入侵檢測
查看日志
系統日志/var/log/messages
- 記錄服務啟動,服務停止,身份切換,系統運行狀態資訊,網路錯誤,IO錯誤等等
- 動態查看
[root@server5 ~]# tail -f /var/log/messages
Dec 15 11:53:07 server1 avahi-daemon[732]: Withdrawing address record for fd15:4ba5:5a2b:1008:4da0:9d6a:40a1:1e34 on ens33.
Dec 15 11:53:07 server1 avahi-daemon[732]: Registering new address record for fe80::d88e:564d:cf7b:13ef on ens33.*.
Dec 15 11:53:07 server1 NetworkManager[800]: <info> [1639540387.4543] device (ens33): ipv6: duplicate address check failed for the fd15:4ba5:5a2b:1008:4da0:9d6a:40a1:1e34/64 lft 86400sec pref 14400sec lifetime 276-276[14400,86400] dev 2 flags noprefixroute,tentative src kernel address
Dec 15 11:53:07 server1 avahi-daemon[732]: Registering new address record for fd15:4ba5:5a2b:1008:b574:ef81:d29e:3c75 on ens33.*.
Dec 15 11:53:07 server1 avahi-daemon[732]: Withdrawing address record for fe80::d88e:564d:cf7b:13ef on ens33.
Dec 15 11:53:31 server1 systemd-logind: New session 3 of user root.
Dec 15 11:53:31 server1 systemd: Started Session 3 of user root.
Dec 15 11:54:15 server1 journal: shell-extensions did not set error for gs_plugin_refresh
Dec 15 11:55:16 server1 chronyd[763]: Selected source 202.118.1.130
Dec 15 11:56:21 server1 chronyd[763]: Source 162.159.200.123 replaced with 119.28.206.193
安全日志/var/log/secure
- 記錄了安全資訊,系統登錄,網路連接等資訊
- 查看遠程登錄失敗日志
[root@server5 ~]# cat /var/log/secure |grep Failed
Dec 15 12:14:51 server1 sshd[4917]: Failed password for root from 192.168.139.10 port 43456 ssh2
Dec 15 12:14:59 server1 sshd[4917]: Failed password for root from 192.168.139.10 port 43456 ssh2
- 查看遠程登錄成功日志
[root@server5 ~]# cat /var/log/secure |grep Accepted
Dec 15 13:38:18 server5 sshd[47938]: Accepted password for root from 192.168.139.10 port 43458 ssh2
- 統計次數
[root@server5 ~]# grep -i Accepted /var/log/secure |awk '{print $(NF-3)}' |sort |uniq -c
3 192.168.139.10
1 192.168.139.20
# 確保統計不出錯
[root@server5 ~]# grep -i Accepted /var/log/secure |awk '{print $(NF-3)}' |grep '^[0-9]' |sort |uniq -c |sort -rn
3 192.168.139.10
1 192.168.139.20
last用戶登錄資訊
- last
[root@server5 ~]# last
zhangsan pts/2 192.168.139.10 Wed Dec 15 13:52 still logged in
root pts/2 192.168.139.20 Wed Dec 15 13:44 - 13:44 (00:00)
root pts/2 192.168.139.10 Wed Dec 15 13:41 - 13:41 (00:00)
root pts/2 192.168.139.10 Wed Dec 15 13:40 - 13:40 (00:00)
root pts/2 192.168.139.10 Wed Dec 15 13:38 - 13:38 (00:00)
- 踢除用戶
[root@server5 ~]# w
13:54:03 up 2:05, 4 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root :0 :0 一16 ?xdm? 1:43 0.52s /usr/libexec/gnome-session-binary --session gnome-cla
root pts/0 :0 一16 19:47 0.17s 0.07s bash
root pts/1 192.168.139.1 11:53 3.00s 0.14s 0.00s w
zhangsan pts/2 192.168.139.10 13:52 1:09 0.01s 0.01s -bash
[root@server5 ~]# pkill -t pts/2
[zhangsan@server5 ~]$ Connection to 192.168.139.50 closed by remote host.
Connection to 192.168.139.50 closed.
[root@server5 ~]# cat /var/log/messages|grep zhangsan
Dec 15 13:52:54 server5 systemd: Created slice User Slice of zhangsan.
Dec 15 13:52:54 server5 systemd: Started Session 23 of user zhangsan.
Dec 15 13:52:54 server5 systemd-logind: New session 23 of user zhangsan.
Dec 15 13:58:49 server5 systemd: Removed slice User Slice of zhangsan.
