linux安全日志文件 grep "failure" /var/log/secure

old_farmers

linux安全日志文件 grep "failure" /var/log/secure
统计最近一次连续的三分钟内如果IP地址是同一个，登陆用户同一个，登入失败的次数大于等于3次  
想要得到的结果
IP:172.24.24.24  test authentication failure: 4 times
Jun 29 14:08:23 szkrdb03 sshd[13689]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.1.1.1  user=root
Jun 29 14:08:27 szkrdb03 sshd[13690]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.1.1.1  user=root
Jun 29 14:08:31 szkrdb03 sshd[13694]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.2.20.20  user=nagios
Jun 29 14:08:36 szkrdb03 sshd[13916]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.2.20.20  user=root
Jun 29 14:10:52 szkrdb03 sshd[14653]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.2.20.20  user=root
Jun 29 14:10:56 szkrdb03 sshd[14654]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.2.20.20  user=test
Jun 29 14:10:59 szkrdb03 sshd[14655]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.2.20.20  user=root
Jun 29 14:11:13 szkrdb03 sshd[14671]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.24.24  user=root
Jun 29 14:11:25 szkrdb03 sshd[14859]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.24.24  user=root
Jun 29 14:12:27 szkrdb03 sshd[15089]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.24.24  user=test
Jun 29 14:12:31 szkrdb03 sshd[15090]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.24.24  user=test
Jun 29 14:12:35 szkrdb03 sshd[15098]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.24.24  user=test
Jun 29 14:12:39 szkrdb03 sshd[15284]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.33.30  user=root
Jun 29 14:12:43 szkrdb03 sshd[15285]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.33.30  user=zabbix

1cpuer

# [ /home/soio/1bs/awks ] {2018-07-02 08:53:48}
: 1530492828:0;➜  awk -F'[ =]' '{sum[$20]+=1}{for(i=1;i<=NF;i++);for(i in sum);if(sum[i]>=3)print $0}' 6.t.kf
Jun 29 14:10:52 szkrdb03 sshd[14653]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.2.20.20  user=root
Jun 29 14:10:56 szkrdb03 sshd[14654]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.2.20.20  user=test
Jun 29 14:10:59 szkrdb03 sshd[14655]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.2.20.20  user=root
Jun 29 14:12:27 szkrdb03 sshd[15089]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.24.24  user=test
Jun 29 14:12:31 szkrdb03 sshd[15090]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.24.24  user=test
Jun 29 14:12:35 szkrdb03 sshd[15098]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.24.24  user=test

christmas1102

没看懂，如果仅仅高亮部分，是想要的结果，那么

1. Jun 29 14:08:36 szkrdb03 sshd[13916]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.2.20.20  user=root
   
2. Jun 29 14:10:52 szkrdb03 sshd[14653]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.2.20.20  user=root
   
3. Jun 29 14:10:59 szkrdb03 sshd[14655]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.2.20.20  user=root

复制代码

这3条数据是不是 3分钟内，同IP USER 且 failure >=3，为什么不要这三条
如果本文本身就是想要的结果，那原文在哪

old_farmers

回复 3# christmas1102

我贴的就是原文，我想要的结果是  连续的三分钟内，IP，用户都是同一个则打印出登录失败次数。例如用户test  IP 172.24.24.24   连续的三分钟内登入失败次数是四次，（高亮部分是为了举例）打印4

实际上这是一件很蛋疼的事情，为了应付客户稽核。客人需要监控 用户连续输入密码错误超过三次就告警。
我原本的脚本，通过zabbix监控。但是bug太多，如果是两分钟内输入错误就不告警....这个只grep failure，不判断用户和IP。
#!/bin/bash
LOG_PATH="/var/log/secure"
mon=$(date +%B)
h=$(date +%d)
ms=$(date +%H:%M)
h=${h/#0/""}
k=" "
count=`grep "$h$k$ms" /var/log/secure | grep -c failure`
echo $count


