Chapter 1: Emergency Response - Linux Log Analysis

Step 1

First, what we need are the SSH login records, which sshd writes to /var/log/auth.log; on this host the entries of interest are in the rotated copy auth.log.1.

```
root@ip-10-0-10-2:/var/log# awk '/Failed password for root from/{print $11}' auth.log.1 | uniq
192.168.200.32
192.168.200.2
192.168.200.31
```

This filters out the IP addresses behind the failed root password attempts: in a `Failed password for root from <ip> port <n> ssh2` line, `$11` is the source address. Note that `uniq` only collapses adjacent duplicates; if the same IP reappears later in the file it is printed again, so use `sort -u` when you need a truly deduplicated list.

Step 2

```
root@ip-10-0-10-3:/var/log# awk '/Accepted password for root/{print $11}' auth.log.1 | uniq
192.168.200.2
```

Now filter for the successful attempt: the IP in the `Accepted password for root` line is the one whose brute force actually got in.

Step 3

```
root@ip-10-0-10-3:/var/log# awk '/Connection closed by invalid user/{print $11}' auth.log.1 | awk '/^[a-z]/' | uniq
test1
test2
test3
user
hello
```

Add root to the list by hand: root does not appear here because it is a valid account, not an "invalid user", but step 1 already showed it being brute-forced, so it is certainly part of the dictionary. The second awk keeps only lines starting with a lowercase letter; check the unfiltered output as well in case a tried username starts with a digit or a capital, which that filter would silently drop.

Step 4

Count the root login attempts from the IP found in step 2, both failed and accepted. The second branch must spell the full `Accepted password for root` message; a pattern that drops the `for` never matches, so the count would silently become failed attempts only. Also be aware that the bare string `192.168.200.2` also matches addresses such as 192.168.200.21; `grep -w` avoids that.

```
root@ip-10-0-10-3:/var/log# grep --text "192.168.200.2" auth.log.1 | awk '/Failed password for root/{a++;print a;next}/Accepted password for root/{a++;print a}'
1
2
3
4
```

I felt the question was not clearly worded: at first I also counted that IP's brute-force attempts against ordinary users, and only later found that just the attempts against root count.

Step 5

```
root@ip-10-0-10-3:/var/log# grep --text "new user" auth.log.1
Aug 1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
Aug 1 08:18:27 ip-172-31-37-190 useradd[487]: new user: name=debian, UID=1001, GID=1001, home=/home/debian, shell=/bin/bash
```

Filter this down a little: each `new user:` line from useradd records an account creation with its UID, GID, home directory and shell, so compare the timestamps and hostnames of these lines with the successful login from step 2 to pick out the account the intruder created.
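To show the whole five-step procedure end to end, here is an added Python parser that is not part of the original write-up. It answers the same questions (brute-force sources, successful source, username dictionary, per-IP root attempt counts, created accounts) over a constructed auth.log sample; the hostname, PIDs, ports and timestamps in the sample are made up for this example. Unlike the awk one-liners it matches on the sshd message text rather than on field `$11`, so it still works when the syslog prefix has a different number of fields, and it deduplicates across the whole file rather than only adjacent lines.

```python
"""Added example: answer the write-up's five questions from OpenSSH auth.log lines."""
import re
from collections import Counter

# Constructed sample in /var/log/auth.log format (not the challenge's real log).
SAMPLE_LOG = """\
Aug  1 07:40:01 linux-rz sshd[7001]: Failed password for root from 192.168.200.32 port 40210 ssh2
Aug  1 07:40:03 linux-rz sshd[7001]: Failed password for root from 192.168.200.32 port 40210 ssh2
Aug  1 07:41:10 linux-rz sshd[7010]: Failed password for invalid user test1 from 192.168.200.2 port 40300 ssh2
Aug  1 07:41:10 linux-rz sshd[7010]: Connection closed by invalid user test1 192.168.200.2 port 40300 [preauth]
Aug  1 07:41:12 linux-rz sshd[7012]: Connection closed by invalid user hello 192.168.200.2 port 40302 [preauth]
Aug  1 07:42:00 linux-rz sshd[7020]: Failed password for root from 192.168.200.2 port 40400 ssh2
Aug  1 07:42:01 linux-rz sshd[7020]: Failed password for root from 192.168.200.2 port 40400 ssh2
Aug  1 07:42:02 linux-rz sshd[7020]: Accepted password for root from 192.168.200.2 port 40400 ssh2
Aug  1 07:45:00 linux-rz sshd[7030]: Failed password for root from 192.168.200.31 port 40500 ssh2
Aug  1 07:46:00 linux-rz sshd[7040]: Accepted password for root from 192.168.200.2 port 40600 ssh2
Aug  1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
Aug  1 07:51:00 linux-rz sshd[7060]: Failed password for root from 192.168.200.32 port 40700 ssh2
"""

# Match on the sshd/useradd message text, not on whitespace-separated field numbers.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
INVALID_RE = re.compile(r"sshd\[\d+\]: Connection closed by invalid user (\S+) (\S+) port")
NEWUSER_RE = re.compile(
    r"useradd\[\d+\]: new user: name=([^,]+), UID=(\d+), GID=(\d+), home=([^,]+), shell=(\S+)"
)


def parse_events(log_text):
    """Return (kind, user, ip) tuples in file order; kind is failed/accepted/invalid."""
    events = []
    for line in log_text.splitlines():
        for kind, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE), ("invalid", INVALID_RE)):
            m = rx.search(line)
            if m:
                events.append((kind, m.group(1), m.group(2)))
                break
    return events


def unique_in_order(items):
    """Deduplicate while keeping first-seen order (unlike uniq, non-adjacent repeats collapse too)."""
    return list(dict.fromkeys(items))


def brute_force_ips(events, user="root"):
    """Step 1: source IPs with at least one failed password for `user`."""
    return unique_in_order(ip for kind, u, ip in events if kind == "failed" and u == user)


def accepted_ips(events, user="root"):
    """Step 2: source IPs that eventually authenticated as `user`."""
    return unique_in_order(ip for kind, u, ip in events if kind == "accepted" and u == user)


def username_dictionary(events):
    """Step 3: every account name tried, sorted; root is picked up from its Failed lines."""
    return sorted({u for _, u, _ in events})


def root_attempts_by_ip(events):
    """Step 4: per-IP Counter of failed and accepted root logins."""
    counts = {}
    for kind, u, ip in events:
        if u == "root" and kind in ("failed", "accepted"):
            counts.setdefault(ip, Counter())[kind] += 1
    return counts


def new_users(log_text):
    """Step 5: accounts created by useradd as (name, uid, gid, home, shell) tuples."""
    created = []
    for line in log_text.splitlines():
        m = NEWUSER_RE.search(line)
        if m:
            created.append(m.groups())
    return created


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("brute-force sources:", brute_force_ips(ev))
    print("successful source:  ", accepted_ips(ev))
    print("username dictionary:", username_dictionary(ev))
    for ip, c in root_attempts_by_ip(ev).items():
        print(f"{ip}: {c['failed']} failed, {c['accepted']} accepted root logins")
    print("created accounts:   ", new_users(SAMPLE_LOG))
```

Run it against a real file with `parse_events(open("/var/log/auth.log.1", errors="replace").read())`; the `errors="replace"` plays the same role as `grep --text` when the log contains stray binary bytes.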