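Check the login logs
Better safe than sorry: no fortress is impregnable. Some thieves may be novices, or may come and go in a hurry, and leave their traces on the server after doing their damage. Checking the login logs regularly is therefore also a security measure.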

who /var/log/wtmp

The output looks like this:

root@MRtancp:~# who /var/log/wtmp
root     tty1         2018-10-07 13:00
root     pts/0        2018-10-29 17:12 (117.136.32.98)
root     pts/1        2018-10-29 17:16 (117.136.32.98)
root     pts/2        2018-10-29 17:16 (117.136.32.98)
root     pts/3        2018-10-29 17:17 (117.136.32.98)
root     pts/4        2018-10-29 17:17 (117.136.32.98)
root     pts/5        2018-10-29 17:17 (117.136.32.98)
root     pts/6        2018-10-29 17:17 (117.136.32.98)
root     pts/7        2018-10-29 17:17 (117.136.32.98)
root     pts/8        2018-10-29 17:21 (117.136.32.98)
root     pts/9        2018-10-29 17:21 (117.136.32.98)
root     pts/10       2018-10-29 17:21 (117.136.32.98)
root     pts/11       2018-10-29 17:21 (117.136.32.98)
root     pts/12       2018-10-29 17:22 (117.136.32.98)
root     pts/13       2018-10-29 17:27 (117.136.32.98)
root@MRtancp:~# 

How do you detect a brute-force attack?
1. View the recent login log:

cat /var/log/secure

2. Count the recent failed login attempts:

cat /var/log/secure|grep 'Failed password for root'|wc -l
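
The count above is a single total for root. The following added example (not part of the original page) goes further: it groups failed sshd password attempts by source address for all usernames and lists the addresses at or above a threshold. The function names, the default threshold of 5 and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. All log lines below are constructed.

# Print constructed sshd log lines on stdout (documentation-range addresses).
sample_log() {
    cat <<'EOF'
Oct 29 17:10:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Oct 29 17:10:03 host sshd[2101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Oct 29 17:10:05 host sshd[2103]: Failed password for root from 203.0.113.5 port 40002 ssh2
Oct 29 17:10:09 host sshd[2107]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Oct 29 17:11:00 host sshd[2110]: Failed password for invalid user x from 192.0.2.9 port 1 ssh2 from 198.51.100.7 port 40100 ssh2
Oct 29 17:12:00 host sshd[2115]: Accepted password for root from 192.0.2.44 port 50022 ssh2
Oct 29 17:12:30 host sshd[2120]: Failed password for root from 198.51.100.7 port 40101 ssh2
EOF
}

# failed_by_ip [FILE] [THRESHOLD]
# Print "COUNT ADDR" for each source address with at least THRESHOLD failed
# password attempts, highest count first. FILE may be "-" to read stdin.
failed_by_ip() {
    log=${1:-/var/log/secure}
    threshold=${2:-5}
    # The username in the message is chosen by the remote client, so the
    # address is read from the fixed tail of the line ("from ADDR port N ssh2")
    # rather than from the first "from" that appears in it.
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" {
            n[$(NF-3)]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$log" | sort -k1,1nr -k2,2
}

# Demonstration on the constructed sample, threshold 3.
sample_log | failed_by_ip - 3
```

On Debian and Ubuntu the same sshd messages are written to /var/log/auth.log, so pass that path as the first argument there.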