```text
mpenning pts/19                        Fri Nov 16 10:32 - 10:35  (00:03)
mpenning pts/17                        Fri Nov 16 10:21 - 10:42  (00:21)
bill     pts/15       sol-bill.local   Fri Nov 16 10:19 - 10:36  (00:16)
mpenning pts/1        192.0.2.91       Fri Nov 16 10:17 - 10:49 (12+00:31)
kkim14   pts/14       192.0.2.225      Thu Nov 15 18:02 - 15:17  (4+21:15)
gduarte  pts/10       192.0.2.135      Thu Nov 15 12:33 - 08:10 (11+19:36)
gduarte  pts/9        192.0.2.135      Thu Nov 15 12:31 - 08:10 (11+19:38)
kkim14   pts/0        :0.0             Thu Nov 15 12:27 - 15:17  (5+02:49)
gduarte  pts/6        192.0.2.135      Thu Nov 15 11:44 - 08:10 (11+20:25)
kkim14   pts/13       192.0.2.225      Thu Nov 15 09:56 - 15:17  (5+05:20)
kkim14   pts/12       192.0.2.225      Thu Nov 15 08:28 - 15:17  (5+06:49)
kkim14   pts/11       192.0.2.225      Thu Nov 15 08:26 - 15:17  (5+06:50)
dspencer pts/8        192.0.2.130      Wed Nov 14 18:24   still logged in
mpenning pts/18       alpha-console-1. Mon Nov 12 14:41 - 14:46  (00:04)
```
You can see that the two pts login entries above have no source IP address associated with them. My CentOS machine has up to six other users sharing the system. About 10% of my logins show this issue, but no other username exhibits this behavior. For the entries with no source IP address, there is no corresponding entry in /var/log/secure.
Question
Given the scripts I keep on these systems (they control most of our network infrastructure), I am a bit scared by this and would like to understand what could cause my logins to occasionally miss the source address.
> Why does `last -i` show 0.0.0.0 for pts line entries (see also this answer)?
> Is there something (other than malicious activity) that reasonably explains this behavior?
> Apart from bash history timestamps, is there anything else I can do to track the problem down?
Informational
Since this started happening, I enabled bash history timestamps (i.e. `HISTTIMEFORMAT="%y-%m-%d %T"` in .bash_profile) and also added a few other bash history hacks; however, this has not provided any clue about what happened during the previous occurrence.
All systems run CentOS 6.3...
```text
[mpenning@typo ~]$ uname -a
Linux typo.local 2.6.32-279.9.1.el6.x86_64 #1 SMP Tue Sep 25 21:43:11 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
[mpenning@typo ~]$
```
EDIT
If I use `last -i mpenning`, I see entries like this...
```text
mpenning pts/19       0.0.0.0          Fri Nov 16 10:32 - 10:35  (00:03)
mpenning pts/17       0.0.0.0          Fri Nov 16 10:21 - 10:42  (00:21)
```
Note to those attempting an answer: I am not using the screen command or GUI logins. All of my logins come from SSH; to get the bounty award, you must cite an authoritative reference that explains `last -i` 0.0.0.0 entries obtained purely via SSH.
EDIT 2 (regarding ewwhite's questions)
/etc/resolv.conf (note that I used .local addrs in the earlier output above to hide my company's information)
```text
[mpenning@sasmars network]$ cat /etc/resolv.conf
nameserver 192.0.2.40
nameserver 192.0.2.60
domain mycompany.com
search mycompany.com
[mpenning@sasmars network]$
```
/etc/hosts info (note that this custom hosts file only exists on one of the machines that has these problems)
```text
[mpenning@sasmars network]$ cat /etc/hosts
127.0.0.1   localhost.localdomain localhost
192.0.2.44  sasmars.mycompany.com sasmars
::1         localhost6.localdomain6 localhost6
## Temporary kludge until I add reverse hostname mappings...
## Firewalls
192.0.2.254 a2-inet-fw1
192.0.2.253 a2-inet-fw2
192.0.2.254 a2-wan-fw1
192.0.2.253 a2-wan-fw2
192.0.2.201 a2-fab-fw1
192.0.2.202 a2-fab-fw2
192.0.2.203 t1-eds-fw1
192.0.2.42  sasvpn
192.0.2.246 sasasa1
192.0.2.10  sasoutfw1
## Wireless
192.0.2.6   saswcs1
192.0.2.2   l2wlc3
192.0.2.4   l2wlc4
192.0.2.12  f2wlc5
192.0.2.16  f2wlc6
192.0.2.14  f2wlc1
192.0.2.8   f2wlc2
[mpenning@sasmars network]$
```
sftp output from /var/log/secure*
```text
Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: called (pam_tacplus v1.3.7)
Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: user [mpenning] obtained
Dec 26 10:36:37 sasmars sshd[26016]: tacacs_get_password: called
Dec 26 10:36:37 sasmars sshd[26016]: tacacs_get_password: obtained password
Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: password obtained
Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: tty [ssh] obtained
Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: rhost [192.0.2.91] obtained
Dec 26 10:36:37 sasmars sshd[26016]: pam_sm_authenticate: trying srv 0
Dec 26 10:36:38 sasmars sshd[26016]: Accepted password for mpenning from 192.0.2.91 port 55118 ssh2
Dec 26 10:36:38 sasmars sshd[26016]: pam_sm_setcred: called (pam_tacplus v1.3.7)
Dec 26 10:36:38 sasmars sshd[26016]: pam_unix(sshd:session): session opened for user mpenning by (uid=0)
Dec 26 10:36:38 sasmars sshd[26018]: pam_sm_setcred: called (pam_tacplus v1.3.7)
Dec 26 10:36:38 sasmars sshd[26018]: subsystem request for sftp
Dec 26 10:37:20 sasmars sshd[26016]: pam_unix(sshd:session): session closed for user mpenning
Dec 26 10:37:20 sasmars sshd[26016]: pam_sm_setcred: called (pam_tacplus v1.3.7)
```
Final solution
Workaround
Linked libraries
CentOS 6.3 – script (util-linux-ng 2.17.2)
```text
# ldd /usr/bin/script
	linux-vdso.so.1 =>  (0x00007fff077ff000)
	libutil.so.1 => /lib64/libutil.so.1 (0x00007f309f5d1000)
	libutempter.so.0 => /usr/lib64/libutempter.so.0 (0x00007f309f3cf000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f309f03b000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f309f7e1000)
```
Ubuntu 12.04 – script (util-linux 2.20.1)
```text
# ldd /usr/bin/script
	linux-vdso.so.1 =>  (0x00007fff375ff000)
	libutil.so.1 => /lib/x86_64-linux-gnu/libutil.so.1 (0x00007fc0d7ab0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc0d76f1000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fc0d7cdc000)
```
PTY
Based on the upstream source code, both versions of script open a new pty. Below are the tests.
Ubuntu 12.04
```text
john@U64D211:~/tmp$ ls /dev/pts
0  1  5  8  ptmx
john@U64D211:~/tmp$ script
Script started, file is typescript
john@U64D211:~/tmp$ ls /dev/pts
0  1  2  5  8  ptmx
john@U64D211:~/tmp$ last -i
john     pts/0        0.0.0.0          Sat Jan  5 09:09   still logged in
reboot   system boot  0.0.0.0          Sat Jan  5 09:08 - 09:52  (00:44)
john     pts/0        0.0.0.0          Thu Jan  3 00:50 - 01:42  (00:52)
reboot   system boot  0.0.0.0          Thu Jan  3 00:48 - 01:43  (00:54)

wtmp begins Tue Jan  1 20:48:28 2013
john@U64D211:~/tmp$ exit
exit
Script done, file is typescript
john@U64D211:~/tmp$ ls /dev/pts
0  1  5  8  ptmx
john@U64D211:~/tmp$
```
Ubuntu 12.04's script did open a new pts (2). It just did not update /var/log/wtmp.
CentOS 6
I am skipping the test, since we already know script opens a pty and registers it in wtmp.
libutempter
> Project: http://freecode.com/projects/libutempter
> Description: libutempter provides a library interface for terminal emulators (such as screen and xterm) to record user sessions to the utmp and wtmp files.
So the main difference seems to be the extra library (libutempter.so.0) linked into CentOS's script.
Testing with Ubuntu 12.04
Compile script with libutempter
```text
john@U64D211:~/tmp/util-linux-2.20.1$ sudo apt-get install libutempter-dev
john@U64D211:~/tmp/util-linux-2.20.1$ ./configure --with-utempter
john@U64D211:~/tmp/util-linux-2.20.1$ make
john@U64D211:~/tmp/util-linux-2.20.1$ cd term-utils/
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ ldd ./script
	linux-vdso.so.1 =>  (0x00007fff54dff000)
	libutil.so.1 => /lib/x86_64-linux-gnu/libutil.so.1 (0x00007f289e635000)
	libutempter.so.0 => /usr/lib/libutempter.so.0 (0x00007f289e432000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f289e072000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f289e861000)
```
Test
Before running script
```text
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ ls /dev/pts
0  1  5  8  ptmx
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ last -i
john     pts/0        0.0.0.0          Sat Jan  5 09:09   still logged in
reboot   system boot  0.0.0.0          Sat Jan  5 09:08 - 10:37  (01:28)
john     pts/0        0.0.0.0          Thu Jan  3 00:50 - 01:42  (00:52)
reboot   system boot  0.0.0.0          Thu Jan  3 00:48 - 01:43  (00:54)

wtmp begins Tue Jan  1 20:48:28 2013
```
Inside script
```text
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ ./script
Script started, file is typescript
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ ls /dev/pts
0  1  2  5  8  ptmx
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ last -i
john     pts/2        0.0.0.0          Sat Jan  5 10:37   still logged in
john     pts/0        0.0.0.0          Sat Jan  5 09:09   still logged in
reboot   system boot  0.0.0.0          Sat Jan  5 09:08 - 10:37  (01:29)
john     pts/0        0.0.0.0          Thu Jan  3 00:50 - 01:42  (00:52)
reboot   system boot  0.0.0.0          Thu Jan  3 00:48 - 01:43  (00:54)

wtmp begins Tue Jan  1 20:48:28 2013
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ exit
exit
Script done, file is typescript
```
After script ends
```text
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ ls /dev/pts
0  1  5  8  ptmx
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ last -i
john     pts/2        0.0.0.0          Sat Jan  5 10:37 - 10:37  (00:00)
john     pts/0        0.0.0.0          Sat Jan  5 09:09   still logged in
reboot   system boot  0.0.0.0          Sat Jan  5 09:08 - 10:37  (01:29)
john     pts/0        0.0.0.0          Thu Jan  3 00:50 - 01:42  (00:52)
reboot   system boot  0.0.0.0          Thu Jan  3 00:48 - 01:43  (00:54)

wtmp begins Tue Jan  1 20:48:28 2013
john@U64D211:~/tmp/util-linux-2.20.1/term-utils$ last
john     pts/2                         Sat Jan  5 10:37 - 10:37  (00:00)
john     pts/0        :0               Sat Jan  5 09:09   still logged in
reboot   system boot  3.2.0-35-generic Sat Jan  5 09:08 - 10:38  (01:30)
john     pts/0        :0               Thu Jan  3 00:50 - 01:42  (00:52)
reboot   system boot  3.2.0-35-generic Thu Jan  3 00:48 - 01:43  (00:54)

wtmp begins Tue Jan  1 20:48:28 2013
```
Root cause of the empty hostname
Yes, script.c does create wtmp entries with an empty hostname. See the following code block in util-linux-2.20.1/term-utils/script.c, lines 245-247:
```c
#ifdef HAVE_LIBUTEMPTER
	utempter_add_record(master, NULL);
#endif
```
Based on libutempter-1.1.5/utempter.h:
```c
extern int utempter_add_record (int master_fd, const char *hostname);
```
So script.c is in fact passing an empty hostname to utempter_add_record.
RedHat Backport
Interestingly, upstream util-linux-ng-2.17.2 does not actually support libutempter. It seems RedHat decided to add the support themselves.
```text
john@U64D211:~/tmp/util-linux-ng-2.17.2$ ./configure --help | grep utemp
```
The command above returns an empty result.
Conclusion
So the difference in behavior between the two distributions is not a bug but a choice. RedHat decided to support the feature, while Debian skipped it.
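As an added example (not part of the question or of this answer), the following script shows how a defender can pull the mechanism described above straight out of /var/log/wtmp, and addresses the question's third point (what else can be done to track the problem). It decodes raw utmp records, flags USER_PROCESS pts logins whose ut_host is empty and whose ut_addr_v6 is all zeros (exactly the rows `last -i` prints as 0.0.0.0 and plain `last` prints with a blank host), and pairs each one with the most recent still-open login of the same user that does carry a source host, since an entry written by script(1) via utempter_add_record(master, NULL) lives inside a real SSH session. It assumes the glibc x86_64 struct utmp layout (384 bytes); the sample wtmp bytes, PIDs and timestamps are constructed here to mirror the question's `last` output, and the parent-login heuristic is my own, not something the page states.

```python
"""Flag wtmp pts logins that carry no source address, and guess their parent login.

Run with no argument to use the constructed sample below, or pass a path
such as /var/log/wtmp (readable by root on most systems).
"""
import struct
import sys
import time
from dataclasses import dataclass
from typing import List, Optional

# glibc x86_64 `struct utmp` (384 bytes): ut_type, 2 pad, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts), ut_session (int32),
# ut_tv (int32 sec, int32 usec), ut_addr_v6[4], 20 unused bytes.
# Assumption: other architectures or libcs may lay the struct out differently.
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384
USER_PROCESS = 7
DEAD_PROCESS = 8


@dataclass
class Record:
    ut_type: int
    pid: int
    line: str
    user: str
    host: str
    addr_is_zero: bool
    tv_sec: int


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_wtmp(data: bytes) -> List[Record]:
    """Decode consecutive utmp records from raw wtmp bytes (trailing partial record ignored)."""
    out = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (utype, pid, line, _id, user, host, _e1, _e2, _sess, sec, _usec,
         a0, a1, a2, a3) = struct.unpack_from(UTMP_FORMAT, data, off)
        out.append(Record(utype, pid, _cstr(line), _cstr(user), _cstr(host),
                          (a0, a1, a2, a3) == (0, 0, 0, 0), sec))
    return out


def find_sourceless_sessions(records: List[Record]) -> List[Record]:
    """pts logins with an empty ut_host and a zero ut_addr_v6.

    sshd fills both fields, so on an SSH-only host these come from a local
    pty opener such as script(1) passing NULL to utempter_add_record().
    X-display hosts like ":0.0" are excluded on purpose: `last -i` also shows
    them as 0.0.0.0, but their hostname field is not empty.
    """
    return [r for r in records
            if r.ut_type == USER_PROCESS and r.line.startswith("pts/")
            and r.host == "" and r.addr_is_zero]


def likely_parent_login(records: List[Record], orphan: Record) -> Optional[Record]:
    """Heuristic (assumption): latest earlier login of the same user that has a
    source host and was not closed (no DEAD_PROCESS on its line) before the orphan."""
    best = None
    for r in records:
        if (r.ut_type == USER_PROCESS and r.user == orphan.user and r.host
                and r.tv_sec <= orphan.tv_sec):
            closed = any(d.ut_type == DEAD_PROCESS and d.line == r.line
                         and r.tv_sec < d.tv_sec <= orphan.tv_sec for d in records)
            if not closed and (best is None or r.tv_sec >= best.tv_sec):
                best = r
    return best


def make_record(utype, pid, line, user, host="", addr4="", tv_sec=0) -> bytes:
    """Build one constructed record; addr4 (dotted IPv4) goes into ut_addr_v6[0]."""
    a0 = struct.unpack("<i", bytes(int(o) for o in addr4.split(".")))[0] if addr4 else 0
    return struct.pack(UTMP_FORMAT, utype, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, a0, 0, 0, 0)


# Constructed sample wtmp: an SSH login, a local X login, a script(1) pty, its logout.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 26016, "pts/1", "mpenning", "192.0.2.91", "192.0.2.91", 1000),
    make_record(USER_PROCESS, 26100, "pts/0", "kkim14", ":0.0", "", 1100),
    make_record(USER_PROCESS, 26200, "pts/19", "mpenning", "", "", 1200),
    make_record(DEAD_PROCESS, 26200, "pts/19", "", "", "", 1380),
])


def report(data: bytes) -> List[str]:
    """One line per sourceless pts login, with the probable parent session."""
    recs = parse_wtmp(data)
    lines = []
    for r in find_sourceless_sessions(recs):
        parent = likely_parent_login(recs, r)
        via = f"{parent.line} from {parent.host}" if parent else "no open sourced login"
        when = time.strftime("%Y-%m-%d %H:%M", time.gmtime(r.tv_sec))
        lines.append(f"{r.user} {r.line} {when} pid={r.pid}: no source address; probable parent {via}")
    return lines


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    print("\n".join(report(data)) or "no sourceless pts logins")
```

On the sample it reports the pts/19 entry and attributes it to the mpenning pts/1 session from 192.0.2.91, while the kkim14 :0.0 login is left alone. On a real host, a sourceless record whose probable parent is a session of a different user, or that has no open parent at all, is the case worth escalating; one that sits inside your own SSH session is what the answer above describes.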