系统日志btmpwtmpSSH日志日志登陆成功计算成功登录的次数正常退出登录密码错误计算登录失败的用户名及次数统计爆破者ip及次数更改密码切换用户MySQL日志登录错误的用户名及次数查看登陆失败的ip及次数FTP日志计算登陆失败的用户的次数计算登陆失败的用户的ip的次数Redis日志MongoDB日志apt-get日志alternatives日志dpkg日志
Linux应急响应-常见服务日志篇
系统日志
btmp
/var/log/btmp,记录所有尝试登录但是登录失败的日志,显示前十条
[email protected]:~# lastb --time-format iso -10root ssh:notty 58.56.52.226 2023-03-11T14:30:23+0800 - 2023-03-11T14:30:23+0800 (00:00)root ssh:notty 58.56.52.226 2023-03-11T14:30:20+0800 - 2023-03-11T14:30:20+0800 (00:00)root ssh:notty 58.56.52.226 2023-03-11T14:30:16+0800 - 2023-03-11T14:30:16+0800 (00:00)root ssh:notty 58.56.52.226 2023-03-11T14:30:05+0800 - 2023-03-11T14:30:05+0800 (00:00)root ssh:notty 58.56.52.226 2023-03-11T14:30:02+0800 - 2023-03-11T14:30:02+0800 (00:00)root ssh:notty 58.56.52.226 2023-03-11T14:29:55+0800 - 2023-03-11T14:29:55+0800 (00:00)ssh:notty 64.62.197.191 2023-03-11T09:26:44+0800 - 2023-03-11T09:26:44+0800 (00:00)ssh:notty 64.62.197.187 2023-03-10T20:29:56+0800 - 2023-03-10T20:29:56+0800 (00:00)admin ssh:notty 43.156.108.211 2023-03-10T07:54:41+0800 - 2023-03-10T07:54:41+0800 (00:00)admin ssh:notty 43.156.108.211 2023-03-10T07:54:39+0800 - 2023-03-10T07:54:39+0800 (00:00)
btmp begins 2023-03-01T07:46:00+0800
[email protected]:~#
lastb | awk'{print $3}'| sort | uniq -c | sort -nawk'{print $3}':截取输出的数据中的第三列sort :将数据进行分类uniq -c :将分类好的数据进行去重并计数sort -n :将分类去重并计数的数据,进行分类并且按照数值进行从小到大排序。
为什么会有Thu这种数据了,我们重新来看lastb,会发现有些用户名是空着的,所以使用awk '{print $3}'时,就会选中到后面的Sun那一列,这一点需要小心
wtmp
/var/log/wtmp,记录了所有的登录过(成功)系统的用户信息
日期格式化:last --time-format iso,看起来更舒服
SSH日志
命令参数,查看网络连接
Proto:协议名
Recv-Q:网络接收队列
表示收到的数据已在本地接收缓冲,但是还有多少没有被进程取走,recv。如果接收队列Recv-Q一直处于阻塞状态,可能是遭受了拒绝服务 denial-of-service 攻击。
send-Q:网路发送队列
对方没有收到的数据或者说没有Ack的,还是本地缓冲区.
如果发送队列Send-Q不能很快的清零,可能是有应用向外发送数据包过快,或者是对方接收数据包不够快。
recv-Q、send-Q这两个值通常应该为0,如果不为0可能是有问题的。packets在两个队列里都不应该有堆积状态。可接受短暂的非0情况。
- Local Address:本地地址
- 0.0.0.0:2000:表示监听服务器上所有ip地址的2000端口(0.0.0.0表示本地所有ip)
- *:80:监听ipv4和ipv6的任意ip的80端口
- :::2000:也表示监听本地所有ip的2000端口。和 0.0.0.0:2000 的区别是这里表示的是IPv6地址,0.0.0.0表示的是本地所有IPv4地址。
- “:::” 这三个 : 的前两个 “::” ,是 “0:0:0:0:0:0:0:0” 的缩写,相当于IPv6的 “0.0.0.0” 。表示本机的所有IPv6地址,第三个 : 是IP和端口的分隔符
- 127.0.0.1:8080:表示监听本机的loopback地址的8080端口。如果某个服务只监听了回环地址,那么只能在本机进行访问,无法通过tcp/ip 协议进行远程访问
- ::1:9000:表示监听IPv6的回环地址的9000端口,::1这个表示IPv6的loopback地址
- 192.168.1.1:80:监听ip为192.168.1.1的80端口
- Foreign Address:外部地址,与本机端口通信的外部socket。显示规则与 Local Address 相同
- State:状态,链路状态,共有11种。state列共有12中可能的状态,前面11种是按照TCP连接建立的三次握手和TCP连接断开的四次挥手过程来描述的。
比较重要的状态参数有两个,ESTABLISHED表示正在进行通讯:
LISTEN:首先服务端需要打开一个socket进行监听,状态为LISTEN。来自远方TCP端口的连接请求ESTABLISHED:代表一个打开的连接,双方可以进行或已经在数据交互了。代表一个打开的连接,数据可以传送给用户
查找特殊权限找好,默认root,-F指的是分隔符
如果第三部分是0,就print第一部分,也就是root
awk -F:'{if($3==0) print $1}'/etc/passwd
查找可以登录的用户
s=$( sudo cat /etc/shadow | grep'^[^:]*:[^*!]'| awk -F:'{print $1}');fori in$s;docat /etc/passwd | grep -v"/bin/false|/nologin"| grep$i;done | sort | uniq |awk -F:'{print $1}'
查看正在连接的ssh session,有很多种方法,如下
