
Log Analysis and Security Event Detection on Linux


Network security problems are increasingly prominent, and attacks and malware are a standing threat to companies and individuals alike. To protect systems and data, analysing server logs and detecting security events is essential. Linux provides a rich set of tools and techniques for this. This article explains how to perform log analysis and security event detection on Linux and gives code examples to make the methods concrete.

1. Log analysis

Server logs record the important facts about user and system activity. Analysing them helps us troubleshoot problems, spot anomalies and trace attackers. Several common log analysis methods are described below.

Analysing system logs

The main log files of a Linux system live under /var/log. General system messages go to /var/log/messages on RHEL-family distributions and to /var/log/syslog on Debian and Ubuntu; authentication events (logins, sudo, sshd) go to /var/log/secure or /var/log/auth.log respectively, and on hosts that rely on systemd-journald alone they are read with journalctl. The grep command is the quickest way to search these files for a keyword such as a particular IP address.

For example, the following command lists the authentication log entries that mention a given IP address. The -F flag makes grep match the string literally, since a dot is otherwise a regular-expression metacharacter that matches any character:

grep -F '192.168.1.100' /var/log/auth.log

Using log analysis tools

Besides reading log files by hand, log analysis tools help with large volumes of log data. The most widely used is the ELK stack (Elasticsearch, Logstash and Kibana).

Elasticsearch is a distributed search and analytics engine; Logstash collects, parses and forwards log data; Kibana is a data visualisation front end. Used together, they let us ship log data into Elasticsearch and search and visualise it efficiently in Kibana.

Analysis with custom scripts

Besides existing tools and commands, we can write our own scripts to analyse and process log data. For example, the following script computes the request volume of an Apache access log:

#!/bin/bash
# Apache access log; on Debian/Ubuntu it is /var/log/apache2/access.log instead.
logfile="/var/log/httpd/access_log"
# One line per request, so the line count is the request count.
count=$(wc -l < "$logfile")
echo "Total Requests: $count"
# The client address is the first field of each line.
unique_ips=$(awk '{print $1}' "$logfile" | sort -u | wc -l)
echo "Unique IPs: $unique_ips"


This script counts the lines of the log file with wc (one line per request), extracts the first field of every line with awk, removes duplicates with sort -u and counts the remaining lines to get the number of distinct client IP addresses, then prints both results.
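The following Python script is an added example, not code from the original page. It goes a step beyond the shell script above: it parses each line of an Apache combined-format access log with a regular expression, counts requests and distinct clients as before, but also tallies HTTP status codes and flags clients that produce many 4xx responses, which is a simple signature of path scanning. The log lines embedded in it are constructed sample data, the error_threshold value of 3 is an assumed cut-off, and the regular expression follows the standard combined log format.

```python
#!/usr/bin/env python3
"""Summarise an Apache/Nginx combined-format access log (added example)."""
import re
from collections import Counter

# Combined log format:
# ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample data (not real traffic): one normal visitor, one scanner
# probing for well-known files, one API client, and one unparseable line.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /.env HTTP/1.1" 404 512 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /admin HTTP/1.1" 403 512 "-" "curl/7.88"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "POST /api/login HTTP/1.1" 200 88 "-" "python-requests/2.31"
this line is corrupt and must not crash the parser
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['size'] = 0 if rec['size'] == '-' else int(rec['size'])
    return rec


def summarise(lines, error_threshold=3):
    """Count requests, distinct clients and status codes; list clients with
    at least error_threshold 4xx responses (an assumed cut-off)."""
    total = unparsed = 0
    per_ip, status, errors_per_ip = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():          # ignore blank lines, count real garbage
                unparsed += 1
            continue
        total += 1
        per_ip[rec['ip']] += 1
        status[rec['status']] += 1
        if 400 <= rec['status'] < 500:
            errors_per_ip[rec['ip']] += 1
    return {
        'total': total,
        'unparsed': unparsed,
        'unique_ips': len(per_ip),
        'top_ips': per_ip.most_common(5),
        'status_counts': dict(status),
        'suspicious_ips': sorted(ip for ip, n in errors_per_ip.items()
                                 if n >= error_threshold),
    }


def summarise_file(path, error_threshold=3):
    """Same report for a real log file, e.g. /var/log/httpd/access_log."""
    with open(path, 'r', errors='replace') as f:
        return summarise(f, error_threshold)


if __name__ == '__main__':
    report = summarise(SAMPLE_LOG.splitlines())
    print(f"Total Requests: {report['total']}  (unparsed: {report['unparsed']})")
    print(f"Unique IPs: {report['unique_ips']}")
    print("Status codes:", report['status_counts'])
    print("Top clients:", report['top_ips'])
    print("Clients with many 4xx responses:", report['suspicious_ips'])
```

Lines that do not match the format are counted rather than silently dropped; a sudden rise in the unparsed count is itself worth a look, since it usually means a log format change or injected content in a request field.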

2. Security event detection

Besides analysing logs, we can detect security events directly to find potential threats earlier. Several common detection methods are described below.

Using an intrusion detection system (IDS)

An intrusion detection system monitors network traffic and system logs and reports anomalous traffic or behaviour, helping to uncover intrusions. The most widely used IDS tools are Snort and Suricata.

Setting up file integrity checking

File integrity checking detects modifications to system files. The common tool is AIDE (Advanced Intrusion Detection Environment): it builds a database of file hashes and attributes (aide --init) and on later runs (aide --check) reports every file whose current values differ from the baseline, which surfaces tampered binaries, added backdoors and altered configuration. The baseline database must be kept where an intruder cannot rewrite it, otherwise a tampered file and a matching tampered baseline pass the check.
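The following Python script is an added example, not AIDE's own code, that implements the same technique at small scale: it walks a directory tree, records the SHA-256 hash, size and permission bits of every regular file as a JSON baseline, and on a second pass reports files that were added, removed or changed. The demo function builds a throwaway tree with constructed contents, tampers with it and returns the differences; the file names and contents are sample data only.

```python
#!/usr/bin/env python3
"""Minimal file-integrity baseline and check in the spirit of AIDE (added example)."""
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (by relative path) to its hash, size and mode."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                       # walk in a stable order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                      # symlinks and device nodes are out of scope here
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                'sha256': file_digest(full),
                'size': st.st_size,
                'mode': oct(st.st_mode & 0o7777),   # permission bits incl. setuid/setgid/sticky
            }
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline as JSON. Keep this file off-host or read-only in practice:
    an attacker who can edit both a file and its baseline defeats the check."""
    with open(path, 'w') as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(old, new):
    """Report files that appeared, vanished, or whose hash, size or mode changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {'added': added, 'removed': removed, 'changed': changed}


def demo():
    """Build a throwaway tree (constructed data), baseline it, tamper, return the diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as dbdir:
        etc = os.path.join(root, 'etc')
        os.makedirs(etc)
        with open(os.path.join(etc, 'passwd'), 'w') as f:
            f.write('root:x:0:0:root:/root:/bin/bash\n')
        with open(os.path.join(etc, 'hosts'), 'w') as f:
            f.write('127.0.0.1 localhost\n')
        db = os.path.join(dbdir, 'integrity.json')   # stored outside the checked tree
        save_baseline(build_baseline(root), db)

        # Simulated tampering: a uid-0 account appended, a file deleted, a binary dropped.
        with open(os.path.join(etc, 'passwd'), 'a') as f:
            f.write('backdoor:x:0:0::/root:/bin/bash\n')
        os.remove(os.path.join(etc, 'hosts'))
        os.makedirs(os.path.join(root, 'usr', 'bin'))
        with open(os.path.join(root, 'usr', 'bin', 'evil'), 'wb') as f:
            f.write(b'\x7fELF')

        return compare(load_baseline(db), build_baseline(root))


if __name__ == '__main__':
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Because the mode bits are part of the record, a chmod that adds the setuid bit to an otherwise untouched binary is reported as changed even though its hash is identical; that is the case a hash-only comparison misses.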

Analysing network traffic

Analysing network traffic reveals malicious behaviour and attack attempts. The most common tools are tcpdump for capturing packets on the command line and Wireshark for inspecting captures in detail.

3. Code example

The following is a simple security event detection script written in Python that watches for failed SSH logins:

#!/usr/bin/env python3

import re

# Debian/Ubuntu path; RHEL-family systems log sshd to /var/log/secure instead.
log_file = '/var/log/auth.log'

def check_ssh_failed_login():
    # Capture the IPv4 source of each "Failed password" line; the backslashes
    # are required so that \d and \. match digits and dots rather than letters.
    pattern = r'Failed password for .* from (\d+\.\d+\.\d+\.\d+)'
    ip_list = []

    with open(log_file, 'r') as f:
        for line in f:
            match = re.search(pattern, line)
            if match:
                ip = match.group(1)
                ip_list.append(ip)

    # Count the failed logins per IP address
    count = {}
    for ip in ip_list:
        if ip in count:
            count[ip] += 1
        else:
            count[ip] = 1

    # Print the IP addresses whose failure count exceeds the threshold
    threshold = 3
    for ip, num in count.items():
        if num > threshold:
            print(f'IP address: {ip}  failed logins: {num}')
    return count

if __name__ == '__main__':
    check_ssh_failed_login()


The script reads the failed-login records from the log file, counts the failures per IP address, and prints the addresses whose count exceeds the preset threshold. Note its limits: it only matches IPv4 sources, it counts over the whole file rather than over a time window (so three typos spread across a month count the same as three attempts in one second), and it must be run with permission to read the authentication log, which is normally restricted to root and the adm group.
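The following Python script is an added example, not code from the original page. It keeps the idea of the script above but addresses its limits: the regular expression also matches the "invalid user" form of the sshd message and IPv6 sources, timestamps are parsed, and an alert is raised only when a source accumulates the threshold number of failures inside a sliding time window, so a slow trickle of mistyped passwords from a legitimate user is not reported. The log lines are constructed sample data; the threshold of 3 failures in 60 seconds and the year 2023 (the classic syslog timestamp carries no year) are assumed values.

```python
#!/usr/bin/env python3
"""Flag SSH brute-force bursts with a per-source sliding window (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd lines as written by rsyslog to /var/log/auth.log (Debian/Ubuntu) or
# /var/log/secure (RHEL). Covers the "invalid user" variant and IPv6 sources.
FAILED_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port \d+'
)

# Constructed sample log. Source 1 hammers root/admin within seconds, source 2 is a
# legitimate user mistyping a password three times over an hour, source 3 is an
# IPv6 scanner. The syslog timestamp carries no year, so one is assumed below.
SAMPLE_AUTH_LOG = """\
Oct 10 13:55:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 50011 ssh2
Oct 10 13:55:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 50012 ssh2
Oct 10 13:55:05 host sshd[1003]: Failed password for root from 203.0.113.5 port 50013 ssh2
Oct 10 13:55:06 host sshd[1004]: Failed password for root from 203.0.113.5 port 50014 ssh2
Oct 10 13:55:08 host sshd[1005]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Oct 10 14:10:00 host sshd[1006]: Failed password for alice from 198.51.100.7 port 40023 ssh2
Oct 10 14:30:00 host sshd[1007]: Failed password for alice from 198.51.100.7 port 40024 ssh2
Oct 10 14:50:00 host sshd[1008]: Failed password for alice from 198.51.100.7 port 40025 ssh2
Oct 10 14:51:00 host sshd[1009]: Failed password for bob from 2001:db8::1 port 40030 ssh2
Oct 10 14:51:01 host sshd[1010]: Failed password for bob from 2001:db8::1 port 40031 ssh2
Oct 10 14:51:02 host sshd[1011]: Failed password for bob from 2001:db8::1 port 40032 ssh2
"""


def parse_failed(line, year=2023):
    """Return (timestamp, source_ip, username) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", '%Y %b %d %H:%M:%S')
    return ts, m.group('ip'), m.group('user')


def detect_bruteforce(lines, threshold=3, window_seconds=60, year=2023):
    """Return {ip: alert} for every source with at least `threshold` failures inside
    any `window_seconds` span. Both limits are assumed tuning values."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames tried so far
    alerts = {}
    for line in lines:
        rec = parse_failed(line, year)
        if rec is None:
            continue
        ts, ip, user = rec
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {'first_seen': q[0], 'failures_in_window': len(q),
                          'users': sorted(users[ip])}
    return alerts


if __name__ == '__main__':
    for ip, a in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"{ip}: {a['failures_in_window']} failures from {a['first_seen']} "
              f"targeting {', '.join(a['users'])}")
```

On the sample data only 203.0.113.5 and 2001:db8::1 are reported; 198.51.100.7 also fails three times but twenty minutes apart, so it never fills the window. On hosts where sshd logs only to the systemd journal, feed the lines from journalctl -u ssh (or -u sshd on RHEL), whose default output uses the same syslog-style timestamp, to detect_bruteforce instead of reading a file.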

Conclusion

By analysing the logs of Linux servers and detecting security events, we can discover potential threats promptly and respond to protect systems and data. This article has introduced the basic methods of log analysis and security event detection on Linux, with code examples; the natural next steps are central log collection, so that an intruder cannot erase the evidence on the host, and time-windowed rather than lifetime counting of suspicious events.

ÒÔÉϾÍÊÇLinuxÉϵÄÈÕÖ¾ÆÊÎöÓëÇå¾²ÊÂÎñ¼ì²âµÄÏêϸÄÚÈÝ £¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡

ÃâÔð˵Ã÷£ºÒÔÉÏչʾÄÚÈÝȪԴÓÚÏàÖúýÌå¡¢ÆóÒµ»ú¹¹¡¢ÍøÓÑÌṩ»òÍøÂçÍøÂçÕûÀí £¬°æȨÕùÒéÓë±¾Õ¾ÎÞ¹Ø £¬ÎÄÕÂÉæ¼°¿´·¨Óë¿´·¨²»´ú±í×ðÁú¿­Ê±¹ÙÍøµÇ¼ÂËÓÍ»úÍø¹Ù·½Ì¬¶È £¬Çë¶ÁÕß½ö×ö²Î¿¼¡£±¾ÎĽӴýתÔØ £¬×ªÔØÇë˵Ã÷À´ÓÉ¡£ÈôÄúÒÔΪ±¾ÎÄÇÖÕ¼ÁËÄúµÄ°æȨÐÅÏ¢ £¬»òÄú·¢Ã÷¸ÃÄÚÈÝÓÐÈκÎÉæ¼°ÓÐÎ¥¹«µÂ¡¢Ã°·¸Ö´·¨µÈÎ¥·¨ÐÅÏ¢ £¬ÇëÄúÁ¬Ã¦ÁªÏµ×ðÁú¿­Ê±¹ÙÍøµÇ¼ʵʱÐÞÕý»òɾ³ý¡£

Ïà¹ØÐÂÎÅ

ÁªÏµ×ðÁú¿­Ê±¹ÙÍøµÇ¼

18523999891

¿É΢ÐÅÔÚÏß×Éѯ

ÊÂÇéʱ¼ä£ºÖÜÒ»ÖÁÖÜÎå £¬9:30-18:30 £¬½ÚãåÈÕÐÝÏ¢

QR code
ÍøÕ¾µØͼ