Saturday, March 2, 2013

A few ways to check hacker attacks on Linux machines

Professional hackers probably will not leave obvious fingerprints, but there are still benefits to checking whether your Linux server is under attack from malicious hackers. Here are a few ways to check.

1. The /var/log/auth.log file. This log file records all login activity in and out of the system, including logins by system processes and by users.

grep 'Failed password' /var/log/auth.log: this command checks whether someone is trying to brute-force a login via password enumeration;

grep 'Accepted password' /var/log/auth.log: this command checks whether anyone has managed to log into the system without your knowledge.
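The two grep checks above, carried a step further as an added example (not part of the original post): the script runs over a constructed sample of auth.log lines, counts failed password attempts per source address so repeated guessing from one host stands out, and lists every accepted login. The sample lines, the hostname and the addresses are made up for the example.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log lines (not taken from a real system).
SAMPLE_LOG='Mar  2 10:01:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  2 10:01:15 host sshd[1201]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  2 10:01:19 host sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  2 10:05:44 host sshd[1210]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Mar  2 10:07:02 host sshd[1215]: Failed password for alice from 198.51.100.9 port 40100 ssh2
Mar  2 10:09:30 host sshd[1220]: Accepted publickey for bob from 198.51.100.7 port 40050 ssh2
Mar  2 10:11:01 host CRON[1230]: pam_unix(cron:session): session opened for user root by (uid=0)'

# Count failed password attempts per source address, most frequent first.
# Reads log text on stdin, prints "<count> <ip>" per line.
failed_by_source() {
    grep 'Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# List successful logins as "<user> <ip>". Matching on 'Accepted ' rather than
# 'Accepted password' also catches key-based logins (Accepted publickey).
accepted_logins() {
    grep 'Accepted ' \
        | sed -n 's/.*Accepted [a-z]* for \([^ ]*\) from \([0-9.]*\) port .*/\1 \2/p'
}

# Source addresses with at least $1 failures (default 3): likely brute forcing.
suspicious_sources() {
    threshold=${1:-3}
    failed_by_source | awk -v t="$threshold" '$1 >= t {print $2}'
}

# Run against the sample; on a real host feed the file instead:
#   failed_by_source < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | accepted_logins
printf '%s\n' "$SAMPLE_LOG" | suspicious_sources 3
```

On the sample, 203.0.113.5 is reported with three failures and the accepted list shows both the password login for alice and the key login for bob, which a plain grep for 'Accepted password' would not surface.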

2. The lastlog command. This command extracts information from the auth.log file and displays it in the terminal. It shows system processes as well, so if you are only interested in human logins, you can use the following command line to filter out the system processes:

lastlog | sed '/Never/d' | less
