Linux实用一句话&脚本介绍
<strong>1、查看谁破解你的ssh <br /></strong>cat /var/log/auth.log | grep "pam_unix(sshd:auth): authentication failure;" | cut -f14 -d\ | cut -d'=' -f2 | sort | uniq -c | sort -nr <br /><strong>2、查看当前网络连接数 <br /></strong>netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S}' <br />TCP连接状态详解 <br />LISTEN: 侦听来自远方的TCP端口的连接请求 <br />SYN-SENT: 再发送连接请求后等待匹配的连接请求 <br />SYN-RECEIVED:再收到和发送一个连接请求后等待对方对连接请求的确认 <br />ESTABLISHED: 代表一个打开的连接 <br />FIN-WAIT-1: 等待远程TCP连接中断请求,或先前的连接中断请求的确认 <br />FIN-WAIT-2: 从远程TCP等待连接中断请求 <br />CLOSE-WAIT: 等待从本地用户发来的连接中断请求 <br />CLOSING: 等待远程TCP对连接中断的确认 <br />LAST-ACK: 等待原来的发向远程TCP的连接中断请求的确认 <br />TIME-WAIT: 等待足够的时间以确保远程TCP接收到连接中断请求的确认 <br />CLOSED: 没有任何连接状态 <br /><strong>3、统计80端口连接数</strong> <br />netstat -nat|grep -i "80"|wc -l <br /><strong>4、统计httpd协议连接数</strong> <br />ps -ef|grep httpd|wc -l <br /><strong>5、统计已连接上的,状态为established</strong> <br />netstat -na|grep ESTABLISHED|wc -l <br /><strong>6、查出哪个IP地址连接最多,将其封了. <br /></strong>netstat -na|grep ESTABLISHED|awk {print $5}|awk -F: {print $1}|sort|uniq -c|sort -r +0n <br />netstat -na|grep SYN|awk {print $5}|awk -F: {print $1}|sort|uniq -c|sort -r +0n <br /><strong>7、防SYN</strong> <br /># added by liang SYN protect <br />sysctl -w net.ipv4.tcp_syncookies=1 <br />sysctl -w net.ipv4.tcp_max_syn_backlog=8192 <br />sysctl -w net.ipv4.tcp_fin_timeout=30 <br />sysctl -w net.ipv4.tcp_keepalive_time=200 <br />sysctl -w net.ipv4.tcp_tw_reuse=1 <br />sysctl -w net.ipv4.tcp_tw_recycle=1 <br />sysctl -w net.ipv4.ip_local_port_range="1024 65000" <br />sysctl -w net.ipv4.tcp_max_tw_buckets=5000 <br />sysctl -w net.ipv4.tcp_synack_retries=2 <br />sysctl -w net.ipv4.tcp_syn_retries=2 <br /><strong>8、脚本防SSH和VSFTP暴力破解</strong> <br />#! /bin/bash <br />cat /var/log/secure|awk '/Failed/{print $(NF-3)}'|sort|uniq -c|awk '{print $2"="$1;}' > /root/black.txt <br />DEFINE="100" <br />for i in `cat /root/black.txt` <br />do <br />IP=`echo $i |awk -F= '{print $1}'` <br />NUM=`echo $i|awk -F= '{print $2}'` <br />if [ $NUM -gt $DEFINE ]; <br />then <br />grep $IP /etc/hosts.deny > /dev/null <br />if [ $? -gt 0 ]; <br />then <br />echo "sshd:$IP" >> /etc/hosts.deny <br />echo "vsftpd:$IP" >> /etc/hosts.deny <br />fi <br />fi <br />done <br />我的/etc/crontab文件最后一行为 <br />* */1 * * * root sh /root/hosts_deny.sh <br />另外一个http://www.opsers.org/linux-home/security/use-fail2ban-to-prevent-brute-force-ftp-ssh-and-other-services.html <br /><strong>9、显示每个ip的连接数 <br /></strong>netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
頁:
[1]