0

一段时间以来,Lurker 在这里为我的问题得到了很多很好的答案。希望这里有一些见解,请!我正在努力使用一些类似的 bash 脚本。

此处的目的是在 auth.log 中 grep“断开连接”并获取以下 IP 地址。然后我使用非常有用的extreme-ip-lookup.com 工具找到IP 地址的地理位置。它们在 AWS 上的 Ubuntu 16.04 服务器上运行。

我得到的结果好坏参半 - 我看到很多相同的 IP 地址(这是一个 AWS 服务器)没有出现在 auth.log 中,我很好奇信息的来源。最终,我在这里生成的结果将成为我将此服务器从公共可访问性中删除并使其仅私有的理由。它会在内部破坏一些东西,但会使环境更加安全。太神奇了,我什至不得不为此而战。

将 $ipaddy 变量(它显示为空白)和管道信息回显到文件中也存在问题。但这是另一个问题。;)

编码..

#!/bin/bash

tail -f /var/log/auth.log | \
while read line ; do
        ipaddy=$( echo "$line" | grep "Disconnected from" | cut -d: -f4 |awk '{print $3}' )
        if [ $? = 0 ]
        then
        curl "extreme-ip-lookup.com/csv/$ipaddy"
        echo ""
        fi
done

# cat auth.log | grep "Disconnected from" | cut -d: -f4 |awk '{print $3}'

底部标出的行是我的测试行,它正确输出了 IP 地址列表。

请参阅下面的输出结果。

-- -cat auth.log 命令的结果 | grep "断开连接"-

3 月 21 日 20:57:04 ip-10-10-100-22 sshd[11823]:从 115.238.245.6 端口 52720 [preauth] 断开连接 3 月 21 日 20:58:48 ip-10-10-100-22 sshd[11839 ]:从 93.147.131.23 端口 34934 [preauth] 断开连接 3 月 21 日 21:02:40 ip-10-10-100-22 sshd [11868]:从 221.194.47.221 端口 50977 [preauth] 断开连接 [preauth] Mar 21 21:03:02 ip-10-10-100-22 sshd[11884]:与 221.194.47.243 端口 47179 [preauth] 断开连接 3 月 21 日 21:04:52 ip-10-10-100-22 sshd[11900]:与 115.238.245.6 断开连接端口 53163 [preauth] 3 月 21 日 21:09:03 ip-10-10-100-22 sshd[12064]:从 122.226.181.164 端口 60190 [preauth] 3 月 21 日 21:16:46 ip-10-10-100 断开-22 sshd[12080]:从 221.194.47.233 端口 54297 [preauth] 3 月 21 日 21:23:01 ip-10-10-100-22 sshd[12123]:从 62.210.205.35 端口 38513 [preauth] 断开连接21:31:54 ip-10-10-100-22 sshd[12229]:与 221.194 断开连接。47.236 端口 55644 [preauth] 3 月 21 日 21:38:34 ip-10-10-100-22 sshd[12247]:从 62.241.131.10 端口 51984 [preauth] 3 月 21 日 21:38:54 ip-10-10-断开100-22 sshd[12267]:与 221.194.47.245 端口 41003 [preauth] 断开连接 3 月 21 日 21:42:35 ip-10-10-100-22 sshd[12286]:与 218.65.30.25 端口 15680 [preauth] 断开连接21 21:42:49 ip-10-10-100-22 sshd[12302]:从 121.18.238.39 端口 34310 [preauth] 断开连接 3 月 21 日 21:44:12 ip-10-10-100-22 sshd[12318] : 从 177.70.27.200 端口 34968 [preauth] 断开49 ip-10-10-100-22 sshd[12302]:从 121.18.238.39 端口 34310 [preauth] 断开连接 3 月 21 日 21:44:12 ip-10-10-100-22 sshd[12318]:从 177.70 断开连接。 27.200 端口 34968 [preauth]49 ip-10-10-100-22 sshd[12302]:从 121.18.238.39 端口 34310 [preauth] 断开连接 3 月 21 日 21:44:12 ip-10-10-100-22 sshd[12318]:从 177.70 断开连接。 27.200 端口 34968 [preauth]

-- 脚本运行一段时间的结果。这是 34.224.62.79 地址出现在 auth.log 中的 NOWHERE ELSE 让我感到困惑。我知道它们很可能是 AWS 内部的,但为什么它们也没有出现在 auth.log 中?

