  • Commands and notes for routine analysis of SSH login logs on a Linux system

    • Commonly used log files
    • access-log: records HTTP requests
    • acc/pacct: records commands run by users
    • aculog: records modem activity
    • btmp: records failed login attempts
    • lastlog: records the most recent successful logins and the last unsuccessful login attempt
    • messages: records information from syslog
    • sudolog: records commands issued through sudo
    • sulog: records uses of the su command
    • syslog: records information from syslog
    • utmp: records every user currently logged in
    • wtmp: a permanent record of every login and logout event of every user
    • xferlog: records FTP sessions
    • Commands for reading these logs
    • wtmp and utmp are binary files: they cannot be opened, viewed, cut or merged with more, cat, tail and similar commands. The information they contain has to be read through who, w, users, last and the like.
    • who: queries the utmp file and reports every user currently logged in. By default who prints the user name, terminal, login time and remote host. If a wtmp file name is given, who reports all previous records: who /var/log/wtmp reports every login since the wtmp file was created, deleted or modified.
    • w: queries the utmp file and shows every user on the current system together with the processes they are running.
    • users: prints the currently logged-in users on a single line; each user name shown corresponds to one login session, so a user with more than one session appears that many times.
    • last: searches back through wtmp to show the users who have logged in since the file was first created.
    • Linux SSH log files
    • The name and location of the SSH log differ between operating systems, but the common default locations are the same: secure, auth.log, messages, etc.
    • CentOS, Fedora  --> /var/log/secure
    • last shows recent user logins
    • last displays the most recent logins to the current system. Run on its own, last reads /var/log/wtmp and lists every user name that file records as having logged in.
    • Options:
    <number>  set how many lines to show
    -a  --hostlast  put the host name or IP address the login came from in the last column
    -d  --dns  translate IP addresses into host names
    -f  --file  read the given record file instead of /var/log/wtmp
    -F  --fulltimes  print full login and logout times and dates
    -i  --ip  show IP addresses instead of host names
    -n  --limit  set how many lines to show
    -R  --nohostname  do not show the host name or IP address
    -s  --since  show the lines since the given time
    -t  --until  show the lines until the given time
    -p  --present  show who was logged in at the given time
    -w  --fullnames  show full user and domain names
    -x  --system  show system shutdown, reboot and run-level change entries
    -h  --help  show help and exit
    -V  --version  show version information and exit
    • To view the logged-in users' information: last
    • Analysis with a script
    • anyalizeslogs.py /var/log/secure
    • Analysis script code
    #!/usr/bin/env python3
    # Analyze an sshd auth log (e.g. /var/log/secure or /var/log/auth.log) to get
    #   1) how many failed login trials
    #   2) how many succeeded login trials
    #   3) how many IPs the login trials come from and what they are
    #   4) how many invalid usernames are tested and what they are
    #
    #   usage:
    #       anyalizeslogs.py <filename>
    #   note: - for standard input stream
    import sys
    import re


    # verbosity switches for debug() / info()
    DEBUG_FLAG = 0
    INFO_FLAG = 0

    def debug(msg):
        if DEBUG_FLAG:
            print("[DEBUG] ", msg)

    def info(msg):
        if INFO_FLAG:
            print("[INFO] ", msg)

    def openLog(source):
        # "-" means read the log from standard input
        if source == "-":
            return sys.stdin
        debug("opening file: " + source)
        return open(source, 'r')

    # failed login with a known user name
    ptnFailed = re.compile(r'Failed password for (?P<user>\w+) from (?P<ip>\d+\.\d+\.\d+\.\d+)')
    # failed login with an invalid (unknown) user name
    ptnInvalid = re.compile(r'Failed password for invalid user (?P<user>\w+) from (?P<ip>\d+\.\d+\.\d+\.\d+)')
    # login succeeded
    ptnSuccess = re.compile(r'Accepted password for (?P<user>\w+) from (?P<ip>\d+\.\d+\.\d+\.\d+)')
    # sudo / PAM session (for these lines the "ip" group holds the invoking user)
    ptnSudo = re.compile(r'session opened for user (?P<user>\w+) by (?P<ip>\w+)')

    # per-user and per-IP counters
    nFailed = {}      # valid user & incorrect password, or invalid user
    nSuccess = {}
    ipFailed = {}
    ipSuccess = {}

    if len(sys.argv) < 2:
        print("Usage:")
        print("\t" + sys.argv[0] + " <filename>")
        print("Note: <filename> can be - for standard input stream")
        sys.exit(0)

    log = openLog(sys.argv[1])
    for line in log:
        m = ptnFailed.search(line)
        debug(m)
        if not m:
            m = ptnInvalid.search(line)
            debug(m)
        if m:
            user = m.group('user')
            if user not in nFailed:
                info("[FAILED] Found a new user <" + user + ">")
                nFailed[user] = 0
            nFailed[user] += 1
            ip = m.group('ip')
            if ip not in ipFailed:
                ipFailed[ip] = 0
                info("[FAILED] Found a new ip <" + ip + ">")
            ipFailed[ip] += 1
        else:
            m = ptnSuccess.search(line)
            if not m:
                m = ptnSudo.search(line)
            debug(m)
            if m:
                print(line.rstrip())
                user = m.group('user')
                if user not in nSuccess:
                    nSuccess[user] = 0
                    info("[SUCCESS] Found a new user <" + user + ">")
                nSuccess[user] += 1
                ip = m.group('ip')
                if ip not in ipSuccess:
                    ipSuccess[ip] = 0
                    info("[SUCCESS] Found a new ip <" + ip + ">")
                ipSuccess[ip] += 1
            else:
                debug("*** Unknown: " + line)
    if log is not sys.stdin:
        log.close()

    print("nFailed:")
    print(nFailed)
    print("nSuccess:")
    print(nSuccess)

    # a key-value pair; a list of these keeps the order we sorted them into
    class KeyValue:
        def __init__(self, key, value):
            self.key = key
            self.value = value

        def __repr__(self):
            return repr((self.key, self.value))

    # return a KeyValue list sorted by count, largest first
    def sortDict(adict):
        result = []
        keys = sorted(adict.keys(), key=adict.__getitem__, reverse=True)

        for k in keys:
            result.append(KeyValue(k, adict[k]))
        return result

    # convert a KeyValue list to an html table
    # @return an html string
    def KeyValueList2Html(kvlist, headerMap):
        html = "<table>\n"

        hkey = 'Key'
        hvalue = 'Value'
        if headerMap:
            hkey = headerMap['key']
            hvalue = headerMap['value']
            debug(hkey)
            debug(hvalue)
        # header cells are <th> inside a <tr>
        html += "<tr>" + "<th>" + hkey + '</th>' + '<th>' + hvalue + '</th>' + '</tr>\n'
        for kv in kvlist:
            html += "<tr>" + "<td>" + kv.key + '</td>' + '<td>' + str(kv.value) + '</td>' + '</tr>\n'
        html += "</table>\n"
        return html

    print("------------ Tested user list *Failed* -------------", sortDict(nFailed))
    print("------------ Source IP *Failed* ------------------", sortDict(ipFailed))
    print("------------ Login Success  -------------", sortDict(nSuccess))
    print("------------ Source IP *Success* -----------------", sortDict(ipSuccess))

    # writing the result to an HTML report
    reportFilename = 'auth.log-analysis.html'
    print("Writing result to " + reportFilename + " ...")
    try:
        report = open(reportFilename, 'w')
    except OSError as e:
        print('Failed to open file:', reportFilename, e)
        sys.exit(1)

    title = 'Auth Log Analysis'
    report.write('<html>\n')
    report.write('<head><title>' + title + '</title>'
                 + '<style>'
                 + 'table {border:black 1px solid}'
                 + '</style></head>\n')
    # the tables belong inside <body>
    report.write('<body>\n')

    report.write("<h3>------------ Tested user list *Failed* -------------</h3>\n")
    report.write(KeyValueList2Html(sortDict(nFailed), {'key': 'username', 'value': '# of trial'}))
    report.write("<h3>------------ Source IP *Failed* ------------------</h3>\n")
    report.write(KeyValueList2Html(sortDict(ipFailed), {'key': 'source IP', 'value': '# of trial'}))

    report.write("<h3>------------ Login Success  -------------</h3>\n")
    report.write(KeyValueList2Html(sortDict(nSuccess), {'key': 'username', 'value': '# of login'}))
    report.write("<h3>------------ Source IP *Success* -----------------</h3>\n")
    report.write(KeyValueList2Html(sortDict(ipSuccess), {'key': 'source IP', 'value': '# of login'}))

    report.write('</body>\n')
    report.write('</html>\n')
    report.close()
    print('OK')
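As an added example, not part of the original post or its script, the following builds on the same sshd line patterns but also reads the syslog timestamp and recognises "Accepted publickey", so the counts can be turned into the two detections a defender actually wants from this log: a source IP producing a burst of failures inside a short window, and a success from such an IP afterwards. The sample lines, the year, and the threshold/window values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in /var/log/secure (syslog) format; not a real capture.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:02 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  3 10:00:04 host sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  3 10:00:05 host sshd[1004]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Mar  3 10:00:09 host sshd[1005]: Accepted password for root from 203.0.113.5 port 40005 ssh2
Mar  3 10:30:00 host sshd[1006]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Mar  3 11:00:00 host sshd[1007]: Failed password for alice from 198.51.100.7 port 50001 ssh2
"""

# One pattern covers failed/accepted, password/publickey and "invalid user".
LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) (?P<method>password|publickey) for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)'
)

def parse(lines, year=2024):
    """Return (timestamp, result, user, ip) tuples; syslog lines carry no year,
    so the caller supplies it (assumed 2024 for the sample)."""
    events = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not an auth result line (sudo, disconnects, ...)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m['result'], m['user'], m['ip']))
    return events

def find_suspicious(events, threshold=3, window_s=60):
    """Return the set of IPs with >= threshold failures inside window_s seconds,
    and a list of (ip, user, ts) successes that came from such an IP later."""
    recent = defaultdict(list)          # ip -> failure timestamps in the window
    bursts, success_after_burst = set(), []
    for ts, result, user, ip in sorted(events):
        if result == "Failed":
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
            recent[ip].append(ts)
            if len(recent[ip]) >= threshold:
                bursts.add(ip)
        elif ip in bursts:               # Accepted from an IP that was brute forcing
            success_after_burst.append((ip, user, ts))
    return bursts, success_after_burst

if __name__ == "__main__":
    b, s = find_suspicious(parse(SAMPLE_LOG.splitlines()))
    print("burst sources:", sorted(b))
    print("success after burst:", s)
```

On a real host, pipe the file in (parse(open("/var/log/secure"))) and treat any entry in the second list as a login to verify immediately.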
  • Original article: https://www.cnblogs.com/autopwn/p/13665692.html