auth.log under /var: first time checking a log, asking for advice [Forum - Newbie Village]
auth.log under /var: first time checking a log, asking for advice
Member, level 1 (registered 2022/7/27 14:06; group: registered users)
A question: what could the following lines mean?? I'm not sure whether it was me connecting in, but in the middle there is an admin..... so does that mean someone else logged in?? Below I've written my own guesses at what they mean >_<


Aug 1 02:07:17 ns sshd[22178]: pam_unix(sshd:auth): check pass; user unknown
Aug 1 02:07:17 ns sshd[22178]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.154.138.113
Aug 1 02:07:17 ns sshd[22179]: pam_unix(sshd:auth): check pass; user unknown
Aug 1 02:07:17 ns sshd[22179]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.154.138.113
Aug 1 02:07:20 ns sshd[22178]: Failed password for invalid user pi from 106.154.138.113 port 59292 ssh2
Aug 1 02:07:20 ns sshd[22179]: Failed password for invalid user pi from 106.154.138.113 port 59296 ssh2
Aug 1 02:07:21 ns sshd[22178]: Connection closed by invalid user pi 106.154.138.113 port 59292 [preauth]
Aug 1 02:07:21 ns sshd[22179]: Connection closed by invalid user pi 106.154.138.113 port 59296 [preauth]

Aug 1 02:17:01 ns CRON[22352]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Aug 1 02:17:01 ns CRON[22352]: pam_unix(cron:session): session closed for user root
==> Indicates normal scheduled task activity?? So this one is no problem??

Aug 1 02:19:02 ns sshd[22392]: Invalid user admin from 185.196.220.70 port 46890
==> A user entered the username admin through sshd??
Aug 1 02:19:02 ns sshd[22392]: pam_unix(sshd:auth): check pass; user unknown
Aug 1 02:19:02 ns sshd[22392]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=185.196.220.70
Aug 1 02:19:05 ns sshd[22392]: Failed password for invalid user admin from 185.196.220.70 port 46890 ssh2
Aug 1 02:19:05 ns sshd[22392]: Received disconnect from 185.196.220.70 port 46890:11: end [preauth]
Aug 1 02:19:05 ns sshd[22392]: Disconnected from invalid user admin 185.196.220.70 port 46890 [preauth]
Aug 1 02:19:06 ns sshd[22395]: Invalid user admin from 185.196.220.70 port 44638

2022/8/2 10:11
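To answer the post's question in code: an added example (not from the original post or its author) that parses the posted sshd lines and separates failed pre-authentication attempts from completed logins. "Failed password for invalid user pi" means no account named pi exists on the box and the password was rejected before authentication finished ("[preauth]"), so nobody logged in; the cron line is a local scheduled job, not an ssh login. The only line that records an actual login is an "Accepted ..." line, and the one at the end of the sample is constructed to show the contrast (user sam and 192.0.2.10 are placeholders, not from the post).

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the sshd lines quoted in the post, one of its cron lines,
# and a final "Accepted publickey" line that is NOT in the post (sam and
# 192.0.2.10 are placeholders) to show what a real login looks like.
SAMPLE_AUTH_LOG = """\
Aug 1 02:07:17 ns sshd[22178]: pam_unix(sshd:auth): check pass; user unknown
Aug 1 02:07:17 ns sshd[22178]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=106.154.138.113
Aug 1 02:07:20 ns sshd[22178]: Failed password for invalid user pi from 106.154.138.113 port 59292 ssh2
Aug 1 02:07:20 ns sshd[22179]: Failed password for invalid user pi from 106.154.138.113 port 59296 ssh2
Aug 1 02:07:21 ns sshd[22178]: Connection closed by invalid user pi 106.154.138.113 port 59292 [preauth]
Aug 1 02:17:01 ns CRON[22352]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Aug 1 02:19:02 ns sshd[22392]: Invalid user admin from 185.196.220.70 port 46890
Aug 1 02:19:05 ns sshd[22392]: Failed password for invalid user admin from 185.196.220.70 port 46890 ssh2
Aug 1 02:19:05 ns sshd[22392]: Disconnected from invalid user admin 185.196.220.70 port 46890 [preauth]
Aug 1 03:00:00 ns sshd[22500]: Accepted publickey for sam from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:constructedfingerprint
"""

# syslog prefix: "Aug 1 02:07:20 ns sshd[22178]: <message>" (pid is optional)
PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# "invalid user" appears only when the account does not exist at all
FAILED_RE = re.compile(
    r"Failed (?P<method>\S+) for (?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
# the only message that records a completed login
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def triage(text):
    """Summarise sshd activity: failed attempts per source IP, the non-existent
    usernames each source guessed, and every completed login."""
    failed = Counter()
    invalid_users = defaultdict(set)
    accepted = []
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if not m or m["prog"] != "sshd":
            continue  # CRON, sudo etc. are not ssh logins
        msg = m["msg"]
        f = FAILED_RE.search(msg)
        if f:
            failed[f["ip"]] += 1
            if f["invalid"]:
                invalid_users[f["ip"]].add(f["user"])
            continue
        a = ACCEPTED_RE.search(msg)
        if a:
            accepted.append({"ts": m["ts"], "user": a["user"], "ip": a["ip"], "method": a["method"]})
    return {
        "failed_by_ip": dict(failed),
        "invalid_users": {ip: sorted(users) for ip, users in invalid_users.items()},
        "accepted": accepted,
    }


def suspicious_logins(result, known_sources):
    """Completed logins from addresses outside the operator's own allow-list."""
    return [a for a in result["accepted"] if a["ip"] not in known_sources]


if __name__ == "__main__":
    r = triage(SAMPLE_AUTH_LOG)
    for ip, n in r["failed_by_ip"].items():
        print(f"{ip}: {n} failed attempt(s), guessed non-existent users {r['invalid_users'].get(ip, [])}")
    for a in r["accepted"]:
        print(f"LOGIN {a['ts']} {a['user']} from {a['ip']} via {a['method']}")
    print("logins from unknown sources:", suspicious_logins(r, {"192.0.2.10"}))
```

On a real host the input is /var/log/auth.log (or `journalctl -u ssh` where only the journal is kept); the per-IP counts show the brute-force volume, and the line worth worrying about is an Accepted entry from an address you do not recognise, never a Failed one.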
Reply: auth.log under /var: first time checking a log, asking for advice
Moderator (registered 2008/7/14 0:03; from: the other side of the screen; groups: site administrator, registered users, forum moderators)
I'm guessing your ssh is still on the default port 22 and you haven't changed it.
Set up a few ssh hardening settings as soon as you can.

1 Change the default ssh port to some other port
2 Restrict the IP addresses allowed to log in
3 Disable password login and switch to key-based login
For points 2 and 3 you can use either one, or both; using both is more secure.
Once all three are done, you can stop worrying about the ssh login messages in auth.log.
If you don't harden ssh, it will be broken into sooner or later.

My ssh notes, for your reference
http://note.zn2.us/ssh.htm

2022/8/2 13:41
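The three points above, written out as sshd_config and checked by a small audit script. This is an added example; it is not the moderator's notes and nothing here comes from the linked page. Both configuration fragments are constructed, and "sam" and 192.0.2.0/24 are placeholders for the real admin account and source network. The parser follows two sshd rules a hand check often misses: the first value seen for a keyword wins, and everything after the first Match line is conditional, so only the global section is audited.

```python
import re

# Constructed weak configuration resembling stock defaults (not from the post):
WEAK_SSHD_CONFIG = """\
# password logins on the default port, root may log in directly
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed hardened configuration applying the three points above;
# "sam" and 192.0.2.0/24 stand in for the real admin user and source network.
HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers sam@192.0.2.0/24
MaxAuthTries 3
"""

# OpenSSH built-in defaults that apply when a keyword is absent from the file
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}

# (keyword, required value, why any other value matters)
CHECKS = [
    ("passwordauthentication", "no", "password logins accepted, so a guessed password works"),
    ("kbdinteractiveauthentication", "no", "PAM keyboard-interactive prompt still accepts passwords"),
    ("pubkeyauthentication", "yes", "public-key login disabled"),
    ("permitrootlogin", "no", "root can be targeted directly"),
]


def parse_sshd_config(text):
    """Global-section keywords, lowercased. Mirrors sshd: comments and blank
    lines are ignored, keyword and value are separated by whitespace or '=',
    the FIRST value seen for a keyword wins, and everything after the first
    Match line is conditional, so it is not read here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, wanted, why in CHECKS:
        actual = cfg.get(key, DEFAULTS[key]).lower()
        if actual != wanted:
            findings.append(f"{key}={actual}: {why}")
    if cfg.get("port", DEFAULTS["port"]) == "22":
        findings.append("port=22: default port, expect constant scanner noise in auth.log")
    if not any(k in cfg for k in ("allowusers", "allowgroups")):
        findings.append("no AllowUsers/AllowGroups: every local account is a valid ssh target")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"[{name}]")
        for finding in audit(text) or ["no findings"]:
            print("  -", finding)
```

Feed it the effective configuration from `sudo sshd -T` rather than the file on disk: Ubuntu's stock sshd_config has an Include for /etc/ssh/sshd_config.d/*.conf, which this parser does not follow, and `sshd -T` resolves that for you (its lowercase output parses the same way). Of the three points, moving the port only reduces the scanner noise in auth.log; disabling password authentication is what removes the brute-force risk, and AllowUsers/AllowGroups or a firewall rule bounds who can even attempt a login.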
Reply: auth.log under /var: first time checking a log, asking for advice
Member, level 5 (registered 2012/4/22 10:50; group: registered users)
Jimmy.W wrote:
A question: what could the following lines mean?? I'm not sure whether it was me connecting in, but in the middle there is an admin..... so does that mean someone else logged in?? Below I've written my own guesses at what they mean >_<


...

Aug 1 02:17:01 ns CRON[22352]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Aug 1 02:17:01 ns CRON[22352]: pam_unix(cron:session): session closed for user root
==> Indicates normal scheduled task activity?? So this one is no problem??

...



My guess is that this section should be normal; it belongs to the "pam" mechanism,

but I haven't looked into the "pam" mechanism in depth yet,

so below are some exploration notes for your reference.

My test environment is "Ubuntu 22.04 Desktop".

================================================================================

Run the following command,


grep pam_unix /var/log/auth.log | less



You should see many "pam_unix( )" entries, not only "cron" but others as well.


...

Aug 3 14:12:04 sam-anywhere lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm(uid=128) by (uid=0)
Aug 3 14:12:04 sam-anywhere systemd: pam_unix(systemd-user:session): session opened for user lightdm(uid=128) by (uid=0)
Aug 3 14:14:40 sam-anywhere lightdm: pam_unix(lightdm:session): session opened for user sam(uid=1000) by (uid=0)
Aug 3 14:14:40 sam-anywhere systemd: pam_unix(systemd-user:session): session opened for user sam(uid=1000) by (uid=0)
Aug 3 14:14:51 sam-anywhere pkexec: pam_unix(polkit-1:session): session opened for user root(uid=0) by (uid=1000)
Aug 3 14:17:01 sam-anywhere CRON[2198]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Aug 3 14:17:01 sam-anywhere CRON[2198]: pam_unix(cron:session): session closed for user root
Aug 3 14:30:01 sam-anywhere CRON[2882]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Aug 3 14:30:01 sam-anywhere CRON[2882]: pam_unix(cron:session): session closed for user root

...



================================================================================

You can use "sudo" to experiment.

Run the following command


sudo ls



Then run the following command


grep pam_unix /var/log/auth.log



The last two lines should look something like this


Aug 3 15:26:38 sam-anywhere sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Aug 3 15:26:38 sam-anywhere sudo: pam_unix(sudo:session): session closed for user root



================================================================================

Run


dpkg -L cron | sort



Output


/.
/etc
/etc/cron.d
/etc/cron.daily
/etc/cron.daily/.placeholder
/etc/cron.d/.placeholder
/etc/cron.hourly
/etc/cron.hourly/.placeholder
/etc/cron.monthly
/etc/cron.monthly/.placeholder
/etc/crontab
/etc/cron.weekly
/etc/cron.weekly/.placeholder
/etc/default
/etc/default/cron
/etc/init.d
/etc/init.d/cron
/etc/pam.d
/etc/pam.d/cron
/lib
/lib/systemd
/lib/systemd/system
/lib/systemd/system/cron.service
/usr
/usr/bin
/usr/bin/crontab
/usr/sbin
/usr/sbin/cron
/usr/share
/usr/share/bug
/usr/share/bug/cron
/usr/share/bug/cron/control
/usr/share/bug/cron/script
/usr/share/doc
/usr/share/doc/cron
/usr/share/doc/cron/changelog.Debian.gz
/usr/share/doc/cron/copyright
/usr/share/doc/cron/examples
/usr/share/doc/cron/examples/cron-stats.pl
/usr/share/doc/cron/examples/crontab2english.pl
/usr/share/doc/cron/examples/cron-tasks-review.sh
/usr/share/doc/cron/FEATURES
/usr/share/doc/cron/NEWS.Debian.gz
/usr/share/doc/cron/README
/usr/share/doc/cron/README.anacron
/usr/share/doc/cron/README.Debian
/usr/share/doc/cron/THANKS
/usr/share/doc/cron/TODO.Debian
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/crontab.1.gz
/usr/share/man/man5
/usr/share/man/man5/crontab.5.gz
/usr/share/man/man8
/usr/share/man/man8/cron.8.gz
/var
/var/spool
/var/spool/cron
/var/spool/cron/crontabs


================================================================================

Run


dpkg -L cron | grep 'pam'



Output


/etc/pam.d
/etc/pam.d/cron



================================================================================

Run


cat /etc/pam.d/cron



Output


# The PAM configuration file for the cron daemon

@include common-auth

# Sets the loginuid process attribute
session    required     pam_loginuid.so

# Read environment variables from pam_env's default files, /etc/environment
# and /etc/security/pam_env.conf.
session       required   pam_env.so

# In addition, read system locale information
session       required   pam_env.so envfile=/etc/default/locale

@include common-account
@include common-session-noninteractive

# Sets up user limits, please define limits for cron tasks
# through /etc/security/limits.conf
session    required   pam_limits.so




================================================================================

Run


dpkg -L sudo | grep pam



Output


/etc/pam.d
/etc/pam.d/sudo
/etc/pam.d/sudo-i
/usr/share/doc/sudo/examples/pam.conf



================================================================================

Run


cat /etc/pam.d/sudo



Output


#%PAM-1.0

# Set up user limits from /etc/security/limits.conf.
session    required   pam_limits.so

session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0

@include common-auth
@include common-account
@include common-session-noninteractive




================================================================================


Run


cat /etc/pam.d/sudo-i



Output


#%PAM-1.0

# Set up user limits from /etc/security/limits.conf.
session    required   pam_limits.so

session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0

@include common-auth
@include common-account
@include common-session




================================================================================

Run


dpkg -S /etc/pam.d/



Output


gdm3, gnome-screensaver, suckless-tools, i3lock, mate-screensaver, util-linux, sudo, ppp, polkitd, passwd, login, libpam-runtime, cron, cinnamon-screensaver, gnome-flashback, cups-daemon, lightdm, xscreensaver, xfce4-screensaver: /etc/pam.d



This shows that on my system,

the packages "gdm3, gnome-screensaver, suckless-tools, i3lock, mate-screensaver, util-linux, sudo, ppp, polkitd, passwd, login, libpam-runtime, cron, cinnamon-screensaver, gnome-flashback, cups-daemon, lightdm, xscreensaver, xfce4-screensaver" are installed,

and the files inside "/etc/pam.d" come from those packages.

================================================================================

Run


dpkg -L libpam-runtime



Output


/.
/etc
/etc/pam.conf
/etc/pam.d
/etc/pam.d/other
/usr
/usr/sbin
/usr/sbin/pam-auth-update
/usr/sbin/pam_getenv
/usr/share
/usr/share/doc
/usr/share/doc/libpam-runtime
/usr/share/doc/libpam-runtime/changelog.Debian.gz
/usr/share/doc/libpam-runtime/copyright
/usr/share/doc/libpam-runtime/NEWS.Debian.gz
/usr/share/lintian
/usr/share/lintian/overrides
/usr/share/lintian/overrides/libpam-runtime
/usr/share/man
/usr/share/man/man5
/usr/share/man/man5/pam.conf.5.gz
/usr/share/man/man5/pam.d.5.gz
/usr/share/man/man7
/usr/share/man/man7/pam.7.gz
/usr/share/man/man7/PAM.7.gz
/usr/share/man/man8
/usr/share/man/man8/pam-auth-update.8.gz
/usr/share/man/man8/pam_getenv.8.gz
/usr/share/pam
/usr/share/pam/common-account
/usr/share/pam/common-account.md5sums
/usr/share/pam/common-auth
/usr/share/pam/common-auth.md5sums
/usr/share/pam/common-password
/usr/share/pam/common-password.md5sums
/usr/share/pam/common-session
/usr/share/pam/common-session.md5sums
/usr/share/pam/common-session-noninteractive
/usr/share/pam/common-session-noninteractive.md5sums
/usr/share/pam-configs
/usr/share/pam-configs/unix
/var
/var/lib
/var/lib/pam



================================================================================

The above is provided for reference.

End of report.


2022/8/3 16:36
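The field that distinguishes the cases explored above is the "by (uid=N)" at the end of each "session opened" line. As an added example (not the poster's code), the script below parses pam_unix session lines, pairs each open with its close, and labels root sessions by how they were started: a cron session for root opened by uid 0 is the cron daemon running a scheduled job, a sudo or polkit-1 session for root opened by uid 1000 is a local user escalating privilege, and an sshd or lightdm session is an interactive login. The sample mixes lines quoted in this thread with one constructed sshd line at the end; the service-name groupings used for classification are my own assumptions, not anything PAM defines.

```python
import re

# Constructed sample: lines quoted in this thread (lightdm, systemd, pkexec,
# cron, sudo) plus one constructed sshd session line at the end. The uids and
# pids are illustrative, not from any real system.
SAMPLE_PAM_LINES = """\
Aug 3 14:12:04 sam-anywhere lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm(uid=128) by (uid=0)
Aug 3 14:14:40 sam-anywhere lightdm: pam_unix(lightdm:session): session opened for user sam(uid=1000) by (uid=0)
Aug 3 14:14:40 sam-anywhere systemd: pam_unix(systemd-user:session): session opened for user sam(uid=1000) by (uid=0)
Aug 3 14:14:51 sam-anywhere pkexec: pam_unix(polkit-1:session): session opened for user root(uid=0) by (uid=1000)
Aug 3 14:17:01 sam-anywhere CRON[2198]: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)
Aug 3 14:17:01 sam-anywhere CRON[2198]: pam_unix(cron:session): session closed for user root
Aug 3 15:26:38 sam-anywhere sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Aug 3 15:26:38 sam-anywhere sudo: pam_unix(sudo:session): session closed for user root
Aug 3 15:40:00 sam-anywhere sshd[3010]: pam_unix(sshd:session): session opened for user sam(uid=1000) by (uid=0)
"""

# Syslog prefix plus the pam_unix(<service>:session) message. "(uid=N)" after
# the user name and "by (uid=M)" are optional: the "closed" line carries
# neither, and older pam versions omit the first.
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"pam_unix\((?P<service>[^:]+):session\): session (?P<event>opened|closed) for user "
    r"(?P<user>[^\s(]+)(?:\(uid=(?P<uid>\d+)\))?(?: by (?:[^\s(]+)?\(uid=(?P<by_uid>\d+)\))?"
)

# Assumed groupings of PAM service names (my own, not a PAM-defined list).
ESCALATION_SERVICES = {"sudo", "su", "su-l", "polkit-1"}
LOGIN_SERVICES = {"sshd", "login", "lightdm", "gdm-password", "sddm"}


def classify(ev):
    """Label a 'session opened' event by how the session was started."""
    if ev["service"] == "cron":
        # cron opens the session for the job owner; "by (uid=0)" is the daemon itself
        return "scheduled job"
    if ev["service"] in ESCALATION_SERVICES:
        # the interesting number is who asked for root, i.e. the "by" uid
        return f"privilege escalation by uid {ev['by_uid']}"
    if ev["service"] in LOGIN_SERVICES:
        return "interactive login"
    return "other"


def analyse(text):
    """Return (opened_events, still_open): every 'opened' event with a label,
    and the ones whose matching 'closed' line never appeared."""
    opened, still_open = [], {}
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # cron and sshd log a pid, sudo and lightdm do not: fall back to the program name
        key = (ev["service"], ev["pid"] or ev["prog"], ev["user"])
        if ev["event"] == "opened":
            ev["kind"] = classify(ev)
            opened.append(ev)
            still_open[key] = ev
        else:
            still_open.pop(key, None)
    return opened, list(still_open.values())


if __name__ == "__main__":
    opened, still_open = analyse(SAMPLE_PAM_LINES)
    for ev in opened:
        print(f"{ev['ts']} {ev['service']:<16} user={ev['user']:<8} by uid={ev['by_uid']}  -> {ev['kind']}")
    print("sessions without a matching close:", [e["service"] for e in still_open])
```

Run against a real auth.log the useful output is the escalation lines: every root session opened by a non-zero uid names the local account that ran sudo or pkexec, which is what you would check after an unexpected Accepted line from sshd.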