On Wednesday 03 January 2007 07:27, Carl Hartung wrote:
Hi All,
This is actually a two part question. a) Is there a 100% proof-positive way to determine if someone has previously broken into a system via ssh... before remote root logins were disabled and a weak password replaced... and b) how do I correct the apparent inability of 'who', given any parameters, to return something more informative than just a prompt?
...
All ideas/hints gratefully appreciated and a happy new year to all of you!
I think you're looking for "last," which produces human-readable reports of the history of logins. The file it uses, /var/log/wtmp, is subject to log rotation (older copies are kept compressed in /var/log) so you don't get unlimited history without some manual intervention to access older parts of the history archived in the compressed wtmp files.

The wtmp file also records reboots and crashes:

% last reboot
reboot   system boot  2.6.13-15.11-smp Thu Dec 21 10:52          (12+20:42)
reboot   system boot  2.6.13-15.11-smp Wed Oct 11 22:50          (70+12:59)
reboot   system boot  2.6.13-15.11-smp Wed Oct 11 20:51          (00:38)
reboot   system boot  2.6.13-15.11-smp Wed Oct 11 20:41          (00:08)
reboot   system boot  2.6.13-15.11-smp Wed Oct 11 15:13          (05:25)
reboot   system boot  2.6.13-15.11-smp Wed Oct 11 13:23          (01:47)
reboot   system boot  2.6.13-15.11-smp Tue Oct 10 23:53          (11:36)
reboot   system boot  2.6.13-15.11-smp Thu Aug 10 06:00          (61+11:58)

wtmp begins Wed Jul 12 15:21:25 2006

If you have a limited complement of authorized users, you can do something like this:

% 19761> last |egrep -v 'XYZ|QRS|reboot'

wtmp begins Wed Jul 12 15:21:25 2006

Not even a single crash or unwanted visitor!
regards,
Carl
Randall Schulz
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
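The `last | egrep -v '...'` filter above, written out as a small POSIX shell script that is an added example and not code from either poster. It takes the allowlist of authorized users as a parameter, drops reboot/shutdown records and the "wtmp begins" footer, and also walks the rotated wtmp copies that log rotation leaves behind. The rotated-file names (/var/log/wtmp.N, /var/log/wtmp-DATE, optionally gzip-compressed) and the sample `last` output are assumptions constructed for the example; adjust the globs to your distribution.

```shell
#!/bin/sh
# Added example (not from the thread): audit `last` output for logins by
# users outside an allowlist, across the live and rotated wtmp files.

# audit_logins ALLOWLIST  < last-output
# ALLOWLIST is a space-separated list of authorized usernames.
# Prints every session line whose user is not in the list.
# Exit status: 0 if nothing unexpected was found, 1 otherwise.
audit_logins() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF == 0                                 { next }   # blank separator line
        $1 == "reboot" || $1 == "shutdown"      { next }   # boot/crash records
        $1 == "wtmp" && $2 == "begins"          { next }   # trailing footer
        !($1 in ok)                             { print; found = 1 }
        END { exit (found ? 1 : 0) }
    '
}

# all_logins: emit `last` output for the live wtmp plus any rotated copies.
# Assumption: logrotate-style names; compressed copies are unpacked to a
# temp file because `last -f` needs a plain wtmp file.
all_logins() {
    for f in /var/log/wtmp /var/log/wtmp.[0-9]* /var/log/wtmp-*; do
        [ -f "$f" ] || continue          # skip unmatched glob patterns
        case "$f" in
            *.gz)
                tmp=$(mktemp) || return 1
                gzip -dc "$f" > "$tmp" && last -f "$tmp"
                rm -f "$tmp"
                ;;
            *)  last -f "$f" ;;
        esac
    done
}

# audit_system ALLOWLIST: the two pieces combined, e.g.
#   audit_system "carl randall"
audit_system() {
    all_logins | audit_logins "$1"
}

# Constructed sample `last` output (hypothetical hosts and users) so the
# filter can be exercised without touching the real wtmp.
sample_last_output() {
    cat <<'EOF'
carl     pts/0        192.0.2.10       Tue Jan  2 09:14 - 09:40  (00:26)
randall  pts/1        192.0.2.11       Tue Jan  2 08:02   still logged in
root     pts/2        198.51.100.7     Mon Jan  1 03:17 - 03:19  (00:02)
reboot   system boot  2.6.13-15.11-smp Thu Dec 21 10:52          (12+20:42)
unknown  pts/0        198.51.100.7     Mon Jan  1 03:05 - 03:16  (00:11)

wtmp begins Wed Jul 12 15:21:25 2006
EOF
}

# Demo on the constructed data: reports the root and "unknown" sessions.
sample_last_output | audit_logins "carl randall"
```

Two things worth keeping in mind when reading the result: wtmp is an ordinary root-owned file, so anyone who already obtained root could have trimmed it, and `last` only covers successful sessions. Cross-check against sshd's own messages in syslog and against `lastb` (the /var/log/btmp failed-login record) before concluding nobody got in.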