I hope I can explain this well. I'll do my best. Although there are many similar questions and examples, none of them cover what I'm looking for. I'm trying to get these so-called "attackers" off my server.
What I'm looking for:
- The list should be sorted; say the top 20
- The list should be uniq; a list with unique IP ranges
- The list should only show IPs ending in 0
For example, we have the following IPs in our logs:
122.155.223.48
116.110.220.28
116.110.220.166
116.196.94.108
118.70.113.1
116.110.220.94
116.110.220.34
118.70.113.2
125.19.37.226
Now I need a list that shows them like this:
4x 116.110.220.0
2x 118.70.113.0
1x 116.196.94.0
1x 122.155.223.0
1x 125.19.37.0
As you can see, it merges the last octet (?) to 0 and sorts them by number of hits. That way I can block the full ranges on my 3 servers.
Which logs to search, and for what string?
I want to scan all /var/log/secure logs on the server for the list above, which would include (for example): secure, secure-20191124, secure-20191201, etc.
The string to search for is: Failed password
The code I've been using so far is:
grep "Failed password for" /var/log/secure | grep -Po "[0-9]+.[0-9]+.[0-9]+.[0-9]+" | sort | uniq -c
This partly works, but it doesn't limit the list to 20 IPs, it doesn't set the last octet to .0 (and merge those IPs), and on top of that it doesn't sort them by top hits (just random).
Is there a working solution for this anyway?
Thanks in advance for your help!
UPDATE
The solution provided by Thibaud Ledent works fine for the case above, but it does not work when the secure log shows entries like these:
Dec 18 19:24:58 serverc1 sshd[14698]: refused connect from 212.69.19.250 (212.69.19.250)
Dec 18 19:25:03 serverc1 sshd[14699]: refused connect from 197.51.144.150 (197.51.144.150)
Dec 18 19:42:52 serverc1 sshd[14700]: refused connect from 113.225.182.207 (113.225.182.207)
Dec 18 19:42:52 serverc1 sshd[14701]: refused connect from 113.225.182.207 (113.225.182.207)
Dec 18 20:56:23 serverc1 sshd[14711]: refused connect from 41.176.150.253 (41.176.150.253)
Dec 18 20:59:28 serverc1 sshd[14714]: refused connect from 95.110.201.243 (95.110.201.243)
Dec 18 21:22:46 serverc1 sshd[14722]: refused connect from 107.189.10.44 (107.189.10.44)
Dec 19 00:04:15 serverc1 sshd[15134]: refused connect from 83.97.20.49 (83.97.20.49)
Dec 19 01:52:03 serverc1 sshd[15156]: refused connect from 27.78.12.22 (27.78.12.22)
Dec 19 01:52:05 serverc1 sshd[15157]: refused connect from 27.78.12.22 (27.78.12.22)
Dec 19 01:52:16 serverc1 sshd[15158]: refused connect from 27.78.14.83 (27.78.14.83)
Dec 19 01:52:20 serverc1 sshd[15159]: refused connect from 27.78.12.22 (27.78.12.22)
Dec 19 01:52:20 serverc1 sshd[15160]: refused connect from 27.78.12.22 (27.78.12.22)
Dec 19 01:52:21 serverc1 sshd[15161]: refused connect from 27.78.14.83 (27.78.14.83)
Dec 19 01:52:22 serverc1 sshd[15162]: refused connect from 27.78.14.83 (27.78.14.83)
Dec 19 01:52:24 serverc1 sshd[15163]: refused connect from 27.78.12.22 (27.78.12.22)
Dec 19 01:52:30 serverc1 sshd[15168]: refused connect from 27.78.14.83 (27.78.14.83)
Dec 19 01:52:32 serverc1 sshd[15169]: refused connect from 27.78.14.83 (27.78.14.83)
Dec 19 02:04:58 serverc1 sshd[15189]: refused connect from 195.24.207.252 (195.24.207.252)
Dec 19 02:22:38 serverc1 sshd[15192]: refused connect from 65.49.20.66 (65.49.20.66)
Dec 19 05:04:25 serverc1 sshd[15244]: refused connect from 45.227.255.48 (45.227.255.48)
Dec 19 05:28:09 serverc1 sshd[15247]: refused connect from 203.162.150.234 (203.162.150.234)
Dec 19 05:28:12 serverc1 sshd[15248]: refused connect from 203.162.150.234 (203.162.150.234)
Dec 19 05:31:48 serverc1 sshd[15249]: refused connect from 125.160.17.32 (125.160.17.32)
Dec 19 09:09:06 serverc1 sshd[15297]: refused connect from 139.162.122.110 (139.162.122.110)
Dec 19 09:09:12 serverc1 sshd[15298]: refused connect from 139.162.122.110 (139.162.122.110)
Dec 19 09:54:55 serverc1 sshd[15299]: refused connect from 45.33.70.146 (45.33.70.146)
Dec 19 09:55:00 serverc1 sshd[15300]: refused connect from 45.33.70.146 (45.33.70.146)
Dec 19 09:55:06 serverc1 sshd[15301]: refused connect from 45.33.70.146 (45.33.70.146)
Dec 19 09:55:11 serverc1 sshd[15302]: refused connect from 45.33.70.146 (45.33.70.146)
Dec 19 09:55:16 serverc1 sshd[15303]: refused connect from 45.33.70.146 (45.33.70.146)
Dec 19 10:11:33 serverc1 sshd[15321]: refused connect from 45.33.70.146 (45.33.70.146)
Dec 19 12:49:55 serverc1 sshd[15463]: refused connect from 66.70.188.152 (66.70.188.152)
Dec 19 12:57:29 serverc1 sshd[15466]: refused connect from 107.189.10.141 (107.189.10.141)
Dec 19 13:18:09 serverc1 sshd[15474]: refused connect from 111.59.92.70 (111.59.92.70)
Dec 19 14:34:03 serverc1 sshd[15484]: refused connect from 120.50.182.178 (120.50.182.178)
Obviously I changed his solution to:
grep " refused connect from" -r /var/log/secure | grep -oE "[0-9]+.[0-9]+.[0-9]+.0" | sort | uniq -c | sort -r | head -n 20
But it shows no results at all?
Maybe because the IP is shown twice, or something similar?
grep "Failed password for" -r /var/log/secure | grep -oE "[0-9]+.[0-9]+.[0-9]+.0" | sort | uniq -c | sort -r | head -n 20
Details:
Step 1. Find the lines containing "Failed password" in the folder /var/log/secure:
grep "Failed password for" -r /var/log/secure
Step 2. Filter the IPs ending in .0:
grep -oE "[0-9]+.[0-9]+.[0-9]+.0"
(or, if you want all the IPs: grep -oE "[0-9]+.[0-9]+.[0-9]+.[0-9]+")
Step 3. Count the occurrences:
sort | uniq -c
Step 4. Sort them using the count number in front:
sort -r
Step 5. Show the top 20 IPs:
head -n 20
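The pipeline above, and the "refused connect from" variant in the update, both rely on the regex "[0-9]+.[0-9]+.[0-9]+.0" with unescaped dots, so "." matches any character and the literal "0" can land in the middle of a digit run (for example "113.225.182.20" out of 113.225.182.207); it never actually rewrites the last octet to 0, and on the "refused connect" lines, where the address appears twice, every extracted address is counted twice. The following script is an added example, not the original poster's or Thibaud Ledent's code; it produces the "4x 116.110.220.0" style output the question asks for from both line formats. The sample log lines are constructed for the example, the function name top_ranges is an assumption, and the sshd log format is assumed to be the syslog-style one shown in the question.

```shell
#!/bin/sh
# Added example (not from the original thread): count sshd brute-force hits per /24
# and print the busiest ranges as "<count>x <a.b.c>.0".
# Assumptions: standard syslog-style sshd lines as shown in the question; the
# sample log below is constructed and is not real data.

# Constructed sample input, mixing the two line formats from the question plus
# one unrelated line that must not be counted.
SAMPLE_LOG=$(cat <<'EOF'
Dec 18 19:24:58 serverc1 sshd[14698]: Failed password for root from 116.110.220.28 port 41234 ssh2
Dec 18 19:25:03 serverc1 sshd[14699]: Failed password for invalid user admin from 116.110.220.166 port 51022 ssh2
Dec 18 19:42:52 serverc1 sshd[14700]: Failed password for root from 116.110.220.94 port 43311 ssh2
Dec 18 19:42:55 serverc1 sshd[14701]: Failed password for root from 116.110.220.34 port 43322 ssh2
Dec 18 20:56:23 serverc1 sshd[14711]: refused connect from 118.70.113.1 (118.70.113.1)
Dec 18 20:59:28 serverc1 sshd[14714]: refused connect from 118.70.113.2 (118.70.113.2)
Dec 18 21:22:46 serverc1 sshd[14722]: refused connect from 122.155.223.48 (122.155.223.48)
Dec 19 00:04:15 serverc1 sshd[15134]: Accepted publickey for deploy from 10.0.0.5 port 50000 ssh2
EOF
)

# top_ranges [N]: read sshd log lines on stdin, print the N (default 20) busiest
# /24 ranges, most hits first, in the form "4x 116.110.220.0".
top_ranges() {
    n="${1:-20}"
    # Keep only the two kinds of lines the question is about.
    grep -E 'Failed password for|refused connect from' |
    # Take only the FIRST dotted-quad per line (the client address), with the
    # dots escaped so they match literally; replace the last octet with 0.
    # One address per line is what prevents "from 1.2.3.4 (1.2.3.4)" counting twice.
    awk '{
        if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            ip = substr($0, RSTART, RLENGTH)
            sub(/\.[0-9]+$/, ".0", ip)
            print ip
        }
    }' |
    sort | uniq -c |
    # Numeric, descending sort on the count; ties broken by the range string so
    # the output is stable between runs (plain "sort -r" sorts the count as text).
    sort -k1,1nr -k2,2 |
    head -n "$n" |
    awk '{ printf "%dx %s\n", $1, $2 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | top_ranges 20
```

On a real host, feed every rotated copy of the log through the function, e.g. `cat /var/log/secure* | top_ranges 20` (or `zcat -f /var/log/secure* | top_ranges 20` where logrotate compresses old files); reading from stdin instead of `grep -r` also avoids the "filename:" prefix grep adds when it searches several files. Two caveats before turning the output into firewall rules: IPv6 sources contain no dotted quad and are silently dropped by this extraction, and blocking a whole /24 also blocks every innocent host in that range, so it is worth checking the per-address counts (drop the `sub()` line) before deciding the range, not just the address, deserves a block.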