How to use the CentOS logging facility to analyze security events
Introduction:
In today's network environment, security incidents and attacks are increasingly common. To protect a system, detecting and responding to security threats in time is critical. CentOS provides a powerful logging facility that can help us analyze and monitor security events on the system. This article describes how to use CentOS logging to analyze security events and provides related code examples.
1. Configuring logging
On CentOS, logging is handled by the rsyslog service, and it is configured by editing rsyslog's configuration file. Open a terminal and run the following command as root:
vim /etc/rsyslog.conf
Find the following lines:
#module(load="imudp")
#input(type="imudp" port="514")
#module(load="imtcp")
#input(type="imtcp" port="514")
These lines control whether rsyslog accepts log messages from other hosts over UDP and TCP port 514. Uncomment them only if this machine is meant to collect logs from other systems; on a stand-alone host they can stay commented so that no listening port is opened. To enable remote reception, change them to:
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
Then find the following line:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
Add the following line after it (the stock CentOS rsyslog.conf already contains it; if it is present, do not add a second copy, or every authpriv message will be written twice):
authpriv.* /var/log/secure
Save and exit the file.
Next, restart the rsyslog service so the configuration takes effect. You can check the file for syntax errors first with rsyslogd -N1. Run:
systemctl restart rsyslog
2. Log analysis tools
CentOS ships with several powerful text tools that help us analyze and monitor security events in log files quickly. A few commonly used ones:
grep
grep is a powerful text search tool for filtering lines and searching for keywords, so it can be used to pull specific entries out of a log. For example, to find login attempt records containing the keyword "failed" (matched case-insensitively, since sshd writes "Failed password"), run:
grep -i "failed" /var/log/secure
tail
The tail command displays the last few lines of a file. With the -f option it keeps printing new lines as they are appended, which lets us watch a log file in real time. For example, to follow /var/log/messages, run:
tail -f /var/log/messages
awk
awk is a powerful text-processing tool for extracting and processing specific fields of a text. With awk we can do more complex analysis of a log file. For example, to extract the source IP addresses of failed logins and the number of failures per address, run:
awk '/Failed password for/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' /var/log/secure | sort | uniq -c | sort -nr
The loop prints the field that follows the word "from", which is the source address. A fixed field number such as $11 would be wrong for the "Failed password for invalid user NAME from IP" form of the message, where the address sits two fields further to the right.
These are some commonly used log analysis tools; choose the one that fits your needs.
3. Practical example
The following is a practical example. Suppose we want to monitor the IP addresses behind failed logins on the system and save the results to a file.
Create a new script file; run the following command as root:
vim /root/login_failed.sh
Add the following content to the script file:
#!/bin/bash
LOG_FILE="/var/log/secure"
OUTPUT_FILE="/root/login_failed.txt"
# Print the source address (the field after "from") of every failed password
# attempt, then count occurrences per address, most frequent first.
grep "Failed password for" "$LOG_FILE" | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' | sort | uniq -c | sort -nr > "$OUTPUT_FILE"
Save and exit the file.
Use the following command to make the script executable:
chmod +x /root/login_failed.sh
Run the script with:
/root/login_failed.sh
The script searches /var/log/secure for failed login records and writes each source IP address together with its number of failures to /root/login_failed.txt.
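The awk one-liner in section 2 and the script above both depend on locating the source address in sshd's "Failed password" messages. The following bash script is an added example written for this article, not code from the original page: it applies the same pipeline to a few constructed /var/log/secure-style lines embedded in the script (hostnames and addresses are made up; the addresses come from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24), covers both the plain and the "invalid user" message forms, and wraps the results in functions so that a failure threshold can be applied. The function names count_failed_logins, top_failed_ip, failures_for_ip and ips_over_threshold are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the original article): count failed SSH logins per
# source address in the format sshd writes to /var/log/secure on CentOS.

# Constructed sample log lines (hostnames and addresses are made up; the
# addresses come from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24).
SAMPLE_LOG='Jan 10 10:01:02 host1 sshd[1201]: Failed password for root from 192.0.2.10 port 51012 ssh2
Jan 10 10:01:05 host1 sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 51020 ssh2
Jan 10 10:01:09 host1 sshd[1205]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Jan 10 10:02:11 host1 sshd[1210]: Failed password for alice from 198.51.100.7 port 40030 ssh2
Jan 10 10:02:15 host1 sshd[1212]: Failed password for invalid user test from 192.0.2.10 port 51033 ssh2
Jan 10 10:03:01 host1 sshd[1215]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.44 user=root'

# count_failed_logins: read sshd log lines on stdin and print "COUNT IP" lines,
# most frequent first. The address is the token after "from", so both the
# "Failed password for USER from IP" and the "... invalid user USER from IP"
# forms are handled; a fixed field number like $11 would break on the latter.
count_failed_logins() {
    awk '/sshd\[[0-9]+]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' | sort | uniq -c | sort -k1,1nr -k2,2 | awk '{ print $1, $2 }'
}

# top_failed_ip: the address with the most failures (empty if there are none).
top_failed_ip() {
    count_failed_logins | head -n 1 | awk '{ print $2 }'
}

# failures_for_ip IP: number of failures recorded for one address (0 if none).
failures_for_ip() {
    n=$(count_failed_logins | awk -v ip="$1" '$2 == ip { print $1 }')
    echo "${n:-0}"
}

# ips_over_threshold N: addresses with at least N failures, one per line.
ips_over_threshold() {
    count_failed_logins | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample. On a real host, replace the
# printf with: sudo cat /var/log/secure
printf '%s\n' "$SAMPLE_LOG" | count_failed_logins
```

On a real host, feed the actual log instead of the sample (sudo cat /var/log/secure | count_failed_logins). The "Accepted password" and pam_unix lines in the sample are deliberately included to show that only the sshd "Failed password" messages are counted, and ips_over_threshold gives a simple cut-off for deciding which addresses deserve a closer look.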
Summary:
This article described how to use CentOS logging to analyze security events and provided related code examples. By configuring logging and using log analysis tools, we can detect and respond to security events on the system in time. We hope this information is helpful.
ÒÔÉϾÍÊÇÔõÑùʹÓÃCentOSϵͳµÄÈÕÖ¾¼Í¼¹¦Ð§À´ÆÊÎöÇå¾²ÊÂÎñµÄÏêϸÄÚÈÝ£¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