Some servers on the internal network have no identifiable owner. If you want to find one, you have to get a bit creative. The following checks use the host's own login and command records to work out who has actually been using it.
1-Add timestamps to history
vim /etc/bash.bashrc
Add the following content:
# Enable timestamp in bash history
export HISTTIMEFORMAT="%F %T "
source /etc/bash.bashrc
With this one simple step, every history entry carries a timestamp. Knowing exactly when each command was run lets us correlate it with the login records below, so the next time someone runs commands we can tell who was using the box.
2-Check when each account last logged in
lastlog shows the most recent login time for every user that is allowed to log in
root pts/1 10.10.10.24 五 11月 22 15:14:12 +0800 2024
3-Check the history of successful logins
last
root pts/2 10.10.11.187 Tue Nov 3 18:43 - 23:07 (04:24)
root pts/1 10.10.11.187 Tue Nov 3 18:43 - 23:23 (04:40)
root pts/2 10.10.11.187 Tue Nov 3 15:23 - 18:19 (02:55)
root pts/1 10.10.11.187 Tue Nov 3 14:01 - 18:19 (04:18)
root pts/1 10.10.11.187 Tue Nov 3 13:06 - 13:55 (00:48)
root pts/2 10.10.11.187 Tue Nov 3 09:29 - 09:29 (00:00)
root pts/1 10.10.11.187 Tue Nov 3 09:28 - 13:02 (03:34)
root pts/1 10.10.10.238 Mon Nov 2 16:40 - 20:59 (04:18)
4-Check the history of failed logins
lastb
joon ssh:notty 47.74.25.98 Fri Nov 1 16:08 - 16:08 (00:00)
joon ssh:notty 47.74.25.98 Fri Nov 1 16:08 - 16:08 (00:00)
acunning ssh:notty 180.184.36.192 Fri Nov 1 11:07 - 11:07 (00:00)
acunning ssh:notty 180.184.36.192 Fri Nov 1 11:07 - 11:07 (00:00)
ads ssh:notty 185.74.4.17 Fri Nov 1 10:13 - 10:13 (00:00)
ads ssh:notty 185.74.4.17 Fri Nov 1 10:13 - 10:13 (00:00)
tchanif ssh:notty 113.137.34.212 Fri Nov 1 06:20 - 06:20 (00:00)
tchanif ssh:notty 113.137.34.212 Fri Nov 1 06:20 - 06:20 (00:00)
5-Users currently online
who
root pts/0 2024-11-22 15:14 (10.10.10.24)
root pts/1 2024-11-22 15:14 (10.10.10.24)
6-Scheduled tasks
crontab -u abc -l    scheduled tasks of the specified user
crontab -l           scheduled tasks of the current user
7-Check the successful-login log to identify users and extract the corresponding source IPs
cat /var/log/secure | grep "Accepted"
cat /var/log/secure | grep "Failed"
Oct 12 03:32:38 VM-12-7-centos sshd[25763]: Failed password for invalid user samba from 106.255.231.10 port 55527 ssh2
Oct 29 16:59:36 VM-12-7-centos sshd[6177]: Accepted password for root from 120.10.90.160 port 30259 ssh2
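Grepping "Accepted" gives the raw lines, but what you actually want for step 7 is a tally: which user logged in from which source IP, and how often. The script below is an added example (not part of the original post) that parses sshd lines in /var/log/secure format from stdin and counts logins per user and IP; the log excerpt is constructed sample data, and the host name, PIDs and IPs in it are made up.

```shell
#!/bin/sh
# Constructed /var/log/secure excerpt (sample data made up for this example).
SAMPLE_SECURE='Oct 12 03:32:38 VM-12-7-centos sshd[25763]: Failed password for invalid user samba from 192.0.2.5 port 55527 ssh2
Oct 29 16:59:36 VM-12-7-centos sshd[6177]: Accepted password for root from 10.10.11.187 port 30259 ssh2
Nov  3 09:28:10 VM-12-7-centos sshd[6201]: Accepted publickey for root from 10.10.11.187 port 40122 ssh2: RSA SHA256:placeholder
Nov  3 14:01:02 VM-12-7-centos sshd[6310]: Accepted password for root from 10.10.11.187 port 40180 ssh2
Nov 22 15:14:12 VM-12-7-centos sshd[7011]: Accepted password for root from 10.10.10.24 port 51002 ssh2
Nov 22 15:20:45 VM-12-7-centos sshd[7020]: Failed password for root from 192.0.2.5 port 51100 ssh2'

# Summarise sshd authentication lines read on stdin.
# Usage: login_summary Accepted < /var/log/secure   (or: login_summary Failed)
# Output: "<count> <user> <source-ip>", most frequent first.
login_summary() {
  status=$1
  awk -v want="$status" '
    # Field 5 is "sshd[pid]:" and field 6 is "Accepted" or "Failed".
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == want {
      user = ""; ip = ""
      for (i = 7; i <= NF; i++) {
        # "for <user> from <ip>" or "for invalid user <user> from <ip>"
        if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
        if ($i == "from") ip = $(i+1)
      }
      if (user != "" && ip != "") count[user " " ip]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_SECURE" | login_summary Accepted
```

The top line of the Accepted summary is the IP and account to chase first; run the same function with Failed to separate brute-force noise from the real user.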