CentOS系统通过日志反查是否被入侵
<p><span><strong>一、查看日志文件</strong></span></p>
<p>
Linux查看<code>/var/log/wtmp</code>文件查看可疑IP登陆</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_8171">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">last -f </code><code class="bash plain">/var/log/wtmp</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<img style="max-width:100%!important;height:auto!important;"title="CentOS系统通过日志反查是否被入侵" alt="CentOS系统通过日志反查是否被入侵" src="https://zhuji.jb51.net/uploads/img/202305/d17b818cef13c5b4fecb9dabacbf4219.jpg"></p>
<p>
该日志文件永久记录每个用户登录、注销及系统的启动、停机的事件。因此随着系统正常运行时间的增加,该文件的大小也会越来越大,</p>
<p>
增加的速度取决于系统用户登录的次数。该日志文件可以用来查看用户的登录记录,last命令就通过访问这个文件获得这些信息,并以反序从后向前显示用户的登录记录,last也能根据用户、终端tty或时间显示相应的记录。</p>
<p>
查看<code>/var/log/secure</code>文件寻找可疑IP登陆次数</p>
<p>
<img style="max-width:100%!important;height:auto!important;"title="CentOS系统通过日志反查是否被入侵" alt="CentOS系统通过日志反查是否被入侵" src="https://zhuji.jb51.net/uploads/img/202305/5798adb66ada883b49afb50368a01ee9.jpg"></p>
<p>
<span><strong>二、脚本生产所有登录用户的操作历史</strong></span></p>
<p>
在linux系统的环境下,不管是root用户还是其它的用户只有登陆系统后用进入操作我们都可以通过命令<code>history</code>来查看历史记录,可是假如一台服务器多人登陆,一天因为某人误操作了删除了重要的数据。这时候通过查看历史记录(命令:<code>history</code>)是没有什么意义了(因为<code>history</code>只针对登录用户下执行有效,即使root用户也无法得到其它用户<code>histotry</code>历史)。</p>
<p>
那有没有什么办法实现通过记录登陆后的IP地址和某用户名所操作的历史记录呢?</p>
<p>
答案:有的。</p>
<p>
通过在<code>/etc/profile</code>里面加入以下代码就可以实现:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_270898">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
<div class="line number9 index8 alt2">
9</div>
<div class="line number10 index9 alt1">
10</div>
<div class="line number11 index10 alt2">
11</div>
<div class="line number12 index11 alt1">
12</div>
<div class="line number13 index12 alt2">
13</div>
<div class="line number14 index13 alt1">
14</div>
<div class="line number15 index14 alt2">
15</div>
<div class="line number16 index15 alt1">
16</div>
<div class="line number17 index16 alt2">
17</div>
<div class="line number18 index17 alt1">
18</div>
<div class="line number19 index18 alt2">
19</div>
<div class="line number20 index19 alt1">
20</div>
<div class="line number21 index20 alt2">
21</div>
<div class="line number22 index21 alt1">
22</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">PS1=</code><code class="bash string">"`whoami`@`hostname`:"</code><code class="bash string">'[$PWD]'</code>
</div>
<div class="line number2 index1 alt1">
<code class="bash functions">history</code>
</div>
<div class="line number3 index2 alt2">
<code class="bash plain">USER_IP=`</code><code class="bash functions">who</code> <code class="bash plain">-u am i 2></code><code class="bash plain">/dev/null</code><code class="bash plain">| </code><code class="bash functions">awk</code> <code class="bash string">'{print $NF}'</code><code class="bash plain">|</code><code class="bash functions">sed</code> <code class="bash plain">-e </code><code class="bash string">'s/[()]//g'</code><code class="bash plain">`</code>
</div>
<div class="line number4 index3 alt1">
<code class="bash keyword">if</code> <code class="bash plain">[ </code><code class="bash string">"$USER_IP"</code> <code class="bash plain">= </code><code class="bash string">""</code> <code class="bash plain">]</code>
</div>
<div class="line number5 index4 alt2">
<code class="bash keyword">then</code>
</div>
<div class="line number6 index5 alt1">
<code class="bash plain">USER_IP=`</code><code class="bash functions">hostname</code><code class="bash plain">`</code>
</div>
<div class="line number7 index6 alt2">
