[shell] Daily shell practice: security log intrusion detection / system configuration file compliance check

Exercise 7: Security log intrusion detection

Description: Analyze the auth.log security log and detect potential SSH brute-force attacks.

Test data (save as auth_log.txt):

```text
Dec 1 10:30:15 server1 sshd[1234]: Accepted password for john from 192.168.1.100 port 54321 ssh2
Dec 1 10:31:22 server1 sshd[1235]: Failed password for alice from 192.168.1.200 port 54322 ssh2
Dec 1 10:32:33 server1 sshd[1236]: Failed password for alice from 192.168.1.200 port 54323 ssh2
Dec 1 10:33:44 server1 sshd[1237]: Failed password for alice from 192.168.1.200 port 54324 ssh2
Dec 1 10:34:55 server1 sshd[1238]: Failed password for alice from 192.168.1.200 port 54325 ssh2
Dec 1 10:35:06 server1 sshd[1239]: Failed password for alice from 192.168.1.200 port 54326 ssh2
Dec 1 10:36:17 server1 sshd[1240]: Failed password for alice from 192.168.1.200 port 54327 ssh2
Dec 1 10:37:28 server1 sshd[1241]: Failed password for bob from 192.168.1.201 port 54328 ssh2
Dec 1 10:38:39 server1 sshd[1242]: Failed password for bob from 192.168.1.201 port 54329 ssh2
Dec 1 10:39:50 server1 sshd[1243]: Failed password for charlie from 10.0.0.1 port 12345 ssh2
Dec 1 10:40:01 server1 sshd[1244]: Failed password for charlie from 10.0.0.1 port 12346 ssh2
Dec 1 10:41:12 server1 sshd[1245]: Failed password for charlie from 10.0.0.1 port 12347 ssh2
Dec 1 10:42:23 server1 sshd[1246]: Failed password for charlie from 10.0.0.1 port 12348 ssh2
Dec 1 10:43:34 server1 sshd[1247]: Failed password for charlie from 10.0.0.1 port 12349 ssh2
Dec 1 10:44:45 server1 sshd[1248]: Failed password for charlie from 10.0.0.1 port 12350 ssh2
Dec 1 10:45:56 server1 sshd[1249]: Failed password for charlie from 10.0.0.1 port 12351 ssh2
Dec 1 10:46:07 server1 sshd[1250]: Failed password for charlie from 10.0.0.1 port 12352 ssh2
Dec 1 10:47:18 server1 sshd[1251]: Failed password for charlie from 10.0.0.1 port 12353 ssh2
Dec 1 10:48:29 server1 sshd[1252]: Failed password for charlie from 10.0.0.1 port 12354 ssh2
Dec 1 10:49:40 server1 sshd[1253]: Failed password for charlie from 10.0.0.1 port 12355 ssh2
Dec 1 10:50:51 server1 sshd[1254]: Accepted password for admin from 192.168.1.1 port 22 ssh2
Dec 1 10:51:02 server1 sshd[1255]: Failed password for root from 203.0.113.1 port 54321 ssh2
Dec 1 10:51:13 server1 sshd[1256]: Failed password for root from 203.0.113.1 port 54322 ssh2
Dec 1 10:51:24 server1 sshd[1257]: Failed password for root from 203.0.113.1 port 54323 ssh2
Dec 1 10:51:35 server1 sshd[1258]: Failed password for root from 203.0.113.1 port 54324 ssh2
Dec 1 10:51:46 server1 sshd[1259]: Failed password for root from 203.0.113.1 port 54325 ssh2
```

```bash
#!/bin/bash
# SSH brute-force detection script

echo "===SSH安全检测报告==="

# Count failed login attempts.
# In "Failed password for USER from IP port N ssh2", $9 is the user name
# and $11 the source IP. (The "for invalid user USER from IP" form that
# sshd logs for non-existent accounts shifts these fields by two; the
# exercise's test data does not contain it.)
echo "失败登录尝试统计:"
awk '/Failed password/ {
    ip = $11
    user = $9
    failed_attempts[ip]++
    user_attempts[user]++
}
END{
    print "按IP地址统计:"
    for (ip in failed_attempts) {
        if(failed_attempts[ip]>=5){
            print " ⚠️ "ip": "failed_attempts[ip] "次失败尝试"
        }
    }
    print "\n按用户名统计:"
    for (user in user_attempts) {
        if(user_attempts[user]>=5){
            print " ⚠️ "user": "user_attempts[user] "次失败尝试"
        }
    }
}' auth_log.txt

# Detect potential brute-force attacks (repeated failures from the same IP
# in a short time). attempts[] is a cumulative count over the whole file;
# the time field is captured but does not bound the window.
echo -e "\n===潜在暴力破解攻击==="
awk '/Failed password/ {
    ip = $11
    time = $3
    attempts[ip]++
    if (attempts[ip]==5){
        print "🚨 警告: IP"ip "在短时间内有5次失败登录尝试"
    }
}' auth_log.txt

# Successful login summary (grep must be given the file, or it blocks on stdin)
echo -e "\n成功登录统计"
grep "Accepted password" auth_log.txt | awk '{
    printf "  ✓ %s 从 %s 登录成功\n", $9, $11
}'

# Security recommendations
echo -e "\n===安全建议==="
high_attempts=$(awk '/Failed password/ {attempts[$11]++} END {count=0; for(ip in attempts) if(attempts[ip]>=10) count++; print count}' auth_log.txt)

# [[ ]] requires spaces around its operands
if [[ $high_attempts -gt 0 ]]; then
    echo "  🔒 建议: 启用fail2ban或配置iptables规则阻止恶意IP"
    echo "  🔒 建议: 禁用root远程登录,使用普通用户+sudo"
    echo "  🔒 建议: 配置SSH密钥认证,禁用密码认证"
else
    echo "  ✅ 未发现明显的暴力破解攻击"
fi
```
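The second awk block in the solution counts failures per IP over the whole file, so the "in a short time" condition is not actually enforced, and the fixed `$9`/`$11` field positions break on the `Failed password for invalid user NAME from IP` form that sshd logs for accounts that do not exist. The following is an added example, not part of the exercise or its solution: the function name `detect_bruteforce`, its window and threshold parameters, and the sample log are this example's own. It implements a true sliding time window in POSIX awk and locates the `from` token instead of trusting fixed field numbers, so both log forms resolve to the right IP:

```shell
#!/bin/sh
# Added example (not part of the exercise): sliding-window SSH brute-force
# detection. The function, its tunables and the sample log are this example's own.

# detect_bruteforce FILE WINDOW_SECONDS THRESHOLD
# Prints one line per source IP at the moment its failed-password count
# within the last WINDOW_SECONDS reaches THRESHOLD. Assumes the log is in
# chronological order (true for an unmodified auth.log).
detect_bruteforce() {
    awk -v window="$2" -v threshold="$3" '
    /Failed password for/ {
        # Find the "from" token so that both "for USER from IP" and
        # "for invalid user USER from IP" yield the right user and IP.
        ip = ""; user = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "from") { ip = $(i + 1); user = $(i - 1); break }
        }
        if (ip == "") next
        # Timestamp HH:MM:SS -> seconds since midnight (day boundary ignored)
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        n[ip]++
        ts[ip, n[ip]] = now
        if (!(ip in head)) head[ip] = 1
        # Slide the window start past entries older than WINDOW_SECONDS
        while (ts[ip, head[ip]] < now - window) head[ip]++
        inwin = n[ip] - head[ip] + 1
        if (inwin == threshold)
            printf "%s %d failures within %ds (last user %s, at %s)\n", ip, inwin, window, user, $3
    }' "$1"
}

# Constructed sample log: a slow series from 10.0.0.1 spread over ten minutes,
# and a 44-second burst from 203.0.113.1 that also tries a non-existent account.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Dec  1 10:30:15 server1 sshd[1234]: Accepted password for john from 192.168.1.100 port 54321 ssh2
Dec  1 10:39:50 server1 sshd[1243]: Failed password for charlie from 10.0.0.1 port 12345 ssh2
Dec  1 10:42:23 server1 sshd[1246]: Failed password for charlie from 10.0.0.1 port 12348 ssh2
Dec  1 10:44:45 server1 sshd[1248]: Failed password for charlie from 10.0.0.1 port 12350 ssh2
Dec  1 10:47:18 server1 sshd[1251]: Failed password for charlie from 10.0.0.1 port 12353 ssh2
Dec  1 10:49:40 server1 sshd[1253]: Failed password for charlie from 10.0.0.1 port 12355 ssh2
Dec  1 10:51:02 server1 sshd[1255]: Failed password for root from 203.0.113.1 port 54321 ssh2
Dec  1 10:51:13 server1 sshd[1256]: Failed password for invalid user oracle from 203.0.113.1 port 54322 ssh2
Dec  1 10:51:24 server1 sshd[1257]: Failed password for root from 203.0.113.1 port 54323 ssh2
Dec  1 10:51:35 server1 sshd[1258]: Failed password for admin from 203.0.113.1 port 54324 ssh2
Dec  1 10:51:46 server1 sshd[1259]: Failed password for root from 203.0.113.1 port 54325 ssh2
EOF

echo "--- 5 failures within 60 s (fast burst only) ---"
detect_bruteforce "$SAMPLE_LOG" 60 5
echo "--- 5 failures within 15 min (catches the slow series too) ---"
detect_bruteforce "$SAMPLE_LOG" 900 5
```

With a 60-second window only the burst from 203.0.113.1 is reported; with a 15-minute window the slow series from 10.0.0.1 is reported as well. Note that the `invalid user oracle` line would have produced the IP `oracle` with the fixed `$11` field, which is why the parser searches for `from`. Tools such as fail2ban, which the solution's recommendations mention, perform this same windowed counting continuously against the live log and act on the result.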

Exercise 8: System configuration file compliance check

Description: Check the security settings in the SSH configuration file and verify that they meet the security baseline requirements.

Test data (save as sshd_config.txt):

```text
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

MaxAuthTries 6
MaxSessions 10

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
```

```bash
#!/bin/bash
# SSH security configuration check

echo "===SSH配置安全检查报告==="

# Check each security setting
echo "配置检查结果:"

# 1. Is root login allowed?
if grep -q "^PermitRootLogin yes" sshd_config.txt; then
    echo "  ❌ PermitRootLogin: 允许root登录 (不安全)"
elif grep -q "^PermitRootLogin no" sshd_config.txt; then
    echo "  ✅ PermitRootLogin: 禁止root登录 (安全)"
else
    echo "  ⚠️  PermitRootLogin: 未明确设置,默认可能允许"
fi

# 2. Password authentication
if grep -q "^PasswordAuthentication yes" sshd_config.txt; then
    echo "  ❌ PasswordAuthentication: 允许密码认证 (建议禁用)"
elif grep -q "^PasswordAuthentication no" sshd_config.txt; then
    echo "  ✅ PasswordAuthentication: 禁用密码认证 (安全)"
else
    echo "  ⚠️  PasswordAuthentication: 未明确设置"
fi

# 3. Authentication attempt limit
# Anchor to the line start so a commented-out "#MaxAuthTries" is not picked up
max_auth=$(grep "^MaxAuthTries" sshd_config.txt | awk '{print $2}')
if [[ -n $max_auth ]]; then
    if [[ $max_auth -le 3 ]]; then
        echo "  ✅ MaxAuthTries: $max_auth (合理)"
    else
        echo "  ⚠️  MaxAuthTries: $max_auth (建议设置为3或更小)"
    fi
else
    echo "  ⚠️  MaxAuthTries: 未设置,默认值可能较高"
fi

# 4. Port setting
port=$(grep "^Port" sshd_config.txt | awk '{print $2}')
if [[ "$port" == "22" ]] || [[ -z "$port" ]]; then
    echo "  ⚠️  Port: 使用默认端口22 (建议修改)"
else
    echo "  ✅ Port: 使用非标准端口 $port (安全)"
fi

# 5. Empty passwords
if grep -q "^PermitEmptyPasswords yes" sshd_config.txt; then
    echo "  ❌ PermitEmptyPasswords: 允许空密码 (非常不安全)"
elif grep -q "^PermitEmptyPasswords no" sshd_config.txt; then
    echo "  ✅ PermitEmptyPasswords: 禁止空密码 (安全)"
else
    echo "  ✅ PermitEmptyPasswords: 默认禁止空密码"
fi

# 6. X11 forwarding
if grep -q "^X11Forwarding yes" sshd_config.txt; then
    echo "  ⚠️  X11Forwarding: 启用 (非必要时建议禁用)"
elif grep -q "^X11Forwarding no" sshd_config.txt; then
    echo "  ✅ X11Forwarding: 禁用 (安全)"
fi

# Security recommendations
echo -e "\n安全建议"
echo "  🔒 建议修改SSH端口为非标准端口"
echo "  🔒 建议禁用root直接登录"
echo "  🔒 建议禁用密码认证,使用SSH密钥"
echo "  🔒 建议设置MaxAuthTries为3"
echo "  🔒 建议禁用X11Forwarding (如不需要)"
```
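The checks above grep for exact `^Keyword value` lines, but sshd resolves its configuration differently: keywords are case-insensitive, leading whitespace and the `Keyword = value` form are accepted, the first occurrence of a keyword is the one used, and anything after the first `Match` line applies only conditionally. A check that ignores these rules can report a hardened value that sshd never actually uses, or miss a weak one hidden by indentation or case. The following is an added example, not part of the exercise or its solution: `sshd_get`, `check_sshd_baseline`, the `SSHD_BASELINE` table (an assumed baseline chosen for this example, not a published standard) and the sample config are this example's own. It resolves each keyword the way sshd does, falls back to the OpenSSH default when the keyword is absent, and grades the result:

```shell
#!/bin/sh
# Added example (not part of the exercise): resolve sshd_config values the
# way sshd does, then grade them against an assumed hardening baseline.

# sshd_get FILE KEYWORD
# Prints the effective global value of KEYWORD from FILE: keywords are
# case-insensitive, leading whitespace and "Keyword = value" are accepted,
# comments are skipped, the FIRST occurrence wins, and lines after the first
# "Match" block are conditional, so they are not read. Prints nothing if unset.
sshd_get() {
    awk -v key="$2" '
    BEGIN { key = tolower(key) }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # comment or blank line
    { k = tolower($1) }
    k == "match" { exit }                    # end of the global section
    k == key {
        v = $2
        if (v == "=") v = $3                 # "Keyword = value" form
        print v
        exit                                 # first obtained value is used
    }' "$1"
}

# Assumed baseline (this example's own choice, not a published standard):
# keyword, comparison (eq: equal, case-insensitive; le: numeric <=),
# wanted value, and the OpenSSH default that applies when the keyword is absent.
SSHD_BASELINE='
PermitRootLogin eq no prohibit-password
PasswordAuthentication eq no yes
PermitEmptyPasswords eq no no
X11Forwarding eq no no
MaxAuthTries le 3 6
LoginGraceTime le 60 120
'

# check_sshd_baseline FILE
# Prints PASS/FAIL per baseline entry; returns the number of failures.
check_sshd_baseline() {
    cfg=$1
    fails=0
    while read -r key op want def; do
        [ -n "$key" ] || continue
        got=$(sshd_get "$cfg" "$key")
        [ -n "$got" ] || got=$def            # absent keyword: sshd default
        lc=$(printf '%s' "$got" | tr 'A-Z' 'a-z')
        ok=0
        case $op in
            eq) if [ "$lc" = "$want" ]; then ok=1; fi ;;
            le) case $lc in
                    ''|*[!0-9]*) ;;          # not a number: stays FAIL
                    *) if [ "$lc" -le "$want" ]; then ok=1; fi ;;
                esac ;;
        esac
        if [ "$ok" -eq 1 ]; then
            printf 'PASS %s=%s\n' "$key" "$got"
        else
            printf 'FAIL %s=%s (baseline: %s %s)\n' "$key" "$got" "$op" "$want"
            fails=$((fails + 1))
        fi
    done <<EOF
$SSHD_BASELINE
EOF
    return "$fails"
}

# Constructed sample modelled on the exercise's sshd_config.txt, with the
# traps a grep-based check misses: odd case, indentation, a duplicated
# keyword, a commented-out value, and a Match block.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat >"$SAMPLE_CFG" <<'EOF'
# Port 2222
Port 22
LoginGraceTime 30
  permitrootlogin yes
PasswordAuthentication yes
MaxAuthTries 6
MaxAuthTries 3
X11Forwarding yes
#PermitEmptyPasswords yes
Match User backup
    PasswordAuthentication no
    X11Forwarding no
EOF

check_sshd_baseline "$SAMPLE_CFG" || echo "$? baseline check(s) failed"
```

On the sample, `MaxAuthTries` resolves to 6 (the first occurrence, which the solution's unanchored `grep "MaxAuthTries"` would return twice), `PasswordAuthentication` stays `yes` because the `no` sits inside a `Match` block, and `PermitEmptyPasswords` passes via its default of `no`. On a live host, `sshd -T` prints the effective configuration after all of these rules are applied and is the authoritative input for a compliance check; the parser here is for files that cannot be handed to a running sshd, such as this exercise's test data.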