With nothing better to do, I had a look at the login logs on this host. What I found didn't exactly shock me, but it didn't surprise me either. Good grief, that's a lot of records. First, a look at what they were up to:

#cat /var/log/secure | grep Failed | wc -l
3393

Close to 3400 failed login records in total! In less than a day. Not bad, eh?

#cat /var/log/secure | head -n 100 | grep Failed
Mar 12 04:22:46 sshd[21607]: Failed password for invalid user 1 from 212.15.99.53 port 45244 ssh2
Mar 12 04:26:06 sshd[21637]: Failed password for invalid user 2 from 212.15.99.53 port 41958 ssh2
Mar 12 04:29:23 sshd[21659]: Failed password for invalid user 3 from 212.15.99.53 port 38680 ssh2
Mar 12 04:32:35 sshd[21685]: Failed password for invalid user teamspeak from 212.15.99.53 port 35402 ssh2
Mar 12 04:35:50 sshd[21713]: Failed password for invalid user teamspeak from 212.15.99.53 port 60350 ssh2
Mar 12 04:39:10 sshd[21739]: Failed password for invalid user teamspeak from 212.15.99.53 port 57078 ssh2
Mar 12 04:42:37 sshd[21774]: Failed password for invalid user teamspeak from 212.15.99.53 port 53790 ssh2
Mar 12 04:43:34 sshd[21788]: Failed password for root from 5.188.203.113 port 7002 ssh2
Mar 12 04:43:39 sshd[21791]: Failed password for invalid user mcserver from 5.101.0.51 port 57443 ssh2
Mar 12 04:45:59 sshd[21809]: Failed password for invalid user teamspeak from 212.15.99.53 port 50510 ssh2
……

212.15.99.53 has been hammering away since three o'clock this morning, trying one username/password combination after another against this host almost without pause.

As the log lines show, every Failed record ends with the same three tokens, `port <port number> ssh2`, which makes it very easy to pull out the intruder's IP: it is always the fourth field from the end of the line, whether the line reads `invalid user teamspeak` or `root`. A short awk program lists the source IP of every failed login:

#cat /var/log/secure | awk '/Failed/{print $(NF-3)}'

Pipe the extracted IPs through sort so that all attempts from the same IP land on adjacent lines, and write the result to ip1.tmp:

#cat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort > ip1.tmp

uniq -c collapses adjacent duplicate lines in ip1.tmp and prefixes each surviving line with its count. I used awk to reformat that into `IP<TAB>tried times: <count>` and wrote the result to ip2.tmp:

#cat ip1.tmp | uniq -c | awk '{print $2 "\t" "tried times: "$1;}' > ip2.tmp

One more sort, numeric (-n) and descending (-r) on the second colon-separated field (-t: -k 2), i.e. the count after "tried times:", orders the IPs from most to fewest failed attempts. The result goes to hacker.iplist:

#sort -nrk 2 -t: ip2.tmp > hacker.iplist

Splitting on ":" works here because every address in this log is IPv4; an IPv6 address contains colons of its own and would throw this sort off.

Delete the two temporary files (this removes every .tmp file in the working directory, not just these two, so run it where only they exist):

#rm -f *.tmp

Now for the statistics on illegitimate SSH access collected in hacker.iplist.

Data point 1: how many IPs tried, and failed, to log in to this machine over SSH? 70.

#cat hacker.iplist | wc -l
70

Data point 2: the top 10 by number of attempts. 114.32.120.181 alone tried more than 1400 times!

#head hacker.iplist
114.32.120.181 tried times: 1462
218.65.30.53 tried times: 840
145.249.106.78 tried times: 424
5.135.167.146 tried times: 308
212.15.99.53 tried times: 49
173.249.15.111 tried times: 45
103.99.0.205 tried times: 30
5.188.10.156 tried times: 24
188.166.218.235 tried…
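The five commands above collapsed into one shell function that reads a log in the format shown and prints the same `IP<TAB>tried times: N` list, most attempts first. This is an added example, not the original post's commands. The log lines are constructed for the example from the formats shown above; the lines carrying a hostname after the timestamp (what most distributions write in /var/log/secure) and the single IPv6 source are added to show that counting fields from the end of the line still works with an extra leading field, and that sorting the raw `uniq -c` output on its count column sidesteps the colon problem of `sort -t:`.

```shell
#!/bin/sh
# Added example (not from the original post): the post's pipeline as one function.
# Reads an sshd log in the format shown above and prints "IP<TAB>tried times: N",
# most attempts first, plus a count of distinct source addresses.

# Constructed sample log for the example. Two things beyond what the post shows:
# lines with a hostname field after the timestamp, and one IPv6 source, to check
# that the field arithmetic and the sort still hold.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mar 12 04:22:46 sshd[21607]: Failed password for invalid user 1 from 212.15.99.53 port 45244 ssh2
Mar 12 04:26:06 sshd[21637]: Failed password for invalid user 2 from 212.15.99.53 port 41958 ssh2
Mar 12 04:43:34 sshd[21788]: Failed password for root from 5.188.203.113 port 7002 ssh2
Mar 12 04:43:39 sshd[21791]: Failed password for invalid user mcserver from 5.101.0.51 port 57443 ssh2
Mar 12 04:45:59 sshd[21809]: Failed password for invalid user teamspeak from 212.15.99.53 port 50510 ssh2
Mar 12 04:46:02 myhost sshd[21812]: Failed password for root from 5.188.203.113 port 7010 ssh2
Mar 12 04:46:10 myhost sshd[21815]: Accepted publickey for admin from 10.0.0.5 port 50001 ssh2
Mar 12 04:46:20 myhost sshd[21818]: Failed password for root from 2001:db8::1 port 40000 ssh2
EOF

# failed_ip_counts LOGFILE
# Every "Failed password" line ends in "from <IP> port <N> ssh2", so the source
# address is always $(NF-3) whatever precedes it ("invalid user X", "root", or a
# hostname field after the timestamp). Matching "Failed password" rather than the
# post's bare "Failed" keeps other failure messages sshd may log out of the count.
# The descending sort runs on the raw "count IP" lines from uniq -c, where the
# count is field 1, so an address full of colons (IPv6) cannot disturb it the way
# it would with "sort -t:". Ties are broken by address so the output is stable.
failed_ip_counts() {
    awk '/Failed password/ { print $(NF-3) }' "$1" \
        | sort \
        | uniq -c \
        | sort -k1,1nr -k2,2 \
        | awk '{ print $2 "\ttried times: " $1 }'
}

# failed_ip_total LOGFILE -> number of distinct source addresses (the post's "data point 1")
failed_ip_total() {
    failed_ip_counts "$1" | wc -l | tr -d ' '
}

failed_ip_counts "$LOG"
echo "distinct sources: $(failed_ip_total "$LOG")"
```

On the sample log this prints 212.15.99.53 with 3 attempts, 5.188.203.113 with 2, then the two single-attempt addresses, and a total of 4 distinct sources; the Accepted line for 10.0.0.5 is never counted. Point the function at the real /var/log/secure (or /var/log/auth.log on Debian-family systems) to get the equivalent of hacker.iplist without the temporary files.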

2018-03-13