1.检查服务器是否被恶意登录
# CentOS
# 1. 查看成功登录
grep "Accepted password for" /var/log/secure
# 2. 查看每个用户名失败的次数
grep "Failed password" /var/log/secure | awk '{if (NF==16){c[$11]++}else{c[$9]++}}END{for(u in c)print u,c[u]}' | sort -k 2 -nr | head
# 3. 查看每个 IP 地址失败的次数
grep "Failed password" /var/log/secure | awk '{if (NF==16){c[$13]++}else{c[$11]++}}END{for(u in c)print u,c[u]}' | sort -k 1 -n | head
# Ubuntu
# 1. 查看近期成功的密码登录:
grep "password" /var/log/auth.log | grep -v Failed | grep -v Invalid
# 2. 查看最近登录失败的 IP 和每个 IP 失败次数:
awk '{if($6=="Failed"&&$7=="password"){if($9=="invalid"){ips[$13]++;users[$11]++}else{users[$9]++;ips[$11]++}}}END{for(ip in ips){print ip, ips[ip]}}' /var/log/auth.log | sort -k2 -rn
#3. 查看近期登录失败的用户名和失败次数:
awk '{if($6=="Failed"&&$7=="password"){if($9=="invalid"){ips[$13]++;users[$11]++}else{users[$9]++;ips[$11]++}}}END{for(user in users){print user, users[user]}}' /var/log/auth.log | sort -k2 -rn
2.查看连接
netstat -anp |grep ESTAB
lsof -i:端口号
ls -l /proc/pid
3.参考博客
fail2ban防ssh爆破 - nihinumbra - 博客园
https://www.jb51.net/article/233737.htm