1. 使用last命令查看登录服务器的用户记录。
[root@centos8 ~]# lastrusking pts/2 192.168.1.102 Sun Aug 23 18:38 still logged inrusking pts/2 192.168.1.102 Sun Aug 23 18:08 - 18:14 (00:05)rusking pts/2 192.168.1.102 Sun Aug 23 18:05 - 18:07 (00:01)rusking pts/2 192.168.1.102 Sun Aug 23 17:38 - 17:58 (00:19)rusking pts/2 192.168.1.102 Sun Aug 23 16:41 - 17:38 (00:56)rusking pts/1 192.168.1.82 Sun Aug 23 16:33 still logged inroot web console Sun Aug 23 15:03 - 15:18 (00:15)rusking pts/0 192.168.1.82 Sun Aug 23 14:49 still logged inroot tty1 Sun Aug 23 14:49 still logged inreboot system boot 4.18.0-193.14.2. Sun Aug 23 14:48 still runningrusking pts/0 192.168.1.82 Sat Aug 15 09:07 - 18:30 (2+09:22)rusking tty1 Sat Aug 15 09:07 - crash (8+05:40)reboot system boot 4.18.0-193.14.2. Sat Aug 15 09:06 still running |
2. 使用who命令查看当前登录的用户。
[root@centos8 ~]# who -a system boot 2020-08-23 14:48root + tty1 2020-08-23 14:49 03:59 2059rusking + pts/0 2020-08-23 14:49 00:51 3193 (192.168.1.82) web console 2020-08-23 15:18 9190 id=919 term=0 exit=0rusking + pts/1 2020-08-23 16:33 . 3193 (192.168.1.82)rusking + pts/2 2020-08-23 18:38 00:10 96080 (192.168.1.102)[root@centos8 ~]# |
3. 查看命令执行记录。
# tail -n 200 ~/.bash_history | more #查看当前帐户的操作命令。-n 200显示最近200条记录。注意：.bash_history 由该用户自己可写，可能已被清空或篡改，记录为空不代表没有操作。
# tail -n 200 /home/rusking/.bash_history | more #查看指定用户名为rusking的操作命令记录。 可以将rusking替换成其它用户。
4. 查看最近2天修改过的文件
# find /etc /var -mtime -2
5.使用netstat 命令查看本机各端口连接情况。
#netstat -aplunt 常用命令,关注LISTEN和ESTABLISHED情况。
[root@centos8 ~]# netstat -apluntActive Internet connections (servers and established)Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:9090 0.0.0.0:* LISTEN 1/systemd tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 1972/systemd-resolvtcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 2400/dnsmasq tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1415/cupsd tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 1414/sshd tcp 0 248 192.168.1.101:8888 192.168.1.82:54949 ESTABLISHED 3193/sshd: rusking tcp 0 0 192.168.1.101:8888 192.168.1.102:53426 ESTABLISHED 96080/sshd: ruskingudp 0 0 0.0.0.0:45742 0.0.0.0:* 1029/avahi-daemon: udp 0 0 0.0.0.0:5353 0.0.0.0:* 1029/avahi-daemon: udp 0 0 0.0.0.0:5355 0.0.0.0:* 1972/systemd-resolvudp 0 0 192.168.122.1:53 0.0.0.0:* 2400/dnsmasq udp 0 0 127.0.0.53:53 0.0.0.0:* 1972/systemd-resolvudp 0 0 0.0.0.0:67 0.0.0.0:* 2400/dnsmasq udp 0 0 0.0.0.0:111 0.0.0.0:* 1/systemd |
6. 使用lsof命令查看打开的文件。
# lsof -i
# lsof -p pid
[root@centos8 ~]# lsof -iCOMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEsystemd 1 root 42u IPv4 18941 0t0 TCP *:sunrpc (LISTEN)systemd 1 root 43u IPv4 18942 0t0 UDP *:sunrpcsystemd 1 root 51u IPv4 22690 0t0 TCP *:websm (LISTEN)rpcbind 960 rpc 4u IPv4 18941 0t0 TCP *:sunrpc (LISTEN)rpcbind 960 rpc 5u IPv4 18942 0t0 UDP *:sunrpcavahi-dae 1029 avahi 15u IPv4 25088 0t0 UDP *:mdnsavahi-dae 1029 avahi 16u IPv4 25099 0t0 UDP *:45742sshd 1414 root 5u IPv4 27123 0t0 TCP *:ddi-tcp-1 (LISTEN)cupsd 1415 root 10u IPv4 27305 0t0 TCP localhost:ipp (LISTEN)systemd-r 1972 systemd-resolve 12u IPv4 29589 0t0 UDP *:hostmonsystemd-r 1972 systemd-resolve 13u IPv4 29590 0t0 TCP *:hostmon (LISTEN)systemd-r 1972 systemd-resolve 16u IPv4 29593 0t0 UDP 127.0.0.53:domaindnsmasq 2400 dnsmasq 3u IPv4 32237 0t0 UDP *:bootpsdnsmasq 2400 dnsmasq 5u IPv4 32240 0t0 UDP centos8.test.com:domaindnsmasq 2400 dnsmasq 6u IPv4 32241 0t0 TCP centos8.test.com:domain (LISTEN)sshd 3193 root 5u IPv4 34113 0t0 TCP centos8.test.com:ddi-tcp-1->UltraPower:54949 (ESTABLISHED)sshd 3210 rusking 5u IPv4 34113 0t0 TCP centos8.test.com:ddi-tcp-1->UltraPower:54949 (ESTABLISHED)sshd 96080 root 5u IPv4 252937 0t0 TCP centos8.test.com:ddi-tcp-1->192.168.1.102:53426 (ESTABLISHED)sshd 96083 rusking 5u IPv4 252937 0t0 TCP centos8.test.com:ddi-tcp-1->192.168.1.102:53426 (ESTABLISHED)[root@centos8 ~]# lsof -p 96083COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEsshd 96083 rusking cwd DIR 253,0 265 128 /sshd 96083 rusking rtd DIR 253,0 265 128 /sshd 96083 rusking txt REG 253,0 1228192 3786429 /usr/sbin/sshdsshd 96083 rusking mem REG 253,0 906648 640148 /usr/lib64/libnss_systemd.so.2sshd 96083 rusking mem REG 253,0 10406312 34621674 /var/lib/sss/mc/initgroups...... |
