Lab 3: Log Analysis


Lab requirements

  • View and analyze log files, and determine the cause of a failure

Lab procedure

  1. On terminal tty3, attempt to log in with the nonexistent user account administrator
  2. Create a new user account kitty and log in on terminal tty4
  3. Enter the wrong password on the first attempt
  4. Enter the correct password on the second attempt
  5. View the login records (successful and failed) for the users above
  6. View the newly added security messages in /var/log/secure

Attempting to log in on terminal tty3 with the nonexistent user account administrator

Users with failed logins

[root@Daring ~]# lastb
kitty    tty3                          Wed Jun 29 10:54 - 10:54  (00:00)    
administ tty3                          Wed Jun 29 10:53 - 10:53  (00:00)    
jason    pts/1        192.168.0.1      Tue Jun 28 11:19 - 11:19  (00:00)    
jason    pts/3        192.168.0.1      Mon Jun 27 16:44 - 16:44  (00:00)    
jasoh    pts/1        192.168.0.1      Wed Jun 22 12:43 - 12:43  (00:00)    
jaon     pts/1        192.168.0.1      Wed Jun 22 12:43 - 12:43  (00:00)    
JASO**** pts/0        192.168.0.1      Wed Jun 15 22:33 - 22:33  (00:00)    
         pts/2        192.168.0.1      Mon Jun 13 15:51 - 15:51  (00:00)    
         pts/2        192.168.0.1      Mon Jun 13 15:51 - 15:51  (00:00)    
JASON    pts/2        192.168.0.1      Mon Jun 13 15:51 - 15:51  (00:00)    
jaao**   pts/1        192.168.0.1      Mon Jun 13 13:54 - 13:54  (00:00)    
123123   pts/0        192.168.0.1      Fri Jun 10 10:55 - 10:55  (00:00)    
jaso     pts/0        192.168.0.1      Fri Jun 10 10:54 - 10:54  (00:00)
  • administ (the name administrator as lastb displays it) is the login attempt on tty3 with the nonexistent user administrator
  • kitty is the first login after the account was created, attempted on tty3 with the wrong password
[root@Daring ~]# cat /var/log/secure
... // earlier lines omitted
Jun 29 10:53:17 Daring login: FAILED LOGIN 1 FROM (null) FOR administrator, User not known to the underlying authentication module
Jun 29 10:53:43 Daring login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jun 29 10:53:43 Daring login: ROOT LOGIN ON tty3
Jun 29 10:53:53 Daring useradd[29482]: new group: name=kitty, GID=1003
Jun 29 10:53:53 Daring useradd[29482]: new user: name=kitty, UID=506, GID=1003, home=/home/kitty, shell=/bin/bash
Jun 29 10:54:02 Daring passwd: pam_unix(passwd:chauthtok): password changed for kitty
Jun 29 10:54:02 Daring passwd: gkr-pam: couldn't update the 'login' keyring password: no old password was entered
Jun 29 10:54:23 Daring login: pam_unix(login:session): session closed for user root
Jun 29 10:54:29 Daring login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty3 ruser= rhost=  user=kitty
Jun 29 10:54:31 Daring login: FAILED LOGIN 1 FROM (null) FOR kitty, Authentication failure
Jun 29 10:54:44 Daring login: pam_unix(login:session): session opened for user kitty by LOGIN(uid=0)
Jun 29 10:54:44 Daring login: LOGIN ON tty3 BY kitty
[root@Daring ~]#
  • The record written when logging in on tty3 with the nonexistent user administrator
Jun 29 10:53:17 Daring login: FAILED LOGIN 1 FROM (null) FOR administrator, User not known to the underlying authentication module
  • The two records written when kitty logs in with the wrong password
Jun 29 10:54:29 Daring login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty3 ruser= rhost=  user=kitty
Jun 29 10:54:31 Daring login: FAILED LOGIN 1 FROM (null) FOR kitty, Authentication failure
  • kitty logging in with the correct password
Jun 29 10:54:44 Daring login: pam_unix(login:session): session opened for user kitty by LOGIN(uid=0)
Jun 29 10:54:44 Daring login: LOGIN ON tty3 BY kitty
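Added example (not part of the original lab notes): a small Python classifier that reads the /var/log/secure lines shown above (embedded here as a constructed sample) and separates, per user, "User not known" failures, wrong-password failures and successful logins, then gives the verdict the lab asks for. The function names classify, login_timeline and diagnose are my own.

```python
import re
from collections import defaultdict
# Constructed sample: the /var/log/secure lines from this lab (not read from a live system)
SAMPLE_SECURE = """\
Jun 29 10:53:17 Daring login: FAILED LOGIN 1 FROM (null) FOR administrator, User not known to the underlying authentication module
Jun 29 10:54:29 Daring login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty3 ruser= rhost=  user=kitty
Jun 29 10:54:31 Daring login: FAILED LOGIN 1 FROM (null) FOR kitty, Authentication failure
Jun 29 10:54:44 Daring login: pam_unix(login:session): session opened for user kitty by LOGIN(uid=0)
Jun 29 10:54:44 Daring login: LOGIN ON tty3 BY kitty
"""
TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
# "FAILED LOGIN ... FOR <user>, <reason>": the reason text tells an unknown user apart from a bad password
FAILED_RE = re.compile(TS + r" \S+ login: FAILED LOGIN \d+ FROM \S+ FOR (?P<user>\S+), (?P<reason>.+)$")
# "LOGIN ON <tty> BY <user>" is written only after a successful console login
SUCCESS_RE = re.compile(TS + r" \S+ login: LOGIN ON (?P<tty>\S+) BY (?P<user>\S+)$")

def classify(line):
    """(timestamp, user, outcome) for a login outcome line, else None. The pam_unix
    'authentication failure' line is skipped: the FAILED LOGIN line after it is the same attempt."""
    m = FAILED_RE.match(line)
    if m:
        reason = m.group("reason")
        outcome = ("unknown-user" if reason.startswith("User not known")
                   else "bad-password" if reason.startswith("Authentication failure") else "failed")
        return m.group("ts"), m.group("user"), outcome
    m = SUCCESS_RE.match(line)
    return (m.group("ts"), m.group("user"), "success") if m else None

def login_timeline(text):
    """Per-user list of (timestamp, outcome), in log order."""
    timeline = defaultdict(list)
    for line in text.splitlines():
        ev = classify(line)
        if ev:
            timeline[ev[1]].append((ev[0], ev[2]))
    return dict(timeline)

def diagnose(timeline):
    """One verdict per user, matching the three cases the lab distinguishes."""
    verdicts = {}
    for user, events in timeline.items():
        outcomes = [o for _, o in events]
        if "unknown-user" in outcomes and "success" not in outcomes:
            verdicts[user] = "account does not exist"
        elif outcomes[-1] == "success":
            verdicts[user] = f"logged in after {outcomes.count('bad-password')} bad password(s)"
        else:
            verdicts[user] = "all attempts failed"
    return verdicts
```

Running diagnose(login_timeline(SAMPLE_SECURE)) reports administrator as a nonexistent account and kitty as logged in after one bad password, which is exactly the reading of the log made above.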
