
How to use CentOS's logging features to analyze security events

Introduction:

In today's network environment, security incidents and attacks keep increasing. To protect a system, detecting and responding to threats promptly is essential. CentOS provides a capable logging facility that helps analyze and monitor security events on the system. This article explains how to use CentOS's logging to analyze security events and provides related code examples.

1. Configuring logging

On CentOS, system logging is handled by the rsyslog service, which is configured through /etc/rsyslog.conf (plus drop-in files under /etc/rsyslog.d/). Open a terminal and edit the main configuration file as root:

vim /etc/rsyslog.conf

Find the following lines, which define rsyslog's network inputs:

#module(load="imudp")
#input(type="imudp" port="514")
#module(load="imtcp")
#input(type="imtcp" port="514")

These inputs are not required for logging local events. Leave them commented out unless this host is meant to receive logs from other machines: uncommenting them makes rsyslog listen on UDP and TCP port 514 on all interfaces for plain-text, unauthenticated syslog, so a collector also needs a firewalld rule that restricts which senders can reach the port. On a host that is intended as a log collector, change them to:

module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

Then find the line that routes general messages to /var/log/messages:

*.info;mail.none;authpriv.none;cron.none /var/log/messages

Authentication messages are selected by the authpriv facility. The stock CentOS rsyslog.conf already contains the rule below directly after that line; check that it is present and add it only if it is missing, because a duplicate rule writes every entry to the file twice:

authpriv.* /var/log/secure

Save and exit the file.

Next, restart the rsyslog service so the configuration takes effect:

systemctl restart rsyslog

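The configuration choice above, packaged as an added example that is not part of the original article: the script renders a drop-in for /etc/rsyslog.d/ that keeps the network inputs disabled (noting what a dedicated collector would enable), audits any rsyslog configuration file for uncommented imudp/imtcp inputs before a restart, and runs rsyslog's own syntax check (rsyslogd -N1) when the binary is available. The drop-in file name, the check order, and the rsyslog 8 RainerScript syntax are assumptions.

```shell
#!/bin/bash
# Added example (not from the original article): render a hardened rsyslog
# drop-in and audit a config file for accidentally enabled network listeners
# before restarting rsyslog. Assumes CentOS 7/8 with rsyslog 8; the drop-in
# path /etc/rsyslog.d/10-security.conf is hypothetical.

# Print the recommended drop-in. Local logging needs no imudp/imtcp input.
# The authpriv rule already exists in the stock /etc/rsyslog.conf, so it is
# only repeated here for installations whose main file was stripped down.
render_rsyslog_dropin() {
    cat <<'EOF'
# Local security logging only: network inputs stay disabled.
# Uncomment the imtcp lines only on a dedicated collector, and then also
# open tcp/514 in firewalld and restrict senders with a rich rule.
#module(load="imtcp")
#input(type="imtcp" port="514")
authpriv.*    /var/log/secure
EOF
}

# Return 0 if the file has no *active* (uncommented) network input, 1 otherwise.
# A line whose first non-blank character is '#' is a comment and is ignored.
check_no_network_inputs() {
    local cfg="$1"
    if grep -Eq '^[[:space:]]*(module\(load="(imudp|imtcp)"\)|input\(type="(imudp|imtcp)")' "$cfg"; then
        return 1
    fi
    return 0
}

# Syntax-check a config with rsyslogd itself (-N1 parses and exits non-zero
# on errors) when it is installed; otherwise say so and skip.
validate_rsyslog_config() {
    local cfg="$1"
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$cfg"
    else
        echo "rsyslogd not installed; skipping syntax check" >&2
    fi
}

# Usage: write the drop-in to a temporary file, audit it, then validate it.
# On a real host copy it to /etc/rsyslog.d/10-security.conf (hypothetical
# name) and run the same two checks on /etc/rsyslog.conf before restarting.
DROPIN=$(mktemp)
render_rsyslog_dropin > "$DROPIN"
if check_no_network_inputs "$DROPIN"; then
    echo "no active network inputs in $DROPIN"
else
    echo "WARNING: $DROPIN enables a syslog listener" >&2
fi
validate_rsyslog_config "$DROPIN"
```

Run the audit against /etc/rsyslog.conf and every file in /etc/rsyslog.d/ on a host that is not supposed to collect remote logs; a non-zero result means a listener was left enabled, which is worth catching before the restart exposes port 514.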

2. Log analysis tools

CentOS ships with several standard text-processing tools that can quickly analyze and monitor security events in the logs. The most commonly used are:

grep

grep is a text search tool that filters lines by keyword or regular expression, which makes it the quickest way to pull specific entries out of a log. For example, to find failed login attempts in /var/log/secure (sshd writes "Failed password" with a capital F, so search case-insensitively):

grep -i "failed" /var/log/secure

tail

tail prints the last few lines of a file. With -f it keeps the file open and prints new lines as they are appended, which is a simple way to watch a log in real time (use -F instead if the watch should survive log rotation). For example, to follow /var/log/messages:

tail -f /var/log/messages

awk

awk is a text-processing language that extracts and manipulates the fields of each line, which allows more elaborate analysis than grep alone. For example, to list the source IP addresses of failed SSH password logins together with how often each appears, take the token that follows "from" on every "Failed password for" line and count it. A fixed column number such as $11 is unreliable here: for an existing account the address is the eleventh field, but a line of the form "Failed password for invalid user NAME from IP" carries the extra "invalid user" words and shifts it to the thirteenth.

awk '/Failed password for/ { for (i = 1; i < NF; i++) if ($i == "from") { print $(i+1); break } }' /var/log/secure | sort | uniq -c | sort -nr

These are the commonly used log analysis tools; choose whichever suits the task at hand.

3. Practical example

The following practical example monitors the IP addresses behind failed logins on the system and saves the result to a file.

Create a new script file as root:

vim /root/login_failed.sh

Add the following content to the script:

#!/bin/bash
# Count failed SSH password logins per source IP and save the result.
set -eu

LOG_FILE="/var/log/secure"
OUTPUT_FILE="/root/login_failed.txt"

# Take the token after "from" instead of a fixed field ($11): lines of the
# form "Failed password for invalid user NAME from IP" shift the columns.
grep "Failed password for" "$LOG_FILE" \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i+1); break } }' \
    | sort | uniq -c | sort -nr > "$OUTPUT_FILE"

Save and exit the file.

Give the script execute permission:

chmod +x /root/login_failed.sh

Run the script by its absolute path:

/root/login_failed.sh

The script searches /var/log/secure for failed login records and saves the source IP addresses with their counts to /root/login_failed.txt. Note that logrotate moves older entries to /var/log/secure-YYYYMMDD, so a single run covers only the current file.
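The per-IP count that the awk one-liner in section 2 and the script above both compute, as an added example that is not part of the original article: it handles both sshd message forms ("Failed password for USER from IP" and "Failed password for invalid user USER from IP"), ignores successful logins, and adds a threshold function that lists the addresses worth blocking. The sample log lines are constructed and embedded in the script; the host name, addresses, and the default threshold of 3 are assumptions. On a real host pass /var/log/secure (and the rotated /var/log/secure-YYYYMMDD files) instead of the sample file.

```shell
#!/bin/bash
# Added example (not the article's script): count failed SSH password logins
# per source IP from sshd lines in /var/log/secure format. The address is the
# token after "from", so the "invalid user" prefix does not shift it the way
# a fixed $11 would. Host name, IPs and timestamps below are constructed.

SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:01:12 web01 sshd[2201]: Failed password for root from 203.0.113.10 port 51234 ssh2
Mar  3 10:01:15 web01 sshd[2201]: Failed password for root from 203.0.113.10 port 51236 ssh2
Mar  3 10:02:40 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:41 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 40023 ssh2
Mar  3 10:02:42 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 40024 ssh2
Mar  3 10:05:00 web01 sshd[2230]: Accepted publickey for deploy from 192.0.2.5 port 50000 ssh2: RSA SHA256:abc
Mar  3 10:06:09 web01 sshd[2240]: Failed password for deploy from 192.0.2.5 port 50010 ssh2
EOF
)

# Print "<count> <ip>" per source address, most frequent first (ties by IP).
# Only sshd "Failed password" lines are considered; "Accepted" lines and
# messages from other daemons are skipped.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i < NF; i++)
                if ($i == "from") { count[$(i+1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Print only the addresses with at least N failures (default 3): the
# candidates for a firewalld drop rule or a fail2ban-style response.
brute_force_candidates() {
    failed_logins_by_ip "$1" | awk -v n="${2:-3}" '$1 >= n { print $2 }'
}

# Usage: write the constructed sample to a temporary file and report on it.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_LOG" > "$SAMPLE_FILE"

echo "failed logins per source IP:"
failed_logins_by_ip "$SAMPLE_FILE"
echo "addresses with 3 or more failures:"
brute_force_candidates "$SAMPLE_FILE" 3
```

The threshold function is where this differs from the one-liner: a count alone is a report, while a list of addresses above a threshold is something a cron job can feed straight into a firewalld rich rule, which is the usual next step after detection.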

Summary:

This article described how to use CentOS's logging facilities to analyze security events and provided related code examples. By configuring rsyslog deliberately and using the log analysis tools above, security events on the system can be detected and handled promptly.

ÒÔÉϾÍÊÇÔõÑùʹÓÃCentOSϵͳµÄÈÕÖ¾¼Í¼¹¦Ð§À´ÆÊÎöÇå¾²ÊÂÎñµÄÏêϸÄÚÈÝ£¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡

ÃâÔð˵Ã÷£ºÒÔÉÏչʾÄÚÈÝȪԴÓÚÏàÖúýÌå¡¢ÆóÒµ»ú¹¹¡¢ÍøÓÑÌṩ»òÍøÂçÍøÂçÕûÀí£¬°æȨÕùÒéÓë±¾Õ¾Î޹أ¬ÎÄÕÂÉæ¼°¿´·¨Óë¿´·¨²»´ú±í×ðÁú¿­Ê±¹ÙÍøµÇ¼ÂËÓÍ»úÍø¹Ù·½Ì¬¶È£¬Çë¶ÁÕß½ö×ö²Î¿¼¡£±¾ÎĽӴýתÔØ£¬×ªÔØÇë˵Ã÷À´ÓÉ¡£ÈôÄúÒÔΪ±¾ÎÄÇÖÕ¼ÁËÄúµÄ°æȨÐÅÏ¢£¬»òÄú·¢Ã÷¸ÃÄÚÈÝÓÐÈκÎÉæ¼°ÓÐÎ¥¹«µÂ¡¢Ã°·¸Ö´·¨µÈÎ¥·¨ÐÅÏ¢£¬ÇëÄúÁ¬Ã¦ÁªÏµ×ðÁú¿­Ê±¹ÙÍøµÇ¼ʵʱÐÞÕý»òɾ³ý¡£

Ïà¹ØÐÂÎÅ

ÁªÏµ×ðÁú¿­Ê±¹ÙÍøµÇ¼

18523999891

¿É΢ÐÅÔÚÏß×Éѯ

ÊÂÇéʱ¼ä£ºÖÜÒ»ÖÁÖÜÎ壬9:30-18:30£¬½ÚãåÈÕÐÝÏ¢

QR code
ÍøÕ¾µØͼ