Analyzing Linux Logs
There is a great deal of information stored in your Linux logs; the challenge is knowing how to extract it. There are a number of tools you can use, from command-line utilities to more advanced analytics tools that can search on specific fields, calculate summaries, generate charts, and much more.
In this section we show how to use some of these tools, and how a log management solution can automate and streamline the analysis so that you get to the answer faster.
Searching with Grep
One of the simplest ways to analyze logs is to perform a plain-text search with grep. grep is a command-line tool that searches for matching text in a file or in the output of other commands. It is included by default in most Linux distributions and is also available for Windows and Mac.
Simple Search
To perform a simple search, enter your search string followed by the file you want to search. Here we search the authentication log on an Ubuntu system for lines containing "user hoover":
$ grep "user hoover" /var/log/auth.log
Accepted password for hoover from 10.0.2.2 port 4792 ssh2
pam_unix(sshd:session): session opened for user hoover by (uid=0)
pam_unix(sshd:session): session closed for user hoover
A plain-text search is not always precise. For example, suppose you are looking for connections on port 4792: the string "4792" can just as easily appear inside a URL or some other numeric field. The lines below come from the authentication log and the Apache access log of an Ubuntu system, and both contain the digits:
$ grep "4792" /var/log/auth.log
Accepted password for hoover from 10.0.2.2 port 4792 ssh2
74.91.21.46 - - [31/Mar/2015:19:44:32 +0000] "GET /scripts/samples/search?q=4792HTTP/1.0" 404 545 "-" "-"
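The difference between a loose substring search and an anchored one, as an added example that is not part of the original page. The auth.log and Apache lines are constructed for the demonstration; the extra two lines with ports 47921 and 14792 show what a bare "4792" search sweeps up by accident.

```shell
# Added example, not from the original page. SAMPLE_LOGS is constructed:
# one genuine "port 4792" login, a URL that merely contains the digits,
# and two logins on ports that contain "4792" as a substring.
SAMPLE_LOGS='Accepted password for hoover from 10.0.2.2 port 4792 ssh2
74.91.21.46 - - [31/Mar/2015:19:44:32 +0000] "GET /scripts/samples/search?q=4792 HTTP/1.0" 404 545 "-" "-"
Accepted publickey for hoover from 10.0.2.2 port 47921 ssh2
Accepted password for hoover from 10.0.2.2 port 14792 ssh2'

# Plain substring search, as on the page: counts every line containing the digits.
loose_matches() {
    printf '%s\n' "$SAMPLE_LOGS" | grep -c '4792'
}

# Anchored search: the literal word "port", then the number as a complete token.
# The trailing ( |$) alternation does the job of \b without relying on that
# GNU extension, so it works with BSD grep as well.
exact_port_matches() {
    port=$1
    printf '%s\n' "$SAMPLE_LOGS" | grep -E "port ${port}( |\$)"
}
```

loose_matches returns 4 on this input, while exact_port_matches 4792 returns only the genuine login line. The same anchoring idea applies to any numeric field: name the field in the pattern and bound the number on both sides.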
Surrounding Text
Another useful trick is that grep can return the lines surrounding a match: the -B flag prints a number of lines before each match and the -A flag prints lines after it. In the example below we see that someone tried to log in as admin and, in the lines just before, that the reverse DNS lookup of their IP address failed, so the host may not have a valid domain name. Together these are a good reason to look more closely.
$ grep -B 3 -A 2 'Invalid user' /var/log/auth.log
Apr 28 17:06:20 ip-172-31-11-241 sshd[12545]: reverse mapping checking getaddrinfo for 216-19-2-8.commspeed.net [216.19.2.8] failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 28 17:06:20 ip-172-31-11-241 sshd[12545]: Received disconnect from 216.19.2.8: 11: Bye Bye [preauth]
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: Invalid user admin from 216.19.2.8
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: input_userauth_request: invalid user admin [preauth]
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: Received disconnect from 216.19.2.8: 11: Bye Bye [preauth]
Tail
You can also combine tail with grep to print the last few lines of a file, or to follow the log and print matching lines as they arrive. This is useful when you are making interactive changes, such as starting a server or testing a code change. If you pipe grep's output into yet another command, add --line-buffered, otherwise grep holds matches in its output buffer and you do not see them in real time.
$ tail -f /var/log/auth.log | grep 'Invalid user'
Apr 30 19:49:48 ip-172-31-11-241 sshd[6512]: Invalid user ubnt from 219.140.64.136
Apr 30 19:49:49 ip-172-31-11-241 sshd[6514]: Invalid user admin from 219.140.64.136
A full introduction to grep and regular expressions is beyond the scope of this guide; Ryan's Tutorials cover them in more depth.
Log management systems offer higher performance and more powerful search. They typically index their data and parallelize queries, so you can search gigabytes or terabytes of logs in seconds, whereas grep can take minutes in extreme cases. They also use query languages such as Lucene, which provide an easier syntax for searching on numbers, fields, and more.
Parsing with Cut, AWK, and Grok
Command Line Tools
Linux offers several command-line tools for parsing and analyzing text. They are great for quickly parsing a small amount of data, but can take a long time on large volumes.
Cut
The cut command extracts fields from delimited logs. Delimiters are characters such as equals signs or commas that separate fields or key-value pairs.
Suppose we want to parse the user from this log line:
pam_unix(su:auth): authentication failure; logname=hoover uid=1000 euid=0 tty=/dev/pts/0 ruser=hoover rhost=  user=root
We can use cut to take the eighth field when the line is split on "=", that is, the text after the seventh equals sign. This example is from an Ubuntu system. Note that a positional cut like this is only right when every matching line carries the same sequence of key=value pairs; a line with a different number of pairs silently yields the wrong value.
$ grep "authentication failure" /var/log/auth.log | cut -d '=' -f 8
root
hoover
root
nagios
nagios
AWK
Alternatively, you can use awk, which offers more powerful features for extracting fields. It provides a scripting language, so you can filter out nearly everything that is not relevant.
For example, suppose we have the following log line from an Ubuntu system and want to extract the name of the user who failed to log in:
Mar 24 08:28:18 ip-172-31-11-241 sshd[32701]: input_userauth_request: invalid user guest [preauth]
Here is how to do it with awk. First, the regular expression /sshd.*invalid user/ selects the sshd invalid-user lines. Then { print $9 } prints the ninth field, using the default whitespace delimiter, which is the user name:
$ awk '/sshd.*invalid user/ { print $9 }' /var/log/auth.log
guest
admin
info
test
ubnt
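The positional cut and awk extractions above both depend on the line layout staying fixed. The following added example (not from the original page) puts each of them next to a layout-independent version and runs all four over a handful of constructed auth.log lines, including a pam_unix line without a user= pair and an "Invalid user ... from" line in the newer OpenSSH wording that has no input_userauth_request companion.

```shell
# Added example, not from the original page. SAMPLE_AUTH_LOG is constructed
# to resemble Ubuntu auth.log entries; the user names and hosts are made up.
SAMPLE_AUTH_LOG='Mar 24 08:28:18 ip-172-31-11-241 sshd[32701]: input_userauth_request: invalid user guest [preauth]
Apr 28 17:06:20 ip-172-31-11-241 sshd[12547]: Invalid user admin from 216.19.2.8 port 4792
Apr 28 17:06:21 ip-172-31-11-241 sshd[12547]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=216.19.2.8
Apr 28 17:07:02 hoover-VirtualBox su[5026]: pam_unix(su:auth): authentication failure; logname=hoover uid=1000 euid=0 tty=/dev/pts/0 ruser=hoover rhost=  user=root'

# Positional cut, as on the page. The sshd pam_unix line has only six "=" signs
# and no user= pair at all, so field 8 comes out as an empty line for it.
users_by_position() {
    grep 'authentication failure' | cut -d '=' -f 8
}

# Key-based extraction: find the user=... token wherever it sits. The leading
# (^| ) keeps "ruser=hoover" from matching; lines without user= print nothing.
users_by_key() {
    grep 'authentication failure' | grep -oE '(^| )user=[^ ]*' | cut -d '=' -f 2
}

# Positional awk, as on the page. $9 is the user only in the
# input_userauth_request layout; the case-sensitive pattern skips the
# "Invalid user admin from" line, where the user is $8.
invalid_users_positional() {
    awk '/sshd.*invalid user/ { print $9 }'
}

# Layout-independent awk: accept either spelling, then print whatever field
# follows the literal token "user" instead of trusting a fixed column.
invalid_users_by_token() {
    awk '/sshd.*[Ii]nvalid user/ {
        for (i = 1; i < NF; i++) if ($i == "user") { print $(i + 1); break }
    }'
}
```

Each function reads the log on standard input, e.g. printf '%s\n' "$SAMPLE_AUTH_LOG" | invalid_users_by_token, which prints guest and admin; the positional version prints only guest. Prefer the token-based forms whenever the log format has changed across versions or the input mixes several programs.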
You can read more about parsing fields with awk in the Awk User's Guide.
Log Management Systems
Log management systems make parsing easier and let you analyze large numbers of log files quickly. They automatically parse standard formats such as common Linux logs and web server logs, which saves time because you do not have to write your own parsing logic while troubleshooting a system problem.
Here, for example, is an sshd log message with each of its fields parsed out, as displayed in Loggly, a cloud-based log management service.

You can also write custom parsing for non-standard formats. A common tool is Grok, which uses a library of named regular-expression patterns to parse raw text into structured JSON. Here is an example Grok configuration for parsing kernel log files inside Logstash:
filter {
  grok {
    match => { "message" => "%{CISCOTIMESTAMP:timestamp} %{HOST:host} %{WORD:program}%{NOTSPACE} %{NOTSPACE}%{NUMBER:duration}%{NOTSPACE} %{GREEDYDATA:kernel_logs}" }
  }
}
And here is what the parsed output from Grok looks like:

Filtering and Searching with Rsyslog and AWK
Filtering lets you search on a specific field value instead of doing a full-text search. This makes your analysis more accurate, because it ignores unwanted matches from other parts of the log message. To search on a field value you need to parse your logs first, or at least have a way to search based on the event structure.
How to Filter on One App
Typically you want to see only the logs from one application. That is easy if the application always logs to a single file; it is more complicated if you need to pick one application out of many in an aggregated or centralized log. Here are several ways to do it:
1. Use the rsyslog daemon to parse and filter logs. This example writes logs from the sshd program to a file named sshd-messages and then discards the event so it is not repeated elsewhere. You can try it by adding it to your rsyslog.conf. Put it before the general rules that write to auth.log or syslog, because rules are evaluated in order; on rsyslog 7 and later, "& stop" is the preferred spelling of the deprecated "&~".
:programname, isequal, "sshd" /var/log/sshd-messages
&~
2. Use a command-line tool such as awk to extract the values of a particular field, for example the sshd user name. This example is from an Ubuntu system.
$ awk '/sshd.*invalid user/ { print $9 }' /var/log/auth.log
guest
admin
info
test
ubnt
3. Use a log management system that automatically parses your logs, then click to filter on the desired application name. Loggly, for example, displays the syslog fields and lets you filter on the appName sshd.

How to Filter on Errors
One of the most common things people want to find in their logs is errors. Unfortunately, the default syslog configuration does not write the severity of a message to the log file, which makes errors hard to filter on.
There are two ways to solve this. First, you can change your rsyslog configuration to include the severity in the log file, which makes it easier to read and search. In your rsyslog configuration, define a template that uses the pri-text property and make it the default for file outputs (the template name below is arbitrary):
$template WithPriority,"<%pri-text%> : %timegenerated%,%HOSTNAME%,%syslogtag%,%msg%\n"
$ActionFileDefaultTemplate WithPriority
This gives output in the following format. You can see that the severity of this message is err, which is exactly what we want to filter on:
<authpriv.err> : Mar 11 18:18:00,hoover-VirtualBox,su[5026]:, pam_authenticate: Authentication failure
You can then use awk or grep to pull out just the error messages. In this Ubuntu example we include some of the surrounding characters, the . and the >, so that only the severity field can match:
$ grep '.err>' /var/log/auth.log
<authpriv.err> : Mar 11 18:18:00,hoover-VirtualBox,su[5026]:, pam_authenticate: Authentication failure
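grep '.err>' finds exactly one severity, so crit, alert and emerg messages, which are more serious, slip past it. The following added example (not from the original page) generalizes the check to "everything at or above a given severity" using the standard syslog ordering, parsing the <facility.severity> prefix that the pri-text template writes. The log lines are constructed for the demonstration.

```shell
# Added example, not from the original page. SAMPLE_PRI_LOG is constructed
# in the pri-text template format shown above; hosts, PIDs and messages are made up.
SAMPLE_PRI_LOG='<authpriv.err> : Mar 11 18:18:00,hoover-VirtualBox,su[5026]:, pam_authenticate: Authentication failure
<authpriv.info> : Mar 11 18:18:05,hoover-VirtualBox,sshd[5030]:, Accepted password for hoover from 10.0.2.2 port 4792 ssh2
<kern.crit> : Mar 11 18:19:00,hoover-VirtualBox,kernel:, Out of memory: Kill process 5100 (java)
<daemon.warning> : Mar 11 18:19:30,hoover-VirtualBox,cron[5200]:, (CRON) info (No MTA installed, discarding output)
<auth.err> : Mar 11 18:20:00,hoover-VirtualBox,sshd[5300]:, error: maximum authentication attempts exceeded for root from 216.19.2.8 port 55000 ssh2 [preauth]'

# Print every line whose severity is at least as severe as $1.
# Severity order follows syslog: emerg(0) alert crit err warning notice info debug(7);
# lower rank means more severe, so we keep rank[sev] <= rank[min].
at_least_severity() {
    awk -v min="$1" '
        BEGIN {
            split("emerg alert crit err warning notice info debug", names, " ")
            for (i = 1; i <= 8; i++) rank[names[i]] = i
            if (!(min in rank)) { print "unknown severity: " min > "/dev/stderr"; exit 2 }
        }
        # $1 is "<facility.severity>"; take the word between the dot and the ">".
        match($1, /\.[a-z]+>$/) {
            sev = substr($1, RSTART + 1, RLENGTH - 2)
            if (sev in rank && rank[sev] <= rank[min]) print
        }'
}

# Number of lines at or above a severity, handy as a one-number health check.
count_at_least() {
    at_least_severity "$1" | grep -c ''
}
```

printf '%s\n' "$SAMPLE_PRI_LOG" | at_least_severity err returns the two err lines and the kern.crit line, which the page's grep would have missed; at_least_severity crit returns only the kernel line. Because the severity word is taken from the first field only, free text later in the message (such as the "info" inside the cron line) cannot cause a false match.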
Your second option is to use a log management solution that parses the syslog fields by default, so no configuration change is needed. In Loggly, for example, severity is a parsed syslog field, and you can filter on Error to see only the error messages.