Centos系列入侵检测脚本

脚本用于打印出失败登录持续时间超过两分钟的源地址及其请求次数和时间范围，可据此判断是否将该地址加入 hosts.deny 文件中。

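#!/bin/bash
#
# chkconfig: - 90 10
# description:      Intrusion detection script
#                   System:     CentOS 6 x64
#                   Version:    1.0
#
# @name:            intruder_detect.sh
# @author:          brocade
# @created:         27.9.2015
# @Script Version:  v1.0
#
# Reads an sshd auth log and prints one table row per (user, source IP)
# pair whose "Failed password" attempts span more than WINDOW_SECS
# seconds, so the operator can decide whether to add the address to
# /etc/hosts.deny.
#
# Usage:   intruder_detect.sh [AUTHLOG]
#          AUTHLOG defaults to /var/log/auth.log
#          (CentOS 7: /var/log/secure, Ubuntu: /var/log/auth.log).
# Output:  a '|'-separated table on stdout; diagnostics on stderr.
# Notes:   - timestamps are taken from the first 15 columns of a line,
#            i.e. the classic syslog "Mon DD HH:MM:SS" prefix, and parsed
#            with GNU 'date -d'; lines whose prefix does not parse are
#            reported on stderr and skipped.
#          - user names come straight from the log, i.e. they were chosen
#            by the remote party.  They are only ever used as fixed
#            strings (grep -F --, printf %s), never as patterns.
#          - scratch files live in a private mktemp directory instead of
#            predictable /tmp/<pid> names and the current directory.
set -euo pipefail

# Source function library (kept from the original init-style header;
# nothing below depends on it, so a missing file is not fatal).
if [[ -r /etc/init.d/functions ]]; then
  # shellcheck disable=SC1091
  . /etc/init.d/functions
fi

# Span (seconds) between the first and last failed attempt of one
# user/IP pair above which the pair is reported.
readonly WINDOW_SECS=120

# Private scratch directory, created in main() and removed on exit.
WORKDIR=

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Remove the scratch directory; runs from the EXIT trap.
#######################################
cleanup() {
  if [[ -n "$WORKDIR" ]]; then
    rm -rf -- "$WORKDIR"
  fi
}

#######################################
# Convert a syslog timestamp prefix to epoch seconds.
# Arguments: $1 - "Mon DD HH:MM:SS" text
# Outputs:   epoch seconds on stdout
# Returns:   non-zero when the text is empty or date cannot parse it
#######################################
to_epoch() {
  [[ -n "$1" ]] || return 1
  # GNU date; the original script relied on 'date -d' as well.
  date -d "$1" '+%s' 2>/dev/null
}

#######################################
# Reverse-resolve an IPv4 address with 'host'.
# Arguments: $1 - dotted-quad address (digits and dots only, from the
#                 extraction regex below)
# Outputs:   last field of the first line 'host' prints, or "N/A" when
#            'host' is missing or prints nothing
#######################################
resolve_host() {
  local name=
  if command -v host >/dev/null 2>&1; then
    name=$(host "$1" 2>/dev/null | awk 'NR == 1 {print $NF}') || true
  fi
  printf '%s\n' "${name:-N/A}"
}

#######################################
# Entry point.
# Arguments: $1 - optional path of the auth log to analyse
# Globals:   WORKDIR (written), WINDOW_SECS (read)
# Outputs:   the report table on stdout
#######################################
main() {
  local authlog=${1:-/var/log/auth.log}
  if [[ -n "${1:-}" ]]; then
    printf 'Using Log file : %s\n' "$authlog"
  fi
  [[ -r "$authlog" ]] || die "cannot read log file: $authlog"

  WORKDIR=$(mktemp -d) || die "mktemp failed"
  trap cleanup EXIT

  local valid="$WORKDIR/valid.log"
  local pair="$WORKDIR/pair.log"

  # Lines about "invalid user" logins have a different field layout and
  # are dropped, as the original did.  grep -v exits 1 when nothing is
  # left, which is not an error here.
  grep -v 'invalid' -- "$authlog" > "$valid" || true

  # Distinct user names (field NF-5 of "Failed password for U from IP
  # port P ssh2") and distinct IPv4 addresses seen anywhere in the log.
  local -a users=() ips=()
  mapfile -t users < <(grep -F 'Failed password' -- "$valid" \
    | awk 'NF > 5 {print $(NF-5)}' | sort -u)
  mapfile -t ips < <(grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' -- "$valid" \
    | sort -u)

  # Column widths are shared by header and rows; 15 fits any IPv4 text.
  local fmt='%-5s|%-10s|%-10s|%-15s|%-33s|%s\n'
  # shellcheck disable=SC2059
  printf "$fmt" "Sr#" "User" "Attempts" "IP address" "Host_Mapping" "Time range"

  # Empty arrays are guarded explicitly: "${arr[@]}" on an empty array
  # trips 'set -u' on bash < 4.4 (CentOS 6/7).
  if (( ${#users[@]} == 0 || ${#ips[@]} == 0 )); then
    return 0
  fi

  local ucount=0 ip user tstart tend start end attempts hostname
  for ip in "${ips[@]}"; do
    for user in "${users[@]}"; do
      # Fixed-string match on the exact "for USER from IP" phrase: the
      # remote-supplied user name is never interpreted as a regex or an
      # option, and a short name cannot match inside a longer one.
      grep -F 'Failed password' -- "$valid" \
        | grep -F -- " for $user from $ip " > "$pair" || true
      [[ -s "$pair" ]] || continue

      tstart=$(head -n 1 -- "$pair" | cut -c-15)
      tend=$(tail -n 1 -- "$pair" | cut -c-15)
      if ! start=$(to_epoch "$tstart") || ! end=$(to_epoch "$tend"); then
        printf 'warn: cannot parse timestamp for %s from %s, skipping\n' \
          "$user" "$ip" >&2
        continue
      fi

      if (( end - start > WINDOW_SECS )); then
        ucount=$(( ucount + 1 ))
        # $(( )) normalises 'wc -l' output that some platforms left-pad.
        attempts=$(( $(wc -l < "$pair") ))
        hostname=$(resolve_host "$ip")
        # shellcheck disable=SC2059
        printf "$fmt" "$ucount" "$user" "$attempts" "$ip" "$hostname" \
          "$tstart-->$tend"
      fi
    done
  done
}

main "$@"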