1、查看ssh端口（默认22）可疑连接
[root@host ~]#netstat -anplt |grep 22

2、查看除root外是否有特权账户
awk -F: ‘$3==0{print $1}’ /etc/passwd

3、查看可疑远程登录的账号信息
awk ‘/$1|$6/{print $1}’ /etc/shadow

4、查看ssh登录失败的记录
grep -o “Failed password” /var/log/secure|uniq -c

5、查看登录爆破的时间范围
grep “Failed password” /var/log/secure|head -1
grep “Failed password” /var/log/secure|tail -1

6、查看爆破的源IP
grep “Failed password” /var/log/secure|grep -E -o
“(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25
[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)”|uniq -c
| sort -nr

7、查看爆破用户名字典
grep “Failed password” /var/log/secure|
perl -e ‘while($_=<>){ /for(.*?) from/; print “$1n”;}’
|uniq -c|sort -nr

8、查看登录成功的日期、用户名、IP日志
grep “Accepted ” /var/log/secure | awk
‘{print $1,$2,$3,$9,$11}’

9、查看登录成功的IP
grep “Accepted ” /var/log/secure | awk ‘{print $11}’
| sort | uniq -c | sort -nr | more