The last, lastb and lastlog commands

Last Updated: 2023-11-07 11:24:34 Tuesday


The last and lastb commands display login records and related system events such as shutdowns and reboots. The records live in two different files; the commands only display them.

last, lastb - show a listing of last logged in users

The last command

last searches back through the /var/log/wtmp file (or the file designated by the -f option) and displays a list of all users logged in (and out) since that file was created. One or more usernames and/or ttys can be given, in which case last will show only the entries matching those arguments. Names of ttys can be abbreviated, thus last 0 is the same as last tty0.

Show, or count, all login records:

$ last | less
$ last | wc -l

Show the login records of one user by giving the username on the command line:

$ last root
$ last xinlin

Show the login records for one tty:

$ last tty1  # the same as last 1
root     tty1                          Sun Apr 17 21:38 - 09:03 (1+11:25)
root     tty1                          Sun Apr 17 17:47 - 17:49  (00:01)

wtmp begins Thu Mar 24 11:07:07 2022

The output of last comes from /var/log/wtmp, but that file is binary and not human readable, which also means it is essentially not editable by hand. A user can of course back the file up, and root can delete it. If the file is deleted, last will not recreate it automatically.

The utmpdump command can be used to tamper with or forge login records.

Show system shutdown and reboot records:

$ last -x

Show full times and dates:

$ last -F

Show the most recent N records:

$ last -n <N>

Running a command directly over ssh does not count as a login! While on the subject, a plug for a small self-developed open-source tool, autopass, which automates entering the ssh password.

The lastb command

The b stands for bad login.

lastb is the same as last, except that by default it shows a log of the /var/log/btmp file, which contains all the bad login attempts.

On a server exposed to the public Internet there can be a great many bad logins:

$ sudo lastb | less
$ sudo lastb | wc -l
25191

What produces a bad login?

Here is a short excerpt of the bad logins on my server:

$ sudo lastb | less
...
zhouyue  ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
zhangjin ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
zhouliny ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
ylb      ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
zhoub    ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
ZhouHong ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
yingbl   ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
zhifu@gr ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
Yjn      ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
#        ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
zheyu    ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
zheyu    ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
yinjihen ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
#        ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
zhengzhe ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
zhengshi ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
yinjihen ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
zhengshi ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
yejc     ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
yfeng    ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
yejc     ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
yflv     ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
yangyami ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
zhanziwe ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
ydj      ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
zhangzh  ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
yawen    ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
zhangsa  ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
zhangpk  ssh:notty    164.92.237.193   Wed Jun 29 18:33 - 18:33  (00:00)
...

Someone is even using # as a username; it looks like the attack script has a bug....

If a large number of bad logins use correct usernames, one can infer that the attacker has already obtained valid usernames.

ssh:notty means the bad login did not come from an already logged-in terminal; a failed su command, for instance, shows a tty or pts instead. So bad logins arriving over the network are generally ssh:notty. Since lastb's output has the same format as last's, every bad-login line should end with (00:00).
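To turn the observations above into a routine check, here is an added example (my own code, not from the original post) that triages lastb output: it groups attempts by source host, counts distinct usernames per host, reports which guessed names match a supplied set of real accounts (the signal that the attacker already knows valid usernames), and flags the two things the text says should not appear for network attacks: a line whose tty is not ssh:notty (a local failure such as su) and a line whose duration is not (00:00). The sample lines and IP addresses are constructed, and the valid_users set is a hypothetical input you would fill from /etc/passwd.

```python
import re
from collections import defaultdict

# Constructed sample of lastb output (documentation-range IPs, not a real
# server): a password-guessing run from one address, one guess from another,
# a local failure on a pty, and one line with a non-zero duration.
SAMPLE_LASTB = """\
zhouyue  ssh:notty    203.0.113.7      Wed Jun 29 18:33 - 18:33  (00:00)
#        ssh:notty    203.0.113.7      Wed Jun 29 18:33 - 18:33  (00:00)
xii      ssh:notty    203.0.113.7      Wed Jun 29 18:33 - 18:33  (00:00)
admin    ssh:notty    198.51.100.23    Wed Jun 29 18:40 - 18:40  (00:00)
root     pts/1                         Thu Jun 30 09:12 - 09:12  (00:00)
xii      ssh:notty    203.0.113.7      Wed Jun 29 18:34 - 18:35  (00:01)

btmp begins Fri Jun 24 00:00:01 2022
"""

WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}
DURATION = re.compile(r"\(([^)]*)\)\s*$")


def parse_lastb_line(line: str):
    """Return (user, tty, host, duration) for one lastb line, or None for the
    blank and 'btmp begins' footer lines. Host is '' for local tty/pts entries,
    whose third column is already the weekday."""
    if not line.strip() or line.startswith("btmp begins"):
        return None
    fields = line.split()
    m = DURATION.search(line)
    if len(fields) < 4 or m is None:
        raise ValueError(f"unrecognised lastb line: {line!r}")
    host = "" if fields[2] in WEEKDAYS else fields[2]
    return fields[0], fields[1], host, m.group(1)


def triage(text: str, valid_users=frozenset()):
    """Group bad logins by source host and flag lines that deserve a look.

    valid_users: the real account names on the host (hypothetical input); a
    guess that hits one suggests the attacker already knows valid usernames.
    """
    by_host = defaultdict(lambda: {"attempts": 0, "users": set(), "valid_hits": set()})
    flags = []
    for raw in text.splitlines():
        parsed = parse_lastb_line(raw)
        if parsed is None:
            continue
        user, tty, host, duration = parsed
        key = host or "<local>"
        entry = by_host[key]
        entry["attempts"] += 1
        entry["users"].add(user)
        if user in valid_users:
            entry["valid_hits"].add(user)
        if not tty.startswith("ssh:"):
            flags.append(f"local failure on {tty} for {user!r} (for example a failed su)")
        if duration != "00:00":
            flags.append(f"duration {duration} for {user!r} from {key}; btmp lines should read (00:00)")
    return by_host, flags


if __name__ == "__main__":
    hosts, flags = triage(SAMPLE_LASTB, valid_users={"root", "xii"})
    for host, e in sorted(hosts.items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{host:<16} attempts={e['attempts']:<4} distinct_users={len(e['users']):<3} "
              f"valid_hits={sorted(e['valid_hits'])}")
    for f in flags:
        print("FLAG:", f)
```

On a real host feed it `sudo lastb` output (for example `triage(subprocess.run(["lastb"], capture_output=True, text=True).stdout, valid_users=...)`); the parser keys on the weekday column rather than fixed offsets so it also copes with `lastb -w` output, where the name and host columns are wider.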

The lastb command is in fact the last command:

$ sudo last -f /var/log/btmp
$ ll /usr/bin/last*
-rwxr-xr-x 1 root root 36K Feb 14 19:21 /usr/bin/last*
lrwxrwxrwx 1 root root   4 Feb 14 19:21 /usr/bin/lastb -> last*
-rwxr-xr-x 1 root root 30K Jan 21  2022 /usr/bin/lastlog*
$ readlink /usr/bin/lastb
last

The lastlog command

There is also a lastlog command:

lastlog - reports the most recent login of all users or of a given user.

lastlog formats and prints the contents of the last login log /var/log/lastlog file. The login-name, port, and last login time will be printed. The default (no flags) causes lastlog entries to be printed, sorted by their order in /etc/passwd.

This command shows the most recent successful login of every user:

$ lastlog
Username         Port     From                                       Latest
root             pts/0                                              Sat Jul 30 15:41:08 +0800 2022
bin                                                                 **Never logged in**
daemon                                                              **Never logged in**
adm                                                                 **Never logged in**
lp                                                                  **Never logged in**
sync                                                                **Never logged in**
shutdown                                                            **Never logged in**
halt                                                                **Never logged in**
mail                                                                **Never logged in**
operator                                                            **Never logged in**
games                                                               **Never logged in**
ftp                                                                 **Never logged in**
nobody                                                              **Never logged in**
dbus                                                                **Never logged in**
systemd-network                                                     **Never logged in**
systemd-oom                                                         **Never logged in**
systemd-resolve                                                     **Never logged in**
systemd-timesync                                                    **Never logged in**
systemd-coredump                                                    **Never logged in**
tss                                                                 **Never logged in**
sshd                                                                **Never logged in**
chrony                                                              **Never logged in**
nscd                                                                **Never logged in**
tcpdump                                                             **Never logged in**
unbound                                                             **Never logged in**
polkitd                                                             **Never logged in**
xii           pts/1    117.89.129.68                             Sat Aug  6 13:42:54 +0800 2022

Why is there a record for root, and why does it have no From information?

$ last root
root     pts/2        114.222.187.198  Mon Jun 27 18:02 - 18:04  (00:01)
root     pts/0        58.212.135.81    Mon Apr 18 10:58 - 14:05  (03:06)
root     pts/0        112.2.229.53     Sun Apr 17 21:48 - 22:21  (00:32)
root     tty1                          Sun Apr 17 21:38 - 09:03 (1+11:25)
root     tty1                          Sun Apr 17 17:47 - 17:49  (00:01)

wtmp begins Thu Mar 24 11:07:07 2022

It does not correspond to anything in the last output; it was probably a switch made with su after logging in under another username, which is why there is no From information.

Link to this article: https://cs.pynote.net/sf/linux/shell/202112022/
