user登入時出現6個 -bash: /dev/null: Permission denied
用last指令查不到任何登入entry
$ last
wtmp begins Tue Mar 17 14:47:27 2020
$ lastb
btmp begins Thu Mar 12 12:22:03 2020
查 /var/log/wtmp 發現被symbolic link到 /dev/null 去了
$ ls -al wtmp
lrwxrwxrwx. 1 root root 9 Mar 6 2019
wtmp -> /dev/null
移除symbolic link並重建wtmp (權限為 -rw-rw-r--. 1 root utmp)
rm /var/log/wtmp
touch /var/log/wtmp
chgrp utmp /var/log/wtmp
chmod g+w /var/log/wtmp
查看 /dev/null
[sywang@kitty log]$ ls -al /dev/null
crw-rw-r--. 1 root utmp 1, 3 Mar 17 14:47
/dev/null
重建 /dev/null
# rm -f /dev/null
# mknod -m 666 /dev/null c 1 3
/var/log/btmp權限亦不對(正確為-rw-------. 1 root utmp)
$ ls -al /var/log/btmp
-rw-rw-rw-. 1 root utmp 0 Mar 12 12:22
/var/log/btmp
移除並重建 /var/log/btmp 就開始寫資料進來了
$ sudo rm btmp
$ sudo touch btmp
$ sudo chgrp utmp btmp
$ sudo chmod og-r btmp
$ ls -al btmp
-rw-------. 1 root utmp 0 Mar 24 17:22 btmp
$ sudo lastb
root
ssh:notty 51.91.136.174 Tue Mar 24 17:25 - 17:25 (00:00)
dave
ssh:notty 121.92.broadband Tue
Mar 24 17:24 - 17:24 (00:00)
dave
ssh:notty 121.92.broadband Tue
Mar 24 17:24 - 17:24 (00:00)
testing
ssh:notty 202.51.110.214 Tue Mar 24 17:24 - 17:24 (00:00)
testing
ssh:notty 202.51.110.214 Tue Mar 24 17:24 - 17:24 (00:00)
qh
ssh:notty 51.68.89.100 Tue Mar 24 17:24 - 17:24 (00:00)
qh
ssh:notty 51.68.89.100 Tue Mar 24 17:24 - 17:24 (00:00)
bettina
ssh:notty 16.ip-164-132-57 Tue
Mar 24 17:24 - 17:24 (00:00)
bettina
ssh:notty 16.ip-164-132-57 Tue
Mar 24 17:24 - 17:24 (00:00)
