入侵检测
查看系统日志
过滤 SSH 远程登录失败日志
# Failed SSH authentication attempts. /var/log/secure is the RHEL/CentOS
# path; Debian-family systems write the equivalent to /var/log/auth.log.
# The unix_chkpwd line and the sshd line below are likely the same
# attempt seen from two components (note the adjacent PIDs/timestamps).
1[root@localhost ~]# grep -i Failed /var/log/secure
2May 3 08:49:36 localhost unix_chkpwd[26148]: password check failed for user (root)
3May 3 08:49:38 localhost sshd[26146]: Failed password for root from 192.168.31.110 port 10889 ssh2
过滤 SSH 远程登录成功日志
# Successful logins. Each "Accepted password for root" is a root login
# over SSH with a password — compare the source address with the known
# admin hosts, and note that password logins for root are themselves a
# hardening finding (key-only auth / PermitRootLogin no).
# The hostname differs between the two lines (MiWiFi-R3P-srv vs
# localhost) — presumably the host was renamed; keep that in mind when
# correlating with other logs.
1[root@localhost ~]# grep -i Accepted /var/log/secure
2Apr 28 13:32:17 MiWiFi-R3P-srv sshd[13500]: Accepted password for root from 192.168.31.110 port 2620 ssh2
3Apr 28 13:34:58 localhost sshd[12708]: Accepted password for root from 192.168.31.110 port 2802 ssh2
4
统计登录成功或登录失败的 ip,并进行去重降序排列
# Count source addresses, most frequent first.
# The address is always the 4th field from the end ("... from ADDR port N
# ssh2"), so $(NF-3) works for both "for root" and "for invalid user X"
# lines. The grep '^[0-9]' drops lines where that field is not an
# address (e.g. the unix_chkpwd "password check failed" lines).
# `egrep` is obsolescent; `grep -E` is the equivalent, and since the
# pattern uses no ERE features plain grep would do here. `lastb` reads
# the same failed-login data from /var/log/btmp.
1# 统计登录成功的ip
2[root@localhost ~]# grep -i Accepted /var/log/secure |awk '{print $(NF-3)}' |grep '^[0-9]' |sort |uniq -c |sort -rn
3 18 192.168.31.110
4
5# 统计登录失败的ip
6[root@localhost ~]# grep -i Failed /var/log/secure |awk '{print $(NF-3)}' |egrep '^[0-9]' |sort |uniq -c |sort -rn
7 1 192.168.31.110
查看历史用户登录信息(last):查看最后 5 条登录信息
# last reads /var/log/wtmp; -a puts the source host in the last column,
# -5 limits output to five entries. wtmp is a plain file writable by
# root, so an intruder with root can scrub or rewrite it — corroborate
# with /var/log/secure and, ideally, a remote syslog copy.
1[root@localhost ~]# last -a -5
2root pts/1 Mon May 3 08:48 - 08:51 (00:03) 192.168.31.110
3root pts/0 Thu Apr 29 20:26 still logged in 192.168.31.110
4root pts/1 Thu Apr 29 19:55 - 20:24 (00:28) 192.168.31.110
5root pts/2 Thu Apr 29 19:55 - 19:55 (00:00) 192.168.31.110
6root pts/1 Thu Apr 29 19:54 - 19:55 (00:01) 192.168.31.110
查看指定时间之前登录信息
# -t YYYYMMDDHHMMSS: show the login state as of that instant
# (here 2019-02-10 12:30:30).
1#2019-02-10 12:30:30之前
2[root@localhost ~]# last -a -t 20190210123030
查看登录系统的用户相关信息
# /var/log/btmp records failed login attempts; `lastb` is the shortcut
# for this command. "ssh:notty" means no terminal was allocated — the
# login did not succeed. Like wtmp, btmp can be edited by a root-level
# intruder.
1[root@localhost ~]# last -a -f /var/log/btmp
2root ssh:notty Mon May 3 08:49 gone - no logout 192.168.31.110
3
4btmp begins Mon May 3 08:49:38 2021
查看记录每个用户最后的登入信息
# lastlog reads /var/log/lastlog: one row per account in /etc/passwd.
# "**Never logged in**" is the expected state for service accounts such
# as bin and daemon; a login entry on one of them is a strong indicator
# of account misuse and worth investigating immediately.
1[root@localhost ~]# lastlog
2Username Port From Latest
3root pts/1 192.168.31.110 Mon May 3 08:48:08 +0800 2021
4bin **Never logged in**
5daemon **Never logged in**
统计当前在线状态
# Who is logged in right now, from where (FROM) and what they are
# running (WHAT). Compare FROM against the addresses seen in
# /var/log/secure; an unexpected source or an idle shell you did not
# open is the thing to look for.
1[root@localhost ~]# w
2 09:04:00 up 1 day, 7:33, 1 user, load average: 0.00, 0.01, 0.05
3USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
4root pts/0 192.168.31.110 Thu20 0.00s 0.06s 0.00s w
查看系统主日志
# Main system log on RHEL/CentOS. Besides searching for events, look for
# time gaps or a file shorter than its rotation would suggest — log
# wiping is itself an indicator of compromise.
1[root@localhost ~]# less /var/log/messages
查看计划任务
# Persistence via scheduled jobs. /var/log/cron shows what actually ran;
# /var/spool/cron/* are the per-user crontabs, /etc/crontab and
# /etc/cron.* (cron.d, cron.hourly, ...) the system ones.
# Not covered by these four commands: systemd timers
# (`systemctl list-timers --all`) and at(1) jobs (`atq`) — check both
# when hunting for persistence.
1[root@localhost ~]# less /var/log/cron
2[root@localhost ~]# cat /var/spool/cron/*
3[root@localhost ~]# less /etc/crontab
4[root@localhost ~]# ls /etc/cron.*
查看异常流量
iftop 动态查看网卡接口流量
# iftop shows per-connection bandwidth live. ens33 is this host's
# interface name — substitute the one reported by `ip link`.
# Sustained outbound flows to unfamiliar hosts are the pattern of
# interest (exfiltration, C2 beaconing).
1[root@localhost ~]# yum -y install epel-release
2[root@localhost ~]# yum -y install iftop
3[root@localhost ~]# iftop -i ens33
tcpdump
# Packet capture requires root (or CAP_NET_RAW/CAP_NET_ADMIN).
1[root@localhost ~]# yum install -y tcpdump
基本用法
# Lines beginning with "# " below are a root prompt, not shell comments.
# -nn: no host/port name resolution (no reverse-DNS lookups during the
#      capture); -v: verbose; -c N: stop after N packets;
# -w FILE / -r FILE: write / read a raw pcap file.
# Forensics note: installing wireshark and an X11 stack on the suspect
# host modifies the evidence; prefer copying the .tcpdump file off-box
# and analysing it on a clean workstation.
1# tcpdump -i eth0 -nnv
2# tcpdump -i eth0 -nnv -c 100 # 只显示100条
3# tcpdump -i eth0 -nnv -w /file1.tcpdump # 数据包保存到指定文件,用于分析
4# tcpdump -nnv -r /file1.tcpdump # 读取数据包
5
6# 安装wireshark 读取file1.tcpdump
7[root@localhost ~]# yum -y install wireshark*
8[root@localhost ~]# yum -y install xorg-x11-xauth # 用于图形连接
9
条件:port,host,net
# Filter primitives (lines begin with a root prompt, not a comment):
# port/host/net match traffic in either direction; dst/src restrict the
# match to one direction.
1# tcpdump -i eth0 -nnv not port 80
2# tcpdump -i eth0 -nnv port 22
3# tcpdump -i eth0 -nnv port 80
4# tcpdump -i eth0 -nnv net 192.168.0.0/24
5# tcpdump -i eth0 -nnv host 192.168.0.15
6# tcpdump -i eth0 -nnv dst port 22
7# tcpdump -i eth0 -nnv src port 22
协议作为条件
# Protocol names used directly as primitives. vrrp is IP protocol 112,
# the keepalived heartbeat; unexpected VRRP or ARP chatter can indicate
# spoofing on the segment.
1# tcpdump -i eth0 -nnv arp
2# tcpdump -i eth0 -nnv icmp
3# tcpdump -i eth0 -nnv udp # udp协议
4# tcpdump -i eth0 -nnv tcp # tcp协议,三次握手及四次断开
5# tcpdump -i eth0 -nnv ip # ip协议
6# tcpdump -i eth0 -nnv vrrp # keepalived使用协议
多条件:与关系(and) 或关系(or) 非关系(not)
# Operator precedence: "and" binds tighter than "or", so line 8
# (host X and port 22 or port 80) is read as (host X and port 22) or
# (port 80) and matches ALL port-80 traffic, not only X's. Line 9 is the
# intended grouping; the parentheses must be escaped (\( \)) or the whole
# filter quoted so the shell does not consume them.
# "!" (line 12) is a synonym for "not".
1# tcpdump -i eth0 -nnv not net 192.168.0.0/24
2# tcpdump -i eth0 -nnv not port 80
3# tcpdump -i eth0 -nnv host 192.168.0.15 and port 22
4# tcpdump -i eth0 -nnv host 192.168.0.15 and host 192.168.0.33
5# tcpdump -i eth0 -nnv host 192.168.0.15 or host 192.168.0.33
6# tcpdump -i eth0 -nnv \( host 192.168.0.15 and port 22 \) or \( host 192.168.0.33 and port 80 \)
7
8# tcpdump -i eth0 -nnv host 192.168.0.110 and port 22 or port 80
9# tcpdump -i eth0 -nnv host 192.168.0.110 and \( port 22 or port 80\)
10
11# tcpdump -i eth0 -nnv host 192.168.0.110 and port 80
12# tcpdump -i eth0 -nnv host 192.168.0.110 and ! port 80
条件为 TCP 仅有 SYN 标记的(SYN 洪水攻击)
# tcp[13] is the TCP flags byte. Bit values, low to high:
#   FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32 ECE=64 CWR=128
# ==2  -> SYN only: the first packet of a handshake. Many of these from
#         one source with no completed handshakes is the SYN-flood
#         signature; compare the count against matching SYN+ACK replies.
# ==18 -> SYN+ACK (server's reply); ==17 -> FIN+ACK (teardown).
# A named-flag form for "SYN set, ACK clear" (any other flags allowed):
#   tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn
1# man tcpdump
2# tcpdump -i eth0 -nnv tcp[13]==2
3 |C|E|U|A|P|R|S|F|
4 |--------------- |
5 |0 0 0 0 0 0 1 0 |
6 |--------------- |
7 |7 6 5 4 3 2 1 0|
8# tcpdump -i eth0 -nnv tcp[13]==2 and port 22 -w ssh-conn.tcpdump
9
10条件是:TCP仅有SYN/ACK标记的
11# tcpdump -i eth0 -nnv tcp[13]==18
12 |C|E|U|A|P|R|S|F|
13 |--------------- |
14 |0 0 0 1 0 0 1 0 |
15 |--------------- |
16 |7 6 5 4 3 2 1 0|
17
18# tcpdump -i eth0 -nnv tcp[13]==17
检查可疑进程
# Process and socket inspection. All of these tools read /proc through
# the host's own binaries and libraries; a rootkit that hooks them can
# hide entries. Cross-check `ps` against `ls /proc` and, where possible,
# run the tools from a trusted read-only medium.
1# ps
2[root@localhost ~]# ps
3 PID TTY TIME CMD
427198 pts/2 00:00:00 bash
527316 pts/2 00:00:00 ps
6
# Names shown in square brackets (e.g. [kthreadd]) are kernel threads.
# `ps aux` (BSD syntax, no dash) is the intended form; `ps -aux` is
# parsed as POSIX options and older procps prints a bad-syntax warning.
7# 系统进程一般还有“[]”
8ps -aux | less
9
# pstree: -a show arguments, -p show PIDs; a shell hanging off httpd,
# mysqld or another service process is a classic web-shell / exploit
# indicator.
10# pstree 进程树 -a 所有 -p 子进程号父进程号 -h
11yum -y install psmisc
12[root@localhost ~]# pstree
13systemd─┬─NetworkManager───2*[{NetworkManager}]
14 ├─agetty
15 ├─auditd───{auditd}
16 ├─crond
17 ├─dbus-daemon───{dbus-daemon}
18 ├─httpd───8*[httpd]
19 ├─irqbalance
20 ├─lvmetad
21 ├─mysqld───35*[{mysqld}]
22 ├─polkitd───6*[{polkitd}]
23 ├─rsyslogd───2*[{rsyslogd}]
24 ├─sshd─┬─sshd───bash
25 │ ├─sshd───sftp-server
26 │ └─sshd───bash───pstree
27 ├─systemd-journal
28 ├─systemd-logind
29 ├─systemd-udevd
30 └─tuned───4*[{tuned}]
31
# Correction: top's -d sets the refresh delay in seconds; it does not
# sort. Sorting is interactive — P = by CPU, M = by memory (next lines).
32# top命令 -d 降序显示
33按P以CPU使用排序
34按M以内存使用排序
35
# netstat -anputl: -a all sockets, -n numeric, -p owning process,
# -u UDP, -t TCP, -l listening. netstat is deprecated in favour of ss;
# `ss -tunap` gives the same view.
36# netstat
37netstat -anputl
38
# `ss -tan` filters TCP natively instead of grepping the output.
39# ss 查看某个协议或端口的监听状态
40ss -an | grep tcp
41
# Map files and ports to processes. A listener owned by an unexpected
# binary, or a known daemon path in use by the wrong process, deserves
# a closer look. The trailing text after each command below is a
# description, not part of the command.
42# 根据文件或端口查找进程
43yum install -y lsof
44lsof /usr/sbin/vsftpd 根据某文件查看正在被某些进程使用
45fuser /usr/local/nginx/sbin/nginx 根据某文件查看正在被某些进程使用
46
47lsof -i TCP:22 根据某个端口查看对应进程
48fuser -v 22/tcp 根据某个端口查看对应进程
文件完整性检查
检验 RPM 包完整性
# Verify installed files against the RPM database. Silence means no
# deviation; output letters mark what changed (S size, M mode, 5 digest,
# U/G owner, T mtime, ...). A changed digest on a binary such as
# /bin/bash deserves attention.
# The database lives on the same host and can be altered by a root-level
# intruder, so a clean result is necessary, not sufficient.
for pkg in bash kernel vsftpd; do
  rpm -V "$pkg"
done

# -f: verify the package that owns the named file.
rpm -Vf /etc/ssh/sshd_config
md5sum/sha1sum 检测:获取当前的/etc 目录 md5 值
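# Build a checksum baseline of every regular file under /etc, then take a
# second snapshot after the suspected change and diff the two.
#
# Fixes vs. the original notes: the snapshot files were named by minute
# (two runs in the same minute overwrote each other) while the final diff
# referred to /tmp/1-md5.txt and /tmp/2-md5.txt, which nothing wrote.
# The paths are now kept in variables and include seconds.
#
# Caveats for real use: a baseline kept in /tmp on the same host can be
# edited by the intruder along with /etc — store it off-host or on
# read-only media. md5 is collision-prone; `sha256sum` (or a package
# check such as `rpm -V`) is the better tamper-evidence tool.
# `-exec ... +` batches files into few md5sum calls; `sort -k 2` orders
# by path so the diff does not depend on directory traversal order.
baseline="/tmp/$(date +%F-%H%M%S)-md5.txt"
find /etc -type f -exec md5sum {} + | sort -k 2 > "$baseline"

# ... modify, delete or add files under /etc here ...

current="/tmp/$(date +%F-%H%M%S)-md5.txt"
find /etc -type f -exec md5sum {} + | sort -k 2 > "$current"

# Each differing line names a file that was changed, added or removed.
diff "$baseline" "$current"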