Week 10 -- Mitigating DoS Attacks

1. Write a script selinux.sh that enables or disables SELinux
1> Create the script selinux_control.sh

[root@centos7 data]# vim selinux_control.sh 
#!/bin/bash
# Usage: selinux_control.sh on|off
[ -z "$*" ] && { echo -e "Usage:`basename $0` on|off" ;exit 2 ; }
# Edit /etc/selinux/config directly: /etc/sysconfig/selinux is only a symlink to it,
# and "sed -i" on a symlink would replace the link with a plain file instead of
# updating the real config. Matching "SELINUX=.*" also works when the current
# value is permissive, not only disabled/enforcing.
if [ "$1" == "on" ];then
	sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config && setenforce 1
	echo "SELINUX enforcing"
elif [ "$1" == "off" ];then
	sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config && setenforce 0
	echo "SELINUX disabled"
else
	echo "argument error"
fi
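A more robust version of the same config edit, added here as an example that is not part of the original post. It takes the file path as a parameter (so it can be run against a copy of the config rather than the live one), accepts all three SELINUX= values, rewrites whatever value is currently set, appends the line if it is missing, and writes through a symlink instead of replacing it. The function names set_selinux_mode and selinux_config_matches_runtime are assumptions made for this example; getenforce is the standard SELinux utility.

```shell
#!/bin/bash
# Added example (not from the original post): set the SELINUX= value in a
# config file regardless of its current value, and report the result.
# Assumes the standard "SELINUX=<mode>" line format; the path is a parameter
# so the function can be exercised on a copy rather than /etc/selinux/config.

set_selinux_mode() {
    file="$1"
    mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    [ -w "$file" ] || { echo "cannot write $file" >&2; return 1; }
    if grep -q '^SELINUX=' "$file"; then
        # Rewrite whatever value is there (disabled, permissive or enforcing).
        # Writing the result back with "cat > file" follows a symlink such as
        # /etc/sysconfig/selinux -> ../selinux/config and keeps the target's
        # inode, permissions and SELinux label, unlike "sed -i" on the link.
        tmp=$(mktemp)
        sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        # No SELINUX= line at all: append one rather than silently doing nothing.
        echo "SELINUX=$mode" >> "$file"
    fi
    # Return the value now in the file so callers can verify the edit.
    sed -n 's/^SELINUX=//p' "$file" | tail -n 1
}

# Compare the configured mode with the mode the running kernel reports.
# getenforce prints Enforcing/Permissive/Disabled; a mismatch means a reboot
# (or setenforce) is still pending. setenforce cannot switch a system that
# booted with SELinux disabled, so the file and the runtime can disagree.
selinux_config_matches_runtime() {
    file="$1"
    configured=$(sed -n 's/^SELINUX=//p' "$file" | tail -n 1 | tr 'A-Z' 'a-z')
    running=$(getenforce 2>/dev/null | tr 'A-Z' 'a-z')
    [ "$configured" = "$running" ]
}
```

Called as `set_selinux_mode /etc/selinux/config enforcing` it prints the value now in the file; `selinux_config_matches_runtime /etc/selinux/config` returns 0 only when the kernel is already in that mode.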

2> Add execute permission and check the SELinux configuration file

[root@centos7 data]# chmod +x selinux_control.sh
[root@centos7 data]# cat /etc/sysconfig/selinux 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

3> Run the script

[root@centos7 data]# sh /selinux_control.sh ###no argument
Usage:selinux_control.sh on|off
[root@centos7 data]# sh /selinux_control.sh dafda  ###wrong argument
argument error
[root@centos7 data]# sh /selinux_control.sh on   ###enable selinux
SELINUX enforcing
[root@centos7 data]# cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

[root@centos7 data]# sh selinux_control.sh off  ###disable selinux
SELINUX disabled
[root@centos7 data]# cat /etc/sysconfig/selinux 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

2. Count how many times each filesystem type appears in /etc/fstab

[root@centos7 ~]# awk '/^UUID/{sum[$3]++}END{for(type in sum){print type,sum[type]}}' /etc/fstab
swap 1
xfs 3
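A more general version of the count, as an added example that is not from the original post: it skips comments and blank lines rather than matching only lines that start with UUID, so /dev/..., LABEL= and tmpfs entries are counted too. The function count_fs_types and the sample fstab content are constructed for this example.

```shell
#!/bin/bash
# Added example (not from the original post): count filesystem types in an
# fstab-format file, skipping comments and blank lines, so entries that start
# with /dev/..., LABEL= or UUID= are all counted. The file path is a parameter.

count_fs_types() {
    awk '
        /^[[:space:]]*#/ || NF < 3 { next }   # comment, blank or incomplete line
        { count[$3]++ }                        # field 3 is the filesystem type
        END { for (t in count) print t, count[t] }
    ' "$1" | sort
}

# Constructed sample in /etc/fstab format (not a real system's fstab).
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
#
# /etc/fstab
# constructed sample
#
UUID=11111111-1111-1111-1111-111111111111 /        xfs     defaults        0 0
UUID=22222222-2222-2222-2222-222222222222 /boot    xfs     defaults        0 0
LABEL=data                                 /data    ext4    defaults        0 0
/dev/mapper/centos-swap                    swap     swap    defaults        0 0
tmpfs                                      /tmp     tmpfs   defaults        0 0
EOF

count_fs_types "$SAMPLE_FSTAB"
# ext4 1
# swap 1
# tmpfs 1
# xfs 2
```

Run it against the real file with `count_fs_types /etc/fstab`; the output is sorted by type so it is stable across awk implementations, whose for-in order is unspecified.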

3. Extract all digits from the string "Yd$C@M05MB%9&Bdh7dq+YVixp3vpw"

Extracting with tr (the string is single-quoted, otherwise the shell expands $C; with -c the set must be the digits themselves, not "[^0-9]"):

[root@centos7 ~]# echo 'Yd$C@M05MB%9&Bdh7dq+YVixp3vpw'|tr -dc '0-9'; echo
05973

Extracting with grep:

[root@centos7 ~]# echo 'Yd$C@M05MB%9&Bdh7dq+YVixp3vpw'|grep -o '[0-9]'
0
5
9
7
3

Extracting with awk (empty fields are skipped, since the string starts with a non-digit; adjacent digits stay together as one field):

[root@centos7 ~]# echo 'Yd$C@M05MB%9&Bdh7dq+YVixp3vpw'|awk -F '[^0-9]+' '{for(i=1;i<=NF;i++){if($i!="")print $i}}'
05
9
7
3

4. Production case, mitigating a DoS attack: based on the web log or the number of network connections, monitor for any IP whose concurrent connection count or PV within a short period reaches 100, and call the firewall command to block that IP, checking every 5 minutes. The firewall command is: iptables -A INPUT -s IP -j REJECT

1> Create the script dos_prevent.sh

[root@centos7 ~]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:be:ff:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.7/24 brd 192.168.100.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:febe:ff5b/64 scope link 
       valid_lft forever preferred_lft forever

[root@centos7 data]# vim dos_prevent.sh 
#!/bin/bash

# Key the array by IP plus the timestamp field ($4, e.g. "[21/Apr/2019:22:55:01"),
# so that a burst of requests from one IP within a short period is treated as a DoS attack.
# Any IP that reaches 100 hits in one bucket is written to a file: the timestamp part of
# the key is cut off, and sort -u removes duplicates (uniq alone only merges adjacent
# lines, and awk's for-in order is not sorted).
awk '{sum[$1" "$4]++}END{for (k in sum){if(sum[k]>=100)print k}}' /var/log/httpd/access_log | cut -d' ' -f1 | sort -u > /data/ip.log
while read -r LINE;do
	if [ -n "$LINE" ];then
		# Skip IPs whose REJECT rule already exists (iptables -C returns 0 when the rule is
		# present). -C matches the exact rule, unlike grepping "iptables -L" output, where
		# 192.168.100.6 would also match 192.168.100.60 and names may be resolved via DNS.
		if iptables -C INPUT -s "$LINE" -j REJECT 2>/dev/null;then
			continue
		else
			iptables -A INPUT -s "$LINE" -j REJECT
			echo "$LINE" >> /data/blacklist.log
		fi
	fi
done < /data/ip.log

[root@centos7 data]# chmod +x dos_prevent.sh
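To show the detection logic on its own, here is an added example that is not the script from the post: it runs the same per-IP counting over constructed access-log lines, buckets hits per minute instead of per second, and checks for an existing rule with iptables -C before adding one. DRY_RUN, find_abusive_ips, block_ip, the sample addresses and the log lines are assumptions made for this example; the threshold is lowered to 4 so the small sample triggers, where the post uses 100.

```shell
#!/bin/bash
# Added example (not from the original post): find source IPs whose request
# count within one minute reaches a threshold, from Apache combined-format
# access log lines, and build the corresponding block action idempotently.
# The log lines below are constructed; iptables is only invoked when DRY_RUN
# is unset, so the logic can be exercised without root.

# Print "ip count" for every IP that reaches $2 hits inside one minute.
# Field 1 is the client IP, field 4 is "[21/Apr/2019:22:55:01"; the first 18
# characters of field 4 drop the seconds, giving a one-minute bucket.
find_abusive_ips() {
    awk -v limit="$2" '
        { key = $1 " " substr($4, 1, 18); hits[key]++ }
        END {
            for (k in hits)
                if (hits[k] >= limit) {
                    split(k, parts, " ")
                    print parts[1], hits[k]
                }
        }
    ' "$1" | sort -u -k1,1
}

# Block one IP unless an identical rule is already present (iptables -C
# returns 0 when the rule exists). With DRY_RUN set, only print the rule.
block_ip() {
    ip="$1"
    if [ -n "$DRY_RUN" ]; then
        echo "iptables -A INPUT -s $ip -j REJECT"
        return 0
    fi
    iptables -C INPUT -s "$ip" -j REJECT 2>/dev/null && return 0
    iptables -A INPUT -s "$ip" -j REJECT && echo "$ip" >> /data/blacklist.log
}

# Constructed sample: 10.0.0.5 sends 4 requests inside one minute,
# 10.0.0.6 sends 3 spread over two minutes, 10.0.0.7 sends one.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [21/Apr/2019:22:55:01 +0800] "GET /index.html HTTP/1.0" 403 208
10.0.0.6 - - [21/Apr/2019:22:55:02 +0800] "GET /index.html HTTP/1.0" 403 208
10.0.0.5 - - [21/Apr/2019:22:55:02 +0800] "GET /index.html HTTP/1.0" 403 208
10.0.0.7 - - [21/Apr/2019:22:55:05 +0800] "GET /index.html HTTP/1.0" 403 208
10.0.0.5 - - [21/Apr/2019:22:55:30 +0800] "GET /index.html HTTP/1.0" 403 208
10.0.0.6 - - [21/Apr/2019:22:55:40 +0800] "GET /index.html HTTP/1.0" 403 208
10.0.0.5 - - [21/Apr/2019:22:55:59 +0800] "GET /index.html HTTP/1.0" 403 208
10.0.0.6 - - [21/Apr/2019:22:56:01 +0800] "GET /index.html HTTP/1.0" 403 208
EOF

# Dry run with a threshold of 4 (the post uses 100) so the sample triggers.
DRY_RUN=1
find_abusive_ips "$SAMPLE_LOG" 4 | while read -r ip count; do
    block_ip "$ip"
done
# prints: iptables -A INPUT -s 10.0.0.5 -j REJECT
```

Per-minute bucketing catches a burst that straddles a second boundary, which the per-second key in the post would split into two smaller counts; a client on a shared NAT address can still be caught by the threshold, so the blacklist file is worth reviewing before the rules are made persistent.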

2> Add the cron job and check the firewall rules

[root@centos7 ~]# vim /etc/crontab
*/5 * * * * root sh /data/dos_prevent.sh &>/dev/null

[root@centos7 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 426 packets, 67223 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 150 packets, 21356 bytes)
 pkts bytes target     prot opt in     out     source               destination    

3> Test with ab from another machine

[root@centos6 ~]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:8c:f8:9c brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.6/24 brd 192.168.100.255 scope global eth0
    inet6 fe80::20c:29ff:fe8c:f89c/64 scope link 
       valid_lft forever preferred_lft forever
       
[root@centos6 ~]# ab -c20 -n200 192.168.100.7/index.html
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 192.168.100.7 (be patient)
Completed 100 requests
Completed 200 requests
Finished 200 requests


Server Software:        Apache/2.4.6
Server Hostname:        192.168.100.7
Server Port:            80

Document Path:          /index.html
Document Length:        208 bytes

Concurrency Level:      20
Time taken for tests:   0.068 seconds
Complete requests:      200
Failed requests:        0
Write errors:           0
Non-2xx responses:      200
Total transferred:      77400 bytes
HTML transferred:       41600 bytes
Requests per second:    2925.90 [#/sec] (mean)
Time per request:       6.835 [ms] (mean)
Time per request:       0.342 [ms] (mean, across all concurrent requests)
Transfer rate:          1105.79 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    0   0.7      0       3
Processing:     2    6   1.8      6      10
Waiting:        0    6   1.8      6       9
Total:          3    6   1.8      6      11

Percentage of the requests served within a certain time (ms)
  50%      6
  66%      7
  75%      8
  80%      9
  90%      9
  95%     10
  98%     10
  99%     10
 100%     11 (longest request)

4> Check the cron service log and the firewall rules

[root@centos7 ~]# tail -f /var/log/cron
Apr 21 21:01:01 centos7 run-parts(/etc/cron.hourly)[6270]: finished 0anacron
Apr 21 22:01:01 centos7 CROND[6670]: (root) CMD (run-parts /etc/cron.hourly)
Apr 21 22:01:01 centos7 run-parts(/etc/cron.hourly)[6670]: starting 0anacron
Apr 21 22:01:01 centos7 run-parts(/etc/cron.hourly)[6679]: finished 0anacron
Apr 21 22:51:01 centos7 crond[628]: (*system*) RELOAD (/etc/crontab)
Apr 21 22:55:01 centos7 CROND[7124]: (root) CMD (sh /data/dos_prevent.sh &>/dev/null)
Apr 21 22:56:10 centos7 crond[628]: (CRON) INFO (Shutting down)
Apr 21 22:56:10 centos7 crond[7151]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 13% if used.)
Apr 21 22:56:10 centos7 crond[7151]: (CRON) INFO (running with inotify support)
Apr 21 22:56:10 centos7 crond[7151]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Apr 21 22:57:01 centos7 crond[7151]: (*system*) RELOAD (/etc/crontab)
Apr 21 23:00:01 centos7 CROND[7197]: (root) CMD (sh /data/dos_prevent.sh &>/dev/null)
Apr 21 23:01:01 centos7 CROND[7209]: (root) CMD (run-parts /etc/cron.hourly)
Apr 21 23:01:01 centos7 run-parts(/etc/cron.hourly)[7209]: starting 0anacron
Apr 21 23:01:01 centos7 run-parts(/etc/cron.hourly)[7218]: finished 0anacron

[root@centos7 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 195 packets, 45949 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       192.168.100.6        0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 33 packets, 3656 bytes)
 pkts bytes target     prot opt in     out     source               destination    

Verification succeeded!
