journalctl stopped logging after an overflow and a reboot

My computer stopped logging today at 06:54:07.

$ journalctl --verify
24af830: Invalid data object at hash entry 4203 of 233016
File corruption detected at /var/log/journal/32d0d5fb253f44a692fd0e09b4893fe2/system.journal:24af6b0 (of 41943040 bytes, 91%).
FAIL: /var/log/journal/32d0d5fb253f44a692fd0e09b4893fe2/system.journal (Bad message)

Some parts of the output of the command journalctl --boot=-2 -r:

Jul 17 06:44:40 asdf sshd[7661]: ^[[0;1;39mPAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.7  user=root
Jul 17 06:44:40 asdf sshd[7661]: Disconnected from 10.0.5.7 port 41364 [preauth]
Jul 17 06:44:40 asdf sshd[7661]: Received disconnect from 10.0.5.7 port 41364:11:  [preauth]
Jul 17 06:44:40 asdf sshd[7661]: Failed password for root from 10.0.5.7 port 41364 ssh2
Jul 17 06:44:38 asdf sshd[7661]: pam_tally(sshd:auth): Tally overflowed for user root
Jul 17 06:44:37 asdf sshd[7661]: Failed password for root from 10.0.5.7 port 41364 ssh2
Jul 17 06:44:36 asdf sshd[7661]: ^[[0;1;39mpam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.7  user=root
Jul 17 06:44:36 asdf sshd[7661]: pam_tally(sshd:auth): Tally overflowed for user root
Jul 17 06:44:34 asdf sshd[7658]: ^[[0;1;39mPAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.7  user=root
Jul 17 06:44:34 asdf sshd[7658]: Disconnected from 10.0.5.7 port 33277 [preauth]
Jul 17 06:44:34 asdf sshd[7658]: Received disconnect from 10.0.5.7 port 33277:11:  [preauth]
Jul 17 06:44:34 asdf sshd[7658]: Failed password for root from 10.0.5.7 port 33277 ssh2
Jul 17 06:44:32 asdf sshd[7658]: pam_tally(sshd:auth): Tally overflowed for user root
Jul 17 06:44:32 asdf sshd[7658]: Failed password for root from 10.0.5.7 port 33277 ssh2
Jul 17 06:44:29 asdf sshd[7658]: pam_tally(sshd:auth): Tally overflowed for user root
Jul 17 06:44:29 asdf sshd[7658]: Failed password for root from 10.0.5.7 port 33277 ssh2
Jul 17 06:44:27 asdf sshd[7658]: ^[[0;1;39mpam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.7  user=root
Jul 17 06:44:27 asdf sshd[7658]: pam_tally(sshd:auth): Tally overflowed for user root
Jul 17 06:44:25 asdf sshd[7656]: ^[[0;1;39mPAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.5.7  user=root
Jul 17 06:44:25 asdf sshd[7656]: Disconnected from 10.0.5.7 port 36290 [preauth]
Jul 17 06:44:25 asdf sshd[7656]: Received disconnect from 10.0.5.7 port 36290:11:  [preauth]
Jul 17 06:44:25 asdf sshd[7656]: Failed password for root from 10.0.5.7 port 36290 ssh2
Jul 17 06:44:24 asdf sshd[7656]: pam_tally(sshd:auth): Tally overflowed for user root

After that my computer rebooted.

The questions are:

  1. Has my computer been compromised? If so, how can I prevent this from happening again in the future without using fail2ban/sshguard, since that IP (10.0.5.7) is used by everyone who tries to connect to my computer (NAT done by the network administrator)?

  2. How do I repair the log? I have already moved the corrupted file to another directory. How can I read the corrupted log for diagnosis?
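Added example, not part of the post above: a small Python triage script that runs over sshd lines of the kind pasted in the question (a constructed subset is embedded, colour escapes removed; host "asdf" and 10.0.5.7 are taken from the post) and groups them per connection, so the reader can tell repeated failures that dropped at [preauth] apart from a connection where failures were followed by an accepted login.

```python
import re
from collections import defaultdict

# Constructed sample: a few of the journalctl lines quoted above, with the
# "^[[0;1;39m" colour escapes removed. Host "asdf" and IP 10.0.5.7 are from the post.
SAMPLE_LOG = """\
Jul 17 06:44:40 asdf sshd[7661]: Disconnected from 10.0.5.7 port 41364 [preauth]
Jul 17 06:44:40 asdf sshd[7661]: Failed password for root from 10.0.5.7 port 41364 ssh2
Jul 17 06:44:38 asdf sshd[7661]: pam_tally(sshd:auth): Tally overflowed for user root
Jul 17 06:44:37 asdf sshd[7661]: Failed password for root from 10.0.5.7 port 41364 ssh2
Jul 17 06:44:34 asdf sshd[7658]: Disconnected from 10.0.5.7 port 33277 [preauth]
Jul 17 06:44:34 asdf sshd[7658]: Failed password for root from 10.0.5.7 port 33277 ssh2
Jul 17 06:44:32 asdf sshd[7658]: Failed password for root from 10.0.5.7 port 33277 ssh2
Jul 17 06:44:29 asdf sshd[7658]: Failed password for root from 10.0.5.7 port 33277 ssh2
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
                     r"from (?P<ip>\S+) port (?P<port>\d+)")

def summarize_sshd(text):
    """Group sshd lines by PID (sshd forks one child per TCP connection) and count
    failed/accepted logins, pam_tally overflows and pre-auth disconnects per connection."""
    sessions = defaultdict(lambda: {"user": None, "ip": None, "port": None, "failed": 0,
                                    "accepted": 0, "tally_overflow": 0, "preauth": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line; journal order (forward or -r) does not matter
        s, msg = sessions[m["pid"]], m["msg"]
        a = AUTH_RE.match(msg)
        if a:
            s["user"], s["ip"], s["port"] = a["user"], a["ip"], a["port"]
            s["failed" if a["result"] == "Failed" else "accepted"] += 1
        elif "Tally overflowed" in msg:
            s["tally_overflow"] += 1
        elif msg.startswith("Disconnected from") and "[preauth]" in msg:
            s["preauth"] = True  # connection closed before any authentication succeeded
    return dict(sessions)

def triage(sessions):
    """Return (total failed logins, PIDs where failures were followed by an Accepted login).
    Connections that only fail and drop [preauth] never got a session; the second list
    is the one worth investigating."""
    total = sum(s["failed"] for s in sessions.values())
    got_in = sorted(pid for pid, s in sessions.items() if s["accepted"] and s["failed"])
    return total, got_in

if __name__ == "__main__":
    print(triage(summarize_sshd(SAMPLE_LOG)))
```

Because the source address is NAT'd, the per-PID grouping (not the IP) is what separates one connection from another here.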