<code class="bash keyword">fi</code>
</div>
<div class="line number8 index7 alt1">
<code class="bash keyword">if</code> <code class="bash plain">[ ! -d </code><code class="bash plain">/tmp/dbasky</code> <code class="bash plain">]</code>
</div>
<div class="line number9 index8 alt2">
<code class="bash keyword">then</code>
</div>
<div class="line number10 index9 alt1">
<code class="bash functions">mkdir</code> <code class="bash plain">/tmp/dbasky</code>
</div>
<div class="line number11 index10 alt2">
<code class="bash functions">chmod</code> <code class="bash plain">777 </code><code class="bash plain">/tmp/dbasky</code>
</div>
<div class="line number12 index11 alt1">
<code class="bash keyword">fi</code>
</div>
<div class="line number13 index12 alt2">
<code class="bash keyword">if</code> <code class="bash plain">[ ! -d </code><code class="bash plain">/tmp/dbasky/</code><code class="bash plain">${LOGNAME} ]</code>
</div>
<div class="line number14 index13 alt1">
<code class="bash keyword">then</code>
</div>
<div class="line number15 index14 alt2">
<code class="bash functions">mkdir</code> <code class="bash plain">/tmp/dbasky/</code><code class="bash plain">${LOGNAME}</code>
</div>
<div class="line number16 index15 alt1">
<code class="bash functions">chmod</code> <code class="bash plain">300 </code><code class="bash plain">/tmp/dbasky/</code><code class="bash plain">${LOGNAME}</code>
</div>
<div class="line number17 index16 alt2">
<code class="bash keyword">fi</code>
</div>
<div class="line number18 index17 alt1">
<code class="bash functions">export</code> <code class="bash plain">HISTSIZE=4096</code>
</div>
<div class="line number19 index18 alt2">
<code class="bash plain">DT=`</code><code class="bash functions">date</code> <code class="bash string">"+%Y-%m-%d_%H:%M:%S"</code><code class="bash plain">`</code>
</div>
<div class="line number20 index19 alt1">
<code class="bash functions">export</code> <code class="bash plain">HISTFILE=</code><code class="bash string">"/tmp/dbasky/${LOGNAME}/${USER_IP} dbasky.$DT"</code>
</div>
<div class="line number21 index20 alt2">
<code class="bash functions">chmod</code> <code class="bash plain">600 </code><code class="bash plain">/tmp/dbasky/</code><code class="bash plain">${LOGNAME}/*dbasky* 2></code><code class="bash plain">/dev/null</code>
</div>
<div class="line number22 index21 alt1">
<code class="bash functions">source</code> <code class="bash plain">/etc/profile</code> <code class="bash plain">使用脚本生效</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
退出用户,重新登录</p>
<p>
上面脚本在系统的/tmp新建个dbasky目录,记录所有登陆过系统的用户和IP地址(文件名),每当用户登录/退出会创建相应的文件,该文件保存这段用户登录时期内操作历史,可以用这个方法来监测系统的安全性。</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_838893">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">root@zsc6:[</code><code class="bash plain">/tmp/dbasky/root</code><code class="bash plain">]</code><code class="bash functions">ls</code>
</div>
<div class="line number2 index1 alt1">
</div>
<div class="line number3 index2 alt2">
<code class="bash plain">10.1.80.47 dbasky.2013-10-24_12:53:08</code>
</div>
<div class="line number4 index3 alt1">
</div>
<div class="line number5 index4 alt2">
<code class="bash plain">root@zsc6:[</code><code class="bash plain">/tmp/dbasky/root</code><code class="bash plain">]</code><code class="bash functions">cat</code> <code class="bash plain">10.1.80.47 dbasky.2013-10-24_12:53:08</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<span><strong>三、总结</strong></span></p>
<p>
以上就是这篇文章的全部内容,希望对大家维护服务器安全能有所帮助,如果有疑问可以留言交流。</p>
頁:
[1]