除root之外,是否还有其它特权用户(uid 为0)。正常情况下不能再有其它特权用户
[root@Practice_Server ~]# awk -F: '$3==0{print $1}' /etc/passwd
root
可以远程登录的帐号信息
[root@Practice_Server ~]# awk '/\$1|\$6/{print $1}' /etc/shadow
root:$6$kNuIN5uRF9pC34Yr$tBDJV8PJRdCMAjVsdVX3fPqGox.W41E3pr5m/CWt208nzOWgk.HOf4/Euby99jIwgyK.regsRKU0L8raDubMO/::0:99999:7:::
/var/log/secure,这个日志文件记录了验证和授权方面的信息,只要涉及账号和密码的程序都会记录下来。
统计了下日志,发现登录失败的记录
[root@Practice_Server ~]# grep -o "Failed password" /var/log/secure|uniq -c
输出登录爆破的第一行和最后一行,确认爆破时间范围:
[root@Practice_Server ~]# grep "Failed password" /var/log/secure
Mar 31 17:27:01 Practice_Server sshd[7417]: Failed password for root from 192.168.110.178 port 57972 ssh2
Mar 31 17:27:19 Practice_Server sshd[7417]: Failed password for root from 192.168.110.178 port 57972 ssh2
Mar 31 17:28:50 Practice_Server sshd[7417]: Failed password for root from 192.168.110.178 port 57972 ssh2
[root@Practice_Server ~]# grep "Failed password" /var/log/secure|head -1
Mar 31 17:27:01 Practice_Server sshd[7417]: Failed password for root from 192.168.110.178 port 57972 ssh2
[root@Practice_Server ~]# grep "Failed password" /var/log/secure|tail -1
Mar 31 17:28:50 Practice_Server sshd[7417]: Failed password for root from 192.168.110.178 port 57972 ssh2
进一步定位有哪些IP在爆破?
grep "Failed password" /var/log/secure|grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|uniq -c | sort -nr
爆破用户名字典都有哪些?
grep "Failed password" /var/log/secure|perl -e 'while($_=<>){ /for(.*?) from/;print "$1\n";}'|uniq -c|sort -nr
这个需要有perl环境。安装perl支持
yum install perl
yum install cpan #perl需要的程序库,需要cpan的支持
登录成功的日期、用户名、IP:
[root@Practice_Server ~]# grep "Accepted " /var/log/secure|awk '{print $1,$2,$3,$9,$11}'
Mar 31 17:16:59 root 192.168.110.178
Mar 31 17:19:06 root 192.168.110.178
统计一下登录成功的IP有哪些
grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr| more
处理措施