LinuxÉϵÄÈÕÖ¾ÆÊÎöÓëÇå¾²ÊÂÎñ¼ì²â
linuxÉϵÄÈÕÖ¾ÆÊÎöÓëÇå¾²ÊÂÎñ¼ì²â
ÔÚµ±½ñÐÅϢʱ´ú£¬ÍøÂçÇå¾²ÎÊÌâÈÕÒæÍ»³ö£¬ºÚ¿Í¹¥»÷ºÍ¶ñÒâÈí¼þ³ÉΪÆóÒµºÍСÎÒ˽ÈËÃæÁٵĺã¾ÃÍþв¡£ÎªÁ˸üºÃµØ±£»¤ÎÒÃǵÄϵͳºÍÊý¾Ý£¬¶ÔЧÀÍÆ÷µÄÈÕÖ¾¾ÙÐÐÆÊÎöºÍÇå¾²ÊÂÎñ¼ì²â±äµÃÖÁ¹ØÖ÷Òª¡£Linux²Ù×÷ϵͳÌṩÁ˸»ºñµÄ¹¤¾ßºÍÊÖÒÕÀ´ÊµÏÖÕâһĿµÄ£¬±¾ÎĽ«ÏÈÈÝÔõÑùÔÚLinuxÉϾÙÐÐÈÕÖ¾ÆÊÎöºÍÇå¾²ÊÂÎñ¼ì²â£¬²¢Ìṩ´úÂëʾÀýÒÔ±ã¸üºÃÃ÷È·¡£
Ò»¡¢ÈÕÖ¾ÆÊÎö
ЧÀÍÆ÷µÄÈÕÖ¾¼Í¼ÁËÓû§ºÍϵͳÔ˶¯µÄÖ÷ÒªÐÅÏ¢£¬Í¨¹ý¶ÔÕâЩÈÕÖ¾¾ÙÐÐÆÊÎö¿ÉÒÔ×ÊÖúÎÒÃÇÅÅÅÌÎÊÌâ¡¢·¢Ã÷Òì³£¡¢×·×Ù¹¥»÷Õߵȡ£ÏÂÃæÏÈÈݼ¸ÖÖ³£¼ûµÄÈÕÖ¾ÆÊÎöÒªÁì¡£
ÆÊÎöϵͳÈÕÖ¾
LinuxϵͳµÄÖ÷ÒªÈÕÖ¾ÎļþλÓÚ/var/logĿ¼Ï£¬ÆäÖÐ×îÖ÷ÒªµÄÊÇ/var/log/messagesºÍ/var/log/syslog¡£ÎÒÃÇ¿ÉÒÔʹÓÃgrepÏÂÁîÀ´ËÑË÷Òªº¦×Ö£¬Èç²éÕÒÌض¨µÄIPµØµã¡¢Òªº¦´ÊµÈ¡£
ÀýÈ磬ÎÒÃÇ¿ÉÒÔʹÓÃÒÔÏÂÏÂÁîÀ´ËÑË÷Ö¸¶¨IPµØµãµÄµÇ¼¼Í¼£º
grep ‘192.168.1.100’ /var/log/auth.log
ʹÓÃÈÕÖ¾ÆÊÎö¹¤¾ß
³ýÁËÊÖ¶¯ÆÊÎöÈÕÖ¾ÎļþÍ⣬»¹¿ÉÒÔʹÓÃһЩÈÕÖ¾ÆÊÎö¹¤¾ßÀ´×ÊÖú´¦Àí´ó×ÚÈÕÖ¾Êý¾Ý¡£ÆäÖнÏÁ¿³£ÓõÄÊÇELK£¨Elasticsearch¡¢LogstashºÍKibana£©¿ÍÕ»¡£
ElasticsearchÊÇÒ»ÖÖÂþÑÜʽËÑË÷ºÍÆÊÎöÒýÇ棬Logstash¿ÉÒÔÍøÂç¡¢´¦ÀíºÍת·¢ÈÕÖ¾Êý¾Ý£¬KibanaÔòÊÇÒ»¸öÇ¿Ê¢µÄÊý¾Ý¿ÉÊÓ»¯¹¤¾ß¡£Í¨¹ý½«ÕâÈý¸ö¹¤¾ß×éºÏʹÓã¬ÎÒÃÇ¿ÉÒÔ½«ÈÕÖ¾Êý¾Ýµ¼ÈëElasticsearchÖУ¬²¢Ê¹ÓÃKibana¾ÙÐиßЧµÄËÑË÷ºÍ¿ÉÊÓ»¯¡£
×Ô½ç˵½ÅÌìÖ°Îö
³ýÁËʹÓÃÏÖÓеŤ¾ßºÍÏÂÁîÍ⣬ÎÒÃÇ»¹¿ÉÒÔ±àд×Ô½ç˵½ÅÔÀ´ÆÊÎöºÍ´¦ÀíÈÕÖ¾Êý¾Ý¡£ÀýÈ磬ÏÂÃæµÄʾÀý´úÂëÑÝʾÁËÔõÑùÆÊÎöApache»á¼ûÈÕÖ¾ÎļþÖеÄÇëÇóÁ¿£º
#!/bin/bash logfile="/var/log/httpd/access_log" count=$(cat $logfile | wc -l) echo "Total Requests: $count" unique_ips=$(cat $logfile | awk '{print $1}' | sort -u | wc -l) echo "Unique IPs: $unique_ips"
µÇ¼ºó¸´ÖÆ
Õâ¶Î´úÂëʹÓÃcatÏÂÁî¶ÁÈ¡ÈÕÖ¾Îļþ£¬wcÏÂÁîÅÌËãÐÐÊýºÍΨһIPµØµãÊýÄ¿£¬²¢½«Ð§¹û´òÓ¡Êä³ö¡£
¶þ¡¢Çå¾²ÊÂÎñ¼ì²â
³ýÁËÆÊÎöÈÕÖ¾Í⣬ÎÒÃÇ»¹¿ÉÒÔͨ¹ý¼ì²âÇå¾²ÊÂÎñÀ´ÌáÇ°·¢Ã÷DZÔÚµÄÍþв¡£ÏÂÃæÏÈÈݼ¸ÖÖ³£¼ûµÄÇå¾²ÊÂÎñ¼ì²âÒªÁì¡£