[email protected]:/opt/collie# who -asystem boot 2022-02-19 01:02LOGIN tty1 2022-02-18 17:02 821 id=tty1LOGIN ttyS0 2022-02-18 17:02 810 id=tyS0root - pts/0 2023-03-11 11:38 . 1300 (58.56.52.226)root - pts/1 2023-03-11 11:38 02:39 1319 (58.56.52.226)run-level 5 2022-02-18 17:03pts/2 2023-03-05 15:02 20164 id=ts/2 term=0exit=0pts/3 2023-03-01 10:06 16760 id=ts/3 term=0exit=0pts/4 2022-12-10 21:39 7303 id=ts/4 term=0exit=0pts/5 2022-12-10 21:39 7338 id=ts/5 term=0exit=0[email protected]:/opt/collie# w14:18:45 up 385 days, 21:16, 4 users, load average: 0.13, 0.16, 0.17USER TTY FROM LOGIN@ IDLE JCPU PCPU WHATroot pts/0 58.56.52.226 11:38 5.00s 0.19s 0.00s wroot pts/1 58.56.52.226 11:38 2:39m 19.58s 19.55s top[email protected]:/opt/collie# last -p nowroot pts/1 58.56.52.226 Sat Mar 11 11:38 still loggedinroot pts/0 58.56.52.226 Sat Mar 11 11:38 still loggedin
wtmp begins Wed Mar 1 09:40:18 2023
[email protected]:/opt/collie# netstat -tnpa | grep 'ESTABLISHED.*sshd'
tcp 0 0 172.24.17.27:22 58.56.52.226:61764 ESTABLISHED 1318/sshd: [email protected]
tcp 0 52 172.24.17.27:22 58.56.52.226:61763 ESTABLISHED 1263/sshd: [email protected]
[email protected]:/opt/collie# pgrep -af sshd
1165 /usr/sbin/sshd -D
1263 sshd: [email protected]/0,pts/1
1318 sshd: [email protected]
[email protected]:/opt/collie# echo $SSH_CONNECTION
58.56.52.226 61763 172.24.17.27 22
[email protected]:/opt/collie# ss | grep ssh
tcp ESTAB 0 0 172.24.17.27:ssh 58.56.52.226:61764
tcp ESTAB 0 0 172.24.17.27:ssh 58.56.52.226:61763
[email protected]:/opt/collie#
日志
Ubuntu:/var/log/auth.logCentos:/var/log/secure
注意有些日志会打包,auth.log就是secure日志
登陆成功
[email protected]:/opt/collie# cat /var/log/auth.log | grep "Accept"Mar 5 13:41:06 mon0dy-ubuntu sshd[16791]: Accepted passwordforroot from 58.56.52.226 port 22646 ssh2Mar 5 13:41:07 mon0dy-ubuntu sshd[16843]: Accepted passwordforroot from 58.56.52.226 port 22648 ssh2Mar 5 13:41:26 mon0dy-ubuntu sshd[17180]: Accepted passwordforroot from 58.56.52.226 port 22650 ssh2Mar 5 14:00:31 mon0dy-ubuntu sshd[32618]: Accepted passwordforroot from 58.56.52.226 port 6205 ssh2Mar 5 14:00:31 mon0dy-ubuntu sshd[32641]: Accepted passwordforroot from 58.56.52.226 port 6206 ssh2
计算成功登录的次数
[email protected]:/var/log# cat /var/log/auth.log | grep "Accept" | perl -e 'while($_=<>){ /for(.*?)from/; print "$1n";}'|sort|uniq -c|sort -nr26 root
正常退出
pam_unix(sshd:session): session closed代表正常关闭session,所以只要在auth.log找这个特征就行
[email protected]:/var/log# cat /var/log/auth.log | grep "pam_unix(sshd:session): session closed"Mar 5 14:01:11 mon0dy-ubuntu sshd[1010]: pam_unix(sshd:session): session closedforuser rootMar 5 14:01:54 mon0dy-ubuntu sshd[1918]: pam_unix(sshd:session): session closedforuser rootMar 5 14:02:25 mon0dy-ubuntu sshd[2606]: pam_unix(sshd:session): session closedforuser rootMar 5 14:03:49 mon0dy-ubuntu sshd[4296]: pam_unix(sshd:session): session closedforuser rootMar 5 14:06:06 mon0dy-ubuntu sshd[6988]: pam_unix(sshd:session): session closedforuser rootMar 5 14:06:38 mon0dy-ubuntu