I have written about Graylog alert linkage before:
[Practice] Automatically blocking the attack source IP on the firewall when Graylog raises an attack alert
Graylog pushing real-time situational-awareness attack alerts with optional one-click linked blocking of the attack source IP
The end result of this exercise is walked through in section 7.
While starting on this write-up I ran into a problem with the system failing to boot normally, which I have also recorded in this article.
1、Side note: fixing a cloned RHEL 9 VM that fails to boot
The cloned VM hangs during boot (at the point shown in the boot screenshot).
Neither lsblk nor blkid shows the LVM logical volume that /data lives on.
pvs reports an error as well.
The fix follows this link:
https://blog.51cto.com/mlxia/5829465
In /etc/lvm/lvm.conf, find the following line and add use_devicesfile = 0 on the line after it:
# use_devicesfile = 1
use_devicesfile = 0
Why this works: on RHEL 9, LVM only considers physical volumes listed by device ID in its devices file (/etc/lvm/devices/system.devices). The cloned disk has a different device ID, so the PV holding /data is never found. Setting use_devicesfile = 0 disables the devices file and LVM scans all block devices again. A less blunt alternative is to keep the devices file and regenerate it on the clone with vgimportdevices -a.
After a reboot the system comes up normally.
Now on to the main topic.
2、Download and deploy webhook
https://github.com/adnanh/webhook
Download URL:
https://github.com/adnanh/webhook/releases/download/2.8.1/webhook-linux-amd64.tar.gz
Deployment steps:
cd /opt
tar -zxvf webhook-linux-amd64.tar.gz
mv webhook-linux-amd64 webhook
chown root:root webhook
mkdir /opt/webhook/logs
3、Create the hooks.json file
/opt/webhook/hooks.json (the path the systemd unit in the next step points at):
[
  {
    "id": "diskinfo",
    "execute-command": "/opt/diskdf_info.sh",
    "include-command-output-in-response": true,
    "incoming-payload-content-type": "application/json",
    "pass-arguments-to-command": [
      {
        "source": "url",
        "name": "parameter1"
      },
      {
        "source": "url",
        "name": "parameter2"
      }
    ]
  },
  {
    "id": "sshloginip_block",
    "execute-command": "/opt/sshloginip_block.sh",
    "include-command-output-in-response": true,
    "incoming-payload-content-type": "application/json",
    "pass-arguments-to-command": [
      {
        "source": "url",
        "name": "blockIP"
      }
    ]
  }
]
The above is only a template; rewrite it for your actual use case. Note that neither hook carries a trigger-rule, so any client that can reach the port can run either script with an arbitrary argument. webhook's trigger-rule (for example a match of type value against a secret carried in a request header, or a payload HMAC check) lets you require a shared secret before the command is executed; combined with input validation inside the scripts, that is the minimum for a hook that changes firewall rules.
Next, create a systemd unit so the service starts at boot. Without a User= line the service runs as root, which the firewall script needs, but it also means any mistake in how the scripts handle their arguments runs as root.
vim /etc/systemd/system/webhook.service
Insert the following:
[Unit]
Description=Webhooks
[Service]
ExecStart=/opt/webhook/webhook -port 9001 --verbose -hooks /opt/webhook/hooks.json -hotreload -logfile /opt/webhook/logs/webhook.log
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl enable webhook.service
systemctl start webhook.service
systemctl status webhook.service
netstat -anp | grep 9001
tail -f /opt/webhook/logs/webhook.log
4、Install nginx and configure a reverse proxy for webhook's port 9001
The firewall only opens 9090, but webhook itself binds every interface on 9001 unless started with -ip 127.0.0.1; binding it to loopback keeps the proxy from being bypassed on hosts where the firewall rule is missing.
cd /etc/nginx/conf.d/
vim nginx2webhook.conf
Add the following:
server {
    listen 9090;
    server_name _;
    # To serve the hooks over TLS, change the line above to "listen 9090 ssl;"
    # and uncomment the two certificate lines; the cert lines alone do nothing.
    #ssl_certificate /my-certificate/my-server.com/fullchain.pem;
    #ssl_certificate_key /my-certificate/my-server.com/privkey.pem;
    location / {
        try_files $uri @proxy;
    }
    location @proxy {
        proxy_pass http://webhooks;
    }
}
upstream webhooks {
    server 127.0.0.1:9001;
}
systemctl enable nginx.service
systemctl start nginx
firewall-cmd --permanent --zone=public --add-port=9090/tcp
firewall-cmd --reload
The --reload is needed: a --permanent change only updates the saved configuration and does not open the port in the running firewall until it is reloaded.
5、Write the scripts that webhook will run
These are /opt/diskdf_info.sh and /opt/sshloginip_block.sh from hooks.json.
Remember to give the scripts execute permission (chmod +x).
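Neither script is shown on the page. The following is an added example of what /opt/sshloginip_block.sh can look like; it is written for this article and is not the author's own script. It assumes firewalld (the page uses firewall-cmd) and that webhook passes the blockIP URL parameter as the first argument, as configured in hooks.json above. The point that matters for a hook like this: the argument arrives from an unauthenticated HTTP query string and the script runs as root, so it must accept only a well-formed public IPv4 address, refuse internal ranges, and do nothing when the parameter is empty (which is what the "Ignore" button in section 7 sends).

```shell
#!/bin/sh
# /opt/sshloginip_block.sh (added example, not the article's own script)
# Invoked by adnanh/webhook as: /opt/sshloginip_block.sh <blockIP>
# Blocks one attacker IPv4 address with a firewalld rich rule after strict validation.

# valid_ipv4 ADDR: succeed only for a dotted quad with four octets in 0..255.
# Rejects shell metacharacters, spaces, empty octets and extra fields,
# because ADDR comes straight from the HTTP query string.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# reserved_ipv4 ADDR: succeed if ADDR must never be blocked: loopback 127/8,
# RFC 1918 (10/8, 172.16/12, 192.168/16), CGNAT 100.64/10, benchmark 198.18/15,
# link-local 169.254/16. Expects an address that already passed valid_ipv4.
reserved_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    case "$1.$2" in
        10.*|127.*)                                            return 0 ;;
        172.1[6-9]|172.2[0-9]|172.3[01])                       return 0 ;;
        192.168)                                               return 0 ;;
        100.6[4-9]|100.[7-9][0-9]|100.1[01][0-9]|100.12[0-7])  return 0 ;;
        198.1[89])                                             return 0 ;;
        169.254)                                               return 0 ;;
    esac
    return 1
}

# block_ipv4 ADDR: add a permanent drop rule and reload so it is live immediately.
# Kept separate from the checks so the checks can be exercised without root.
block_ipv4() {
    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='$1' drop" \
        && firewall-cmd --reload
}

# main [ADDR]: return 0 with no action when ADDR is empty (the "Ignore" button),
# 2 for a malformed address, 3 for an internal/reserved one; otherwise block it.
main() {
    ip=${1:-}
    if [ -z "$ip" ]; then
        echo "No blockIP given, nothing to do."
        return 0
    fi
    if ! valid_ipv4 "$ip"; then
        echo "Error: '$ip' is not a valid IPv4 address, refusing." >&2
        return 2
    fi
    if reserved_ipv4 "$ip"; then
        echo "Error: $ip is an internal/reserved address, refusing." >&2
        return 3
    fi
    block_ipv4 "$ip" && echo "Blocked $ip"
}

# Only act when called with an argument, as webhook does; running the file
# bare just defines the functions.
if [ "$#" -gt 0 ]; then
    main "$@"
    exit $?
fi
```

Invoke it as /opt/sshloginip_block.sh 2.3.4.5. The permanent rich rule is followed by firewall-cmd --reload so the block takes effect immediately rather than at the next reload. IPv6 sources are rejected by design here; extend valid_ipv4 if your SSH hosts are reachable over IPv6.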
6、Verify that the webhook URLs run the scripts
curl -H "Content-Type: application/json" -X POST 'http://192.168.31.54:9090/hooks/diskinfo?parameter1=/data&parameter2=/boot'
curl -H "Content-Type: application/json" -X POST 'http://192.168.31.54:9090/hooks/sshloginip_block?blockIP=2.3.4.5'
Entering the same URL in a browser gives the same result.
This shows that the URL parameters are passed through to the shell script and the script's output comes back in the response.
7、From here you can build on it freely
One example scenario: Graylog ingests the Linux security logs; when an SSH brute-force alert fires, a Graylog alarm callback (event notification in later Graylog releases) passes the attacking IP as a parameter to a shell script, and that script pushes an alert with buttons to a DingTalk group robot.
Clicking the button then triggers the webhook that runs the script blocking the brute-force IP.
Two caveats on this design: the actionURL points at a LAN address, so the button only works from a device that can reach 192.168.31.54:9090; and the blockIP value travels as a plain query parameter with no secret, so anyone who can reach that port can call the hook with any IP of their choosing (including one you rely on). Guard the hook with a trigger-rule or an nginx allow/deny list, and validate the argument inside the blocking script.
The script used is sshloginip_pushtodingtalk.sh:
#!/bin/bash
# sshloginip_pushtodingtalk.sh: called by the Graylog alert with the attacker IP as $1;
# posts an actionCard to the DingTalk group robot whose buttons call the webhook hooks.
BlockIP=$1
WEBHOOK_BASE="http://192.168.31.54:9090/hooks/sshloginip_block"

# Only accept a dotted-quad IPv4 address: the value is spliced into a URL and a sed
# expression below, so anything else is rejected before it is used.
ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
if ! [[ $BlockIP =~ $ipv4_re ]]; then
    echo "Error: '$BlockIP' is not an IPv4 address. Exiting script."
    exit 1
fi
# Refuse internal/reserved ranges: RFC 1918, CGNAT 100.64.0.0/10, benchmark 198.18.0.0/15.
# (The original pattern left the dots unescaped and matched all of 172.16., 100. and 198.)
internal_re='^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.|198\.1[89]\.)'
if [[ $BlockIP =~ $internal_re ]]; then
    echo "Error: $BlockIP is an internal IP. Exiting script."
    exit 1
fi
# DingTalk markdown needs \n for line breaks inside the JSON string.
cat > /opt/blockIP_request.json << EOF
{
  "msgtype": "actionCard",
  "actionCard": {
    "title": "Call the webhook service to manually block an attacker IP",
    "text": "##### Please confirm calling the webhook service to block the attacker IP \n> ##### <font color=#FF0000> IP to block: tempIP </font> \n",
    "btnOrientation": "1",
    "btns": [
      {
        "title": "Block it",
        "actionURL": "$WEBHOOK_BASE?blockIP=tempIP"
      },
      {
        "title": "Ignore",
        "actionURL": "$WEBHOOK_BASE"
      }
    ]
  }
}
EOF
sed -i "s^tempIP^$BlockIP^g" /opt/blockIP_request.json
# -k disables certificate verification for the DingTalk API; drop it unless an
# intercepting proxy breaks the chain, otherwise the robot token can be intercepted.
curl -k -H "Content-Type: application/json" -X POST -d @/opt/blockIP_request.json 'https://oapi.dingtalk.com/robot/send?access_token=XXXXX'
This article was completed with reference to the following links:
https://github.com/adnanh/webhook/blob/master/docs/Hook-Examples.md
https://github.com/adnanh/webhook/issues/543
https://cloud.tencent.com/developer/article/1922704
Originally published on the WeChat public account (WalkingCloud): [Graylog alert linkage] Deploying a webhook service to pass parameters and run shell scripts automatically