【shell】每日shell练习：安全日志入侵检测/系统配置文件合规检查

题目7：安全日志入侵检测

描述：分析 auth.log 安全日志，检测潜在的 SSH 暴力破解攻击。

测试数据（保存为 auth_log.txt）：

Dec 1 10:30:15 server1 sshd1234: Accepted password for john from 192.168.1.100 port 54321 ssh2

Dec 1 10:31:22 server1 sshd1235: Failed password for alice from 192.168.1.200 port 54322 ssh2

Dec 1 10:32:33 server1 sshd1236: Failed password for alice from 192.168.1.200 port 54323 ssh2

Dec 1 10:33:44 server1 sshd1237: Failed password for alice from 192.168.1.200 port 54324 ssh2

Dec 1 10:34:55 server1 sshd1238: Failed password for alice from 192.168.1.200 port 54325 ssh2

Dec 1 10:35:06 server1 sshd1239: Failed password for alice from 192.168.1.200 port 54326 ssh2

Dec 1 10:36:17 server1 sshd1240: Failed password for alice from 192.168.1.200 port 54327 ssh2

Dec 1 10:37:28 server1 sshd1241: Failed password for bob from 192.168.1.201 port 54328 ssh2

Dec 1 10:38:39 server1 sshd1242: Failed password for bob from 192.168.1.201 port 54329 ssh2

Dec 1 10:39:50 server1 sshd1243: Failed password for charlie from 10.0.0.1 port 12345 ssh2

Dec 1 10:40:01 server1 sshd1244: Failed password for charlie from 10.0.0.1 port 12346 ssh2

Dec 1 10:41:12 server1 sshd1245: Failed password for charlie from 10.0.0.1 port 12347 ssh2

Dec 1 10:42:23 server1 sshd1246: Failed password for charlie from 10.0.0.1 port 12348 ssh2

Dec 1 10:43:34 server1 sshd1247: Failed password for charlie from 10.0.0.1 port 12349 ssh2

Dec 1 10:44:45 server1 sshd1248: Failed password for charlie from 10.0.0.1 port 12350 ssh2

Dec 1 10:45:56 server1 sshd1249: Failed password for charlie from 10.0.0.1 port 12351 ssh2

Dec 1 10:46:07 server1 sshd1250: Failed password for charlie from 10.0.0.1 port 12352 ssh2

Dec 1 10:47:18 server1 sshd1251: Failed password for charlie from 10.0.0.1 port 12353 ssh2

Dec 1 10:48:29 server1 sshd1252: Failed password for charlie from 10.0.0.1 port 12354 ssh2

Dec 1 10:49:40 server1 sshd1253: Failed password for charlie from 10.0.0.1 port 12355 ssh2

Dec 1 10:50:51 server1 sshd1254: Accepted password for admin from 192.168.1.1 port 22 ssh2

Dec 1 10:51:02 server1 sshd1255: Failed password for root from 203.0.113.1 port 54321 ssh2

Dec 1 10:51:13 server1 sshd1256: Failed password for root from 203.0.113.1 port 54322 ssh2

Dec 1 10:51:24 server1 sshd1257: Failed password for root from 203.0.113.1 port 54323 ssh2

Dec 1 10:51:35 server1 sshd1258: Failed password for root from 203.0.113.1 port 54324 ssh2

Dec 1 10:51:46 server1 sshd1259: Failed password for root from 203.0.113.1 port 54325 ssh2

#!/bin/bash
# SSH暴力破解检测脚本

echo "===SSH安全检测报告==="

#统计失败登陆尝试
echo "失败登陆尝试统计："
awk '/Failed password/ {
    ip = $11
    user = $9
    failed_attempts[ip]++
    user_attempts[user]++
}
END{
    print "按IP地址统计："
    for (ip in failed_attempts) {
        if(failed_attempts[ip]>=5){
            print " ⚠️ "ip": "failed_attempts "次失败尝试"
        }
    }
    print "\n按用户名统计："
    for (user in user_attempts) {
        if(user_attempts[user]>=5){
            print " ⚠️ "user": "user_attempts "次失败尝试"
        }
    }
}' auth_log.txt

#检测潜在的暴力破解攻击（同一IP在短时间内多次失败）
echo -e "\n===潜在暴力破解攻击==="
awk '/Failed password/ {
    ip = $11
    time = $3
    attempts[ip]++
    if (attempts[ip]==5){
        print "🚨 警告: IP"ip "在短时间内有5次失败登陆尝试"
    }
}' auth_log.txt

#成功登录统计
echo -e "\n成功登录统计"
grep "Accepted password" | awk '{
    printf"  ✓ %s 从 %s 登录成功\n",$9,$11
}'

#安全建议
echo -e "\n===安全建议==="
high_attempts=$(awk '/Failed password/ {attempts[$11]++} END {count=0; for(ip in attempts) if(attempts[ip]>=10) count++; print count}' auth_log.txt)

if [[$high_attempts -gt 0]]; then
    echo "  🔒 建议: 启用fail2ban或配置iptables规则阻止恶意IP"
    echo "  🔒 建议: 禁用root远程登录，使用普通用户+sudo"
    echo "  🔒 建议: 配置SSH密钥认证，禁用密码认证"
else
    echo "  ✅ 未发现明显的暴力破解攻击"
fi