客人需要监控 用户连续输入密码错误超过三次就告警。
1，假如有超个三个不同的用户同时登陆失败，则/var/log/secure会记录三笔失败记录，但是IP和用户不是同一个。不满足需求
2，假如同一个用户在三台不同主机上登录这台服务器失败，则/var/log/secure也会记录三笔失败记录，还是不满足需求。

或许简单点 就把我脚本改成3分钟内算了 好难判断。

old_farmers

回复 2# 1cpuer

大哥，能有改进吗？我想要得到的是次数，例如你提取出了test用户在最近连续的三分钟内登录失败了四次，则打印4。不足三次的就不要打印。且不能累加，只能最近三分钟。
我是要做监控的，下面的结果只能是一个数字，再在zabbix server端做控制，超出三次就发邮件。
UserParameter=check_user,/usr/local/zabbix/etc/check_secure.sh
这是以前的脚本。
[root@szkrdb03 etc]# cat check_secure.sh
#!/bin/bash
LOG_PATH="/var/log/secure"
mon=$(date +%B)
h=$(date +%d)
ms=$(date +%H:%M)
h=${h/#0/""}
k=" "
count=`grep "$h$k$ms" /var/log/secure | grep -c failure`
echo $count

wh7211

回复 1# old_farmers


假设当前时间是Jun 29 14:12:43，统计据当前时间最近的3分钟内，相同用户且相同IP且登入失败的次数大于等于3次的数据：

1. awk -vcudate=`date -d 'Jun 29 14:12:43' +%s` '/authentication failure;/{$1=/^Jan/?1:/^Feb/?2:/^Mar/?3:/^Apr/?4:/^May/?5:/^Jun/?6:/^Jul/?7:/^Aug/?8:/^Sep/?9:/^Oct/?10:/^Nov/?11:/^Dec/?12:0;gsub(":"," ",$3);a=mktime("2018 "$1" "$2" "$3"");if(a>=cudate-180){b[$NF" "$(NF-1)]++}}END{for(i in b){if(b[i]>=3){print i,b[i]}}}' file
   
2. user=test rhost=172.24.24.24 3

复制代码

old_farmers

回复 6# wh7211

是真的强~ 我稍微改了一下，毕竟是要最近三分钟内的。但是结果好像会累加啊，应该是13:36:53-13:37:13 之间会是6次，后面又是6次  我只要最新的6次就行了。

[root@RHEL sh]# cat /var/log/secure | grep failure
Jul  3 13:36:53 localhost sshd[3514]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
Jul  3 13:36:56 localhost sshd[3515]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
Jul  3 13:36:59 localhost sshd[3516]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
Jul  3 13:37:05 localhost sshd[3517]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
Jul  3 13:37:09 localhost sshd[3518]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
Jul  3 13:37:13 localhost sshd[3519]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
Jul  3 13:46:05 localhost sshd[3617]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
Jul  3 13:46:09 localhost sshd[3618]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
Jul  3 13:46:11 localhost sshd[3622]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
Jul  3 13:46:14 localhost sshd[3623]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
Jul  3 13:46:18 localhost sshd[3624]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
Jul  3 13:46:24 localhost sshd[3625]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
[root@RHEL sh]# awk -vcudate=`date -d "(cat /var/log/secure |awk '{print $1,$2,$3}')" +%s` '/authentication failure;/{$1=/^Jan/?1:/^Feb/?2:/^Mar/?3:/^Apr/?4:/^May/?5:/^Jun/?6:/^Jul/?7:/^Aug/?8:/^Sep/?9:/^Oct/?10:/^Nov/?11:/^Dec/?12:0;gsub(":"," ",$3);a=mktime("2018 "$1" "$2" "$3"");if(a>=cudate-180){b[$NF" "$(NF-1)]++}}END{for(i in b){if(b>=3){print i,b}}}' /var/log/secure
user=root rhost=172.24.80.43 12

wh7211

回复 7# old_farmers

1. awk -vcudate=$(date -d "$(awk 'END{print $1,$2,$3}' /var/log/secure)" +%s) '/authentication failure;/{$1=/^Jan/?1:/^Feb/?2:/^Mar/?3:/^Apr/?4:/^May/?5:/^Jun/?6:/^Jul/?7:/^Aug/?8:/^Sep/?9:/^Oct/?10:/^Nov/?11:/^Dec/?12:0;gsub(":"," ",$3);a=mktime("2018 "$1" "$2" "$3"");if(a>=cudate-180){b[$NF" "$(NF-1)]++}}END{for(i in b){if(b[i]>=3){print i,b[i]}}}' /var/log/secure
   