sshd[7633]: pam_unix(sshd:session): session closedforuser rootMar 5 14:06:40 mon0dy-ubuntu sshd[7712]: pam_unix(sshd:session): session closedforuser rootMar 5 14:06:48 mon0dy-ubuntu sshd[7908]: pam_unix(sshd:session): session closedforuser rootMar 5 14:06:57 mon0dy-ubuntu sshd[8132]: pam_unix(sshd:session): session closedforuser rootMar 5 14:07:05 mon0dy-ubuntu sshd[8328]: pam_unix(sshd:session): session closedforuser rootMar 5 14:07:13 mon0dy-ubuntu sshd[8519]: pam_unix(sshd:session): session closedforuser root
登录密码错误
输错几次密码
出现了message repeated 2 times和PAM 2 more authentication failures,代表连续输错密码
Mar 11 14:29:53 mon0dy-ubuntu sshd[10106]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.52.226 user=rootMar 11 14:29:55 mon0dy-ubuntu sshd[10106]: Failed passwordforroot from 58.56.52.226 port 23238 ssh2Mar 11 14:30:05 mon0dy-ubuntu sshd[10106]: message repeated 2times: [ Failed passwordforroot from 58.56.52.226 port 23238 ssh2]Mar 11 14:30:05 mon0dy-ubuntu sshd[10106]: Connection closed by authenticating user root 58.56.52.226 port 23238 [preauth]Mar 11 14:30:05 mon0dy-ubuntu sshd[10106]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.56.52.226 user=root
如果短时间内有大量的Failed password,说明被爆破了
cat /var/log/auth.log | grep "Failed password for root"
计算登录失败的用户名及次数
invalid user说明这个用户并不存在,perl -e是输入语句来执行代码,可以用while read line;do;done来实现类似的功能,这里是匹配for和from中间的值,也就是root
[email protected]:/var/log# cat /var/log/auth.log | grep "Failed password" | perl -e 'while($_=<>){ /for(.*?)from/; print "$1n";}'|sort|uniq -c|sort -nr41 root1 invalid user yogesh1 invalid user wojcikowski1 invalid user vinicius1 invalid user ubnt1 invalid user tarun1 invalid user svcpunejenkins1 invalid user sharan1 invalid user sardari1 invalid user sanchit1 invalid user sadegh1 invalid user ravinder1 invalid user nishant1 invalid user nisha1 invalid user myproxyoauth1 invalid user monitoring1 invalid user michele1 invalid user manmohan1 invalid user majid1 invalid user karthik1 invalid user jhms1 invalid user jeffery1 invalid user jaya1 invalid user ian1 invalid user helen1 invalid user harsh1 invalid user esmat1 invalid user cloud1 invalid user amit1 invalid user akshat1 invalid user afshin1 invalid user admin1 invalid user abrar1 invalid user a[email protected]:/var/log#
统计爆破者ip及次数
[email protected]:/var/log# cat /var/log/auth.log | grep "Failed password for" | grep "root" | grep -Po '(1d{2}|2[0-4]d|25[0-5]|[1-9]d|[1-9])(.(1d{2}|2[0-4]d|25[0-5]|[1-9]d|d)){3}' |sort|uniq -c|sort -nr 25 213.87.10.36 110.40.210.694 58.56.52.2263 101.34.44.1342 190.14.158.761 47.252.18.38[email protected]:/var/log#
计算多个账号的ip及次数
这里是root用户和yogesh用户,继续加的话就加|用户名,当然我们也可以用awk,这里的grep -Po是匹配指定的两个字符串之间的内容,这里的正则是很标准的匹配ipv4地址的写法
[email protected]:/var/log# cat /var/log/auth.log | grep "Failed password for" | grep "root|yogesh" | grep -Po '(1d{2}|2[0-4]d|25[0-5]|[1-9]d|[1-9])(.(1d{2}|2[0-4]d|25[0-5]|[1-9]d|d)){3}' |sort|uniq -c|sort -nr25 213.87.10.36 110.40.210.694 58.56.52.2263 101.34.44.1342 190.14.158.761 47.252.18.381 112.28.234.131
