【shell】每日shell练习：安全日志入侵检测/专业的系统配置文件合规检查

题目7：安全日志入侵检测

描述：分析 auth.log 安全日志，检测潜在的 SSH 暴力破解攻击。

测试数据（保存为 auth_log.txt）：

Dec  1 10:30:15 server1 sshd[1234]: Accepted password for john from 192.168.1.100 port 54321 ssh2
Dec  1 10:31:22 server1 sshd[1235]: Failed password for alice from 192.168.1.200 port 54322 ssh2
Dec  1 10:32:33 server1 sshd[1236]: Failed password for alice from 192.168.1.200 port 54323 ssh2
Dec  1 10:33:44 server1 sshd[1237]: Failed password for alice from 192.168.1.200 port 54324 ssh2
Dec  1 10:34:55 server1 sshd[1238]: Failed password for alice from 192.168.1.200 port 54325 ssh2
Dec  1 10:35:06 server1 sshd[1239]: Failed password for alice from 192.168.1.200 port 54326 ssh2
Dec  1 10:36:17 server1 sshd[1240]: Failed password for alice from 192.168.1.200 port 54327 ssh2
Dec  1 10:37:28 server1 sshd[1241]: Failed password for bob from 192.168.1.201 port 54328 ssh2
Dec  1 10:38:39 server1 sshd[1242]: Failed password for bob from 192.168.1.201 port 54329 ssh2
Dec  1 10:39:50 server1 sshd[1243]: Failed password for charlie from 10.0.0.1 port 12345 ssh2
Dec  1 10:40:01 server1 sshd[1244]: Failed password for charlie from 10.0.0.1 port 12346 ssh2
Dec  1 10:41:12 server1 sshd[1245]: Failed password for charlie from 10.0.0.1 port 12347 ssh2
Dec  1 10:42:23 server1 sshd[1246]: Failed password for charlie from 10.0.0.1 port 12348 ssh2
Dec  1 10:43:34 server1 sshd[1247]: Failed password for charlie from 10.0.0.1 port 12349 ssh2
Dec  1 10:44:45 server1 sshd[1248]: Failed password for charlie from 10.0.0.1 port 12350 ssh2
Dec  1 10:45:56 server1 sshd[1249]: Failed password for charlie from 10.0.0.1 port 12351 ssh2
Dec  1 10:46:07 server1 sshd[1250]: Failed password for charlie from 10.0.0.1 port 12352 ssh2
Dec  1 10:47:18 server1 sshd[1251]: Failed password for charlie from 10.0.0.1 port 12353 ssh2
Dec  1 10:48:29 server1 sshd[1252]: Failed password for charlie from 10.0.0.1 port 12354 ssh2
Dec  1 10:49:40 server1 sshd[1253]: Failed password for charlie from 10.0.0.1 port 12355 ssh2
Dec  1 10:50:51 server1 sshd[1254]: Accepted password for admin from 192.168.1.1 port 22 ssh2
Dec  1 10:51:02 server1 sshd[1255]: Failed password for root from 203.0.113.1 port 54321 ssh2
Dec  1 10:51:13 server1 sshd[1256]: Failed password for root from 203.0.113.1 port 54322 ssh2
Dec  1 10:51:24 server1 sshd[1257]: Failed password for root from 203.0.113.1 port 54323 ssh2
Dec  1 10:51:35 server1 sshd[1258]: Failed password for root from 203.0.113.1 port 54324 ssh2
Dec  1 10:51:46 server1 sshd[1259]: Failed password for root from 203.0.113.1 port 54325 ssh2

