On Wednesday 03 January 2007 07:27, Carl Hartung wrote:

> Hi All,
>
> This is actually a two part question. a) Is there a 100%
> proof-positive way to determine if someone has previously broken into
> a system via ssh... before remote root logins were disabled and a
> weak password replaced... and b) how do I correct the apparent
> inability of 'who', given any parameters, to return something more
> informative than just a prompt?
>
> ...
>
> All ideas/hints gratefully appreciated and a happy new year to all of
> you!
I think you're looking for "last," which produces human-readable reports of the history of logins. The file it uses, /var/log/wtmp, is subject to log rotation (older copies are kept compressed in /var/log), so you don't get unlimited history without some manual intervention to access older parts of the history archived in the compressed wtmp files.

The wtmp file also records reboots and crashes:

    % last reboot
    reboot   system boot  2.6.13-15.11-smp Thu Dec 21 10:52          (12+20:42)
    reboot   system boot  2.6.13-15.11-smp Wed Oct 11 22:50          (70+12:59)
    reboot   system boot  2.6.13-15.11-smp Wed Oct 11 20:51          (00:38)
    reboot   system boot  2.6.13-15.11-smp Wed Oct 11 20:41          (00:08)
    reboot   system boot  2.6.13-15.11-smp Wed Oct 11 15:13          (05:25)
    reboot   system boot  2.6.13-15.11-smp Wed Oct 11 13:23          (01:47)
    reboot   system boot  2.6.13-15.11-smp Tue Oct 10 23:53          (11:36)
    reboot   system boot  2.6.13-15.11-smp Thu Aug 10 06:00          (61+11:58)

    wtmp begins Wed Jul 12 15:21:25 2006

If you have a limited complement of authorized users, you can do something like this:

    % 19761> last |egrep -v 'XYZ|QRS|reboot'

    wtmp begins Wed Jul 12 15:21:25 2006

Not even a single crash or unwanted visitor!

> regards,
>
> Carl

Randall Schulz
--
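An added example, not part of Randall's reply: a small POSIX shell/awk script that applies the same allowlist idea to a captured `last` report, listing sessions by users outside the allowlist and any root sessions on a network pseudo-terminal. The user names, addresses and dates in the sample are constructed for the example and come from no real wtmp file.

```shell
# Constructed sample of `last` output; users, addresses and dates are made up.
SAMPLE_LAST='carl     pts/0        192.0.2.10       Tue Jan  2 21:10   still logged in
root     pts/1        198.51.100.7     Mon Jan  1 03:14 - 03:20  (00:06)
reboot   system boot  2.6.13-15.11-smp Thu Dec 21 10:52          (12+20:42)
carl     tty1                          Wed Dec 20 08:00 - 17:02  (09:02)
mallory  pts/2        203.0.113.5      Tue Dec 19 02:41 - 02:59  (00:18)

wtmp begins Wed Jul 12 15:21:25 2006'

# unexpected_logins 'user1|user2' < last-output
# Prints every session whose user is not in the allowlist, skipping reboot
# records, blank lines and the "wtmp begins" trailer. This is the same
# filtering as `last | egrep -v 'XYZ|QRS|reboot'`, but as an exact match on
# the user field, so a name like "carlos" is not hidden by an allowlisted "carl".
unexpected_logins() {
    awk -v allowed="$1" '
        /^$/ || /^wtmp begins/ || $1 == "reboot" { next }
        {
            n = split(allowed, a, "|"); ok = 0
            for (i = 1; i <= n; i++) if ($1 == a[i]) ok = 1
            if (!ok) print
        }'
}

# remote_root_logins < last-output
# Prints root sessions on a pseudo-terminal (pts/N), which is how an ssh
# login appears; a console login on tty1 is not listed.
remote_root_logins() {
    awk '$1 == "root" && $2 ~ /^pts\//'
}

# Count helpers so the checks can be scripted (e.g. from a nightly cron job).
count_unexpected() {
    printf '%s\n' "$SAMPLE_LAST" | unexpected_logins "$1" | wc -l | tr -d ' '
}
count_remote_root() {
    printf '%s\n' "$SAMPLE_LAST" | remote_root_logins | wc -l | tr -d ' '
}

printf 'Sessions by users outside the allowlist:\n'
printf '%s\n' "$SAMPLE_LAST" | unexpected_logins 'carl'
printf 'Root sessions over a pseudo-terminal:\n'
printf '%s\n' "$SAMPLE_LAST" | remote_root_logins
```

`last` only reports what is still in wtmp (plus the rotated copies the reply mentions), and wtmp is writable by root, so an empty report is evidence of absence only as far as wtmp itself can be trusted.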
