Can the login log shown here be downloaded directly?
The host is a Debian system; in /var/log/ on both the host and inside the container I could not find a secure file.
What I really want is to see which regions most of the attacks come from, count the attack sources per IP and per region, and then blacklist them in one click.
I just used lastb on the host to export the system's failed-login log. Everything it exported is September data, while 1Panel shows August data.
Then I noticed that some of the data does not match up. For example, for the IP 141.98.11.90, lastb has 178 records, and the auth.log file I just downloaded also contains related records, but in 1Panel no matching record can be found. Of the IP records I sampled at random, some match and some do not.
Partial raw lastb records
ubnt ssh:notty 141.98.11.90 Thu Sep 7 02:57 - 02:57 (00:00)
ubnt ssh:notty 141.98.11.90 Thu Sep 7 02:57 - 02:57 (00:00)
admin ssh:notty 141.98.11.90 Thu Sep 7 00:01 - 00:01 (00:00)
admin ssh:notty 141.98.11.90 Thu Sep 7 00:01 - 00:01 (00:00)
root ssh:notty 141.98.11.90 Wed Sep 6 23:31 - 23:31 (00:00)
admin ssh:notty 141.98.11.90 Wed Sep 6 22:42 - 22:42 (00:00)
admin ssh:notty 141.98.11.90 Wed Sep 6 22:42 - 22:42 (00:00)
root ssh:notty 141.98.11.90 Wed Sep 6 20:15 - 20:15 (00:00)
admin ssh:notty 141.98.11.90 Wed Sep 6 12:13 - 12:13 (00:00)
admin ssh:notty 141.98.11.90 Wed Sep 6 12:13 - 12:13 (00:00)
admin ssh:notty 141.98.11.90 Wed Sep 6 11:43 - 11:43 (00:00)
admin ssh:notty 141.98.11.90 Wed Sep 6 11:43 - 11:43 (00:00)
root ssh:notty 141.98.11.90 Wed Sep 6 11:19 - 11:19 (00:00)
ubuntu ssh:notty 141.98.11.90 Wed Sep 6 09:15 - 09:15 (00:00)
ubuntu ssh:notty 141.98.11.90 Wed Sep 6 09:15 - 09:15 (00:00)
ubuntu ssh:notty 141.98.11.90 Wed Sep 6 08:58 - 08:58 (00:00)
ubuntu ssh:notty 141.98.11.90 Wed Sep 6 08:58 - 08:58 (00:00)
anonymou ssh:notty 141.98.11.90 Wed Sep 6 06:56 - 06:56 (00:00)
anonymou ssh:notty 141.98.11.90 Wed Sep 6 06:56 - 06:56 (00:00)
operator ssh:notty 141.98.11.90 Wed Sep 6 05:32 - 05:32 (00:00)
operator ssh:notty 141.98.11.90 Wed Sep 6 05:32 - 05:32 (00:00)
admin ssh:notty 141.98.11.90 Wed Sep 6 02:50 - 02:50 (00:00)
lastb records after manual processing (screenshot)
1Panel panel search (screenshot)
Partial raw data from the auth.log file
Sep 3 02:52:08 VM95644DE7B0561E2 sshd[3175122]: Invalid user user from 141.98.11.90 port 26342
Sep 3 02:52:08 VM95644DE7B0561E2 sshd[3175122]: pam_unix(sshd:auth): check pass; user unknown
Sep 3 02:52:08 VM95644DE7B0561E2 sshd[3175122]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=141.98.11.90
Sep 3 02:52:11 VM95644DE7B0561E2 sshd[3175122]: Failed password for invalid user user from 141.98.11.90 port 26342 ssh2
Sep 3 02:52:14 VM95644DE7B0561E2 sshd[3175122]: Received disconnect from 141.98.11.90 port 26342:11: Bye Bye [preauth]
Sep 3 02:52:14 VM95644DE7B0561E2 sshd[3175122]: Disconnected from invalid user user 141.98.11.90 port 26342 [preauth]
Please provide the exact Debian version.
root@VM95644DE7B0561E2:/var/log# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 11 (bullseye)
Release: 11
Codename: bullseye
root@VM95644DE7B0561E2:/var/log# cat /etc/debian_version
11.7
root@VM95644DE7B0561E2:/var/log# cat /proc/version
Linux version 5.10.0-22-cloud-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.178-3 (2023-04-22)
root@VM95644DE7B0561E2:/var/log# cat /proc/sys/kernel/osrelease
5.10.0-22-cloud-amd64
root@VM95644DE7B0561E2:/var/log# cat /etc/issue
Debian GNU/Linux 11 \n \l
The query command we use is:
cat /var/log/auth.log | grep -a 'Connection closed by authenticating user' | grep -a 'preauth'
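Added example (not from the thread, and not 1Panel's own code) showing why the counts differ: the panel query above only matches "Connection closed by authenticating user" lines, while lastb/btmp is written on "Failed password" events, so an IP such as 141.98.11.90 that only leaves "Invalid user" / "Failed password" lines never appears in the panel. The script groups sshd lines by process id (one id per connection) and counts failures per source IP across all three message kinds; the sample log is constructed from the lines in the thread with an invented hostname and documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the auth.log lines in the thread (not a real capture);
# the hostname is invented and 203.0.113.7 / 198.51.100.5 are documentation addresses.
SAMPLE_AUTH_LOG = """\
Sep  3 02:52:08 host sshd[3175122]: Invalid user user from 141.98.11.90 port 26342
Sep  3 02:52:11 host sshd[3175122]: Failed password for invalid user user from 141.98.11.90 port 26342 ssh2
Sep  3 02:52:14 host sshd[3175122]: Disconnected from invalid user user 141.98.11.90 port 26342 [preauth]
Sep  3 03:10:02 host sshd[3175300]: Failed password for root from 203.0.113.7 port 41000 ssh2
Sep  3 03:10:04 host sshd[3175300]: Connection closed by authenticating user root 203.0.113.7 port 41000 [preauth]
Sep  3 03:12:40 host sshd[3175410]: Accepted publickey for deploy from 198.51.100.5 port 50022 ssh2
"""

SSHD_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# sshd messages that mark a failed authentication. "closed_preauth" is the only one the
# panel query in the thread greps for; "failed_password" is what lastb/btmp records.
FAILURE_KINDS = {
    "invalid_user": "Invalid user ",
    "failed_password": "Failed password for ",
    "closed_preauth": "Connection closed by authenticating user ",
}


def panel_query(lines):
    """Replicates the thread's grep pipeline: both substrings must appear on the line."""
    return [l for l in lines if "Connection closed by authenticating user" in l and "preauth" in l]


def failures_by_ip(lines):
    """Per source IP: number of failure lines of each kind plus distinct failed sessions (sshd pids)."""
    failed_pids = defaultdict(set)                    # ip -> pids with at least one failure line
    kinds = defaultdict(lambda: defaultdict(int))     # ip -> kind -> line count
    for line in lines:
        m = SSHD_RE.search(line)
        ip_m = IPV4_RE.search(m.group("msg")) if m else None
        if not (m and ip_m):
            continue                                  # not an sshd line, or no source address in it
        pid, ip = m.group("pid"), ip_m.group(1)
        for kind, needle in FAILURE_KINDS.items():
            if needle in m.group("msg"):
                kinds[ip][kind] += 1
                failed_pids[ip].add(pid)
    return {ip: dict(kinds[ip], sessions=len(pids)) for ip, pids in failed_pids.items()}


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    print("panel query matches:", len(panel_query(lines)), "line(s)")
    for ip, stats in sorted(failures_by_ip(lines).items(), key=lambda kv: -kv[1]["sessions"]):
        print(ip, stats)
```

Run it against a real file with `failures_by_ip(open("/var/log/auth.log", errors="replace"))` to get per-IP totals comparable to lastb; geolocation per region needs an external IP database and is not included.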