- 查看最后5條
[root@server5 ~]# last -a -5
zhangsan pts/2 Wed Dec 15 13:52 - 13:58 (00:05) 192.168.139.10
root pts/2 Wed Dec 15 13:44 - 13:44 (00:00) 192.168.139.20
root pts/2 Wed Dec 15 13:41 - 13:41 (00:00) 192.168.139.10
root pts/2 Wed Dec 15 13:40 - 13:40 (00:00) 192.168.139.10
root pts/2 Wed Dec 15 13:38 - 13:38 (00:00) 192.168.139.10
wtmp begins Sat Jul 24 17:36:07 2021
- 查看指定時間
查看2021-12-15 14:00:00之前的資訊
[root@server5 ~]# last -a -t 20211215140000
zhangsan pts/2 Wed Dec 15 13:52 - 13:58 (00:05) 192.168.139.10
root pts/2 Wed Dec 15 13:44 - 13:44 (00:00) 192.168.139.20
root pts/2 Wed Dec 15 13:41 - 13:41 (00:00) 192.168.139.10
root pts/2 Wed Dec 15 13:40 - 13:40 (00:00) 192.168.139.10
root pts/2 Wed Dec 15 13:38 - 13:38 (00:00) 192.168.139.10
root pts/2 Wed Dec 15 12:15 - 13:36 (01:21) 192.168.139.10
- 查看登錄系統的用戶的資訊
[root@server5 ~]# last -a -f /var/log/btmp
zhagsan ssh:notty Wed Dec 15 13:52 gone - no logout 192.168.139.10
btmp begins Wed Dec 15 13:52:46 2021
- 查看登錄日志
[root@server5 ~]# lastlog
用戶名 埠 來自 最后登陸時間
root pts/2 192.168.139.20 三 12月 15 13:44:35 +0800 2021
bin **從未登錄過**
daemon **從未登錄過**
nfsnobody **從未登錄過**
gdm :0 一 12月 13 16:50:55 +0800 2021
gnome-initial-setup **從未登錄過**
tcpdump **從未登錄過**
avahi **從未登錄過**
zhangsan pts/2 192.168.139.10 三 12月 15 13:52:54 +0800 2021
- 統計當前在線狀態
[root@server5 ~]# w
14:12:18 up 2:23, 3 users, load average: 0.12, 0.06, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root :0 :0 一16 ?xdm? 1:52 0.52s /usr/libexec/gnome-session-binary --session gnome-cla
root pts/0 :0 一16 38:02 0.17s 0.07s bash
root pts/1 192.168.139.1 11:53 2.00s 0.20s 0.00s w
- 踢除用戶
[root@server5 ~]# w
13:54:03 up 2:05, 4 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root :0 :0 一16 ?xdm? 1:43 0.52s /usr/libexec/gnome-session-binary --session gnome-cla
root pts/0 :0 一16 19:47 0.17s 0.07s bash
root pts/1 192.168.139.1 11:53 3.00s 0.14s 0.00s w
zhangsan pts/2 192.168.139.10 13:52 1:09 0.01s 0.01s -bash
[root@server5 ~]# pkill -t pts/2
[zhangsan@server5 ~]$ Connection to 192.168.139.50 closed by remote host.
Connection to 192.168.139.50 closed.
[root@server5 ~]# cat /var/log/messages|grep zhangsan
Dec 15 13:52:54 server5 systemd: Created slice User Slice of zhangsan.
Dec 15 13:52:54 server5 systemd: Started Session 23 of user zhangsan.
Dec 15 13:52:54 server5 systemd-logind: New session 23 of user zhangsan.
Dec 15 13:58:49 server5 systemd: Removed slice User Slice of zhangsan.
計劃任務
- 注意查看是否被惡意改動
[root@server5 ~]# crontab -l
* * * * * echo hello >> /root/1.txt
[root@server5 ~]# cat /var/spool/cron/root
* * * * * echo hello >> /root/1.txt
查看計劃任務日志
[root@server5 ~]# tail -5 /var/log/cron
Dec 15 14:01:01 server5 CROND[48405]: (root) CMD (run-parts /etc/cron.hourly)
Dec 15 14:01:01 server5 run-parts(/etc/cron.hourly)[48405]: starting 0anacron
Dec 15 14:01:01 server5 run-parts(/etc/cron.hourly)[48414]: finished 0anacron
Dec 15 14:10:01 server5 CROND[48511]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Dec 15 14:14:53 server5 crontab[48557]: (root) LIST (root)
防止日志被惡意洗掉
- chattr +a 只能追加
[root@server5 ~]# chattr +a /var/log/secure
[root@server5 ~]# lsattr /var/log/secure
-----a---------- /var/log/secure
查看啟動時默認加載檔案
-
注意查看是否被惡意改動
-
/etc/rc.local
[root@server5 ~]# cat /etc/rc.local
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.
