
检查服务器机器是否已被暴力破解

最编程 2024-04-23 07:32:42
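#!/usr/bin/env bash
#
# Scan sshd authentication logs for two things:
#   1. successful password logins ("Accepted password") whose source address is
#      not a private/loopback/link-local address, and
#   2. source addresses that accumulated more than THRESHOLD "Failed password"
#      lines and then produced an "Accepted password" line (a brute-force
#      attempt that succeeded).
# Findings are echoed to the terminal and appended to OUTPUT_FILE, which is
# truncated at the start of every run.
#
# Environment (all optional):
#   LOGFILES     glob of log files to scan        (default: /var/log/secure*)
#   OUTPUT_FILE  file that receives the findings   (default: ./potential_bruteforce_attempts.txt)
#   THRESHOLD    failures before a success that count as brute force (default: 3)
#
# Must be run by a user that can read the log files (normally root).
# Rotated *.gz files are decompressed on the fly; other rotated files are read as-is.
#
# Limitations (by design of the original script, kept here):
#   * Only password authentications are considered; "Accepted publickey" is ignored.
#   * Failure counts are kept per file, so a campaign that spans a log rotation
#     boundary is split across files and may fall below THRESHOLD in each.
#   * A brute-force attempt that never succeeded is not reported; only
#     "N failures followed by a success" is.
#   * Only public-vs-private classification is done; no geo/reputation lookup.
#
# -e is deliberately not set: grep exits 1 on "no match", which is a normal
# outcome for a log file with no successful logins.
set -uo pipefail

LOGFILES="${LOGFILES:-/var/log/secure*}"
OUTPUT_FILE="${OUTPUT_FILE:-potential_bruteforce_attempts.txt}"
THRESHOLD="${THRESHOLD:-3}"

#######################################
# Classify an address as external (not private/loopback/link-local).
# Arguments: $1 - IPv4 or IPv6 address as sshd logs it after "from"
# Returns:   0 if the address is treated as external, 1 if internal
# Note: this is a best-effort heuristic, not a full routability check —
#       only RFC 1918, loopback, IPv4 link-local, IPv6 loopback, IPv6 ULA
#       (fc00::/7) and IPv6 link-local (fe80::/10) are treated as internal.
#######################################
is_external_ip() {
  local ip=$1
  case "$ip" in
    10.*|192.168.*|127.*|169.254.*) return 1 ;;            # RFC 1918 / loopback / link-local
    ::1) return 1 ;;                                        # IPv6 loopback
    f[cC][0-9a-fA-F][0-9a-fA-F]:*|f[dD][0-9a-fA-F][0-9a-fA-F]:*) return 1 ;;  # IPv6 ULA fc00::/7
    f[eE][89aAbB][0-9a-fA-F]:*) return 1 ;;                 # IPv6 link-local fe80::/10
  esac
  # 172.16.0.0/12 needs a range check on the second octet.
  if [[ $ip =~ ^172\.(1[6-9]|2[0-9]|3[01])\. ]]; then
    return 1
  fi
  return 0
}

#######################################
# Stream the content of one log file, transparently decompressing *.gz.
# Arguments: $1 - path to the log file
# Outputs:   the plain-text log lines on stdout
#######################################
read_log() {
  local file=$1
  if [[ $file == *.gz ]]; then
    gzip -dc -- "$file"
  else
    cat -- "$file"
  fi
}

#######################################
# Report successful password logins from external addresses.
# Globals:   OUTPUT_FILE (appended)
# Arguments: $1 - path to the log file
# Outputs:   matching log lines on stdout and appended to OUTPUT_FILE
#######################################
report_external_logins() {
  local logfile=$1 line ip
  # The source address is the token after "from" on the Accepted line.
  # `|| true` keeps a file with no successful logins from being a pipeline failure.
  while IFS= read -r line; do
    if [[ $line =~ Accepted\ password.*from\ ([^ ]+) ]]; then
      ip=${BASH_REMATCH[1]}
      if is_external_ip "$ip"; then
        printf '%s\n' "$line"
        printf '%s\n' "$line" >> "$OUTPUT_FILE"
      fi
    fi
  done < <(read_log "$logfile" | grep -F -- 'Accepted password' || true)
}

#######################################
# Report addresses that logged in after more than THRESHOLD password failures.
# Globals:   OUTPUT_FILE (appended), THRESHOLD (read)
# Arguments: $1 - path to the log file
# Outputs:   one "Brute-force detected" line per hit, on stdout and in OUTPUT_FILE
# Note: the per-address failure counter is reset on every Accepted line, so
#       each success is judged only against the failures since the previous one.
#######################################
report_bruteforce() {
  local logfile=$1
  # Shell values are passed with -v rather than interpolated into the awk
  # program, so an odd OUTPUT_FILE cannot alter the program text.
  # The source address is located by scanning for the "from" token instead of
  # assuming a fixed field offset from the end of the line.
  read_log "$logfile" | awk -v out="$OUTPUT_FILE" -v thr="$THRESHOLD" '
    function src(    i) {
      for (i = 1; i < NF; i++) if ($i == "from") return $(i + 1)
      return ""
    }
    /Failed password/ { ip = src(); if (ip != "") fail[ip]++ }
    /Accepted password/ {
      ip = src()
      if (ip == "") next
      if (fail[ip] > thr) {
        msg = "Brute-force detected: IP " ip " had " fail[ip] " failures before a success on line " NR
        print msg
        print msg >> out
      }
      delete fail[ip]
    }'
}

#######################################
# Entry point: truncate OUTPUT_FILE, then scan every file matched by LOGFILES.
# Globals:   LOGFILES, OUTPUT_FILE
# Outputs:   progress and findings on stdout; missing/unreadable files on stderr
#######################################
main() {
  local logfile
  : > "$OUTPUT_FILE"
  # LOGFILES is intentionally unquoted so the glob expands; an unmatched glob
  # stays literal and is reported as a missing file below.
  # shellcheck disable=SC2086
  for logfile in $LOGFILES; do
    if [[ ! -f $logfile ]]; then
      printf 'Log file does not exist: %s\n' "$logfile" >&2
    elif [[ ! -r $logfile ]]; then
      # Typical when run without root: grep would otherwise fail per file.
      printf 'Log file is not readable (run as root?): %s\n' "$logfile" >&2
    else
      printf 'Analyzing log file: %s\n' "$logfile"
      report_external_logins "$logfile"
      report_bruteforce "$logfile"
    fi
  done
  printf 'Analysis complete. Check %s for potential brute-force attempts.\n' "$OUTPUT_FILE"
}

main "$@"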