
Jan 17 14:41:10 Mir2_Center sshd[9913]: Received disconnect from 183.60.122.237: 11: disconnected by user # 表示已經連着的終端主動斷開連接,並關閉終端
Jan 17 14:41:10 Mir2_Center sshd[9913]: pam_unix(sshd:session): session closed for user root
Jan 17 14:39:48 139 sshd[31261]: Invalid user redis from 45.115.45.3 port 33274 # 表示對端使用無效的用戶redis來連接
Jan 17 14:39:48 139 sshd[31261]: input_userauth_request: invalid user redis [preauth] # 本機對redis用戶進行認證,認證失敗,發送錯誤信號給對端
Jan 17 14:39:48 139 sshd[31261]: Received disconnect from 45.115.45.3 port 33274:11: Bye Bye [preauth] # 對端接收到錯誤信號主動斷開連接
Jan 17 14:39:48 139 sshd[31261]: Disconnected from 45.115.45.3 port 33274 [preauth] # 連接關閉`