touch /var/lock/subsys/local
查看例外流量
iftop動態查看網卡介面流量
[root@server1 ~]# yum install -y epel-release.noarch
[root@server1 ~]# yum install -y iftop
[root@server1 ~]# iftop -i ens33
interface: ens33
IP address is: 192.168.139.10
MAC address is: 00:0c:29:17:9d:b3
# 鍵入q退出
流量監控
- 常用監控軟體zabbix,Prometheus等
資料包抓取
- 常用抓包工具:wireshark,tcpdump,sniffer
- 這里重點介紹tcpdump(不需要圖形化界面,常用于生產環境抓包,但抓取的包不便于分析,常將tcpdump抓取的包匯入到wireshark中分析)
- tcpdump安裝
[root@server1 ~]# yum install -y tcpdump.x86_64
- 幫助資訊
[root@server1 ~]# tcpdump --help
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips 26 Jan 2017
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
[ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
[ -Q|-P in|out|inout ]
[ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
[ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
[ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
[ -Z user ] [ expression ]
[root@server1 ~]# man tcpdump
- 常用選項匯總
| 選項 | 說明 | 用法 |
|---|---|---|
| -i | 指定網路介面 | -i any 所有網卡介面 |
| -nn | 直接以IP和埠號顯示 | |
| -v | 輸出詳細資訊 | -nnv 可連用 |
| -c | 指定抓包數 | -c 100 |
| -w | 指定保存檔案 | -w file1.tcpdump |
| -r | 指定讀取檔案 | -r file1.tcpdump |
| port | 指定埠 | port 22 |
| net | 指定網段 | net 192.168.139.0/24 |
| host | 指定主機 | host 192.168.139.10 |
| 指定協議 | arp | icmp | udp | tcp | ip | vrrp | |
| and|or|not | 指定邏輯關系 | host 192.168.139.10 and port 22 |
| tcp[13] | 指定TCP的標志位 | tcp[13]==18 |
- 抓取指定數量的包
[root@server1 ~]# tcpdump -i ens33 -nnv -c 3
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
01:31:59.425640 IP (tos 0x10, ttl 64, id 20374, offset 0, flags [DF], proto TCP (6), length 164)
192.168.139.10.22 > 192.168.139.1.50180: Flags [P.], cksum 0x97f3 (incorrect -> 0xa671), seq 2409031745:2409031869, ack 3240402273, win 257, length 124
01:31:59.426051 IP (tos 0x10, ttl 64, id 20375, offset 0, flags [DF], proto TCP (6), length 332)
192.168.139.10.22 > 192.168.139.1.50180: Flags [P.], cksum 0x989b (incorrect -> 0xd4ee), seq 124:416, ack 1, win 257, length 292
01:31:59.426336 IP (tos 0x0, ttl 128, id 20424, offset 0, flags [DF], proto TCP (6), length 40)
192.168.139.1.50180 > 192.168.139.10.22: Flags [.], cksum 0x6c54 (correct), ack 416, win 4106, length 0
3 packets captured
3 packets received by filter
0 packets dropped by kernel
- 保存抓取的包
保存
[root@server1 ~]# tcpdump -i ens33 -nnv -w ./file1.tcpdump
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C105 packets captured
109 packets received by filter
0 packets dropped by kernel
讀取檔案(建議匯出到wireshark中)
[root@server1 ~]# tcpdump -i ens33 -nnv -r ./file1.tcpdump
- 抓取指定埠資料包
[root@server1 ~]# tcpdump -i ens33 -nnv port 22
- 抓取指定網段的包
[root@server1 ~]# tcpdump -i ens33 -nnv net 192.168.139.0/24
- 抓取指定主機的包
[root@server1 ~]# tcpdump -i ens33 -nnv host 192.168.139.50
- 指定協議
[root@server1 ~]# tcpdump -i ens33 -nnv arp
- 多條件(and|or|not)
[root@server1 ~]# tcpdump -i ens33 -nnv host 192.168.139.50 and port 22
[root@server1 ~]# tcpdump -i ens33 -nnv port 22 or 80
[root@server1 ~]# tcpdump -i ens33 -nnv not port 22
括號需要進行轉義
[root@server1 ~]# tcpdump -i ens33 -nnv host 192.168.139.50 and \( port 22 or 80\)
