This post was last edited by kashu on 2013-7-1 14:04
First, the iptables LOG target is used to record every relevant connection event in the /var/log/messages log file; a script then produces the statistics from that file:
Below is the firewall configuration, copied in brief:
[iyunv@localhost ~]# iptables -nL
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
LOG all -- 0.0.0.0/0 0.0.0.0/0 state INVALID LOG flags 6 level 4 prefix `DROP_INVALID'
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 LOG flags 6 level 4 prefix `SSH_CONNECT======>'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 LOG flags 6 level 4 prefix `FTP__CONNECT===>'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8008 LOG flags 6 level 4 prefix `HTTP8008__CONNECT===>'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8008
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:808 LOG flags 6 level 4 prefix `SQUID_CONNECT=======>'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:808
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 LOG flags 6 level 4 prefix `HTTP_80======>'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:666
=====================================================================================
Most of these services are only used inside the company, so the port choices look a bit odd...
LOG rule: iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH_CONNECT===>" --log-ip-options --log-tcp-options
The other rules are added in the same way. Connection statistics are only gathered for the entries that have a LOG rule. Next, the general format of the entries in the messages file:
[iyunv@localhost ~]# ls -lh /var/log/mes*
-rw------- 1 root root 375K 5月 28 15:16 /var/log/messages
-rw------- 1 root root 70M 5月 25 14:04 /var/log/messages-201305_24
-rw------- 1 root root 7.2M 5月 28 14:37 /var/log/messages-201305_25
-rw------- 1 root root 4.1M 5月 27 00:05 /var/log/messages-201305_26
-rw------- 1 root root 5.8M 5月 28 00:05 /var/log/messages-201305_27
Only one log entry is copied here:
May 28 15:17:28 localhost kernel: SQUID_CONNECT=======>IN=eth0 OUT= MAC=00:24:1d:10:02:de:f8:66:f2:d1:da:c0:08:00 SRC=182.41.211.206 DST=112.253.22.13 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=22209 DF PROTO=TCP SPT=1530 DPT=808 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405A00103030201010402)
With that format known, a script can do the statistics; the script is as follows:
============================================================================================
[iyunv@localhost ~]# cat Backup_Messages.sh
#!/bin/bash
# Rotate /var/log/messages into a dated copy and append connection
# statistics for each iptables LOG prefix to the end of that copy.
DATE=$(/bin/date +%Y%m_%d)
File_Name=/var/log/messages-$DATE
# The live log is kept append-only (chattr +a); lift that so it can be truncated.
/usr/bin/chattr -a /var/log/messages
/bin/cp /var/log/messages "$File_Name"
/bin/echo >/var/log/messages   # truncate; entries logged between cp and here are lost
/usr/bin/chattr +a /var/log/messages
# $1 = short name, $2 = section title; Connection_Sum and IP_Sum are set by Mon()
ECHO(){
    /bin/echo "******$2******"
    /bin/echo "The sum of $1 connections: $Connection_Sum"
    /bin/echo "The sum of $1 Connect_IP: $IP_Sum"
}
function Mon(){
    N=1
    while [ $# -ne 0 ]
    do
        # Anchor on "kernel: <prefix>" so a short pattern such as HTTP_80 cannot
        # also match the "******HTTP_8008******" header appended in an earlier pass.
        Connection_Sum=$(/bin/grep -c "kernel: $1" "$File_Name")
        # Extract SRC= by name rather than by field position (MAC= is not always present).
        IP_Sum=$(/bin/grep "kernel: $1" "$File_Name" | /bin/grep -o 'SRC=[0-9.]*' | sort -u | wc -l)
        /bin/echo -e "\n\n\n">>"$File_Name"
        /bin/echo ======================================>>"$File_Name"
        case $N in
            1) ECHO INVALID INVALID_DROP>>"$File_Name";;
            2) ECHO SSH SSH_22>>"$File_Name";;
            3) ECHO FTP FTP_21>>"$File_Name";;
            4) ECHO 8008 HTTP_8008>>"$File_Name";;
            5) ECHO SQUID SQUID_808>>"$File_Name";;
            6) ECHO 80 HTTP_80>>"$File_Name";;
            *) break;;   # more prefixes than titles: stop, but still seal the file below
        esac
        /bin/echo "Following is the List:">>"$File_Name"
        /bin/grep "kernel: $1" "$File_Name" | /bin/grep -o 'SRC=[0-9.]*' | cut -d= -f2 | sort | uniq -c | sort -n -r>>"$File_Name"
        shift;let N++
    done
}
Mon DROP_INVALID SSH_CONNECT FTP__CONNECT HTTP8008__CONNECT SQUID_CONNECT HTTP_80
/usr/bin/chattr +i "$File_Name"   # the finished day file becomes immutable
==========================================================================================
The script is simple: it rotates the log by hand (copy, then truncate) and appends the statistics to the end of each day's log file. Here are the results:
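The same statistics done with a parser of the LOG line format instead of positional awk fields, as an added example that is not part of the original post: each line is keyed on its exact log prefix (so HTTP_80 and HTTP8008 stay separate) and SRC= is read by name, so lines without a MAC= field still count. The sample lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown above (documentation addresses, not real traffic).
SAMPLE_LOG = """\
May 28 15:17:28 localhost kernel: SQUID_CONNECT=======>IN=eth0 OUT= MAC=00:24:1d:10:02:de:f8:66:f2:d1:da:c0:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=22209 DF PROTO=TCP SPT=1530 DPT=808 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405A00103030201010402)
May 28 15:17:29 localhost kernel: SQUID_CONNECT=======>IN=eth0 OUT= MAC=00:24:1d:10:02:de:f8:66:f2:d1:da:c0:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=52 PROTO=TCP SPT=1531 DPT=808 SYN
May 28 15:18:01 localhost kernel: HTTP8008__CONNECT===>IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40000 DPT=8008 SYN
May 28 15:18:05 localhost kernel: HTTP_80======>IN=eth0 OUT= MAC=00:24:1d:10:02:de:f8:66:f2:d1:da:c0:08:00 SRC=192.0.2.12 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40001 DPT=80 SYN
May 28 15:18:06 localhost kernel: DROP_INVALIDIN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=1 DPT=22 ACK
May 28 15:19:00 localhost sshd[1234]: Accepted password for root from 192.0.2.99 port 5555 ssh2
"""

# "<month> <day> <time> <host> kernel: <prefix>IN=..." ; the prefix is everything before the first IN=.
LINE_RE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+kernel:\s+(?P<prefix>.*?)IN=(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return (prefix, {field: value}) for an iptables LOG line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    prefix = m.group("prefix").rstrip("=> ")  # drop the decorative arrows and padding
    fields = dict(KV_RE.findall("IN=" + m.group("rest")))
    return prefix, fields

def summarize(log_text):
    """Map each exact prefix to a Counter of source IPs (one hit per logged packet)."""
    stats = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or "SRC" not in parsed[1]:
            continue  # not a LOG line (e.g. sshd) or no source address
        prefix, fields = parsed
        stats.setdefault(prefix, Counter())[fields["SRC"]] += 1
    return stats

def report(stats):
    """Render the same summary layout the shell script appends to the day file."""
    out = []
    for prefix in sorted(stats):
        hits = stats[prefix]
        out.append(f"******{prefix}******")
        out.append(f"The sum of {prefix} connections: {sum(hits.values())}")
        out.append(f"The sum of {prefix} Connect_IP: {len(hits)}")
        out.extend(f"{n:>7} {ip}" for ip, n in hits.most_common())
    return "\n".join(out)

if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```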
[iyunv@localhost log]# ls -lh mess*
-rw------- 1 root root 577 5月 28 15:25 messages
-rw------- 1 root root 70M 5月 25 14:04 messages-201305_24
-rw------- 1 root root 7.2M 5月 28 14:37 messages-201305_25
-rw------- 1 root root 4.1M 5月 27 00:05 messages-201305_26
-rw------- 1 root root 5.8M 5月 28 00:05 messages-201305_27
-rw------- 1 root root 35K 5月 28 14:50 messages-201305_28
=================
[iyunv@localhost log]# lsattr mess*
-----a-------e- messages
----i--------e- messages-201305_24
----i--------e- messages-201305_25
----i--------e- messages-201305_26
----i--------e- messages-201305_27
----i--------e- messages-201305_28
As you can see, after the log is rotated, the new file size and the special attributes take effect immediately. Here is the access summary for today (the 28th) up to this point:
[iyunv@localhost log]# cat messages-201305_28
(detailed records omitted here...)
=====================================
******INVALID_DROP******
The sum of INVALID connections: 3
The sum of INVALID Connect_IP: 3
Following is the List:
1 60.15.119.182
1 212.1.208.107
1 200.124.141.82
======================================
******SSH_22******
The sum of SSH connections: 1
The sum of SSH Connect_IP: 1
Following is the List:
1 218.65.61.80
======================================
******FTP_21******
The sum of FTP connections: 8
The sum of FTP Connect_IP: 2
Following is the List:
6 182.41.211.206
2 61.179.50.3
======================================
******HTTP_8008******
The sum of 8008 connections: 7
The sum of 8008 Connect_IP: 1
Following is the List:
7 112.253.22.13
======================================
******SQUID_808******
The sum of SQUID connections: 27
The sum of SQUID Connect_IP: 1
Following is the List:
27 182.41.211.206
======================================
******HTTP_80******
The sum of 80 connections: 76
The sum of 80 Connect_IP: 4
Following is the List:
48 36.233.98.150
25 125.39.45.154
2 124.238.249.171
1 111.161.20.214
[iyunv@localhost log]# crontab -l
00 00 * * * sh ~/Backup_Messages.sh
Runs once a day at midnight.
I only did the statistics; of course it would be better to also apply restrictions and so on based on them.