Problem: You want to find unusual or dangerous use of accounts on your system: dormant user accounts, recent logins to system accounts, etc.
Solutions:
1. To print information about the last login for each user:
# lastlog -u username
# lastlog -u root
Username Port From Latest
root pts/2 192.168.1.3 Wed Aug 14 21:43:11 -0700 2013
# lastlog -u ctechz
Username Port From Latest
ctechz **Never logged in**
2. To print the entire login history:
# last username
[root@localhost ~]# last ctechz
ctechz pts/3 192.168.0.30 Thu Jun 27 05:32 - 05:32 (00:00)
ctechz pts/3 192.168.0.30 Thu Jun 27 05:31 - 05:31 (00:00)
ctechz pts/2 192.168.0.30 Tue Jun 25 04:38 - 04:39 (00:01)
ctechz pts/2 192.168.0.30 Tue Jun 25 04:18 - down (00:04)
3. To print failed login attempts:
# lastb username
# lastb ctechz
ctechz ssh:notty 192.168.0.30 Tue Jun 25 04:38 - 04:38 (00:00)
ctechz ssh:notty 192.168.0.30 Tue Jun 25 04:18 - 04:18 (00:00)
ctechz ssh:notty 192.168.0.30 Mon Jun 24 22:42 - 22:42 (00:00)
To enable recording of bad logins:
# touch /var/log/btmp
# chown --reference=/var/log/wtmp /var/log/btmp
# chmod --reference=/var/log/wtmp /var/log/btmp
Note:-
Attackers look for inactive accounts that are still enabled, in the hope that intrusions will escape detection for long periods of time.
Linux systems record each user's last login time in the database /var/log/lastlog. The terminal and remote system name, if any, are also noted.
/var/log/lastlog is a database, not a log file.
In contrast, the btmp log file will grow slowly (unless you are under attack), but it should be rotated like other log files.
You can either add btmp to the wtmp entry in /etc/logrotate.conf or add a similar entry in a separate file in the /etc/logrotate.d directory.
A history of all logins and logouts is recorded in the log file /var/log/wtmp. The "last" command scans this log file to produce a report of all login sessions, in reverse chronological order, sorted by login time.
Failed login attempts can also be recorded in the log file /var/log/btmp, but this is not done by default. To enable recording of bad logins, create the btmp file manually, using the same owner, group, and permissions as for the wtmp file. The "lastb" command prints the history of bad logins.
In Linux/Unix operating systems everything is logged somewhere.
Most of the system logs are written to the /var/log directory. This directory contains logs for different services and applications.
In this directory we have some files such as utmp, wtmp and btmp.
These files contain the details of logins and logouts, from local as well as remote systems, and system status such as uptime.
utmp gives a complete picture of the current state: which users are logged in on which terminals, logouts, system events, system boot time, etc.
wtmp gives historical data of utmp.
btmp records only failed login attempts.
These files are binary, so viewing them with the cat command or the vi editor shows only junk characters and garbage values that look like encrypted or hex data. The screenshot below shows how the wtmp file looks when opened with vi.
These files can only be read properly with the last command.
"last" is one of the important commands: it shows who logged in, when they logged in and when they logged out, among other things.
# last
The last command displays many details about user login/logout activity. The same command can be used to view the wtmp, utmp and btmp files.
To open the wtmp file and view its contents, use the command below:
# last -f /var/log/wtmp
jeffin pts/2 192.168.0.30 Tue Jun 25 01:59 - down (00:23)
root pts/1 :0.0 Tue Jun 25 01:59 - down (00:24)
root :0 Tue Jun 25 01:59 - down (00:24)
root :0 Tue Jun 25 01:59 - 01:59 (00:00)
reboot system boot 2.6.18-194.el5 Tue Jun 25 01:57 (00:26)
jeffin pts/2 192.168.0.30 Tue Jun 25 01:43 - down (00:11)
jeffin pts/2 192.168.0.30 Tue Jun 25 01:41 - 01:43 (00:01)
ctechz pts/3 192.168.0.30 Mon Jun 24 23:38 - 23:38 (00:00)
ctechz pts/3 192.168.0.30 Mon Jun 24 23:31 - 23:31 (00:00)
To see users who are still logged in, view the utmp file with the last command:
# last -f /var/run/utmp
To view the btmp file, use the same command:
# last -f /var/log/btmp
gone - no logout
root ssh:notty 192.168.0.30 Tue Jun 25 03:49 - 04:18 (00:28)
root ssh:notty 192.168.0.30 Tue Jun 25 03:37 - 03:49 (00:12)
cteechz ssh:notty 192.168.0.30 Mon Jun 24 23:37-03:37 (04:00)
cteechz ssh:notty 192.168.0.30 Mon Jun 24 23:37 - 23:37 (00:00)
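Because wtmp, btmp and utmp are binary files of fixed-size records (which is why cat and vi show garbage), it is useful to know what last is actually reading. The following is an added example, not code from the original post: a small Python parser for the glibc/x86_64 struct utmp layout (384-byte records, an assumption stated in the code) that pairs logins with logouts per tty the way last does. The sample records are constructed inline; the names, hosts and timestamps are invented.

```python
import struct

# Layout of struct utmp as used by glibc on x86_64 (384 bytes per record).
# Assumed fixed layout; other architectures or libc builds may differ.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 2, 6, 7, 8

def _cstr(raw):
    """Decode a NUL-padded fixed-width char[] field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Yield one dict per record from the raw bytes of wtmp, btmp or utmp."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]),
               "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]}

def sessions(records):
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same
    tty, as `last` does. Returns (user, line, host, login_ts, seconds) tuples;
    seconds is None for a session that is still open (no logout record)."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            out.append((s["user"], s["line"], s["host"], s["time"], r["time"] - s["time"]))
    out.extend((s["user"], s["line"], s["host"], s["time"], None) for s in open_by_line.values())
    return out

def make_record(ut_type, user, line, host, ts, pid=1000):
    """Pack one record; used here only to build the constructed sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed sample wtmp: a boot, one completed ctechz session on pts/3 and
# a jeffin session on pts/2 that has no logout record yet.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, "reboot", "~", "2.6.18-194.el5", 1372154220, pid=0),
    make_record(USER_PROCESS, "ctechz", "pts/3", "192.168.0.30", 1372329060),
    make_record(DEAD_PROCESS, "", "pts/3", "", 1372329120),
    make_record(USER_PROCESS, "jeffin", "pts/2", "192.168.0.30", 1372329180, pid=1001),
])

if __name__ == "__main__":
    for user, line, host, ts, secs in sessions(parse_utmp(SAMPLE_WTMP)):
        print(user, line, host, ts, "still logged in" if secs is None else f"{secs}s")
```

To run it against a real file, pass `open("/var/log/wtmp", "rb").read()` to parse_utmp; shutdown and "down" handling, which last also does, is left out here.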