更改密码
可以看到更改了git用户的密码
Mar 11 17:18:42 mon0dy-ubuntu passwd[12484]: pam_unix(passwd:chauthtok): authentication failure; logname=root uid=1003 euid=0 tty= ruser= rhost= user=gitMar 11 17:18:50 mon0dy-ubuntu passwd[12660]: pam_unix(passwd:chauthtok): authentication failure; logname=root uid=1003 euid=0 tty= ruser= rhost= user=gitMar 11 17:19:13 mon0dy-ubuntu su[12417]: pam_unix(su:session): session closedforuser gitMar 11 17:19:22 mon0dy-ubuntu passwd[13410]: pam_unix(passwd:chauthtok): password changedforgit
切换用户
可以看到这里用户从root切换到了git
Mar 11 17:15:38 mon0dy-ubuntu su[7951]: Successful suforgit by rootMar 11 17:15:38 mon0dy-ubuntu su[7951]: + /dev/pts/2 root:gitMar 11 17:15:38 mon0dy-ubuntu su[7951]: pam_unix(su:session): session openedforuser git by root(uid=0)Mar 11 17:15:38 mon0dy-ubuntu su[7951]: pam_systemd(su:session): Cannot create session: Already runningina sessionMar 11 17:15:42 mon0dy-ubuntu su[7951]: pam_unix(su:session): session closedforuser git
MySQL日志
正常来说,mysql的日志在/var/log/mysql/error.log,但是宝塔安装的MySQL日志路径不在这,先随便找一段
之后搜索grep -r "Skipping generation of RSA key pair as key files are present in data directory" /www/server
找到error日志为/www/server/data/mon0dy-ubuntu.err,慢查询日志为/www/server/data/mysql-slow.log(如果利用了慢查询注入就需要看慢查询日志了)
本次第一次输入正确密码,第二三次错误
看日志,正确记录下了
登录错误的用户名及次数
这里的四次是有两次是我在本机测试的,另外两次是远程登录失败
[email protected]:/www/server# cat /www/server/data/mon0dy-ubuntu.err | grep "Access denied for user" | grep "using password: YES" | awk -F "'" '{print $2}' | sort | uniq -c | sort -nr4 wan[email protected]:/www/server#
查看登陆失败的ip及次数
[email protected]:/www/server# cat /www/server/data/mon0dy-ubuntu.err | grep "Access denied for user" | grep "using password: YES" | awk -F "'" '{print $2}' | sort| uniq | while read line;do echo $line;cat /www/server/data/mon0dy-ubuntu.err | grep "Access denied for user" | grep "using password" | awk -F "'" '{print $4}' | sort | uniq -c | sort -nr; donewan3 localhost2 58.56.52.226[email protected]:/www/server#
FTP日志
用宝塔新建一个ftp
登录,试几次密码失败的,再用正确密码登录
[email protected]:~# netstat -pantu | grep ftptcp 0 0 172.24.17.27:39091 0.0.0.0:* LISTEN 9975/pure-ftpd (IDLtcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1091/pure-ftpd (SERtcp 0 0 172.24.17.27:21 58.56.52.226:57508 ESTABLISHED 10359/pure-ftpd (IDtcp 7 0 172.24.17.27:21 58.56.52.226:57497 ESTABLISHED 9975/pure-ftpd (IDLtcp6 0 0 :::21 :::* LISTEN 1091/pure-ftpd (SER
但是并没有找到所谓的pureftpd.log,经过查资料,发现pureftpd的日志是存在了/var/log/syslog,可以看到刚才下载的flag
最开始的几次登陆失败
计算登陆失败的用户的次数
[email protected]:~# cat /var/log/syslog | grep 'Authentication failed for user' | cut -d "[" -f 3 | cut -d "]" -f 1 | sort | uniq -c | sort -nr5 mon[email protected]:~#
cat是切片的意思, cut -d'分隔字符' -f fields (用于有特定分隔字符),-d :后面接分隔字符。与 -f 一起使用;-f :依据 -d 的分隔字符将一段信息分割成为数段,用 -f 取出第几段的意思。
如果不切片
这里的第一个-f 3就是取第三段,也就是mon],再切],取第一个就是取]左面的,也就是mon
计算登陆失败的用户的ip的次数
首先就是切片获得用户名,也就是mon,之后在切片获取ip,因为格式是([email protected]),所以要切@和)
