# 监控要点
1. 登录失败监控
2. 权限变更监控
3. 文件修改监控
4. 网络异常监控
5.学习交流加群风哥QQ113257174 进程异常监控

# 告警方式
邮件告警、短信告警、企业微信、钉钉

# 设计原则
1. 实时监控关键日志
2. 设置合理的阈值
3. 及时发送告警
4. 记录告警历史

# 创建监控脚本
$ cat > /usr/local/bin/ssh_monitor.sh << 'EOF' #!/bin/bash LOG_FILE="/var/log/secure" ALERT_EMAIL="admin@fgedu.net.cn" THRESHOLD=5 # 检测SSH登录失败 failed_ips=$(grep "Failed password" $LOG_FILE | awk '{print $(NF-3)}' | sort | uniq -c | awk -v t=$THRESHOLD '$1 > t {print $2}’)

if [ -n “$failed_ips” ]; then
for ip in $failed_ips; do
count=$(grep “Failed password.*from $ip” $LOG_FILE | wc -l)
echo “SSH登录失败告警：IP $ip 失败次数 $count” | mail -s “SSH登录失败告警” $ALERT_EMAIL
done
fi
EOF

# 添加执行权限
$ chmod +x /usr/local/bin/ssh_monitor.sh

# 添加到定时任务
$ crontab -e
*/5 * * * * /usr/local/bin/ssh_monitor.sh

# 创建文件监控脚本
$ cat > /usr/local/bin/file_monitor.sh << 'EOF' #!/bin/bash WATCH_DIRS="/etc /var/www" ALERT_EMAIL="admin@fgedu.net.cn" BASELINE="/var/log/file_baseline.txt" # 生成当前文件状态 find $WATCH_DIRS -type f -exec md5sum {} \; > /tmp/current_baseline.txt

# 对比基线
if [ -f $BASELINE ]; then
diff $BASELINE /tmp/current_baseline.学习交流加群风哥微信: itpux-comtxt > /tmp/file_changes.txt
if [ -s /tmp/file_changes.txt ]; then
mail -s “文件变更告警” $ALERT_EMAIL < /tmp/file_changes.txt fi fi # 更新基线 mv /tmp/current_baseline.txt $BASELINE EOF # 添加执行权限 $ chmod +x /usr/local/bin/file_monitor.sh # 添加到定时任务 $ crontab -e 0 * * * * /usr/local/bin/file_monitor.sh

# 创建综合监控脚本
$ cat > /usr/local/bin/security_monitor.sh << 'EOF' #!/bin/bash ALERT_EMAIL="admin@fgedu.net.cn" # 1. 检测异常登录 last -n 10 | grep -v "still logged in" | while read line; do user=$(echo $line | awk '{print $1}') ip=$(echo $line | awk '{print $3}') echo "用户 $user 从 $ip 登录" done # 2. 检测sudo使用 grep "COMMAND" /var/log/secure | tail -10 # 3. 检测新用户 grep "new user" /var/log/secure | tail -5 # 4. 检测异常进程 ps aux | grep -E "(nc|netcat|ncat)" | grep -v grep # 发送汇总报告 echo "安全监控报告" | mail -s "安全监控日报" $ALERT_EMAIL EOF # 添加执行权限 $ chmod +x /usr/local/bin/security_monitor.sh