- 按照TCP的標志位來抓包
僅抓取SYN=1的包
|C|E|U|A|P|R|S|F|
|--------------- |
|0 0 0 0 0 0 1 0 |
|--------------- |
|7 6 5 4 3 2 1 0|
tcp[13] == 2^1
[root@server1 ~]# tcpdump -i ens33 -nnv tcp[13]==2
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
02:27:09.131125 IP (tos 0x0, ttl 64, id 3847, offset 0, flags [DF], proto TCP (6), length 60)
192.168.139.50.54412 > 192.168.139.10.22: Flags [S], cksum 0x4710 (correct), seq 2439561938, win 29200, options [mss 1460,sackOK,TS val 10407381 ecr 0,nop,wscale 7], length 0
抓取SYN=1且Ack=1的包
|C|E|U|A|P|R|S|F|
|--------------- |
|0 0 0 1 0 0 1 0 |
|--------------- |
|7 6 5 4 3 2 1 0|
tcp[13] == 2^1 + 2^4 = 18
[root@server1 ~]# tcpdump -i ens33 -nnv tcp[13]==18
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
02:30:17.991000 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.139.10.22 > 192.168.139.50.54414: Flags [S.], cksum 0x97bc (incorrect -> 0x8e2a), seq 1084900368, ack 3292405268, win 28960, options [mss 1460,sackOK,TS val 26330013 ecr 10596245,nop,wscale 7], length 0
查看可疑行程
PS
[root@server1 ~]# ps
PID TTY TIME CMD
1732 pts/1 00:00:00 bash
2104 pts/1 00:00:00 ps
[root@server1 ~]# pstree
systemd─┬─NetworkManager───2*[{NetworkManager}]
├─atd
├─auditd───{auditd}
├─crond
├─dbus-daemon
├─irqbalance
├─login───bash
├─lvmetad
├─master─┬─pickup
│ └─qmgr
├─polkitd───6*[{polkitd}]
├─rsyslogd───2*[{rsyslogd}]
├─sshd─┬─sshd───bash───pstree
│ └─sshd───bash
├─systemd-journal
├─systemd-logind
├─systemd-udevd
└─tuned───4*[{tuned}]
[root@server1 ~]# pstree -p
systemd(1)─┬─NetworkManager(672)─┬─{NetworkManager}(685)
│ └─{NetworkManager}(688)
├─atd(677)
├─auditd(640)───{auditd}(641)
├─crond(675)
├─dbus-daemon(664)
├─irqbalance(669)
├─login(679)───bash(1398)
├─lvmetad(514)
├─master(1096)─┬─pickup(1969)
│ └─qmgr(1106)
├─polkitd(671)─┬─{polkitd}(682)
│ ├─{polkitd}(683)
│ ├─{polkitd}(684)
│ ├─{polkitd}(686)
│ ├─{polkitd}(692)
│ └─{polkitd}(700)
├─rsyslogd(898)─┬─{rsyslogd}(912)
│ └─{rsyslogd}(921)
├─sshd(895)─┬─sshd(1730)───bash(1732)───pstree(2107)
│ └─sshd(1986)───bash(1988)
├─systemd-journal(495)
├─systemd-logind(668)
├─systemd-udevd(520)
└─tuned(897)─┬─{tuned}(1303)
├─{tuned}(1304)
├─{tuned}(1306)
└─{tuned}(1308)
top
[root@server1 ~]# top
top - 02:37:54 up 7:31, 3 users, load average: 0.00, 0.01, 0.05
Tasks: 109 total, 1 running, 108 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.0 us, 0.0 sy, 0.0 ni,100.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 1863016 total, 1313968 free, 139552 used, 409496 buff/cache
KiB Swap: 2097148 total, 2097148 free, 0 used. 1568588 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1 root 20 0 125396 3864 2580 S 0.0 0.2 0:02.82 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.04 kthreadd
4 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:0H
6 root 20 0 0 0 0 S 0.0 0.0 0:00.60 ksoftirqd/0
7 root rt 0 0 0 0 S 0.0 0.0 0:00.11 migration/0
netstat | ss
[root@server1 ~]# ss -tnalp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:* users:(("sshd",pid=895,fd=3))
LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=1096,fd=13))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=895,fd=4))
LISTEN 0 100 [::1]:25 [::]:* users:(("master",pid=1096,fd=14))
lsof
查看檔案正在被哪個行程使用
[root@server1 ~]# yum install -y lsof.x86_64
[root@server1 ~]# lsof /usr/sbin/vsftpd
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
vsftpd 2305 root txt REG 253,0 175440 34598 /usr/sbin/vsftpd
查看埠對應的行程
[root@server1 ~]# lsof -i:21
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
vsftpd 2305 root 4u IPv6 28498 0t0 TCP *:ftp (LISTEN)
[root@server1 ~]# lsof -i:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 2207 root 4u IPv6 28161 0t0 TCP *:http (LISTEN)
httpd 2209 apache 4u IPv6 28161 0t0 TCP *:http (LISTEN)
httpd 2210 apache 4u IPv6 28161 0t0 TCP *:http (LISTEN)
httpd 2211 apache 4u IPv6 28161 0t0 TCP *:http (LISTEN)
httpd 2212 apache 4u IPv6 28161 0t0 TCP *:http (LISTEN)
httpd 2213 apache 4u IPv6 28161 0t0 TCP *:http (LISTEN)
檔案完整性檢查
rpm -V 查看是否被修改
查看程式是否被改動過(改動過有輸出資訊)
[root@server1 ~]# rpm -V bash
[root@server1 ~]# rpm -V kernel
[root@server1 ~]# rpm -V vsftpd
S.5....T. c /etc/vsftpd/vsftpd.conf
查看檔案是否被改動過
[root@server1 ~]# rpm -Vf /etc/ssh/sshd_config
[root@server1 ~]# rpm -Vf /etc/vimrc
S.5....T. c /etc/vimrc
md5sum/sha1sum檢測
將/etc下的所有檔案的md5值保存
[root@server1 ~]# find /etc/ -type f -exec md5sum {} \; >/tmp/`date +%F%H%M`-md5.txt
[root@server1 ~]# ls /tmp
2021-12-170905-md5.txt
改動后,重新獲取md5值
[root@server1 ~]# useradd lisi
[root@server1 ~]# find /etc/ -type f -exec md5sum {} \; >/tmp/`date +%F%H%M`-md5.txt
[root@server1 ~]# ls /tmp
2021-12-170905-md5.txt 2021-12-170907-md5.txt
比對
[root@server1 ~]# diff /tmp/2021-12-170905-md5.txt /tmp/2021-12-170907-md5.txt
131,132c131,132
< 6f7bff7528a7070187413f81aabc4ec6 /etc/group
< 65c1ca34722f36e894242feab65ed5d9 /etc/gshadow
---
> 6d19d476fa4c7fbbd05a1a7953c0924e /etc/group
> 99dd21b5cf1c71a2e3f7f1cc0748ce85 /etc/gshadow
142c142
< ae3528ee5249fb2ddf53fc7e234878b7 /etc/passwd-
---
> 3cd3164769c7b752d66029dc55b73aa2 /etc/passwd-
144c144
< 64c95b17cdf5a238a0ebea457f5eb669 /etc/shadow-
---
> 3ace88c62868ca706d2c06a495ccf8a8 /etc/shadow-
164c164
< 3cd3164769c7b752d66029dc55b73aa2 /etc/passwd
---
> 17a763851849be93b48f8cce372eaec0 /etc/passwd
192c192
< 3ace88c62868ca706d2c06a495ccf8a8 /etc/shadow
---
> d88f5089fb906976e57a6b8593b18172 /etc/shadow
198c198
< 2400442adc077d0d6cb87e17f0235fb6 /etc/subgid
---
> e99230901b3bbc937cd8e272f78a5de7 /etc/subgid
200c200
< 2400442adc077d0d6cb87e17f0235fb6 /etc/subuid
---
> e99230901b3bbc937cd8e272f78a5de7 /etc/subuid
1647,1648c1647,1648
< 075a96365cd07c64136dd35d5a31f988 /etc/gshadow-
< 56b4e499638cda31f965a5379f93b6a9 /etc/group-
---
> 65c1ca34722f36e894242feab65ed5d9 /etc/gshadow-
> 6f7bff7528a7070187413f81aabc4ec6 /etc/group-
1745,1746c1745,1746
< d41d8cd98f00b204e9800998ecf8427e /etc/subuid-
< d41d8cd98f00b204e9800998ecf8427e /etc/subgid-
---
> 2400442adc077d0d6cb87e17f0235fb6 /etc/subuid-
> 2400442adc077d0d6cb87e17f0235fb6 /etc/subgid-
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/385491.html
標籤:其他