[email protected]:~# cat /var/log/syslog | grep 'Authentication failed for user' | cut -d "[" -f 3 | cut -d "]" -f 1 | sort | uniq | while read line;do echo $line;cat /var/log/syslog | grep $line | grep "Authentication failed for user" |cut -d "@" -f 2 | cut -d ')' -f 1 | sort | uniq -c | sort -nr; donemon5 58.56.52.226[email protected]:~#
这样就对起来了
Redis日志
其配置文件位于/www/server/redis/redis.conf,默认日志位于/var/log/redis下,但是宝塔安装的redis日志位于/www/server/redis/redis.log
可以看到默认是没有密码的,是注释掉的
配置文件中也会写日志保存路径,日志等级默认为notice,还有debug、verbose、warning三个等级
其日志其实也就是命令行输出的log
日志等级改成verbose,ip改成0.0.0.0,protected-mod更改为no,之后重启
连接上去,随便执行点命令
在回来看日志,发现他只记录ip,不记录具体执行的命令
MongoDB日志
通过查看status可以快速确定config所在位置
然后就可以获得logpath
使用宝塔安装的一般在/www/server/mongodb/log/config.log
然后在本机操作一下
之后看日志,只看有用的部分
认证前的连接
{"t":{"$date":"2023-03-11T19:40:36.272+08:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"58.56.52.226:8198","connectionId":3,"connectionCount":1}}
认证失败日志:Authentication failed
密码错误:
{"t":{"$date":"2023-03-11T19:34:47.264+08:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn2","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-1","speculative":false,"principalName":"admin","authenticationDatabase":"admin","remote":"58.56.52.226:19368","extraInfo":{},"error":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}
账号错误:
{"t":{"$date":"2023-03-11T19:40:49.427+08:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn3","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-1","speculative":false,"principalName":"root","authenticationDatabase":"admin","remote":"58.56.52.226:8198","extraInfo":{},"error":"UserNotFound: Could not find user "root" for db "admin""}}
认证成功:Authentication succeeded
{"t":{"$date":"2023-03-11T19:35:02.646+08:00"},"s":"I","c":"ACCESS","id":20250,"ctx":"conn2","msg":"Authentication succeeded","attr":{"mechanism":"SCRAM-SHA-1","speculative":false,"principalName":"admin","authenticationDatabase":"admin","remote":"58.56.52.226:19368","extraInfo":{}}}
连接者的部分信息:连接者的机器版本:ubuntu18,以及MongoDB版本:3.6.3
{"t":{"$date":"2023-03-11T19:40:36.272+08:00"},"s":"I","c":"NETWORK","id":51800,"ctx":"conn3","msg":"client metadata","attr":{"remote":"58.56.52.226:8198","client":"conn3","doc":{"application":{"name":"MongoDB Shell"},"driver":{"name":"MongoDB Internal Client","version":"3.6.3"},"os":{"type":"Linux","name":"Ubuntu","architecture":"x86_64","version":"18.04"}}}}
查看以root登录的次数
[email protected]:/etc# cat /www/server/mongodb/log/config.log | grep "Could not find user" | awk -F '"' '{print $36}' | sort|uniq -c|sort -nr1 root[email protected]:/etc#
apt-get日志
/var/log/apt/history.log,记录apt-get历史命令,包括安装了什么,更新了什么,具体的软件包版本
/var/log/apt/term.log,则是记录安装过程
alternatives日志
/var/log/alternatives.log
软件更新,用于管理相同功能的不同软件或者是统一软件的不同版本,通常在upgrade是留下,记录更新时间和具体的替换过程
dpkg日志
安装包管理器日志,记录所有的安装,包括编译安装的,非apt-get安装的,比如这里的mysql57就是通过宝塔编译安装的
作者:mon0dyhttps://forum.butian.net/share/2170
原文始发于微信公众号(Hacking黑白红):Linux应急响应-常见服务日志篇
- 我的微信
- 微信扫一扫
-
- 我的微信公众号
- 微信扫一扫
-
评论