1、编写脚本selinux.sh,实现开启或禁用SELinux功能
1>创建脚本selinux_control.sh
[root@centos7 data]# vim selinux_control.sh
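#!/bin/bash
# selinux_control.sh - switch SELinux between enforcing and disabled.
#
# Usage: selinux_control.sh on|off
#   on  : write SELINUX=enforcing to the config file, then `setenforce 1`
#   off : write SELINUX=disabled  to the config file, then `setenforce 0`
#
# Exit status: 0 on success, 1 on a bad argument or a failed edit/setenforce,
# 2 when called without arguments.
#
# Why the original was changed:
#  - The substitutions disabled->enforcing / enforcing->disabled never
#    matched a file that currently says SELINUX=permissive; `^SELINUX=.*`
#    rewrites whatever value is there.
#  - GNU `sed -i` replaces a symlink with a regular file unless
#    --follow-symlinks is given; on this host /etc/sysconfig/selinux and
#    /etc/selinux/config show the same content in the transcript, so the
#    canonical /etc/selinux/config is edited and symlinks are followed.
#  - `setenforce` cannot change the runtime mode while SELinux is disabled at
#    boot; the old script printed "SELINUX enforcing" even when setenforce
#    failed. Now success is only reported when both steps succeeded.

readonly selinux_config=/etc/selinux/config

usage() {
  printf 'Usage:%s on|off\n' "${0##*/}" >&2
  exit 2
}

# set_mode WORD NUM - persist SELINUX=WORD and apply runtime mode NUM.
# Prints "SELINUX WORD" on success; returns 1 (with a diagnostic) otherwise.
set_mode() {
  local word=$1 num=$2
  if ! sed -i --follow-symlinks "s/^SELINUX=.*/SELINUX=${word}/" "$selinux_config"; then
    printf 'failed to update %s\n' "$selinux_config" >&2
    return 1
  fi
  if setenforce "$num"; then
    printf 'SELINUX %s\n' "$word"
  else
    # Typical cause: SELinux was disabled at boot, so the runtime mode cannot
    # be switched; the config change takes effect after a reboot.
    printf 'SELINUX=%s written to %s, but the runtime change failed (reboot required)\n' \
      "$word" "$selinux_config" >&2
    return 1
  fi
}

main() {
  [ "$#" -ge 1 ] || usage
  case "$1" in
    on)  set_mode enforcing 1 ;;
    off) set_mode disabled 0 ;;
    *)
      printf 'argument error\n' >&2
      exit 1
      ;;
  esac
}

main "$@"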
2>添加执行权限,检查selinux配置文件
[root@centos7 data]# chmod +x selinux_control.sh
[root@centos7 data]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
3>执行脚本
[root@centos7 data]# sh /selinux_control.sh ###不带参数
Usage:selinux_control.sh on|off
[root@centos7 data]# sh /selinux_control.sh dafda ###带错误参数
argument error
[root@centos7 data]# sh /selinux_control.sh on ###启动selinux
SELINUX enforcing
[root@centos7 data]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@centos7 data]# sh selinux_control.sh off ###禁用selinux
SELINUX disabled
[root@centos7 data]# cat /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
2、统计/etc/fstab文件中每个文件系统类型出现的次数
[root@centos7 ~]# cat /etc/fstab | awk '/^UUID/{sum[$3]++}END{for(type in sum){print type,sum[type]}}'
swap 1
xfs 3
3、提取出字符串"Yd$C@M05MB%9&Bdh7dq+YVixp3vpw"中的所有数字
tr提取(注意:tr 的集合不支持 `[^0-9]` 写法,`-dc "[^0-9]"` 除数字外还会保留 `[`、`^`、`]` 三个字符,这里只是碰巧得到正确结果,准确写法是 `tr -dc '0-9'`;另外字符串放在双引号里时 `$C` 会被 shell 展开,应改用单引号):
[root@centos7 ~]# echo "Yd$C@M05MB%9&Bdh7dq+YVixp3vpw"|tr -dc "[^0-9]"
05973
grep提取:
[root@centos7 ~]# echo "Yd$C@M05MB%9&Bdh7dq+YVixp3vpw"|grep -o '[0-9]'
0
5
9
7
3
awk提取:
[root@centos7 ~]# echo "Yd$C@M05MB%9&Bdh7dq+YVixp3vpw"|awk -F '[^0-9]+' '{for(i=1;i<=NF;i++){print $i}}'
05
9
7
3
4、解决DOS攻击生产案例:根据web日志或者网络连接数,监控当某个IP 并发连接数或者短时内PV达到100,即调用防火墙命令封掉对应的IP,监控频 率每隔5分钟。防火墙命令为:iptables -A INPUT -s IP -j REJECT
1>创建脚本dos_prevent.sh
[root@centos7 ~]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:be:ff:5b brd ff:ff:ff:ff:ff:ff
inet 192.168.100.7/24 brd 192.168.100.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:febe:ff5b/64 scope link
valid_lft forever preferred_lft forever
[root@centos7 data]# vim dos_prevent.sh
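#!/bin/bash
# dos_prevent.sh - block clients that hammer the web server.
#
# Meant to run from cron every 5 minutes (see /etc/crontab). Each run counts
# requests per client IP and per log timestamp in the Apache access log,
# writes the offending IPs to /data/ip.log, and adds one REJECT rule to the
# INPUT chain per offender that is not blocked yet, recording it in
# /data/blacklist.log.
#
# Usage: dos_prevent.sh [THRESHOLD]   (default 100)
#
# Notes:
#  - The awk key is client IP + "[dd/Mon/yyyy:HH:MM:SS", so the burst window
#    is one second of log timestamp (the original behaviour, kept). The task
#    says "达到100" (reaches 100), so the comparison is >= rather than >.
#  - The whole access_log is rescanned on every run, so an address that once
#    crossed the threshold keeps being reported; the idempotent duplicate
#    check below makes that harmless. TODO: only look at the last 5 minutes.
#  - The old duplicate check used `iptables -L` without -n, which resolves
#    addresses to hostnames, so the grep could miss an existing rule and the
#    same REJECT rule was appended again every 5 minutes. `iptables -C` does
#    an exact rule check with no DNS lookups.
#  - A log field is only handed to iptables after it has been validated as a
#    dotted IPv4 literal.
set -euo pipefail

readonly access_log=/var/log/httpd/access_log
readonly ip_log=/data/ip.log
readonly blacklist_log=/data/blacklist.log
readonly threshold=${1:-100}

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# is_ipv4 ADDR - succeed when ADDR is four dot-separated octets in 0..255.
is_ipv4() {
  local addr=$1 octet
  [[ "$addr" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal so "08" is not read as a bad octal number.
    (( 10#$octet <= 255 )) || return 1
  done
}

# find_offenders - print, once each, the client IPs that sent at least
# $threshold requests within a single log second.
find_offenders() {
  awk -v limit="$threshold" '
    { hits[$1 "\t" $4]++ }
    END {
      for (key in hits) {
        if (hits[key] >= limit) {
          split(key, part, "\t")
          print part[1]
        }
      }
    }' "$access_log" | sort -u
}

# block_ip ADDR - add a REJECT rule for ADDR unless it already exists.
block_ip() {
  local addr=$1
  # -C checks for an identical rule; 0 = present, non-zero = absent.
  if iptables -C INPUT -s "$addr" -j REJECT 2>/dev/null; then
    return 0
  fi
  iptables -A INPUT -s "$addr" -j REJECT
  printf '%s\n' "$addr" >> "$blacklist_log"
}

main() {
  local addr
  [[ "$threshold" =~ ^[0-9]+$ ]] || die "threshold must be a non-negative integer: $threshold"
  find_offenders > "$ip_log"
  while IFS= read -r addr; do
    [[ -n "$addr" ]] || continue
    if ! is_ipv4 "$addr"; then
      printf 'skipping malformed address from log: %s\n' "$addr" >&2
      continue
    fi
    block_ip "$addr"
  done < "$ip_log"
}

main "$@"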
[root@centos7 data]# chmod +x dos_prevent.sh
2>添加任务计划,并检查防火墙规则
[root@centos7 ~]# vim /etc/crontab
*/5 * * * * root sh /data/dos_prevent.sh &>/dev/null
[root@centos7 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 426 packets, 67223 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 150 packets, 21356 bytes)
pkts bytes target prot opt in out source destination
3>在另一台机器上使用ab测试
[root@centos6 ~]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:8c:f8:9c brd ff:ff:ff:ff:ff:ff
inet 192.168.100.6/24 brd 192.168.100.255 scope global eth0
inet6 fe80::20c:29ff:fe8c:f89c/64 scope link
valid_lft forever preferred_lft forever
[root@centos6 ~]# ab -c20 -n200 192.168.100.7/index.html
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking 192.168.100.7 (be patient)
Completed 100 requests
Completed 200 requests
Finished 200 requests
Server Software: Apache/2.4.6
Server Hostname: 192.168.100.7
Server Port: 80
Document Path: /index.html
Document Length: 208 bytes
Concurrency Level: 20
Time taken for tests: 0.068 seconds
Complete requests: 200
Failed requests: 0
Write errors: 0
Non-2xx responses: 200
Total transferred: 77400 bytes
HTML transferred: 41600 bytes
Requests per second: 2925.90 [#/sec] (mean)
Time per request: 6.835 [ms] (mean)
Time per request: 0.342 [ms] (mean, across all concurrent requests)
Transfer rate: 1105.79 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 0 0.7 0 3
Processing: 2 6 1.8 6 10
Waiting: 0 6 1.8 6 9
Total: 3 6 1.8 6 11
Percentage of the requests served within a certain time (ms)
50% 6
66% 7
75% 8
80% 9
90% 9
95% 10
98% 10
99% 10
100% 11 (longest request)
4>检查cron服务日志,并检查防火墙规则
[root@centos7 ~]# tail -f /var/log/cron
Apr 21 21:01:01 centos7 run-parts(/etc/cron.hourly)[6270]: finished 0anacron
Apr 21 22:01:01 centos7 CROND[6670]: (root) CMD (run-parts /etc/cron.hourly)
Apr 21 22:01:01 centos7 run-parts(/etc/cron.hourly)[6670]: starting 0anacron
Apr 21 22:01:01 centos7 run-parts(/etc/cron.hourly)[6679]: finished 0anacron
Apr 21 22:51:01 centos7 crond[628]: (*system*) RELOAD (/etc/crontab)
Apr 21 22:55:01 centos7 CROND[7124]: (root) CMD (sh /data/dos_prevent.sh &>/dev/null)
Apr 21 22:56:10 centos7 crond[628]: (CRON) INFO (Shutting down)
Apr 21 22:56:10 centos7 crond[7151]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 13% if used.)
Apr 21 22:56:10 centos7 crond[7151]: (CRON) INFO (running with inotify support)
Apr 21 22:56:10 centos7 crond[7151]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Apr 21 22:57:01 centos7 crond[7151]: (*system*) RELOAD (/etc/crontab)
Apr 21 23:00:01 centos7 CROND[7197]: (root) CMD (sh /data/dos_prevent.sh &>/dev/null)
Apr 21 23:01:01 centos7 CROND[7209]: (root) CMD (run-parts /etc/cron.hourly)
Apr 21 23:01:01 centos7 run-parts(/etc/cron.hourly)[7209]: starting 0anacron
Apr 21 23:01:01 centos7 run-parts(/etc/cron.hourly)[7218]: finished 0anacron
[root@centos7 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 195 packets, 45949 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 192.168.100.6 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 33 packets, 3656 bytes)
pkts bytes target prot opt in out source destination
验证成功!