最近学习到linux系统日志和计划任务,下班回家的地铁上有了灵感,尝试编写了自己的第一个脚本,监测如果有恶意登录服务器的话,发邮件通知管理员。暂时还没学习到如何发邮件给管理员,目前只是提醒和日志记录;脚本的内容也比较简单,都是学习过的基本知识,活学活用。
1、首先编写一个脚本:
定义一个变量LT,变量的值为lastb命令列出的行数(即无效登录的次数,如有恶意登录的话行数会变多);
执行一个if判断语句,如果定义的值大于15次的话,判断为恶意登录,通知管理员。
脚本内容如下:
[root@localhost ~]# cat lt.sh
#! /bin/bash
#定义变量LT,记录无效登录的次数;
LT=`lastb |wc -l |cut -d ' ' -f 1`
if [ $LT -gt "15" ]
#判断无效登录的次数如果大于15的话,执行下面的操作;
then echo "somebody try to login please check log"
#打印有人尝试登录系统请检查日志
fi
2、编写一个计划任务
每隔一分钟自动执行上面的脚本
[root@localhost ~]# crontab -l
*/1 * * * * /bin/sh /root/lt.sh
3、查看效果
超过15次登录在当前命令行模式会提示,有一封新邮件在/var/spool/mail/root下;
[root@localhost ~]#
You have new mail in /var/spool/mail/root
查看新邮件,会发现脚本里面的内容,证明有人在尝试登录主机;
[root@localhost ~]# tail -2 /var/spool/mail/root
somebody try to login please check log
执行lastb命令查看发现很多登录失败的记录
[root@localhost ~]# lastb |head
user1 ssh:notty 192.168.22.1 Tue Apr 21 22:04 - 22:04 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 22:04 - 22:04 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 22:03 - 22:03 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 22:03 - 22:03 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 22:03 - 22:03 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 22:03 - 22:03 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 22:03 - 22:03 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 21:29 - 21:29 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 21:29 - 21:29 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 21:29 - 21:29 (00:00)
查看/var/log/secure 日志也会发现有多次登录失败的记录
Apr 21 22:03:35 localhost unix_chkpwd[1501]: password check failed for user (user1)
Apr 21 22:03:35 localhost sshd[1499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.22.1 user=user1
Apr 21 22:03:36 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:39 localhost unix_chkpwd[1502]: password check failed for user (user1)
Apr 21 22:03:41 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:44 localhost unix_chkpwd[1503]: password check failed for user (user1)
Apr 21 22:03:46 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:49 localhost unix_chkpwd[1504]: password check failed for user (user1)
Apr 21 22:03:51 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:52 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:54 localhost sshd[1500]: Received disconnect from 192.168.22.1: 0:
根据访问日志的来源IP,我们可以对来源设置iptables规则,禁止访问服务器的22端口,或者封闭ip地址;
暂时只有这么多,小小的骄傲一下,给自己增加点自信心,相信之后的学习中会更加深入了解linux;
和大家分享一下,共勉之。
1、首先编写一个脚本:
定义一个变量LT,变量的值为lastb命令列出的行数(即无效登录的次数,如有恶意登录的话行数会变多);
执行一个if判断语句,如果定义的值大于15次的话,判断为恶意登录,通知管理员。
脚本内容如下:
[root@localhost ~]# cat lt.sh
#! /bin/bash
#定义变量LT,记录无效登录的次数;
LT=`lastb |wc -l |cut -d ' ' -f 1`
if [ $LT -gt "15" ]
#判断无效登录的次数如果大于15的话,执行下面的操作;
then echo "somebody try to login please check log"
#打印有人尝试登录系统请检查日志
fi
2、编写一个计划任务
每隔一分钟自动执行上面的脚本
[root@localhost ~]# crontab -l
*/1 * * * * /bin/sh /root/lt.sh
3、查看效果
超过15次登录在当前命令行模式会提示,有一封新邮件在/var/spool/mail/root下;
[root@localhost ~]#
You have new mail in /var/spool/mail/root
查看新邮件,会发现脚本里面的内容,证明有人在尝试登录主机;
[root@localhost ~]# tail -2 /var/spool/mail/root
somebody try to login please check log
执行lastb命令查看发现很多登录失败的记录
[root@localhost ~]# lastb |head
user1 ssh:notty 192.168.22.1 Tue Apr 21 22:04 - 22:04 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 22:04 - 22:04 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 22:03 - 22:03 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 22:03 - 22:03 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 22:03 - 22:03 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 22:03 - 22:03 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 22:03 - 22:03 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 21:29 - 21:29 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 21:29 - 21:29 (00:00)
user1 ssh:notty 192.168.22.1 Tue Apr 21 21:29 - 21:29 (00:00)
查看/var/log/secure 日志也会发现有多次登录失败的记录
Apr 21 22:03:35 localhost unix_chkpwd[1501]: password check failed for user (user1)
Apr 21 22:03:35 localhost sshd[1499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.22.1 user=user1
Apr 21 22:03:36 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:39 localhost unix_chkpwd[1502]: password check failed for user (user1)
Apr 21 22:03:41 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:44 localhost unix_chkpwd[1503]: password check failed for user (user1)
Apr 21 22:03:46 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:49 localhost unix_chkpwd[1504]: password check failed for user (user1)
Apr 21 22:03:51 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:52 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:54 localhost sshd[1500]: Received disconnect from 192.168.22.1: 0:
根据访问日志的来源IP,我们可以对来源设置iptables规则,禁止访问服务器的22端口,或者封闭ip地址;
暂时只有这么多,小小的骄傲一下,给自己增加点自信心,相信之后的学习中会更加深入了解linux;
和大家分享一下,共勉之。
0
{:4_107:}多谢铭哥鼓励,继续学习。
阿铭 发表于 2015-4-22 13:23
学以致用,非常不错! 脚本都是从小写大的,希望你能继续坚持下去,后面咱们的内容越来越多用到脚本的地方 ...
{:4_107:}多谢铭哥鼓励,继续学习。
编辑回复