Viewing logs
Where the logs end up depends on the logging configuration: the system's /etc/rsyslog.conf (CentOS/Debian) or /etc/syslog.conf decides which file receives sshd's messages. On systemd hosts the same messages are also in the journal (`journalctl -u sshd` on CentOS, `journalctl -u ssh` on Debian), which is the place to look if the file below is empty or missing.
- ssh/sshd log file location on CentOS
/var/log/secure
- ssh/sshd log file location on Debian
/var/log/auth.log
```bash
# CentOS: count failed logins per source IP. The awk columns are positional:
# the date, host and "sshd[pid]:" occupy fields 1-5, so the address sits at a
# different field depending on the message text.
grep "Failed password for invalid user" /var/log/secure | awk '{print $13}' | sort | uniq -c | sort -nr | more
grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more
# connections refused by tcp_wrappers (hosts.deny)
grep "refused connect from " /var/log/secure | awk '{print $9}'
# accepted connections: public-key (certificate) logins as root, across rotated logs
grep "Accepted publickey for root from" /var/log/secure* | awk '{print $11}'
# clients that connected but never sent an SSH banner (scanners/probes);
# here the address is field 12, not 11 ($11 is the word "from")
grep "Did not receive identification string from" /var/log/secure | awk '{print $12}' | sort | uniq -c | sort -nr | more

# Debian: accepted public-key (certificate) logins
grep "Accepted publickey for root from" /var/log/auth.log* | awk '{print $11}'
# connections closed, per source IP; on newer OpenSSH the line can read
# "Connection closed by authenticating user root 1.2.3.4 port ..." and $9 is
# then no longer the address
grep "]: Connection closed by" /var/log/auth.log | awk '{print $9}' | sort | uniq -c | sort -nr
```
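The awk columns above break as soon as the message text changes (an "invalid user" line versus a "root" line, or a newer "Connection closed by authenticating user ..." line). As an added example that is not part of the original notes, the same reports can be written as shell functions that locate the source address by pattern instead of by column. The log lines, host name, PIDs and addresses in the sample are constructed, and the functions handle IPv4 only.

```sh
#!/bin/sh
# Added example (not from the original notes): sshd log summaries that find the
# source address by pattern rather than by a fixed awk column, so one function
# covers "invalid user" and "root" lines, rsyslog and journalctl output, and the
# newer "Connection closed by authenticating user ..." form.
# IPv4 only; all sample data below is constructed.

IP4='[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}'   # one IPv4 address (BRE; outer group + one inner group)

# Constructed sample, standing in for /var/log/secure or `journalctl -u sshd` output.
SAMPLE_LOG='Jan 12 10:00:01 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jan 12 10:00:03 web1 sshd[1235]: Failed password for root from 203.0.113.5 port 40114 ssh2
Jan 12 10:00:09 web1 sshd[1238]: Failed password for invalid user oracle from 198.51.100.7 port 50001 ssh2
Jan 12 10:01:00 web1 sshd[1240]: Accepted publickey for root from 192.0.2.10 port 52000 ssh2: RSA SHA256:abc
Jan 12 10:01:30 web1 sshd[1241]: Did not receive identification string from 198.51.100.7 port 50002
Jan 12 10:02:00 web1 sshd[1242]: Connection closed by invalid user test 203.0.113.5 port 40120 [preauth]
Jan 12 10:02:05 web1 sshd[1243]: Connection closed by 203.0.113.5 [preauth]'

# write_sample_log PATH: dump the constructed sample into a file.
write_sample_log() { printf '%s\n' "$SAMPLE_LOG" > "$1"; }

# failed_by_ip FILE: failed password attempts per source address, most
# frequent first, one "<count> <ip>" per line. Covers root and invalid-user lines.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
    | sed -n "s/.* from \($IP4\) port .*/\1/p" \
    | sort | uniq -c | sort -nr | awk '{print $1, $2}'
}

# accepted_keys FILE: "<user> <ip>" for every successful public-key login.
accepted_keys() {
    sed -n "s/.*Accepted publickey for \([^ ]*\) from \($IP4\) port .*/\1 \2/p" "$1"
}

# noident_by_ip FILE: clients that connected but never sent an SSH banner
# (port scanners, probes), per source address.
noident_by_ip() {
    sed -n "s/.*Did not receive identification string from \($IP4\).*/\1/p" "$1" \
    | sort | uniq -c | sort -nr | awk '{print $1, $2}'
}

# closed_by_ip FILE: "Connection closed by ..." per source address. The address
# is the last IPv4 token after "by", so the optional "authenticating user X" /
# "invalid user X" text and the older form without "port N" are both handled.
closed_by_ip() {
    sed -n "s/.*Connection closed by.* \($IP4\).*/\1/p" "$1" \
    | sort | uniq -c | sort -nr | awk '{print $1, $2}'
}

# Stand-alone demo on the constructed sample; on a real host pass
# /var/log/secure (CentOS) or /var/log/auth.log (Debian) instead.
demo="$(mktemp)"
write_sample_log "$demo"
echo "== failed password attempts by source IP"; failed_by_ip "$demo"
echo "== accepted public-key logins";            accepted_keys "$demo"
echo "== no identification string (scanners)";  noident_by_ip "$demo"
echo "== connections closed, by source IP";     closed_by_ip "$demo"
rm -f "$demo"
```

Because the functions key on the message text rather than on field positions, they give the same answer for a rotated file (`/var/log/secure-2024...`), for `journalctl -u sshd --no-pager` output, and for the variant "Connection closed" wording, which is what makes them safe to drop into a cron job or an incident-response checklist.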
If a suspicious IP keeps turning up in the connection requests, /etc/hosts.allow and /etc/hosts.deny can be used to block it. Note that upstream OpenSSH dropped tcp_wrappers (libwrap) support in 6.7 and RHEL/CentOS 8 and later ship without tcp_wrappers at all, so check that your sshd still honours these files (`ldd "$(command -v sshd)" | grep libwrap`) before relying on them; otherwise block the address with the host firewall (firewalld/nftables/iptables) or fail2ban.
See also: Linux hosts.allow and hosts.deny