#!/bin/bash
# SSH暴力破解检测脚本
echo "===SSH安全检测报告==="
#统计失败登陆尝试
echo "失败登陆尝试统计："
awk '/Failed password/ {ip = $11user = $9failed_attempts[ip]++user_attempts[user]++
}
END{print "按IP地址统计："for (ip in failed_attempts) {if(failed_attempts[ip]>=5){print " ⚠️ "ip": "failed_attempts "次失败尝试"}}print "\n按用户名统计："for (user in user_attempts) {if(user_attempts[user]>=5){print " ⚠️ "user": "user_attempts "次失败尝试"}}
}' auth_log.txt
#检测潜在的暴力破解攻击（同一IP在短时间内多次失败）
echo -e "\n===潜在暴力破解攻击==="
awk '/Failed password/ {ip = $11time = $3attempts[ip]++if (attempts[ip]==5){print " 警告: IP"ip "在短时间内有5次失败登陆尝试"}
}' auth_log.txt
#成功登录统计
echo -e "\n成功登录统计"
grep "Accepted password" | awk '{printf"  ✓ %s 从 %s 登录成功\n",$9,$11
}'
#安全建议
echo -e "\n===安全建议==="
high_attempts=$(awk '/Failed password/ {attempts[$11]++} END {count=0; for(ip in attempts) if(attempts[ip]>=10) count++; print count}' auth_log.txt)
if [[$high_attempts -gt 0]]; thenecho "   建议: 启用fail2ban或配置iptables规则阻止恶意IP"echo "   建议: 禁用root远程登录，使用普通用户+sudo"echo "   建议: 配置SSH密钥认证，禁用密码认证"
elseecho "  ✅ 未发现明显的暴力破解攻击"
fi

题目8：系统配置文件合规检查

描述：检查 SSH 配置文件的安全设置，确保符合安全基线要求。

测试数据（保存为 sshd_config.txt）：

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
MaxAuthTries 6
MaxSessions 10

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#!/bin/bash
# SSH 安全配置检查
echo "===SSH配置安全检查报告==="
#检查各项安全配置
echo "配置检查结果："
#1、检查是否允许root登录
if grep -q "^PermitRootLogin yes" sshd_config.txt; thenecho "  ❌ PermitRootLogin: 允许root登录 (不安全)"
elif grep -q "^PermitRootLogin no" sshd_config.txt; thenecho "  ✅ PermitRootLogin: 禁止root登录 (安全)"
elseecho "  ⚠️  PermitRootLogin: 未明确设置，默认可能允许"
fi
#2、检查密码认证
if grep -q "^PasswordAuthentication yes" sshd_config.txt; thenecho "  ❌ PasswordAuthentication: 允许密码认证 (建议禁用)"
elif grep -q "^PasswordAuthentication no" sshd_config.txt; thenecho "  ✅ PasswordAuthentication: 禁用密码认证 (安全)"
elseecho "  ⚠️  PasswordAuthentication: 未明确设置"
fi
#3、检查认证尝试次数
max_auth=$(grep "MaxAuthTries" sshd_config.txt | awk'{print $2}')
if [[ -n $max_auth ]]; thenif [[ $max_auth -le 3 ]]; thenecho "  ✅ MaxAuthTries: $max_auth (合理)"elseecho "  ⚠️  MaxAuthTries: $max_auth (建议设置为3或更小)"fi
elseecho "  ⚠️  MaxAuthTries: 未设置，默认值可能较高"
fi
#4、检查端口设置
port=$(grep "^Port" sshd_config.txt | awk '{print $2}')
if [[ "$port" == "22" ]] || [[ -z "$port" ]]; thenecho "  ⚠️  Port: 使用默认端口22 (建议修改)"
elseecho "  ✅ Port: 使用非标准端口 $port (安全)"
fi
#5、检查空密码设置
if grep -q "^PermitEmptyPasswords yes" sshd_config.txt; thenecho "  ❌ PermitEmptyPasswords: 允许空密码 (非常不安全)"
elif grep -q "^PermitEmptyPasswords no" sshd_config.txt; thenecho "  ✅ PermitEmptyPasswords: 禁止空密码 (安全)"
elseecho "  ✅ PermitEmptyPasswords: 默认禁止空密码"
fi
#6、检查X11转发
if grep -q "^X11Forwarding yes" sshd_config.txt; thenecho "  ⚠️  X11Forwarding: 启用 (非必要时建议禁用)"
elif grep -q "^X11Forwarding no" sshd_config.txt; thenecho "  ✅ X11Forwarding: 禁用 (安全)"
fi
#生成安全建议
echo -e "\n安全建议"
echo "   建议修改SSH端口为非标准端口"
echo "   建议禁用root直接登录"
echo "   建议禁用密码认证，使用SSH密钥"
echo "   建议设置MaxAuthTries为3"
echo "   建议禁用X11Forwarding (如不需要)"