Today, for various reasons, I needed to look at the ssh login log. Opening the log file, I found it rather messy: records of every kind are mixed together, which is not convenient for troubleshooting. Below I record the log format for each situation separately, so that other commands can be used to analyse and troubleshoot it more easily.

Location of the ssh login log file on Linux:

/var/log/secure

1. Meaning of the fields on each line:

month  day  hh:mm:ss  server hostname  program (sshd or su)  module  details

2. Log of a normal ssh login to the server

Aug 8 02:20:09 imzcy sshd[18936]: Accepted password for root from 192.168.217.10 port 57516 ssh2
Aug 8 02:20:09 imzcy sshd[18936]: pam_unix(sshd:session): session opened for user root by (uid=0)

3. Log of logging out after a normal login

Aug 8 02:01:38 imzcy sshd[18252]: pam_unix(sshd:session): session closed for user root

4. Log of switching to another user

Aug 8 02:20:54 imzcy su: pam_unix(su-l:session): session opened for user zcy by root(uid=0)
Aug 8 02:21:06 imzcy su: pam_unix(su-l:session): session closed for user zcy

5. Logging in as root, switching to user zcy, then closing the connection window directly while still zcy.

Aug 8 02:38:11 imzcy sshd[19167]: Accepted password for root from 192.168.217.10 port 58165 ssh2
Aug 8 02:38:11 imzcy sshd[19167]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 8 02:38:13 imzcy su: pam_unix(su-l:session): session opened for user zcy by root(uid=0)
Aug 8 02:38:27 imzcy su: pam_unix(su-l:session): session closed for user zcy
Aug 8 02:38:27 imzcy sshd[19167]: pam_unix(sshd:session): session closed for user root

6. Connecting to the server, then cancelling at the password prompt

Aug 8 02:31:03 imzcy sshd[19046]: Received disconnect from 192.168.217.10: 13: The user canceled authentication.

7. Wrong password entered

Aug 8 02:33:28 imzcy sshd[19125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10 user=root
Aug 8 02:33:31 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2

8. Too many wrong password attempts

Aug 8 02:33:28 imzcy sshd[19125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10 user=root
Aug 8 02:33:31 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2
Aug 8 02:34:06 imzcy last message repeated 3 times
Aug 8 02:34:13 imzcy last message repeated 2 times
Aug 8 02:34:47 imzcy sshd[19126]: Disconnecting: Too many authentication failures for root
Aug 8 02:34:47 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2
Aug 8 02:34:47 imzcy sshd[19125]: PAM 6 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10 user=root
Aug 8 02:34:47 imzcy sshd[19125]: PAM service(sshd) ignoring max retries; 7 > 3
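To make the eight cases above usable for "other commands", here is an added Python example (my own code, not from the original post) that parses the field layout of section 1, classifies the message shapes of sections 2 to 8, and summarises the result per client address. Two details are worth seeing in code: "last message repeated N times" is syslog suppression and has to be expanded back onto the preceding line, and the failures in section 8 are logged twice, once by sshd ("Failed password" plus the repeats) and once by PAM (the first "authentication failure" plus "PAM 6 more"), so adding the two would double-count; the example keeps them side by side, and on the page's own lines both come to 7, matching the "7 > 3" in the last message. The event names (`accepted`, `pam_more`, and so on) are my own labels, the sample log is constructed from the lines shown on this page (hostname `imzcy`, client 192.168.217.10), and the header pattern assumes the traditional syslog timestamp without a year that this page shows; hosts that log with ISO timestamps would need `HEADER` adjusted.

```python
import re
from collections import Counter, defaultdict

# Field layout from section 1: month, day, hh:mm:ss, hostname, then
# "program[pid]: message". syslog pads single-digit days ("Aug  8"), hence \s+.
HEADER = re.compile(r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                    r"(?P<host>\S+) (?P<rest>.*)$")
# "sshd[18936]:" carries a pid, "su:" does not; "last message repeated N times" has no program.
PROGRAM = re.compile(r"^(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
REPEATED = re.compile(r"^last message repeated (?P<n>\d+) times$")

# One pattern per message shape shown in sections 2 to 8; the kind names are my own labels.
EVENTS = [
    ("accepted", re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<rhost>\S+) port (?P<port>\d+)")),
    ("failed", re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+) port (?P<port>\d+)")),
    ("auth_fail", re.compile(r"^pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<rhost>\S+) user=(?P<user>\S+)")),
    ("pam_more", re.compile(r"^PAM (?P<n>\d+) more authentication failures;.*rhost=(?P<rhost>\S+) user=(?P<user>\S+)")),
    ("too_many", re.compile(r"^Disconnecting: Too many authentication failures for (?P<user>\S+)")),
    ("disconnect", re.compile(r"^Received disconnect from (?P<rhost>\S+): (?P<code>\d+): (?P<reason>.*)")),
    ("opened", re.compile(r"^pam_unix\((?P<service>[\w-]+):session\): session opened for user (?P<user>\S+) by (?P<by>\S*)\(uid=(?P<uid>\d+)\)")),
    ("closed", re.compile(r"^pam_unix\((?P<service>[\w-]+):session\): session closed for user (?P<user>\S+)")),
]

# Constructed sample, assembled from the lines shown in the post (hostname "imzcy"
# and client address 192.168.217.10 are the post's own values).
SAMPLE_LOG = """\
Aug 8 02:20:09 imzcy sshd[18936]: Accepted password for root from 192.168.217.10 port 57516 ssh2
Aug 8 02:20:09 imzcy sshd[18936]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 8 02:20:54 imzcy su: pam_unix(su-l:session): session opened for user zcy by root(uid=0)
Aug 8 02:31:03 imzcy sshd[19046]: Received disconnect from 192.168.217.10: 13: The user canceled authentication.
Aug 8 02:33:28 imzcy sshd[19125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10 user=root
Aug 8 02:33:31 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2
Aug 8 02:34:06 imzcy last message repeated 3 times
Aug 8 02:34:13 imzcy last message repeated 2 times
Aug 8 02:34:47 imzcy sshd[19126]: Disconnecting: Too many authentication failures for root
Aug 8 02:34:47 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2
Aug 8 02:34:47 imzcy sshd[19125]: PAM 6 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10 user=root
Aug 8 02:34:47 imzcy sshd[19125]: PAM service(sshd) ignoring max retries; 7 > 3
"""


def parse_line(line):
    """Split one line into its fields and classify the message; None if unparseable."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    ev = {"month": m["month"], "day": int(m["day"]), "time": m["time"], "host": m["host"],
          "prog": None, "pid": None, "kind": "other", "repeat": 0, "msg": m["rest"]}
    if rep := REPEATED.match(m["rest"]):
        ev.update(kind="repeated", repeat=int(rep["n"]))
    elif pm := PROGRAM.match(m["rest"]):
        ev.update(prog=pm["prog"], pid=pm["pid"], msg=pm["msg"])
        for kind, pattern in EVENTS:
            if em := pattern.match(pm["msg"]):
                ev.update(em.groupdict(), kind=kind)
                break
    return ev


def parse_log(text):
    """Parse all lines; 'last message repeated N times' becomes N copies of the
    preceding event, since syslog suppression only says the previous line recurred."""
    events, previous = [], None
    for ev in filter(None, map(parse_line, text.splitlines())):
        if ev["kind"] == "repeated":
            if previous is not None:
                events.extend(dict(previous, time=ev["time"], repeated=True) for _ in range(ev["repeat"]))
        else:
            events.append(ev)
            previous = ev
    return events


def summarize(events):
    """Per client address: accepted logins, failures as sshd counts them ("Failed password"
    plus repeats) and as PAM counts them (first "authentication failure" plus "PAM N more"),
    and cancelled prompts. Both failure counters describe the same attempts, so they are
    reported side by side, never added. Lockouts are keyed by user, because sshd logs
    "Too many authentication failures" under a different pid and without the address."""
    by_source, lockouts = defaultdict(Counter), Counter()
    for ev in events:
        kind = ev["kind"]
        if kind == "too_many":
            lockouts[ev["user"]] += 1
        elif ev.get("rhost"):
            c = by_source[ev["rhost"]]
            if kind == "accepted":
                c["accepted"] += 1
            elif kind == "failed":
                c["sshd_failed"] += 1
            elif kind == "auth_fail":
                c["pam_failed"] += 1
            elif kind == "pam_more":
                c["pam_failed"] += int(ev["n"])
            elif kind == "disconnect" and "canceled" in ev["reason"]:
                c["canceled"] += 1
    return {"by_source": by_source, "lockouts": lockouts}


def su_switches(events):
    """(from_user, to_user, time) for each su-l session opening (sections 4 and 5)."""
    return [(ev["by"], ev["user"], ev["time"])
            for ev in events if ev["kind"] == "opened" and ev["service"] == "su-l"]


if __name__ == "__main__":  # on a real host: parse_log(open("/var/log/secure").read())
    s = summarize(parse_log(SAMPLE_LOG))
    print(dict(s["by_source"]), dict(s["lockouts"]), su_switches(parse_log(SAMPLE_LOG)))
```

Run against the sample it reports one accepted login, 7 sshd-counted and 7 PAM-counted failures and one cancelled prompt for 192.168.217.10, one lockout for root, and the root to zcy switch. The `closed` events are parsed but not summarised; pairing them with `opened` by pid (for sshd) gives the session durations if you need them.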