题目8：系统配置文件合规检查

描述：检查 SSH 配置文件的安全设置，确保符合安全基线要求。

测试数据（保存为 sshd_config.txt）：

Package generated configuration file

See the sshd_config(5) manpage for details

What ports, IPs and protocols we listen for

Port 22

Use these options to restrict which interfaces/protocols sshd will bind to

#ListenAddress ::

#ListenAddress 0.0.0.0

Protocol 2

HostKeys for protocol version 2

HostKey /etc/ssh/ssh_host_rsa_key

HostKey /etc/ssh/ssh_host_dsa_key

HostKey /etc/ssh/ssh_host_ecdsa_key

HostKey /etc/ssh/ssh_host_ed25519_key

Logging

SyslogFacility AUTH

LogLevel INFO

Authentication:

LoginGraceTime 120

PermitRootLogin yes

StrictModes yes

MaxAuthTries 6

MaxSessions 10

To disable tunneled clear text passwords, change to no here!

PasswordAuthentication yes

PermitEmptyPasswords no

Change to yes to enable challenge-response passwords (beware issues with

some PAM modules and threads)

ChallengeResponseAuthentication no

Kerberos options

#KerberosAuthentication no

#KerberosGetAFSToken no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes

GSSAPI options

#GSSAPIAuthentication no

#GSSAPICleanupCredentials yes

X11Forwarding yes

X11DisplayOffset 10

PrintMotd no

PrintLastLog yes

TCPKeepAlive yes

#UseLogin no

#MaxStartups 10:30:60

#Banner /etc/issue.net

Allow client to pass locale environment variables

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

Set this to 'yes' to enable PAM authentication, account processing,

and session processing. If this is enabled, PAM authentication will

be allowed through the ChallengeResponseAuthentication and

PasswordAuthentication. Depending on your PAM configuration,

PAM authentication via ChallengeResponseAuthentication may bypass

the setting of "PermitRootLogin without-password".

If you just want the PAM account and session checks to run without

PAM authentication, then enable this but set PasswordAuthentication

and ChallengeResponseAuthentication to 'no'.

UsePAM yes

#!/bin/bash
# SSH 安全配置检查

echo "===SSH配置安全检查报告==="

#检查各项安全配置
echo "配置检查结果："

#1、检查是否允许root登录
if grep -q "^PermitRootLogin yes" sshd_config.txt; then
    echo "  ❌ PermitRootLogin: 允许root登录 (不安全)"
elif grep -q "^PermitRootLogin no" sshd_config.txt; then
    echo "  ✅ PermitRootLogin: 禁止root登录 (安全)"
else
    echo "  ⚠️  PermitRootLogin: 未明确设置，默认可能允许"
fi

#2、检查密码认证
if grep -q "^PasswordAuthentication yes" sshd_config.txt; then
    echo "  ❌ PasswordAuthentication: 允许密码认证 (建议禁用)"
elif grep -q "^PasswordAuthentication no" sshd_config.txt; then
    echo "  ✅ PasswordAuthentication: 禁用密码认证 (安全)"
else
    echo "  ⚠️  PasswordAuthentication: 未明确设置"
fi

#3、检查认证尝试次数
max_auth=$(grep "MaxAuthTries" sshd_config.txt | awk'{print $2}')
if [[ -n $max_auth ]]; then
    if [[ $max_auth -le 3 ]]; then
        echo "  ✅ MaxAuthTries: $max_auth (合理)"
    else
        echo "  ⚠️  MaxAuthTries: $max_auth (建议设置为3或更小)"
    fi
else
    echo "  ⚠️  MaxAuthTries: 未设置，默认值可能较高"
fi

#4、检查端口设置
port=$(grep "^Port" sshd_config.txt | awk '{print $2}')
if [[ "$port" == "22" ]] || [[ -z "$port" ]]; then
    echo "  ⚠️  Port: 使用默认端口22 (建议修改)"
else
    echo "  ✅ Port: 使用非标准端口 $port (安全)"
fi

#5、检查空密码设置
if grep -q "^PermitEmptyPasswords yes" sshd_config.txt; then
    echo "  ❌ PermitEmptyPasswords: 允许空密码 (非常不安全)"
elif grep -q "^PermitEmptyPasswords no" sshd_config.txt; then
    echo "  ✅ PermitEmptyPasswords: 禁止空密码 (安全)"
else
    echo "  ✅ PermitEmptyPasswords: 默认禁止空密码"
fi

#6、检查X11转发
if grep -q "^X11Forwarding yes" sshd_config.txt; then
    echo "  ⚠️  X11Forwarding: 启用 (非必要时建议禁用)"
elif grep -q "^X11Forwarding no" sshd_config.txt; then
    echo "  ✅ X11Forwarding: 禁用 (安全)"
fi

#生成安全建议
echo -e "\n安全建议"
echo "  🔒 建议修改SSH端口为非标准端口"
echo "  🔒 建议禁用root直接登录"
echo "  🔒 建议禁用密码认证，使用SSH密钥"
echo "  🔒 建议设置MaxAuthTries为3"
echo "  🔒 建议禁用X11Forwarding (如不需要)"