coverl 发表于 2018-8-21 08:46:15

用shell实现简单的IDS检测系统

  


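#!/bin/bash
# intruder_detect -- report repeated failed password logins from an sshd log.
# author: shanker
# date: 2012/4/23
#
# Usage: intruder_detect [AUTHLOG]
#   AUTHLOG  log file to scan; defaults to /var/log/secure.
#
# Only "Failed password" lines are considered, and lines mentioning "invalid"
# (unknown user names) are dropped, so the report covers failed attempts
# against existing accounts.  For every (source IP, user) pair whose attempts
# are spread over more than WINDOW_SECONDS, one table row is printed:
# serial number, user, attempt count, IP, reverse-DNS name, and the first
# and last timestamp.
#
# Assumes the classic syslog timestamp layout ("Mon DD HH:MM:SS" in the first
# 15 columns) and needs GNU date (-d).  Host_mapping is "-" when host(1) is
# missing or the lookup fails.
set -euo pipefail

readonly DEFAULT_AUTHLOG=/var/log/secure
# An (IP, user) pair is reported only when its attempts span more than this
# many seconds.
readonly WINDOW_SECONDS=20
# Dotted-quad IPv4 pattern (ERE) for pulling source addresses out of log lines.
readonly IPV4_RE='[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Print one table row (header or data) in the fixed column layout.
# Arguments: six column values
#######################################
print_row() {
  printf '%-5s|%-10s|%-10s|%-13s|%-33s|%s\n' "$@"
}

#######################################
# Convert a syslog timestamp to epoch seconds.
# Arguments: $1 - timestamp text, e.g. "Aug 21 08:46:15"
# Outputs:   epoch seconds on stdout
# Returns:   non-zero when date(1) cannot parse the text
#######################################
to_epoch() {
  date -d "$1" '+%s' 2>/dev/null
}

#######################################
# Reverse-resolve an IP address for the Host_mapping column.
# Arguments: $1 - IPv4 address (digits and dots only, from IPV4_RE)
# Outputs:   last field of the first host(1) output line, or "-"
#######################################
resolve_host() {
  local name=
  if command -v host >/dev/null 2>&1; then
    name=$(host "$1" 2>/dev/null | awk 'NR == 1 {print $NF}') || true
  fi
  printf '%s\n' "${name:--}"
}

#######################################
# Entry point: scan the log and print the report table.
# Arguments: $1 - optional log file path (see usage above)
# Returns:   0 on success; exits 1 if the log is unreadable
#######################################
main() {
  local authlog=$DEFAULT_AUTHLOG
  if [[ -n "${1:-}" ]]; then
    authlog=$1
    printf 'Using log file:%s\n' "$authlog"
  fi
  [[ -r "$authlog" ]] || die "cannot read log file: $authlog"

  # Private work directory instead of predictable /tmp/$$.* names.
  local tmpdir
  tmpdir=$(mktemp -d) || die "mktemp failed"
  # Expand $tmpdir now: main's local is out of scope when the EXIT trap runs.
  # shellcheck disable=SC2064
  trap "rm -rf -- '$tmpdir'" EXIT

  local failures=$tmpdir/failed.log
  local ip_log=$tmpdir/ip.log
  local pair_log=$tmpdir/pair.log

  # grep exits 1 when nothing matches; an empty result is not an error here.
  grep 'Failed password' -- "$authlog" | grep -vi 'invalid' > "$failures" || true

  # "Failed password for USER from IP port N ssh2": the user is field NF-5.
  local -a users=() ips=()
  mapfile -t users < <(awk 'NF > 5 {print $(NF - 5)}' "$failures" | sort -u)
  mapfile -t ips < <(grep -Eo -- "$IPV4_RE" "$failures" | sort -u)

  print_row 'Sr#' 'User' 'Attempts' 'IP address' 'Host_mapping' 'Time Range'
  (( ${#ips[@]} > 0 && ${#users[@]} > 0 )) || return 0

  local ucount=0 ip user tstart tend start end span attempts rdns
  for ip in "${ips[@]}"; do
    # -F: the address is a literal, so its dots do not match any character.
    grep -F -- "$ip" "$failures" > "$ip_log" || continue
    for user in "${users[@]}"; do
      # Anchor on "for USER from" so "root" cannot match inside another name.
      grep -F -- "for $user from" "$ip_log" > "$pair_log" || continue
      tstart=$(head -n 1 "$pair_log" | cut -c-15)
      tend=$(tail -n 1 "$pair_log" | cut -c-15)
      if ! start=$(to_epoch "$tstart") || ! end=$(to_epoch "$tend"); then
        printf 'warning: unparsable timestamp for %s from %s, skipped\n' \
          "$user" "$ip" >&2
        continue
      fi
      span=$(( end - start ))
      if (( span > WINDOW_SECONDS )); then
        ucount=$(( ucount + 1 ))
        # Arithmetic context strips the padding some wc implementations emit.
        attempts=$(( $(wc -l < "$pair_log") ))
        rdns=$(resolve_host "$ip")
        print_row "$ucount" "$user" "$attempts" "$ip" "$rdns" "$tstart--->$tend"
      fi
    done
  done
}

main "$@"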
  

  脚本很简单,就是检测20天以内尝试登录系统的用户,尝试次数,ip地址,host名字和日期。

