内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
风哥提示:
本文档详细介绍Linux安全监控和告警系统的配置方法。
Part01-安全监控系统
1.1 配置Prometheus监控
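$ sudo dnf install -y prometheus
# Prometheus server configuration. Indentation restored: the flattened copy
# on this page is not valid YAML (every key under global:/alerting:/... must
# be nested). All targets are loopback; nothing here adds authentication.
$ sudo tee /etc/prometheus/prometheus.yml << 'EOF'
global:
  scrape_interval: 15s
  evaluation_interval: 15s

alerting:
  alertmanagers:
    - static_configs:
        - targets:
            - localhost:9093

rule_files:
  - /etc/prometheus/rules/*.yml

scrape_configs:
  # Prometheus scraping itself.
  - job_name: 'prometheus'
    static_configs:
      - targets: ['localhost:9090']
  # node_exporter on 9100 is assumed to be installed and running; this page
  # does not set it up, and the 'node' job stays DOWN until it is.
  - job_name: 'node'
    static_configs:
      - targets: ['localhost:9100']
  - job_name: 'alertmanager'
    static_configs:
      - targets: ['localhost:9093']
EOF
# Validate before starting so a typo fails here, not at service start.
$ sudo promtool check config /etc/prometheus/prometheus.yml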
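# Alert rules. NOTE(review): the standard node_exporter ships none of
# node_ssh_failed_logins_total, node_selinux_violations_total or
# node_firewall_active. They must come from a custom exporter or the
# textfile collector; until they exist the first three rules evaluate to an
# empty result and never fire. Verify the names against the exporter that is
# actually deployed. Curly quotes and en-dash list markers from the original
# page are replaced here: "– alert:" is not a YAML list item and the file
# would not load.
$ sudo mkdir -p /etc/prometheus/rules
$ sudo tee /etc/prometheus/rules/security.yml << 'EOF'
groups:
  - name: security
    rules:
      # More than 10 failed SSH logins within 5 minutes, sustained for 1 minute.
      - alert: HighFailedLoginAttempts
        expr: increase(node_ssh_failed_logins_total[5m]) > 10
        for: 1m
        labels:
          severity: critical
        annotations:
          summary: "High failed login attempts detected"
          description: "{{ $value }} failed login attempts in the last 5 minutes on {{ $labels.instance }}"

      # Any new SELinux denial in the last 5 minutes.
      - alert: SELinuxViolation
        expr: increase(node_selinux_violations_total[5m]) > 0
        for: 1m
        labels:
          severity: warning
        annotations:
          summary: "SELinux violation detected"
          description: "{{ $value }} SELinux violations in the last 5 minutes on {{ $labels.instance }}"

      # Custom gauge. If node_exporter runs with --collector.systemd, the
      # stock equivalent is:
      #   node_systemd_unit_state{name="firewalld.service",state="active"} == 0
      - alert: FirewallDown
        expr: node_firewall_active == 0
        for: 1m
        labels:
          severity: critical
        annotations:
          summary: "Firewall is down"
          description: "The firewall service is not running on {{ $labels.instance }}"

      # Per-interface ingress above 100 MB/s (~800 Mbit/s) for 2 minutes.
      # Loopback is excluded so local traffic does not trip it; the threshold
      # is a placeholder and must be sized to the host's normal load.
      - alert: UnusualNetworkActivity
        expr: rate(node_network_receive_bytes_total{device!="lo"}[5m]) > 100000000
        for: 2m
        labels:
          severity: warning
        annotations:
          summary: "Unusual network activity detected"
          description: "High network traffic detected: {{ $value }} bytes/sec on {{ $labels.instance }} ({{ $labels.device }})"
EOF
# Fail fast on syntax or template errors.
$ sudo promtool check rules /etc/prometheus/rules/security.yml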
# Neither Prometheus nor Alertmanager authenticates requests, and both bind
# every interface by default (9090/9093). Firewall those ports or bind to
# loopback (--web.listen-address=127.0.0.1:9090, wherever the package's unit
# reads its flags) before this host is reachable from elsewhere.
# enable --now is enable followed by start.
$ sudo systemctl enable --now prometheus
Part02-告警配置
2.1 配置Alertmanager
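$ sudo dnf install -y alertmanager
# The SMTP credential goes in its own file instead of inline in
# alertmanager.yml, which is normally world-readable and ends up in backups
# and pastes. The secret file must be readable by the account the
# alertmanager unit runs as (check User= in the unit; the group below
# assumes it is "alertmanager").
$ sudo sh -c 'umask 077; printf "%s" "REPLACE_WITH_SMTP_PASSWORD" > /etc/alertmanager/smtp_password'
$ sudo chown root:alertmanager /etc/alertmanager/smtp_password
$ sudo chmod 0640 /etc/alertmanager/smtp_password
# Alertmanager configuration (indentation restored; the flattened copy on
# this page is not valid YAML). matchers:/source_matchers: are the current
# syntax; match:/source_match: are deprecated. smtp_auth_password_file needs
# Alertmanager 0.25+; on an older build fall back to smtp_auth_password and
# keep this file mode 0640.
$ sudo tee /etc/alertmanager/alertmanager.yml << 'EOF'
global:
  resolve_timeout: 5m
  smtp_smarthost: 'smtp.fgedu.net.cn:587'
  smtp_from: 'alertmanager@fgedu.net.cn'
  smtp_auth_username: 'alertmanager@fgedu.net.cn'
  smtp_auth_password_file: /etc/alertmanager/smtp_password
  # Already the default; stated so it is not relaxed by accident.
  smtp_require_tls: true

route:
  group_by: ['alertname', 'severity']
  group_wait: 30s
  group_interval: 5m
  repeat_interval: 4h
  # Fallback receiver. Child routes stop at the first match (continue is
  # false by default), so 'security-team' only sees alerts whose severity
  # is neither critical nor warning.
  receiver: 'security-team'
  routes:
    - matchers:
        - severity="critical"
      receiver: 'security-critical'
    - matchers:
        - severity="warning"
      receiver: 'security-warning'

receivers:
  - name: 'security-team'
    email_configs:
      - to: 'security@fgedu.net.cn'
        send_resolved: true
  - name: 'security-critical'
    email_configs:
      - to: 'security-critical@fgedu.net.cn'
        send_resolved: true
    # Nothing on this page listens on 5001; until a receiver exists, every
    # critical notification also logs a webhook delivery error (the e-mail
    # still goes out). Plain http is tolerable only because this is loopback.
    webhook_configs:
      - url: 'http://localhost:5001/webhook'
        send_resolved: true
  - name: 'security-warning'
    email_configs:
      - to: 'security-warning@fgedu.net.cn'
        send_resolved: true

# Mute a warning on an instance that already has a critical alert with the
# same alertname; it does not cross alert names.
inhibit_rules:
  - source_matchers:
      - severity="critical"
    target_matchers:
      - severity="warning"
    equal: ['alertname', 'instance']
EOF
# Validate before starting.
$ sudo amtool check-config /etc/alertmanager/alertmanager.yml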
# Start Alertmanager and make it persistent across reboots in one step
# (enable --now is enable followed by start).
$ sudo systemctl enable --now alertmanager
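# Push a synthetic warning through the pipeline. The v1 alerts API the
# original used was removed in Alertmanager 0.27; v2 takes the same
# labels/annotations shape (startsAt defaults to now). With the routing
# above, expect mail at security-warning@fgedu.net.cn.
$ curl -sS -X POST -H 'Content-Type: application/json' \
  http://localhost:9093/api/v2/alerts -d '[{
    "labels": {
      "alertname": "TestAlert",
      "severity": "warning"
    },
    "annotations": {
      "summary": "Test alert",
      "description": "This is a test alert"
    }
  }]'
# Confirm it was accepted before waiting on mail delivery.
$ amtool --alertmanager.url=http://localhost:9093 alert query alertname=TestAlert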
Part03-实时监控
3.1 配置实时监控脚本
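# Host checks as a single-pass script; the timer unit in the next section
# re-runs it. Written with sudo tee (a plain `cat > /usr/local/bin/...`
# redirection runs as the invoking user and fails without root) and a
# matching, quoted heredoc delimiter so the body is stored literally. The
# original's curly quotes (“ ” ‘ ’) are not shell quotes and broke every
# awk and test expression; straight quotes are used throughout.
$ sudo tee /usr/local/bin/security-monitor.sh << 'EOF' > /dev/null
#!/bin/bash
# security-monitor.sh — one pass over the auth log, sudo use, connection
# count, scanner processes and recently changed SUID files; mails on each
# hit and appends to LOG_FILE. Runs as root (reads /var/log/secure, walks /).
# Needs mailx and a working local MTA, which this page does not set up.
# Stateless: a condition that persists is reported again on every run.
set -u   # no -e: a failing check must not skip the remaining ones

readonly LOG_FILE="/var/log/security-monitor.log"
readonly ALERT_EMAIL="security@fgedu.net.cn"
readonly AUTH_LOG="/var/log/secure"

# Append one timestamped line to LOG_FILE.
log() {
  printf '%s: %s\n' "$(date)" "$1" >> "$LOG_FILE"
}

# Mail $1 as the message body. The subject is fixed and the body goes over
# stdin, so log excerpts (which can carry attacker-chosen usernames) never
# become command arguments.
send_alert() {
  printf '%s\n' "$1" | mail -s "Security Alert" "$ALERT_EMAIL"
}

# Alert when one source IP accounts for more than 10 of the last 100 failed
# SSH password attempts. The IP is taken as the token after "from" rather
# than column 11: on "Failed password for invalid user X from IP" lines the
# columns shift and $11 is the attacker-supplied username, not the address.
monitor_logins() {
  local top count ip
  top=$(grep "Failed password" "$AUTH_LOG" 2>/dev/null | tail -100 \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); break } }' \
    | sort | uniq -c | sort -nr | head -1)
  read -r count ip <<< "$top"   # read also trims uniq -c's leading spaces
  if [[ ${count:-0} -gt 10 ]]; then
    log "High failed login attempts from $ip: $count"
    send_alert "High failed login attempts from $ip: $count"
  fi
}

# Alert if any of the last 10 sudo COMMAND records mentions account
# management. This matches the whole log line, so a command whose arguments
# merely contain "passwd" (e.g. `vi /etc/passwd`) trips it as well.
monitor_sudo() {
  local recent
  recent=$(grep "COMMAND" "$AUTH_LOG" 2>/dev/null | tail -10)
  if grep -qE 'userdel|useradd|passwd' <<< "$recent"; then
    log "Suspicious sudo activity detected"
    send_alert "Suspicious sudo activity: $recent"
  fi
}

# Alert above 100 established TCP/UDP sessions. The limit is a placeholder;
# size it from the host's normal baseline. -p (process owner) was dropped:
# it was never used and is slow.
monitor_network() {
  local established
  established=$(ss -Htun state established | wc -l)
  if [[ ${established:-0} -gt 100 ]]; then
    log "High number of connections: $established"
    send_alert "High number of connections: $established"
  fi
}

# Exact process-name match for common scanner/listener tools. The original
# `ps aux | grep -E "nc|..."` matched any command line containing "nc"
# (rsync and many daemons). Cheap check only: a renamed binary is not seen.
monitor_processes() {
  local hits
  hits=$(pgrep -a -x 'nc|netcat|ncat|nmap|masscan')
  if [[ -n $hits ]]; then
    log "Suspicious processes detected"
    send_alert "Suspicious processes: $hits"
  fi
}

# SUID files whose inode changed in the last 24h. ctime is used instead of
# mtime: chmod u+s updates ctime, and touch / cp -p can forge mtime but not
# ctime. /proc is pruned (virtual filesystem, nothing real to find).
monitor_files() {
  local suid
  suid=$(find / -path /proc -prune -o -type f -perm -4000 -ctime -1 -print 2>/dev/null)
  if [[ -n $suid ]]; then
    log "New SUID files detected"
    send_alert "New SUID files: $suid"
  fi
}

main() {
  log "Starting security monitoring cycle"
  monitor_logins
  monitor_sudo
  monitor_network
  monitor_processes
  monitor_files
  log "Security monitoring cycle completed"
}
main "$@"
EOF
# Explicit mode: executable, not group/world writable.
$ sudo chmod 0755 /usr/local/bin/security-monitor.sh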
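# systemd units. The script does one pass and exits, so it is a oneshot
# service driven by a timer, instead of the original Type=simple service
# that relied on Restart=always/RestartSec=300 to re-run it and logged every
# normal exit as a restart. Unit files are written with sudo tee for the
# same reason as the script above.
$ sudo tee /etc/systemd/system/security-monitor.service << 'EOF' > /dev/null
[Unit]
Description=Security Monitor (one pass)
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/security-monitor.sh
# Kept minimal on purpose: stricter sandboxing (ProtectSystem=strict,
# NoNewPrivileges) can break the setgid mail submission path.
PrivateTmp=true
EOF
$ sudo tee /etc/systemd/system/security-monitor.timer << 'EOF' > /dev/null
[Unit]
Description=Run security-monitor every 5 minutes

[Timer]
OnBootSec=5min
OnUnitActiveSec=5min
AccuracySec=30s

[Install]
WantedBy=timers.target
EOF
$ sudo systemctl daemon-reload
# Enable the timer, not the service; then run one pass by hand and check
# that the log and mail paths work before relying on it.
$ sudo systemctl enable --now security-monitor.timer
$ sudo systemctl start security-monitor.service
$ sudo tail -n 5 /var/log/security-monitor.log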
1. 配置实时监控
2. 设置多级告警
3. 监控关键指标
4. 定期审查告警
5. 优化告警规则