成功,34.224.62.79,,住宅,,,"北美",US,"美国",弗吉尼亚州,阿什本,39.0481,-77.4728,"亚马逊技术公司","哈里伯顿公司"成功,221.194.47.233,,住宅,,,Asia,CN,China,河北,保定,38.8511,115.4903,"河北联通省网","河北联通省网"成功,34.224.62.79,,住宅,,,"北美",US "United States",Virginia,Ashburn,39.0481,-77.4728,,"Amazon Technologies Inc.","Halliburton Company" 成功,34.224.62.79,,住宅,,,"North America",US,"United States",Virginia ,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company" 成功,34.224.62.79,,住宅,,,"北美",US,"美国",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company" success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,- 77.4728,"Amazon Technologies Inc.","Halliburton Company" 成功,62.210.205.35,aurora.appturesque.com,Business,Appturesque.com,www.appturesque.com,Europe,FR,France,,,,48.8582,2.3387," Online SAS","Magic Online ISP" success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company" success,34.224.62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company" 成功,34.224.62.79,,住宅,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company" 成功,34.224. 62.79,,Residential,,,"North America",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company" success,221.194.47.236,,Residential,,, Asia,CN,China,Hebei,Baoding,38.8511,115.4903,"中国联通河北省网","中国联通河北省网"成功,34.224.62.79,,住宅,,,"北美",US,美国",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company" 成功,62.241.131.10,host-62-241-131-10.static.link.com.eg,Residential,,,Africa,EG,Egypt,"Al Qahirah",Cairo,30.0771,31.2859,"Link Egypt","Link Egypt" 成功,34.224.62.79,,住宅,,,"北美",US,"美国", Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company" success,221.194.47.245,,住宅,,,Asia,CN,China,河北,保定,38.8511,115.4903,河北联通网络","中国联通河北省网络"成功,34.224.62.79,,住宅,,,"北美",US,"美国",弗吉尼亚州,阿什本,39.0481,-77.4728,"亚马逊科技公司", Halliburton Company"成功,218.65.30.25,,住宅,,,,Asia,CN,China,Jiangxi,Nanchang,28.5500,115.9333,"ChinaNet江西省网","CHINANET JIANGXI PROVINCE NETWORK"成功,34.224.62.79,,住宅,,,"北美",US,"United States",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","Halliburton Company" 成功,121.18.238.39,,住宅, ,,Asia,CN,China,Hebei,Hebei,39.8897,115.2750,"中国联通河北省网","中国联通河北省网"成功,34.224.62.79,,住宅,,,"北美",US,美国”,Virginia,Ashburn,39.0481,-77.4728,”Amazon Technologies Inc.”,”Halliburton Company”成功,177.70.27.200,v9duckz3sq.undercloud.net,住宅,,”南美”,BR,Brazil,, ,-22.8305,-43.2192,"Desenvolve Solucoes de Internet Ltda","Desenvolve Solucoes de Internet Ltda" 成功,34.224.62.79,,住宅,,,"北美",US,美国",Virginia,Ashburn,39.0481,-77.4728,"Amazon Technologies Inc.","哈里伯顿公司"成功,122.226.181.166,,住宅,,,亚洲,CN,中国,江苏,台州,32.4907,119.9081,”杭州天健信息科技》、《CHINANET浙江省网》

4

1 回答 1

0

令人惊讶的是,早上新鲜的眼睛可以为您做些什么!

我采用了更简单的方法(我猜),只是先输出了 IP 列表,然后将该列表读入我的查找中,而不是实时执行,并且稍微收紧了脚本。

#!/bin/bash

cat /var/log/auth.log | grep "Disconnected from" | cut -d: -f4 |awk '{print $3}' >> ipattempts.txt

cat ipattempts.txt |
while read line ; do
        echo $line
        curl extreme-ip-lookup.com/csv/$line >> sshattempts.txt
        echo "" >> sshattempts.txt
done

我上一篇文章中错误的 IP 地址实际上是另一台服务器的公共 IP 与该服务器通信。为什么它出现在查找中但没有出现在 auth.log 中仍然是个谜。

但是我在最后一天输出了一个几乎 1000 次错误 SSH 尝试的列表,其中大约一半来自中国和俄罗斯,今天早上我把正确的人吓坏了。;-)

于 2018-03-22T14:54:16.693 回答