2. user=root rhost=172.24.80.43 6

复制代码

old_farmers

回复 8# wh7211

完全达到想要的结果，大神，膜拜一下。[root@RHEL sh]# tail -20 /var/log/secure
Jul  3 15:49:09 localhost sshd[4017]: PAM [error: <*unknown module path*>: cannot open shared object file: No such file or directory]
Jul  3 15:49:09 localhost sshd[4017]: PAM adding faulty module: <*unknown module path*>
Jul  3 15:49:10 localhost sshd[4021]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
Jul  3 15:49:11 localhost sshd[4013]: PAM (sshd) illegal module type: UserPAM
Jul  3 15:49:11 localhost sshd[4013]: PAM pam_parse: expecting return value; [...yes]
Jul  3 15:49:11 localhost sshd[4013]: PAM (sshd) no module name supplied
Jul  3 15:49:11 localhost sshd[4013]: PAM unable to dlopen(<*unknown module path*>)
Jul  3 15:49:11 localhost sshd[4013]: PAM [error: <*unknown module path*>: cannot open shared object file: No such file or directory]
Jul  3 15:49:11 localhost sshd[4013]: PAM adding faulty module: <*unknown module path*>
Jul  3 15:49:13 localhost sshd[4022]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.61  user=test
Jul  3 15:49:14 localhost sshd[4023]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
Jul  3 15:49:17 localhost sshd[4025]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
Jul  3 15:49:18 localhost sshd[4024]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.61  user=test
Jul  3 15:49:20 localhost sshd[4026]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
Jul  3 15:49:21 localhost sshd[4027]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.61  user=test
Jul  3 15:49:24 localhost sshd[4028]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
Jul  3 15:49:25 localhost sshd[4029]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.61  user=test
Jul  3 15:49:29 localhost sshd[4030]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.43  user=root
Jul  3 15:49:30 localhost sshd[4031]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.61  user=test
Jul  3 15:49:35 localhost sshd[4032]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.24.80.61  user=test
[root@RHEL sh]# awk -vcudate=$(date -d "$(awk 'END{print $1,$2,$3}' /var/log/secure)" +%s) '/authentication failure;/{$1=/^Jan/?1:/^Feb/?2:/^Mar/?3:/^Apr/?4:/^May/?5:/^Jun/?6:/^Jul/?7:/^Aug/?8:/^Sep/?9:/^Oct/?10:/^Nov/?11:/^Dec/?12:0;gsub(":"," ",$3);a=mktime("2018 "$1" "$2" "$3"");if(a>=cudate-180){b[$NF" "$(NF-1)]++}}END{for(i in b){if(b>=3){print i,b}}}' /var/log/secure
user=test rhost=172.24.80.61 6
user=root rhost=172.24.80.43 6
[root@RHEL sh]#

wh7211

回复 9# old_farmers

优化一下，不用扫描2次文件

1. awk '/authentication failure;/{$1=/^Jan/?1:/^Feb/?2:/^Mar/?3:/^Apr/?4:/^May/?5:/^Jun/?6:/^Jul/?7:/^Aug/?8:/^Sep/?9:/^Oct/?10:/^Nov/?11:/^Dec/?12:0;gsub(":"," ",$3);a[NR]=mktime("2018 "$1" "$2" "$3"");cudate=a[NR];b[NR]=$NF" "$(NF-1)}END{for(i in a){if(a[i]>=cudate-180){c[b[i]]++}};for(j in c){if(c[j]>=3){print j,c[j]}}}' /var/log/secure
   
2. user=test rhost=172.24.80.61 6
   
3. user=root rhost=172.24.80.43 6

复制代码