How to know if someone is doing something bad under Linux?

Time: 2020-11-20

Checking what users are doing on a Linux box is not just a job for the sysadmin; it is a basic skill every developer should have. Why? Because a colleague doing something resource-hungry, such as compiling a large program, can make a shared server crawl and get in the way of everyone else's work. The commands in this article let you find out who it is, go and beat him up, and then get the server back to normal.

Who am I?

"Who am I? Where do I come from? Where am I going?" are the three classic questions of philosophy. At work we have a more mundane version of the problem: we switch accounts often and sometimes forget which user we have switched to. The whoami command answers it.

$ whoami
alvin

Who is currently logged into the system?

A company usually has only a few servers, and the programmers all work on them. The who command shows which users are currently logged in to the server.

$ who
alvin    pts/0        2018-12-09 07:25 (116.199.***.***)
root     pts/1        2018-12-09 11:05 (116.199.***.***)
alvin    pts/2        2018-12-09 11:05 (116.199.***.***)
harry    pts/3        2018-12-09 11:06 (116.199.***.***)
kate     pts/4        2018-12-09 11:08 (116.199.***.***)
alvin    pts/5        2018-12-09 11:53 (116.199.***.***)

In the output, the first column is the user name; the second is the terminal the session is attached to (ttyN is a local console, pts/N is a pseudo-terminal, i.e. an SSH session or a terminal emulator); the third is the login time; and the fourth, in parentheses, is the host the user connected from.

That is more detail than we need if we only want to know who is online. The users command prints just the names, one per session.

$ users
alvin alvin alvin harry kate root

What are the logged-in users doing?

Knowing who is logged in, we can go a step further and see what they are doing. The w command lists the logged-in users together with the command each one is currently running. Like who, it reads the session table in /var/run/utmp. Keep in mind what that file is: it is written by login, sshd and friends, so a process that was never part of a login session (a cron job, a daemon, a reverse shell) never appears in it, and anyone with root can edit or clear it. For a view that does not depend on utmp, look at the process table directly, for example ps -eo user,pid,tty,pcpu,cmd --sort=-pcpu.

$ w
 16:25:54 up 29 days,  6:05,  6 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
alvin    pts/0    116.199.***.**   07:25    2.00s  0.11s  0.00s w
root     pts/1    116.199.***.**   11:05    5:20m  0.02s  0.02s -bash
alvin    pts/2    116.199.***.**   11:05    5:20m  0.04s  0.05s sshd: alvin [priv]
harry    pts/3    116.199.***.**   11:06    4:33m 18.08s 18.06s watch date
kate     pts/4    116.199.***.**   11:08    4:33m 10.51s 10.48s top
alvin    pts/5    116.199.***.**   11:53    4:32m  0.02s  0.02s -bash

The first line is the same output as the uptime command: the current time, how long the system has been running, how many users are logged in, and the load averages over the last 1, 5 and 15 minutes.

Starting from the second line, a table is formed, with 8 columns showing what each user is doing and the system resources occupied by the user.

USER: the login name. A user who is logged in several times appears once per session.
TTY: the terminal the session is attached to.
FROM: the host name or IP address the login came from.
LOGIN@: short for "login at", the time the session logged in.
IDLE: how long it has been since the user last typed anything on that terminal.
JCPU: the CPU time used by all processes attached to that terminal, including background jobs that are still running (background jobs that have already finished are not counted).
PCPU: the CPU time used by the current process, the one named in the WHAT column.
WHAT: the command the user is currently running.

To see only one user's sessions, give w the user name:

$ w alvin
 16:34:21 up 29 days,  6:14,  6 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
alvin    pts/0    116.199.***.**   07:25    5.00s  0.12s  0.06s sshd: alvin [priv]
alvin    pts/2    116.199.***.**   11:05    5:28m  0.04s  0.05s sshd: alvin [priv]
alvin    pts/5    116.199.***.**   11:53    4:40m  0.02s  0.02s -bash
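Reading the PCPU column by eye works for six users, less so for sixty. The script below is an added example, not part of the original post: it parses the eight-column table that w prints (feed it w -h, or the full output; the header and uptime lines are ignored) and reports every session whose current process has used more CPU time than a threshold. The sample table is constructed to match the one above, with the addresses replaced by an RFC 5737 documentation address, and the 10-second threshold is an assumption; tune it for the machine.

```shell
#!/bin/sh
# Added example (not from the original post): flag sessions whose current
# process (the PCPU column of `w`) has consumed more CPU time than a
# threshold. Works on `w -h` output or the full output of `w`.

# Constructed sample, laid out like the table in the post.
SAMPLE_W='alvin    pts/0    203.0.113.65     07:25    2.00s  0.11s  0.00s w
root     pts/1    203.0.113.65     11:05    5:20m  0.02s  0.02s -bash
alvin    pts/2    203.0.113.65     11:05    5:20m  0.04s  0.05s sshd: alvin [priv]
harry    pts/3    203.0.113.65     11:06    4:33m 18.08s 18.06s watch date
kate     pts/4    203.0.113.65     11:08    4:33m 10.51s 10.48s top
alvin    pts/5    203.0.113.65     11:53    4:32m  0.02s  0.02s -bash'

# flag_cpu_hogs THRESHOLD_SECONDS < w_output
# Prints "user tty pcpu_seconds command" for each session over the threshold.
flag_cpu_hogs() {
    threshold=${1:-10}   # assumption: 10 s of CPU on the foreground process
    awk -v thr="$threshold" '
        # w prints intervals as "SS.ss" + s, "MM:SS" + m, "HH:MM", or "N" + days
        function to_seconds(t,    parts) {
            if (t ~ /days$/) { sub(/days$/, "", t); return t * 86400 }
            if (t ~ /s$/)    { sub(/s$/, "", t);    return t + 0 }
            if (t ~ /m$/)    { sub(/m$/, "", t);    split(t, parts, ":"); return parts[1] * 60 + parts[2] }
            if (t ~ /:/)     { split(t, parts, ":"); return parts[1] * 3600 + parts[2] * 60 }
            return 0   # "?" when w cannot tell; header and uptime lines land here too
        }
        NF >= 8 {
            pcpu = to_seconds($7)
            if (pcpu > thr) {
                what = $8
                for (i = 9; i <= NF; i++) what = what " " $i   # WHAT may contain spaces
                printf "%s %s %d %s\n", $1, $2, pcpu, what
            }
        }'
}

# Demonstration on the constructed table; on a real host: w -h | flag_cpu_hogs 60
printf '%s\n' "$SAMPLE_W" | flag_cpu_hogs 10
```

With the sample table this prints harry (watch date, 18 s) and kate (top, 10 s) and nothing for the idle shells. PCPU only covers the foreground process; a user running a heavy job in the background shows up in JCPU instead, so compare both columns if the load average is high and nothing is flagged.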

How to see current and past logins to the system?

Some people are cunning enough to deny having done anything. Linux, however, records every login, so the responsible person can still be traced.

The last command shows the login history of a specific user, or of all users when no argument is given. By default it reads /var/log/wtmp. Use last -i to see numeric addresses instead of host names and last -F for full timestamps; failed login attempts are kept separately in /var/log/btmp and shown by lastb. Like utmp, wtmp is an ordinary file that root can edit, so treat it as a convenience record, not as evidence. Each line of the output contains:

  • User name
  • Terminal
  • Host the login came from
  • Login time
  • Logout time, or "still logged in"
  • Session duration, in parentheses
$ last
alvin    pts/5        116.199.***.**   Sun Dec  9 11:53   still logged in
kate     pts/4        116.199.***.**   Sun Dec  9 11:08   still logged in
harry    pts/3        116.199.***.**   Sun Dec  9 11:06   still logged in
alvin    pts/2        116.199.***.**   Sun Dec  9 11:05   still logged in
root     pts/1        116.199.***.**   Sun Dec  9 11:05   still logged in
alvin    pts/0        116.199.***.**   Sun Dec  9 07:25   still logged in
alvin    pts/0        116.199.***.**   Sat Dec  8 20:42 - 23:10  (02:28)
alvin    pts/0        119.33.***.**    Mon Dec  3 20:50 - 23:51 (1+03:01)
alvin    pts/0        119.33.***.**    Thu Nov 29 20:20 - 22:45  (02:24)
alvin    pts/0        223.104.***.**   Thu Nov 29 06:46 - 07:00  (00:14)
alvin    pts/0        223.104.***.**   Wed Nov 28 20:45 - 22:27  (01:42)
alvin    pts/1        14.25.***.***    Sun Nov 25 19:50 - 21:09  (01:18)
alvin    pts/0        119.33.***.**    Sun Nov 25 16:32 - 21:40  (05:07)

If we only want to see a person’s history, we can follow last with the corresponding user name:

$ last alvin
alvin    pts/5        116.199.***.**   Sun Dec  9 11:53   still logged in
alvin    pts/2        116.199.***.**   Sun Dec  9 11:05   still logged in
alvin    pts/0        116.199.***.**   Sun Dec  9 07:25   still logged in
alvin    pts/0        116.199.***.**   Sat Dec  8 20:42 - 23:10  (02:28)
alvin    pts/0        119.33.***.**    Mon Dec  3 20:50 - 23:51 (1+03:01)
alvin    pts/0        119.33.***.**    Thu Nov 29 20:20 - 22:45  (02:24)
alvin    pts/0        223.104.***.**   Thu Nov 29 06:46 - 07:00  (00:14)
alvin    pts/0        223.104.***.**   Wed Nov 28 20:45 - 22:27  (01:42)
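The login history becomes useful once you compare it against where people normally come from. The script below is an added example, not part of the original post: it parses the output of last (run it as last -i so the third column holds addresses), skips reboot and shutdown records and the "wtmp begins" trailer, handles the local-console case where the host column is empty, and reports every session whose source does not start with one of the allowed prefixes. The sample lines are constructed with RFC 5737 documentation addresses, and the allowed prefix 203.0.113. is an assumption standing in for the office network.

```shell
#!/bin/sh
# Added example (not from the original post): audit `last -i` output for
# logins from unexpected networks and summarise where each account logs in
# from. The sample below is constructed; the addresses are documentation ranges.

SAMPLE_LAST='alvin    pts/5        203.0.113.65     Sun Dec  9 11:53   still logged in
kate     pts/4        203.0.113.65     Sun Dec  9 11:08   still logged in
harry    pts/3        198.51.100.7     Sun Dec  9 11:06   still logged in
root     pts/1        203.0.113.65     Sun Dec  9 11:05   still logged in
alvin    pts/0        203.0.113.65     Sat Dec  8 20:42 - 23:10  (02:28)
alvin    tty1                          Fri Dec  7 09:00 - 09:30  (00:30)
reboot   system boot  3.10.0-862.el7.x Mon Dec  3 20:00 - 11:53 (5+15:53)
harry    pts/0        192.0.2.200      Mon Dec  3 02:14 - 02:21  (00:07)
alvin    pts/0        203.0.113.65     Thu Nov 29 20:20 - 22:45  (02:24)

wtmp begins Sun Nov 25 16:32:11 2018'

# last_records < last_output
# Normalises each session to "user tty host day mon dd hh:mm". Drops reboot
# and shutdown records, the blank line and the "wtmp begins" trailer. A local
# console login has an empty host column, so the day name appears as field 3;
# such sessions are reported with the host "(local)".
last_records() {
    awk '
        /^$/ || /^wtmp begins/ || $1 == "reboot" || $1 == "shutdown" { next }
        {
            host = $3; d = 4
            if ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) { host = "(local)"; d = 3 }
            print $1, $2, host, $d, $(d + 1), $(d + 2), $(d + 3)
        }'
}

# unexpected_logins "PREFIX PREFIX ..." < last_output
# Prints the sessions whose source host does not start with any listed
# prefix. Include "(local)" in the list to accept console logins.
unexpected_logins() {
    last_records | awk -v allow="$1" '
        BEGIN { n = split(allow, pfx, " ") }
        {
            for (i = 1; i <= n; i++)
                if (index($3, pfx[i]) == 1) next
            print
        }'
}

# login_sources < last_output
# Prints "count user host", most frequent first: the baseline of where each
# account usually comes from, which is what makes an outlier visible.
login_sources() {
    last_records | awk '{ print $1, $3 }' | sort | uniq -c | sort -rn
}

# Demonstration on the constructed data; on a real host: last -i | unexpected_logins "203.0.113. (local)"
printf '%s\n' "$SAMPLE_LAST" | unexpected_logins "203.0.113. (local)"
printf '%s\n' "$SAMPLE_LAST" | login_sources
```

On the sample data both of harry's sessions are flagged: one from 198.51.100.7 and one at 02:14 from 192.0.2.200, a source no other account uses. Prefix matching is deliberate; it keeps the script to plain awk and is enough for a /24 or /16, but it is not CIDR arithmetic, so "203.0.113." matches 203.0.113.0/24 and nothing else.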

Kick out the bad guys

With the commands above we have a rough picture of what each user is doing. If we want to kick the bad guy out, the first thing that comes to mind is pkill -u:

pkill -u alvin

This is a blunt instrument: it signals every process owned by the user, not just the session you are looking at. That includes all of their logins, their background jobs and any service that happens to run under that account, and if you name your own account you kill your own shell too. On a shared server it is not recommended. The more targeted option is pkill -t, which signals only the processes attached to one terminal; killing another user's processes requires root, hence the sudo.

$ sudo pkill -KILL -t pts/3
# harry's session on pts/3 has been kicked out
$ w
 17:04:37 up 29 days,  6:44,  5 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
alvin    pts/0    116.199.***.**   07:25    5.00s  0.12s  0.00s w
root     pts/1    116.199.***.**   11:05    5:59m  0.02s  0.02s -bash
alvin    pts/2    116.199.***.**   11:05    5:59m  0.04s  0.05s sshd: alvin [priv]
kate     pts/4    116.199.***.**   11:08    5:12m 11.94s 11.91s top
alvin    pts/5    116.199.***.**   11:53    5:10m  0.02s  0.02s -bash
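pkill -t takes the terminal name on faith: mistype pts/3 as pts/2 and you have just killed alvin instead of harry. The function below is an added example, not part of the original post. It refuses to act unless who confirms the terminal belongs to the named user, sends SIGHUP before SIGKILL (an interactive bash ignores SIGTERM but exits on a hangup, which also lets it clean up its jobs), and has a dry-run mode. The WHO_OUTPUT variable, the DRY_RUN switch and the constructed who fixture exist only so the check can be exercised offline; on a real host run it as root with both unset.

```shell
#!/bin/sh
# Added example (not from the original post): terminate one user's session
# on one terminal, but only after confirming the terminal really is theirs.
# WHO_OUTPUT (fixture input) and DRY_RUN are test hooks, not part of `who`.

# Constructed `who` output for the demonstration below.
WHO_FIXTURE='alvin    pts/0        2018-12-09 07:25 (203.0.113.65)
root     pts/1        2018-12-09 11:05 (203.0.113.65)
harry    pts/3        2018-12-09 11:06 (203.0.113.65)'

# kick_session USER TTY
# Returns 0 after signalling (or, with DRY_RUN=1, describing) the kill;
# returns 1 without touching anything if TTY is not USER's session.
kick_session() {
    user=$1
    tty=$2
    who_out=${WHO_OUTPUT:-$(who)}
    # Second column of `who` is the terminal; first is the login name.
    owner=$(printf '%s\n' "$who_out" | awk -v t="$tty" '$2 == t { print $1; exit }')
    if [ -z "$owner" ]; then
        echo "kick_session: no login session on $tty" >&2
        return 1
    fi
    if [ "$owner" != "$user" ]; then
        echo "kick_session: $tty belongs to $owner, not $user; refusing" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would signal every process on $tty: HUP, then KILL"
        return 0
    fi
    # Hang up the terminal first: the shell exits and forwards HUP to its
    # jobs. Two seconds later SIGKILL anything that ignored or trapped it.
    pkill -HUP -t "$tty" || true
    sleep 2
    pkill -KILL -t "$tty" 2>/dev/null || true
    return 0
}

# Demonstration against the fixture; on a real host leave both unset.
DRY_RUN=1
WHO_OUTPUT=$WHO_FIXTURE
kick_session harry pts/3            # proceeds
kick_session alvin pts/3 || true    # refused: pts/3 is harry's, not alvin's
```

Two caveats a kick does not solve. Everything attached to the terminal dies, including a root shell harry reached via sudo on pts/3, but nothing stops harry logging straight back in: if the account itself is the problem, lock it (passwd -l harry) and remove its SSH keys as well. And a session that does not appear in who, such as a process started by cron or a shell without a controlling terminal, is untouched by pkill -t; find those with ps and target them by PID. On systemd hosts, loginctl list-sessions and loginctl terminate-session are an alternative that works from the session ID rather than the terminal name.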

Official account: good Linux
