Linux应急响应中,我们遇到有ia锁的,通过chattr可能修改不了,原因是crontan 实时写入导致停不了,加/解不了锁,这时候我们要用kill -STOP停掉进程,而不是kill -9。
扩展知识:
爆破应急
1、统计了下日志,确认服务器遭受暴力破解
grep -o "Failed password" /var/log/secure|uniq -c
2、输出登录爆破的第一行和最后一行,确认爆破时间范围:
grep "Failed password" /var/log/secure|head -1
grep "Failed password" /var/log/secure|tail -1
3.进一步定位哪些机器在暴力破解
grep "Failed password" /var/log/secure|grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|sort|uniq -c | sort -nr
ubuntu:
grep "Failed password" /var/log/auth.log|grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|sort|uniq -c | sort -nr
4、爆破用户名字典都有哪些?
grep "Failed password" /var/log/secure|perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}'|sort|uniq -c|sort -nr
5. 查看登录成功的日期、用户名、IP:
grep "Accepted " /var/log/secure | awk '{print $1,$2,$3,$9,$11}'
ubuntu
grep "Accepted " /var/log/auth.log | awk '{print $1,$2,$3,$9,$11}'
6.顺便统计一下登录成功的IP有哪些:
grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr
ubuntu:
grep "Accepted " /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -nr