7. 使用ps命令查看当前系统中正在运行的进程信息。
#ps -aux
[root@centos8 ~]# ps -aux | grep ruskingroot 3193 0.0 0.3 161180 10768 ? Ss 14:49 0:00 sshd: rusking [priv]rusking 3197 0.0 0.3 93812 9400 ? Ss 14:49 0:00 /usr/lib/systemd/systemd --userrusking 3199 0.0 0.1 251456 3760 ? S 14:49 0:00 (sd-pam)rusking 3208 0.0 0.3 300224 9324 ? Ssl 14:49 0:00 /usr/bin/pulseaudio --daemonize=norusking 3210 0.0 0.2 161180 6084 ? S 14:49 0:01 sshd: rusking@pts/0,pts/1rusking 3211 0.0 0.1 24696 5432 pts/0 Ss 14:49 0:00 -bashrusking 3266 0.0 0.1 74292 4480 ? Ss 14:49 0:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-onlyrusking 46209 0.0 0.1 24696 5220 pts/1 Ss 16:33 0:00 -bashroot 96080 0.0 0.3 161180 10760 ? Ss 18:38 0:00 sshd: rusking [priv]rusking 96083 0.0 0.1 161180 5352 ? S 18:38 0:00 sshd: rusking@pts/2rusking 96084 0.0 0.1 24712 5336 pts/2 Ss+ 18:38 0:00 -bashroot 102735 0.0 0.0 12108 1072 pts/1 S+ 18:55 0:00 grep --color=auto rusking |
8. 使用top或htop命令查看进程对CPU/内存的消耗情况。
注意消耗CPU/内存较高的进程。
[root@centos8 ~]# toptop - 18:56:58 up 4:08, 4 users, load average: 0.00, 0.00, 0.00Tasks: 145 total, 1 running, 144 sleeping, 0 stopped, 0 zombie%Cpu(s): 0.2 us, 0.3 sy, 0.0 ni, 99.2 id, 0.0 wa, 0.2 hi, 0.2 si, 0.0 stMiB Mem : 2834.8 total, 1845.2 free, 301.6 used, 688.0 buff/cacheMiB Swap: 3072.0 total, 3072.0 free, 0.0 used. 2356.1 avail Mem PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 103380 root 20 0 64536 4452 3768 R 0.3 0.2 0:00.01 top 1 root 20 0 177912 11676 8100 S 0.0 0.4 0:11.04 systemd 2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd 3 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 rcu_gp 4 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 rcu_par_gp 6 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/0:0H-kblockd 8 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 mm_percpu_wq 9 root 20 0 0 0 0 S 0.0 0.0 0:00.25 ksoftirqd/0 10 root 20 0 0 0 0 I 0.0 0.0 0:01.49 rcu_sched 11 root rt 0 0 0 0 S 0.0 0.0 0:00.03 migration/0 12 root rt 0 0 0 0 S 0.0 0.0 0:00.01 watchdog/0 13 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cpuhp/0 14 root 20 0 0 0 0 S 0.0 0.0 0:00.00 cpuhp/1 15 root rt 0 0 0 0 S 0.0 0.0 0:00.01 watchdog/1 16 root rt 0 0 0 0 S 0.0 0.0 0:00.04 migration/1 17 root 20 0 0 0 0 S 0.0 0.0 0:00.15 ksoftirqd/1 19 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/1:0H-kblockd ... |
9. 查看SSH登录日志。
CentOS/RHEL Linux查看secure和audit日志。
/var/log/secure
关键字："Accepted password"
/var/log/audit/audit.log
关键字："type=USER_AUTH"
其它Linux查看auth.log日志
/var/log/auth.log
10. 查看以下目录下是否有特殊文件。
# ls /tmp/ -la
# ls /dev/shm -la
# ls /var/tmp -la
11. 查看cronjob配置文件是否有异常的job
# crontab -l 注意只显示当前用户的crontab，其它用户的需分别检查。
# cat /etc/crontab
# ls /etc/cron* 查看以下所有目录下是否有异常文件,以及这些文件的内容是否被修改。
cron.d/ cron.daily/ cron.deny cron.hourly/ cron.monthly/ crontab cron.weekly/
12. 使用nmap命令查看打开的端口
#nmap localhost 注意是否有异常开启的端口。注意该命令只扫描127.0.0.1，仅绑定在其它网卡地址上的服务（如上文netstat中192.168.122.1:53的dnsmasq）不会出现在结果中，需与第5步netstat的输出对照。
[root@centos8 ~]# nmap localhostStarting Nmap 7.70 ( https://nmap.org ) at 2020-08-23 19:00 +04Nmap scan report for localhost (127.0.0.1)Host is up (0.0000080s latency).Other addresses for localhost (not scanned): ::1Not shown: 996 closed portsPORT STATE SERVICE111/tcp open rpcbind631/tcp open ipp8888/tcp open sun-answerbook9090/tcp open zeus-adminNmap done: 1 IP address (1 host up) scanned in 1.70 seconds |