This article explains how to analyse the /var/log/secure log file: locating the IP addresses brute-forcing the host, the username dictionary the attacker is using, the IPs that logged in successfully, users that were added or deleted, and the su and sudo log entries. These techniques are useful for incident response and forensic work.
/var/log/secure log analysis
- How many IPs are brute-forcing the host's root account?
grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more
($11 is the IP column only on "Failed password for root from IP" lines; "Failed password for invalid user NAME from IP" lines have two extra fields, so the IP moves to $13.)
- Which IPs are brute-forcing?
grep "Failed password" /var/log/secure | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq -c | sort -nr
(The dots in the pattern must be escaped as \. and the output must be sorted before uniq -c, otherwise uniq only merges adjacent duplicates and the counts are wrong.)
- What username dictionary is the brute-force using?
grep "Failed password" /var/log/secure | perl -ne 'print "$1\n" if /for (.*?) from/' | sort | uniq -c | sort -nr
- Which IPs logged in successfully?
grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more
- Date, username and IP of successful logins
grep "Accepted " /var/log/secure | awk '{print $1,$2,$3,$9,$11}'
- Which users were added?
grep "useradd" /var/log/secure
- Which users were deleted?
grep "userdel" /var/log/secure
- Log entries for switching users with su
Jul 10 00:38:13 localhost su: pam_unix(su-l:session): session opened for user good by root(uid=0)
- Log entries for commands executed through sudo
sudo -l
Jul 10 00:43:09 localhost sudo: good : TTY=pts/4 ; PWD=/home/good ; USER=root ; COMMAND=/sbin/shutdown -r now
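The one-liners above each answer a single question and rely on fixed column numbers. The script below is an added example (not part of the original post) that runs the same grep/awk/sort triage over a constructed /var/log/secure excerpt, so it works offline; the IP addresses, user names, timestamps and the function names (read_log, failed_ips, failed_users, accepted_logins, suspicious_ips, priv_events) are all my own. It locates the IP field by the "from" keyword instead of a fixed $11, so lines for non-existent users ("Failed password for invalid user NAME from IP") are counted correctly, and it adds one check the one-liners do not give: which IPs failed repeatedly and then logged in.

```shell
#!/bin/sh
# Added example, not from the original post: /var/log/secure triage over a
# constructed sample. Every IP, user name and timestamp below is made up.
# To run it on a real host, change read_log to "cat /var/log/secure"
# (reading that file needs root or sudo).

SAMPLE_LOG='Jul 10 00:38:01 localhost sshd[2001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jul 10 00:38:02 localhost sshd[2002]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jul 10 00:38:03 localhost sshd[2003]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Jul 10 00:38:04 localhost sshd[2004]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jul 10 00:38:05 localhost sshd[2005]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jul 10 00:38:06 localhost sshd[2006]: Accepted password for good from 192.0.2.10 port 50000 ssh2
Jul 10 00:38:07 localhost sshd[2007]: Accepted publickey for root from 203.0.113.5 port 51237 ssh2
Jul 10 00:38:13 localhost su: pam_unix(su-l:session): session opened for user good by root(uid=0)
Jul 10 00:43:09 localhost sudo: good : TTY=pts/4 ; PWD=/home/good ; USER=root ; COMMAND=/sbin/shutdown -r now'

# Log source (constructed sample); swap the body for "cat /var/log/secure" on a real system.
read_log() {
    printf '%s\n' "$SAMPLE_LOG"
}

# Source IPs with failed password attempts, most frequent first, as "count ip".
# The IP is the field after "from" rather than a fixed $11, because
# "Failed password for invalid user NAME from IP" shifts the columns by two.
failed_ips() {
    read_log | grep 'Failed password' \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -nr | awk '{ print $1, $2 }'
}

# User names tried, most frequent first, as "count user". On "invalid user NAME"
# lines the name is three fields after "for", otherwise one field after it.
failed_users() {
    read_log | grep 'Failed password' \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "for") {
                   u = $(i + 1); if (u == "invalid") u = $(i + 3); print u } }' \
      | sort | uniq -c | sort -nr | awk '{ print $1, $2 }'
}

# Successful logins as "month day time user ip" (password and publickey alike).
accepted_logins() {
    read_log | grep 'Accepted ' \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $1, $2, $3, $(i - 1), $(i + 1) }'
}

# IPs present in both the failed and the accepted set: a brute-force that got in.
suspicious_ips() {
    { failed_ips | awk '{ print "F", $2 }'
      accepted_logins | awk '{ print "A", $5 }'; } \
      | awk '$1 == "F" { seen[$2] = 1 } $1 == "A" && seen[$2] { print $2 }' | sort -u
}

# su and sudo activity, listed as-is for manual review.
priv_events() {
    read_log | grep -E ' su: | sudo: '
}

echo '== failed logins by source IP =='; failed_ips
echo '== user names tried =='; failed_users
echo '== successful logins =='; accepted_logins
echo '== IPs that brute-forced and then logged in =='; suspicious_ips
echo '== su / sudo events =='; priv_events
```

On the sample, suspicious_ips reports 203.0.113.5: it produced three failures against root and then an accepted publickey login for root, which is exactly the pattern worth escalating first during an incident. The grep/awk pipeline is the same as in the one-liners, so each function can be pasted back into a shell against the real file without changes.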