
How to query the remote logon information of an ECS instance

Last Updated: Aug 03, 2021

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make guarantees or warranties, express or implied, with respect to the performance and reliability of third-party products, and potential impacts of operations on the products.

Overview

By viewing the remote logon information of an ECS instance, you can locate faults and analyze security issues more effectively. This topic describes how to view the remote logon information of an ECS instance.

Description

Take note of the following items:

  • Before you perform high-risk operations such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
  • You can modify the configurations and data of instances including Elastic Compute Service (ECS) and ApsaraDB RDS instances. We recommend that you create snapshots or enable RDS log backup before you modify instance configurations or data.
  • If you have authorized or submitted sensitive information such as the logon account and password in the Alibaba Cloud Management Console, we recommend that you modify the information in a timely manner.

Different operating systems use different methods to view remote logon information. Follow the steps below that correspond to the operating system of your instance.

How to view remote logon information for Linux instances

  1. Use a management terminal to connect to a Linux instance. For more information, see Overview.
  2. Run the following command as the root user to view information about the client that remotely logs on to the Linux instance:
    last
    The system display is similar to the following. You can view the client name, client address, event recording time, and other information, and use this information to analyze whether the server has security risks.
    Note: If you find that an abnormal client has logged on to the instance, you can restrict remote logon to specific IP addresses. For more information, see the Allow only specific IP addresses to remotely log on to the instance section of Security group application cases.
    [Figure: sample output of the last command]
    Note: The columns in the output of the last command have the following meanings:
    • First column: the username.
    • Second column: the logon terminal. pts/0 indicates a pseudo terminal, which means that the user connected remotely by using the ssh or telnet command. tty indicates a user connected locally.
    • Third column: the logon IP address or the kernel. If it is 0.0 or empty, the user connected from the local terminal. For restart entries, the kernel version is displayed in this column.
    • Fourth column: the start time.
    • Fifth column: the end time (still logged in: the user has not logged out; down: until normal shutdown; crash: until forced shutdown).
    • Sixth column: the duration.
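
The column layout described above can be checked automatically. The following Python sketch is an added example, not part of the original article: it parses output of the last command and lists remote (pts) sessions whose source address is outside an allowlist. The function names, the sample output and the allowlisted range are constructed for illustration.

```python
import ipaddress

WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}

# Constructed sample of `last` output (documentation-range addresses only).
SAMPLE_LAST_OUTPUT = """\
root     pts/0        203.0.113.45     Wed Mar 31 17:10   still logged in
root     pts/1        198.51.100.7     Wed Mar 31 16:02 - 16:40  (00:38)
admin    tty1                          Tue Mar 30 09:12 - 09:20  (00:08)
reboot   system boot  3.10.0-1160.el7. Tue Mar 30 09:10 - 17:16 (1+08:06)
root     pts/0        203.0.113.45     Mon Mar 29 22:01 - crash  (11:09)

wtmp begins Mon Mar  1 10:00:00 2021
"""

def parse_last(text):
    """Return one dict per logon record: user, tty, host, status."""
    records = []
    for line in text.splitlines():
        tokens = line.split()
        # Skip blank lines, the "wtmp begins" footer and reboot/shutdown pseudo-users.
        if len(tokens) < 3 or tokens[0] in ("wtmp", "btmp", "reboot", "shutdown"):
            continue
        # The third column is empty for local logons, so the weekday follows the tty.
        host = "" if tokens[2] in WEEKDAYS else tokens[2]
        marks = ("still logged in", "- crash", "- down")
        status = next((m for m in marks if m in line), "ended").lstrip("- ")
        records.append({"user": tokens[0], "tty": tokens[1],
                        "host": host, "status": status})
    return records

def unexpected_remote_logins(records, allowed_cidrs):
    """Return remote (pts/*) sessions whose source is outside allowed_cidrs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for rec in records:
        if not rec["tty"].startswith("pts/") or not rec["host"]:
            continue  # local terminal or no recorded source address
        try:
            addr = ipaddress.ip_address(rec["host"])
            ok = any(addr in net for net in allowed)
        except ValueError:
            ok = False  # hostname or truncated value: cannot be verified
        if not ok:
            flagged.append(rec)
    return flagged

if __name__ == "__main__":
    for rec in unexpected_remote_logins(parse_last(SAMPLE_LAST_OUTPUT), ["203.0.113.0/24"]):
        print(rec)
```

On a real instance, pass the text printed by the last command to parse_last instead of the constructed sample, and replace the allowlist with the address ranges you actually log on from.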

Method for viewing remote logon information on Windows systems

  1. Use the management terminal to connect to a Windows instance. For more information, see Overview.
  2. Select Start, right-click Run, enter eventvwr.msc in the Run box, and then click OK.
  3. On the Event Viewer page, choose Windows Logs > Security, and then click Filter Current Logs.
  4. On the Filter Current Logs page, enter 4648 in the All Event IDs box and click OK. The system lists the logs that meet the filter conditions. Double-click the corresponding event log.
  5. On the Event Attributes page, click Details to view the client name, client address, and event recording time. Use this information to analyze whether the server has security risks.
    Note: If you find that an abnormal client has logged on to the instance, you can restrict remote logon to specific IP addresses. For more information, see the Allow only specific IP addresses to remotely log on to the instance section of Security group application cases.

Application scope

  • ECS