在 CentOS 8 下,我尝试查找 SSH 失败的登录尝试。Lastb 返回:
# lastb
btmp begins Thu Jul 9 10:53:49 2020
Aureport 返回一些记录(一个例子是):
# aureport -au -i --failed
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 06/25/2020 13:46:36 root 10.10.0.2 ssh /usr/sbin/sshd no 66
当我尝试使用错误凭证登录时,aureport 或 lastb 不会显示新记录。我在哪里可以找到失败的 SSH 登录?
答案1
由于 sshd 服务由 systemd 管理,因此您应该查看日志。例如:
$ journalctl -u sshd
Jul 19 05:24:07 xx-1 sshd[30983]: Received disconnect from 43.254.220.207 port 59846:11: Bye Bye [preauth]
Jul 19 05:24:07 xx-fsn1-1 sshd[30983]: Disconnected from invalid user ik 43.254.220.207 port 59846 [preauth]
Jul 19 05:26:25 xx-1 sshd[30986]: Invalid user test from 139.213.220.70 port 62857
Jul 19 05:26:25 xx-1 sshd[30986]: Received disconnect from 139.213.220.70 port 62857:11: Bye Bye [preauth]
Jul 19 05:26:25 xx-1 sshd[30986]: Disconnected from invalid user test 139.213.220.70 port 62857 [preauth]
答案2
您始终可以查看日志/var/log/secure以查找 ssh 日志。您可以使用 grep 列出确切的详细信息。例如,如果您要查找失败的尝试,您可以使用类似
grep -i "failed" /var/log/secure