لطفا منتظر باشید ...
Recipe 9.5 Checking for Suspicious Account Use
9.5.1 Problem
You want to discover unusual or
dangerous usage of accounts on your system:
dormant user
accounts, recent logins to system accounts, etc.
9.5.2 Solution
To print
information about the last
login for each user:
$ lastlog [-u username]
To print the entire login history:
$ last [username]
To print failed login attempts:
$ lastb [username]
To enable recording of bad logins:
# touch /var/log/btmp
# chown --reference=/var/log/wtmp /var/log/btmp
# chmod --reference=/var/log/wtmp /var/log/btmp
9.5.3 Discussion
Attackers look for
inactive accounts that are still enabled, in the hope that intrusions
will escape detection for long periods of time. If Joe retired and
left the organization last year, will anyone notice if his account
becomes compromised? Certainly not Joe! To avoid problems like this,
examine all accounts on your system for unexpected usage patterns.Linux systems record each user's last login time in
the database
/var/log/lastlog.
The terminal (or
X Window System display name)
and remote system name, if any, are also noted. The
lastlog command prints this information in a
convenient, human-readable format.
|
(interspersed with system events like
shutdowns,
reboots, runlevel changes, etc.) is recorded in the log file
/var/log/wtmp.
The last command scans
this log file to produce a report of all login sessions, in reverse
chronological order, sorted by login time.Failed login attempts can also be recorded in the log file
/var/log/btmp, but this is not done by default.
To enable recording of bad logins, create the
btmp file manually, using the same owner, group,
and permissions as for the wtmp file. The
lastb command prints a history of bad logins.The preceding methods do not scale well to multiple systems, so see
our more general solution. [Recipe 9.6]
9.5.4 See Also
lastlog(1), last(1), lastb(1).
