检查服务器机器是否已被暴力破解
2024-04-23 07:32:42
#!/bin/bash
# Glob pattern for the authentication logs to scan. It is stored as a plain
# string and expanded unquoted by the main loop below (rotated copies such as
# secure-YYYYMMDD are picked up as well).
LOGFILES='/var/log/secure*'
# Report file for successful logins from non-private addresses and for
# suspected brute-force successes; written to the current working directory.
OUTPUT_FILE='potential_bruteforce_attempts.txt'
# 用于检查是否是外网IP的函数
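#######################################
# Decide whether an address should be treated as "external" (not part of the
# local machine or a private network).
# Arguments: $1 - IPv4 or IPv6 address as it appears in the sshd log line
# Returns:   0 if the address is external, 1 if it is private, loopback,
#            link-local, unspecified, or empty
#######################################
is_external_ip() {
  local ip=$1
  # An empty or missing value is not an address at all, so never report it
  # as an external login source.
  [[ -n "$ip" ]] || return 1
  # IPv4 ranges that are never routed from the public Internet:
  # RFC 1918 private (10/8, 172.16/12, 192.168/16), loopback (127/8),
  # link-local (169.254/16) and "this network" (0/8).
  local -r ipv4_internal='^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.|0\.)'
  # IPv6 equivalents: loopback (::1), link-local (fe80::/10) and
  # unique-local (fc00::/7). The first group of these always starts with a
  # non-zero nibble, so matching on the leading hex characters is sufficient.
  local -r ipv6_internal='^(::1$|[fF][eE][89aAbB]|[fF][cCdD])'
  # Patterns are kept in variables: bash applies =~ to an unquoted variable as
  # a regex, which avoids the quoting pitfalls of inline patterns.
  if [[ $ip =~ $ipv4_internal || $ip =~ $ipv6_internal ]]; then
    return 1 # internal address
  fi
  return 0 # external address
}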
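# Truncate the report so every run starts from an empty file.
> "$OUTPUT_FILE"

# An address is reported as a likely brute-force source when it accumulated
# MORE than this many failed password attempts before a later success.
FAIL_THRESHOLD=3

# Walk every log file matched by $LOGFILES. The variable is deliberately left
# unquoted because its value is a glob pattern; a pattern with no match keeps
# its literal text and is then reported as missing by the -f test.
for LOGFILE in $LOGFILES; do
  if [[ -f "$LOGFILE" ]]; then
    printf 'Analyzing log file: %s\n' "$LOGFILE"

    # Pass 1: successful password logins whose source is not a private,
    # loopback or link-local address.
    # `IFS= read -r` keeps leading whitespace and literal backslashes in the
    # log line; a bare `read` would mangle both.
    while IFS= read -r line; do
      if [[ $line =~ Accepted\ password.*from\ ([^ ]+) ]]; then
        ip=${BASH_REMATCH[1]}
        if is_external_ip "$ip"; then
          printf '%s\n' "$line"                   # show on the terminal
          printf '%s\n' "$line" >> "$OUTPUT_FILE" # and keep in the report
        fi
      fi
    done < <(grep -F -- 'Accepted password' "$LOGFILE")

    # Pass 2: per-source failure counts, reported when a success follows.
    # The output path and threshold are handed to awk with -v rather than
    # spliced into the program text, so a path containing quotes or other
    # awk-significant characters cannot change the program.
    # $(NF-3) is the source address in sshd's
    # "... from <address> port <n> ssh2" lines.
    awk -v out="$OUTPUT_FILE" -v threshold="$FAIL_THRESHOLD" '
      /Failed password/ { fail[$(NF-3)]++ }  # count failures per source
      /Accepted password/ {
        src = $(NF-3)
        if (fail[src] > threshold) {
          msg = "Brute-force detected: IP " src " had " fail[src] \
                " failures before a success on line " NR
          print msg
          print msg >> out
        }
        delete fail[src]                      # a success resets the counter
      }
    ' "$LOGFILE"
  else
    printf 'Log file does not exist: %s\n' "$LOGFILE"
  fi
done

printf 'Analysis complete. Check %s for potential brute-force attempts.\n' "$OUTPUT_FILE"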