ʹÓÃÈëÇÖ¼ì²âϵͳ£¨IDS£©
ÈëÇÖ¼ì²âϵͳ¿ÉÒÔ¼à²âÍøÂçÁ÷Á¿ºÍϵͳÈÕÖ¾£¬Í¨¹ý¶ÔÁ÷Á¿ºÍÐÐΪµÄÒì³£¼ì²â£¬×ÊÖú·¢Ã÷ÈëÇÖÐÐΪ¡£ÆäÖнÏÁ¿³£ÓõÄIDS¹¤¾ßÓÐSnort¡¢SuricataµÈ¡£
ÉèÖÃÎļþÍêÕûÐÔ¼ì²é
ÎļþÍêÕûÐÔ¼ì²é¿ÉÒÔÓÃÀ´¼ì²âϵͳÎļþµÄÐ޸ĺ͸Ķ¯¡£ÆäÖнϳ£ÓõŤ¾ßÊÇAIDE£¨Advanced Intrusion Detection Environment£©£¬Ëü¿ÉÒÔͨ¹ý°´ÆÚ¼ì²éÎļþ¹þÏ£ÖµµÄ·½·¨À´·¢Ã÷DZÔÚµÄÇå¾²ÎÊÌâ¡£
ÆÊÎöÍøÂçͨѶ
̫ͨ¹ýÎöÍøÂçÁ÷Á¿¿ÉÒÔ·¢Ã÷¶ñÒâÐÐΪºÍ¹¥»÷ʵÑé¡£ÆäÖнÏÁ¿³£¼ûµÄ¹¤¾ßÓÐtcpdump¡¢WiresharkµÈ¡£
Èý¡¢´úÂëʾÀý
ÒÔÏÂÊÇÒ»¸öʹÓÃPythonÓïÑÔ±àдµÄ¼òÆÓµÄÇå¾²ÊÂÎñ¼ì²â¾ç±¾Ê¾Àý£¬ÓÃÓÚ¼à²âSSHµÇ¼ʧ°ÜµÄÇéÐΣº
#!/usr/bin/env python import re import subprocess log_file = '/var/log/auth.log' def check_ssh_failed_login(): pattern = r'Failed password for .* from (d+.d+.d+.d+)' ip_list = [] with open(log_file, 'r') as f: for line in f: match = re.search(pattern, line) if match: ip = match.group(1) ip_list.append(ip) # ͳ¼Æÿ¸öIPµÄµÇ¼ʧ°Ü´ÎÊý count = {} for ip in ip_list: if ip in count: count[ip] += 1 else: count[ip] = 1 # Êä³öµÇ¼ʧ°Ü´ÎÊý´óÓÚãÐÖµµÄIP threshold = 3 for ip, num in count.items(): if num > threshold: print(f'IPµØµã£º{ip} µÇ¼ʧ°Ü´ÎÊý£º{num}') if __name__ == '__main__': check_ssh_failed_login()
µÇ¼ºó¸´ÖÆ
Õâ¸ö¾ç±¾Í¨Ì«¹ýÎöÈÕÖ¾ÎļþÖеÄʧ°ÜµÇ¼¼Í¼£¬²¢Í³¼Æÿ¸öIPµØµãµÄµÇ¼ʧ°Ü´ÎÊý£¬×îºóÊä³öµÇ¼ʧ°Ü´ÎÊý´óÓÚÔ¤ÉèãÐÖµµÄIPµØµã¡£
½áÂÛ
ͨ¹ý¶ÔLinuxЧÀÍÆ÷µÄÈÕÖ¾¾ÙÐÐÆÊÎöºÍÇå¾²ÊÂÎñ¼ì²â£¬ÎÒÃÇ¿ÉÒÔʵʱ·¢Ã÷DZÔÚµÄÍþв²¢½ÓÄÉÏìÓ¦µÄ²½·¥À´±£»¤ÏµÍ³ºÍÊý¾ÝÇå¾²¡£±¾ÎÄÏÈÈÝÁËÈÕÖ¾ÆÊÎöºÍÇå¾²ÊÂÎñ¼ì²âµÄһЩ»ù±¾ÒªÁ죬²¢ÌṩÁËÏà¹ØµÄ´úÂëʾÀý£¬Ï£ÍûÄܹ»¶Ô¶ÁÕßÔÚLinuxƽ̨ÉϾÙÐÐÈÕÖ¾ÆÊÎöºÍÇå¾²ÊÂÎñ¼ì²âÌṩһЩ×ÊÖú¡£
ÒÔÉϾÍÊÇLinuxÉϵÄÈÕÖ¾ÆÊÎöÓëÇå¾²ÊÂÎñ¼ì²âµÄÏêϸÄÚÈÝ£¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