
Linux教程FG279-安全日志分析

内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。

风哥提示:

文档详细介绍Linux安全日志的分析方法和工具。

Part01-日志分析基础

1.1 常见安全日志

# 系统日志文件
/var/log/messages – 系统消息日志
/var/log/secure – 安全相关日志
/var/log/audit/audit.log – 审计日志
/var/log/cron – 计划任务日志
/var/log/maillog – 邮件服务日志
/var/log/httpd/ – Web服务日志
/var/log/nginx/ – Nginx日志
/var/log/mysql/ – MySQL日志

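# Follow the systemd journal
$ sudo journalctl -f

# Follow the security log
$ sudo tail -f /var/log/secure

# Recent audit events (last 100 records)
$ sudo ausearch -m all | tail -100

# SSH daemon entries (-F: fixed string, the pattern is not a regex)
$ sudo grep -F 'sshd' /var/log/secure

# Failed logins
$ sudo grep -F 'Failed password' /var/log/secure

# Successful logins
$ sudo grep -F 'Accepted' /var/log/secure

# sudo records (lines containing "COMMAND=" are the actual invocations;
# the pam_unix session open/close lines also match "sudo")
$ sudo grep -F 'sudo' /var/log/secure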

Part02-日志分析工具

2.1 使用grep分析日志

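# Count failed logins (grep -c instead of grep | wc -l)
$ sudo grep -c -F 'Failed password' /var/log/secure

# Failed logins by source IP. The address is the word after "from"; its
# column differs between "for root from X" and "for invalid user bob from X",
# so a fixed field such as $11 is wrong for the second form.
$ sudo grep -F 'Failed password' /var/log/secure | awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); break } }' | sort | uniq -c | sort -nr

# Successful logins by user (the word after "for")
$ sudo grep -F 'Accepted' /var/log/secure | awk '{ for (i = 1; i < NF; i++) if ($i == "for") { print $(i + 1); break } }' | sort | uniq -c | sort -nr

# Entries for one day. syslog pads single-digit days with two spaces
# ("Apr  4"), so "Apr 4" matches nothing; allow one or more spaces.
$ sudo grep -E '^Apr +4 ' /var/log/secure

# Activity of one user (-w: whole word, so "user1" does not also match "user10")
$ sudo grep -w 'user1' /var/log/secure

# Top 10 sources of failed logins (brute-force candidates)
$ sudo grep -F 'Failed password' /var/log/secure | awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); break } }' | sort | uniq -c | sort -nr | head -10

# Login time per user, to spot logins at unusual hours
$ sudo grep -F 'Accepted' /var/log/secure | awk '{ for (i = 1; i < NF; i++) if ($i == "for") { print $1, $2, $3, $(i + 1); break } }'

# root logins. Anchor on "for root from" so that users such as "rooter",
# or key comments containing "root", are not counted.
$ sudo grep -E 'Accepted [^ ]+ for root from' /var/log/secure

# User switches (su)
$ sudo grep -F 'su:' /var/log/secure

# Service starts/stops (grep -E instead of the GNU-only "\|" alternation)
$ sudo grep -F 'systemd' /var/log/messages | grep -E 'Started|Stopped'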

Part03-日志分析脚本

3.1 自动化日志分析

# 创建日志分析脚本
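$ cat > /usr/local/bin/log-analyzer.sh << 'EOF'
#!/bin/bash
# Summarise authentication, sudo, SSH and service events from
# /var/log/secure and /var/log/messages into a plain-text report.
# Needs read access to those logs (normally root).
# Writes: REPORT_FILE (global, appended to by the analyze_* functions below)
REPORT_FILE="/tmp/security-report-$(date +%Y%m%d).txt"

# The report lists user names and source addresses: create it mode 0600
# rather than world-readable in /tmp.
umask 077

# /tmp is shared and the file name is predictable. Refuse to write through
# a symlink or into a file planted by another user (a check-then-write race
# remains; a private report directory would remove it entirely).
if [ -L "$REPORT_FILE" ] || { [ -e "$REPORT_FILE" ] && [ ! -O "$REPORT_FILE" ]; }; then
  printf 'Refusing to write %s: exists and is not a regular file we own\n' "$REPORT_FILE" >&2
  exit 1
fi

{
  printf 'Security Log Analysis Report\n'
  printf 'Date: %s\n' "$(date)"
  printf '================================\n'
} > "$REPORT_FILE"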

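#######################################
# Append a summary of sshd "Failed password" events to the report.
# Globals:  SECURE_LOG (read, optional; defaults to /var/log/secure)
#           REPORT_FILE (appended to)
# Arguments: none
#######################################
analyze_failed_logins() {
  local secure_log=${SECURE_LOG:-/var/log/secure}
  {
    printf '\n[Failed Login Attempts]\n'
    printf 'Total failed attempts: %s\n' "$(grep -c -F 'Failed password' "$secure_log")"
    printf '\nTop 10 attacking IPs:\n'
    # The source address is the word after "from". Its column differs between
    # "for root from X" and "for invalid user bob from X", so a fixed $11
    # silently mis-counts the second form.
    grep -F 'Failed password' "$secure_log" \
      | awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); break } }' \
      | sort | uniq -c | sort -nr | head -10
  } >> "$REPORT_FILE"
}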

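#######################################
# Append a summary of accepted sshd logins, grouped by user, to the report.
# Globals:  SECURE_LOG (read, optional; defaults to /var/log/secure)
#           REPORT_FILE (appended to)
# Arguments: none
#######################################
analyze_successful_logins() {
  local secure_log=${SECURE_LOG:-/var/log/secure}
  {
    printf '\n[Successful Logins]\n'
    printf 'Total successful logins: %s\n' "$(grep -c -F 'Accepted' "$secure_log")"
    printf '\nLogin by user:\n'
    # The user is the word after "for" ("Accepted password for alice from ...");
    # locating it by keyword keeps working if the timestamp format changes.
    grep -F 'Accepted' "$secure_log" \
      | awk '{ for (i = 1; i < NF; i++) if ($i == "for") { print $(i + 1); break } }' \
      | sort | uniq -c | sort -nr
  } >> "$REPORT_FILE"
}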

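#######################################
# Append a summary of sudo command invocations, grouped by invoking user.
# Globals:  SECURE_LOG (read, optional; defaults to /var/log/secure)
#           REPORT_FILE (appended to)
# Arguments: none
#######################################
analyze_sudo_usage() {
  local secure_log=${SECURE_LOG:-/var/log/secure}
  {
    printf '\n[Sudo Usage]\n'
    # Only "COMMAND=" lines are invocations; the pam_unix session open/close
    # lines also contain "sudo" and would double-count.
    printf 'Total sudo commands: %s\n' "$(grep -c 'sudo.*COMMAND=' "$secure_log")"
    printf '\nSudo by user:\n'
    # In "host sudo[pid]:    alice : TTY=... ; COMMAND=..." field 5 is the
    # program tag, not the user; the user is the word before the first
    # stand-alone ":" field.
    awk '$0 ~ /COMMAND=/ { for (i = 1; i < NF; i++) if ($i == ":") { print $(i - 1); break } }' "$secure_log" \
      | sort | uniq -c | sort -nr
  } >> "$REPORT_FILE"
}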

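#######################################
# Append a summary of accepted SSH connections, grouped by source IP.
# Globals:  SECURE_LOG (read, optional; defaults to /var/log/secure)
#           REPORT_FILE (appended to)
# Arguments: none
#######################################
analyze_ssh_connections() {
  local secure_log=${SECURE_LOG:-/var/log/secure}
  {
    printf '\n[SSH Connections]\n'
    # "session opened" is a pam_unix line emitted by sshd, sudo, su, cron...
    # and carries no source address, so it neither isolates SSH nor yields
    # an IP. sshd's own "Accepted ... from <ip>" line does both.
    printf 'Total SSH connections: %s\n' "$(grep -c -E 'sshd\[[0-9]+\]: Accepted ' "$secure_log")"
    printf '\nConnections by IP:\n'
    grep -E 'sshd\[[0-9]+\]: Accepted ' "$secure_log" \
      | awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); break } }' \
      | sort | uniq -c | sort -nr
  } >> "$REPORT_FILE"
}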

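#######################################
# Append the 20 most recent service start/stop lines to the report.
# Globals:  MESSAGES_LOG (read, optional; defaults to /var/log/messages)
#           REPORT_FILE (appended to)
# Arguments: none
#######################################
analyze_service_changes() {
  local messages_log=${MESSAGES_LOG:-/var/log/messages}
  {
    printf '\n[Service Changes]\n'
    # -E alternation instead of the GNU-only "\|" in a basic regex
    grep -E 'Started|Stopped' "$messages_log" | tail -20
  } >> "$REPORT_FILE"
}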

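#######################################
# Run every analysis section in order, then print the report path and contents.
# Globals:  REPORT_FILE (read)
# Arguments: none (accepted and ignored, for a conventional main "$@")
# Outputs:  report path and report body on stdout
#######################################
main() {
  analyze_failed_logins
  analyze_successful_logins
  analyze_sudo_usage
  analyze_ssh_connections
  analyze_service_changes

  printf '\nReport saved to: %s\n' "$REPORT_FILE"
  cat -- "$REPORT_FILE"
}

main "$@"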
EOF

# Make the installed analyzer executable.
chmod +x -- /usr/local/bin/log-analyzer.sh

Part04-日志告警

4.1 配置日志告警

# 创建日志告警脚本
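$ cat > /usr/local/bin/log-alert.sh << 'EOF'
#!/bin/bash
# Hourly security alerting on /var/log/secure: mails ALERT_EMAIL when
# brute-force activity, a root login, a new user or suspicious auth events
# appear in the log. Run from /etc/cron.hourly (see below).
#
# NOTE(review): every check greps the whole log file, so an event keeps
# re-alerting every hour until the log rotates. Remembering a byte offset
# between runs and scanning only the new tail would make each alert fire
# once; kept as is to keep the example small.
LOG_FILE="/var/log/secure"
ALERT_EMAIL="security@fgedu.net.cn"
ALERT_THRESHOLD=10

#######################################
# Send one alert mail.
# Arguments: $1 - subject (fixed strings only, never log content)
#            $2 - body; passed as data via printf '%s', never as a format
#######################################
send_alert() {
  local subject=$1 body=$2
  printf '%s\n' "$body" | mail -s "$subject" "$ALERT_EMAIL"
}

#######################################
# Alert when more than ALERT_THRESHOLD of the last 100 "Failed password"
# lines exist, naming the most frequent source address.
# Note: the count is capped at 100 by tail and is not time-windowed.
#######################################
check_failed_logins() {
  local failed_count attacker_ip
  failed_count=$(grep -F 'Failed password' "$LOG_FILE" | tail -100 | wc -l)
  if (( failed_count > ALERT_THRESHOLD )); then
    # The source address is the word after "from"; a fixed $11 is wrong for
    # "invalid user" lines, where the fields shift by two.
    attacker_ip=$(grep -F 'Failed password' "$LOG_FILE" | tail -100 \
      | awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); break } }' \
      | sort | uniq -c | sort -nr | head -1 | awk '{print $2}')
    send_alert "Security Alert: Brute Force Attack" \
      "High number of failed login attempts detected: $failed_count
Attacker IP: $attacker_ip"
  fi
}

#######################################
# Alert on any accepted root login. Anchored on "for root from" so that
# users such as "rooter" or key comments containing "root" do not match.
#######################################
check_root_login() {
  if grep -qE 'Accepted [^ ]+ for root from' "$LOG_FILE"; then
    send_alert "Security Alert: Root Login" "Root login detected!"
  fi
}

#######################################
# Alert on the most recent useradd "new user" record.
#######################################
check_new_users() {
  local new_user
  if grep -qF 'new user' "$LOG_FILE"; then
    new_user=$(grep -F 'new user' "$LOG_FILE" | tail -1)
    send_alert "Security Alert: New User" "New user created: $new_user"
  fi
}

#######################################
# Alert with the last 10 invalid-user / authentication-failure lines.
# These lines carry attacker-chosen user names, so they are only ever
# handled as data (quoted variable, printf '%s').
#######################################
check_suspicious_activity() {
  local suspicious
  suspicious=$(grep -E 'invalid user|illegal user|authentication failure' "$LOG_FILE" | tail -10)
  if [ -n "$suspicious" ]; then
    # printf, not echo: bash echo does not expand "\n" without -e
    send_alert "Security Alert: Suspicious Activity" \
      "Suspicious activity detected:
$suspicious"
  fi
}

main() {
  if [ ! -r "$LOG_FILE" ]; then
    printf 'Cannot read %s\n' "$LOG_FILE" >&2
    exit 1
  fi
  check_failed_logins
  check_root_login
  check_new_users
  check_suspicious_activity
}

main "$@"
EOF

chmod +x -- /usr/local/bin/log-alert.sh

# Run the check hourly
$ cat > /etc/cron.hourly/log-alert << 'EOF'
#!/bin/bash
/usr/local/bin/log-alert.sh
EOF

chmod +x -- /etc/cron.hourly/log-alert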
风哥针对日志分析建议:
1. 定期分析安全日志
2. 配置自动化告警
3. 关注异常活动
4. 保存历史日志
5. 建立日志基线

本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
