入侵检测
查看系统日志(以下路径为 RHEL/CentOS 的 /var/log/secure;Debian/Ubuntu 对应 /var/log/auth.log;只用 journald 的系统用 `journalctl -u sshd`)。注意:已拿到 root 的入侵者可以修改或清空本机日志,下面的结果只能当线索,应与转发到独立日志服务器的副本交叉比对。
过滤ssh远程登录失败日志
[root@localhost ~]# grep -i Failed /var/log/secure
May 3 08:49:36 localhost unix_chkpwd[26148]: password check failed for user (root)
May 3 08:49:38 localhost sshd[26146]: Failed password for root from 192.168.31.110 port 10889 ssh2
过滤ssh远程登录成功日志
[root@localhost ~]# grep -i Accepted /var/log/secure
Apr 28 13:32:17 MiWiFi-R3P-srv sshd[13500]: Accepted password for root from 192.168.31.110 port 2620 ssh2
Apr 28 13:34:58 localhost sshd[12708]: Accepted password for root from 192.168.31.110 port 2802 ssh2
统计登录成功或登录失败的ip,并进行去重降序排列。按 "from" 后面的字段取 IP,而不是固定取倒数第4列:公钥登录的日志行末尾带 `ssh2: RSA SHA256:...`,倒数第4列会变成端口号;IPv6 地址也不以数字开头,会被 `grep '^[0-9]'` 过滤掉。
# 统计登录成功的ip
[root@localhost ~]# grep -i Accepted /var/log/secure |awk '{for(i=1;i<NF;i++) if($i=="from") print $(i+1)}' |sort |uniq -c |sort -rn
18 192.168.31.110
# 统计登录失败的ip(unix_chkpwd 的 "password check failed" 行没有来源 IP,不会被计入)
[root@localhost ~]# grep -i Failed /var/log/secure |awk '{for(i=1;i<NF;i++) if($i=="from") print $(i+1)}' |sort |uniq -c |sort -rn
1 192.168.31.110
查看历史用户登录信息 last :查看最后5条登录信息(`-a` 把来源主机放在最后一列,加 `-i` 直接显示 IP、不做反向 DNS)。last 读取的是 /var/log/wtmp,root 可以直接清空或编辑它,所以没有记录不等于没有登录:检查 wtmp 的大小和修改时间,并与上面 sshd 的 Accepted 日志相互印证。
[root@localhost ~]# last -a -5
root pts/1 Mon May 3 08:48 - 08:51 (00:03) 192.168.31.110
root pts/0 Thu Apr 29 20:26 still logged in 192.168.31.110
root pts/1 Thu Apr 29 19:55 - 20:24 (00:28) 192.168.31.110
root pts/2 Thu Apr 29 19:55 - 19:55 (00:00) 192.168.31.110
root pts/1 Thu Apr 29 19:54 - 19:55 (00:01) 192.168.31.110
查看指定时间之前登录信息
#2019-02-10 12:30:30之前
[root@localhost ~]# last -a -t 20190210123030
查看登录失败的记录(/var/log/btmp 记录的是失败的登录尝试,等价于 `lastb`;来自同一 IP 的大量 `ssh:notty` 条目通常意味着口令猜解)
[root@localhost ~]# last -a -f /var/log/btmp
root ssh:notty Mon May 3 08:49 gone - no logout 192.168.31.110
btmp begins Mon May 3 08:49:38 2021
查看记录每个用户最后的登入信息(lastlog 只保留每个用户最近一次登录;bin、daemon 这类系统账号本应一直是 Never logged in,若出现登录记录即为异常)
[root@localhost ~]# lastlog
Username Port From Latest
root pts/1 192.168.31.110 Mon May 3 08:48:08 +0800 2021
bin **Never logged in**
daemon **Never logged in**
统计当前在线状态
[root@localhost ~]# w
09:04:00 up 1 day, 7:33, 1 user, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.31.110 Thu20 0.00s 0.06s 0.00s w
查看系统主日志
[root@localhost ~]# less /var/log/messages
查看计划任务(入侵者常用它做持久化;除下面的位置外还要看 /etc/cron.d、/etc/anacrontab、Debian 系的 /var/spool/cron/crontabs、`atq` 和 /var/spool/at 里的 at 任务,以及 systemd 定时器 `systemctl list-timers --all`;列目录时用 `ls -la`,以免漏掉以点开头的文件)
[root@localhost ~]# less /var/log/cron
[root@localhost ~]# cat /var/spool/cron/*
[root@localhost ~]# less /etc/crontab
[root@localhost ~]# ls /etc/cron.*
查看异常流量
iftop 动态查看网卡接口流量(建议加 `-n` 关闭反向 DNS 解析、加 `-P` 显示端口:不向外发 DNS 查询,显示也更快更准确)
[root@localhost ~]# yum -y install epel-release
[root@localhost ~]# yum -y install iftop
[root@localhost ~]# iftop -i ens33
tcpdump
[root@localhost ~]# yum install -y tcpdump
基本用法(`-nn` 不解析主机名和端口名,避免 tcpdump 自己向外发出 DNS 查询;`-v` 详细输出)
# tcpdump -i eth0 -nnv
# tcpdump -i eth0 -nnv -c 100 # 只显示100条
# tcpdump -i eth0 -nnv -w /file1.tcpdump # 数据包保存到指定文件,用于分析
# tcpdump -nnv -r /file1.tcpdump # 读取数据包
# 安装wireshark 读取file1.tcpdump(不建议在疑似被入侵的服务器上安装 GUI/X11 软件包:把 pcap 拷贝到分析机上用 Wireshark 打开,既保留现场,也避免依赖可能已被替换的本机工具)
[root@localhost ~]# yum -y install wireshark*
[root@localhost ~]# yum -y install xorg-x11-xauth # 用于图形连接
条件:port,host,net
# tcpdump -i eth0 -nnv not port 80
# tcpdump -i eth0 -nnv port 22
# tcpdump -i eth0 -nnv port 80
# tcpdump -i eth0 -nnv net 192.168.0.0/24
# tcpdump -i eth0 -nnv host 192.168.0.15
# tcpdump -i eth0 -nnv dst port 22
# tcpdump -i eth0 -nnv src port 22
协议作为条件
# tcpdump -i eth0 -nnv arp
# tcpdump -i eth0 -nnv icmp
# tcpdump -i eth0 -nnv udp # udp协议
# tcpdump -i eth0 -nnv tcp # tcp协议,三次握手及四次断开
# tcpdump -i eth0 -nnv ip # ip协议
# tcpdump -i eth0 -nnv vrrp # keepalived使用协议
多条件:与关系(and) 或关系(or) 非关系(not)
# tcpdump -i eth0 -nnv not net 192.168.0.0/24
# tcpdump -i eth0 -nnv not port 80
# tcpdump -i eth0 -nnv host 192.168.0.15 and port 22
# tcpdump -i eth0 -nnv host 192.168.0.15 and host 192.168.0.33
# tcpdump -i eth0 -nnv host 192.168.0.15 or host 192.168.0.33
# tcpdump -i eth0 -nnv \( host 192.168.0.15 and port 22 \) or \( host 192.168.0.33 and port 80 \)
# tcpdump -i eth0 -nnv host 192.168.0.110 and port 22 or port 80
# tcpdump -i eth0 -nnv host 192.168.0.110 and \( port 22 or port 80\)
# tcpdump -i eth0 -nnv host 192.168.0.110 and port 80
# tcpdump -i eth0 -nnv host 192.168.0.110 and ! port 80
条件为TCP仅有SYN标记的(SYN洪水攻击时会看到大量只有 SYN 的包)。过滤表达式里的 `[]` 对 shell 来说是通配符,应整体加引号:`tcpdump -i eth0 -nnv 'tcp[13]==2'`;更易读的等价写法是 `'tcp[tcpflags] == tcp-syn'`。
# man tcpdump
# tcpdump -i eth0 -nnv tcp[13]==2
|C|E|U|A|P|R|S|F|
|--------------- |
|0 0 0 0 0 0 1 0 |
|--------------- |
|7 6 5 4 3 2 1 0|
# tcpdump -i eth0 -nnv tcp[13]==2 and port 22 -w ssh-conn.tcpdump
条件是:TCP仅有SYN/ACK标记的
# tcpdump -i eth0 -nnv tcp[13]==18
|C|E|U|A|P|R|S|F|
|--------------- |
|0 0 0 1 0 0 1 0 |
|--------------- |
|7 6 5 4 3 2 1 0|
# tcpdump -i eth0 -nnv 'tcp[13]==17' # 17 = 0x11 = FIN+ACK,连接关闭阶段的报文
检查可疑进程
# ps
[root@localhost ~]# ps
PID TTY TIME CMD
27198 pts/2 00:00:00 bash
27316 pts/2 00:00:00 ps
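# Full process list. Use the BSD form "ps aux": "ps -aux" means "select the
# user named x" and only falls back to "aux" (with a warning) when no such
# user exists. "f" adds the parent/child tree.
# Kernel threads show in square brackets, e.g. "[kworker/0:1]", but any
# process can set its own name to look like one, so verify anything
# suspicious against /proc/<pid>/exe (a "(deleted)" target means the binary
# was removed after it started) and /proc/<pid>/cmdline.
ps auxf | less
# pstree: process tree. -a shows command-line arguments, -p shows PIDs,
# -h highlights the current process and its ancestors. Provided by psmisc.
yum -y install psmisc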
[root@localhost ~]# pstree
systemd─┬─NetworkManager───2*[{NetworkManager}]
├─agetty
├─auditd───{auditd}
├─crond
├─dbus-daemon───{dbus-daemon}
├─httpd───8*[httpd]
├─irqbalance
├─lvmetad
├─mysqld───35*[{mysqld}]
├─polkitd───6*[{polkitd}]
├─rsyslogd───2*[{rsyslogd}]
├─sshd─┬─sshd───bash
│ ├─sshd───sftp-server
│ └─sshd───bash───pstree
├─systemd-journal
├─systemd-logind
├─systemd-udevd
└─tuned───4*[{tuned}]
# top命令:-d <秒> 设置刷新间隔(不是降序);排序在交互界面里按键完成:
按P以CPU使用排序
按M以内存使用排序
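# Every socket with its owning PID/program: -a all, -n numeric (no DNS or
# port-name lookups), -p process, -u udp, -t tcp, -l listening. Run as root,
# otherwise the PID column is blank for other users' processes.
netstat -anputl
# Same view with ss (netstat's replacement): -t restricts to TCP, -p adds the
# owning process. A userland rootkit (for example an LD_PRELOAD hook) can
# filter what netstat/ss print; when in doubt compare against the raw tables
# in /proc/net/tcp and /proc/net/tcp6, or inspect the disk from a clean boot.
ss -antp
# Map files and ports back to processes.
yum install -y lsof
lsof /usr/sbin/vsftpd              # processes that currently have this file open
fuser /usr/local/nginx/sbin/nginx  # same question, answered by fuser
lsof -i TCP:22                     # processes listening on / connected to TCP port 22
fuser -v 22/tcp                    # same, via fuser (-v: show user, PID and access type)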
文件完整性检查
检验RPM包完整性
# Verify the files of each named package against the RPM database. rpm prints
# one line per file that no longer matches, with a column per failed check
# (S size, M mode, 5 digest, D device, L symlink, U owner, G group, T mtime,
# P capabilities; a trailing "c" marks a config file, which is expected to
# differ). No output means the package's files are unchanged.
# Caveat: the RPM database itself lives on the host, so on a box where root
# may already be lost, also verify against a package file fetched from a
# trusted mirror (rpm -Vp <pkg>.rpm) or inspect the disk from clean media.
for pkg in bash kernel vsftpd; do
  rpm -V "$pkg"
done
# -f: look up whichever package owns this file and verify that package.
rpm -Vf /etc/ssh/sshd_config
md5sum/sha1sum/sha256sum 检测:先获取当前 /etc 目录下文件的哈希基线(MD5 已能被构造碰撞,建议用 sha256sum;基线要立即复制到本机以外或只读介质,否则能改 /etc 的人同样能改基线)
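# Baseline the file hashes under /etc so a later snapshot shows what was
# added, removed or modified.
#  - sha256sum instead of md5sum: MD5 collisions are practical, so a file can
#    be swapped for another with the same MD5.
#  - The baseline must not stay on the host being watched: anyone who can alter
#    /etc can also alter /tmp. Copy it off-box (or to read-only media) right
#    after it is taken; /tmp here is only a staging location.
#  - "-exec ... +" batches files into a few sha256sum calls; "sort -k2" orders
#    the listing by path so diff reports real changes, not find's ordering.
#  - The original line ended in a stray "1" after the redirection, which find
#    took as an extra (non-existent) path argument; it is dropped here.
baseline=/tmp/$(date +%F-%H%M%S)-sha256.txt
find /etc -type f -exec sha256sum {} + | sort -k2 > "$baseline"
# ... files are modified, deleted or added ...
# Take a second snapshot later; the timestamp keeps its name distinct.
current=/tmp/$(date +%F-%H%M%S)-sha256.txt
find /etc -type f -exec sha256sum {} + | sort -k2 > "$current"
# Lines only in the baseline ("<") are deleted or modified files; lines only in
# the current snapshot (">") are added or modified files.
diff "$baseline" "$current"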