Abnormal login alerting
Use a WeCom (企业微信) group bot to send an IP warning whenever someone logs in over SSH
1. Generate the SSH login record
cat > /etc/ssh/sshrc << EOF
#!/bin/bash
# sshd runs this file for every interactive login, as the user who logged in
user=\$USER
ip=\${SSH_CLIENT%% *}
time=\$(date +%F%t%k:%M)
server=\$HOSTNAME
# If the client IP is not one of the expected addresses, raise an alert
if [ "\$ip" != "192.168.31.201" ] && [ "\$ip" != "192.168.31.180" ];then
    echo -e "被登陆节点: \$server \n登陆时间: \$time \n用户: \$user \n发起登陆 ip :\$ip \n" > /tmp/msg
    # Call the script that pushes the message to the bot
    # (/tmp is writable by every local user; a script run from here should live in a root-owned directory instead)
    python2.7 /tmp/sent_alert_msg.py > /dev/null 2>&1
fi
EOF
chmod +x /etc/ssh/sshrc && cat /etc/ssh/sshrc
2. Send the alert to the WeCom group
# install pip and requests
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
python2.7 get-pip.py
pip2 install requests
# Post the alert text to the WeCom group webhook
cat > /tmp/sent_alert_msg.py << EOF
# coding: utf-8
import requests

# Read the message written by /etc/ssh/sshrc
with open('/tmp/msg') as f:
    msg = f.read()

if not msg.strip():
    print('msg is null')
else:
    url = "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=02691f24-eae3-4d8a-b130-92424570df89"
    # url = "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=xxxxxxxxxxxxxxxxx"
    # The webhook takes a JSON body, so declare it as such
    headers = {"Content-Type": "application/json"}
    data = {
        "msgtype": "text",
        "text": {
            "content": msg,
        }
    }
    r = requests.post(url, headers=headers, json=data)
    print(r.text)
EOF
Brute force
An unconventional SSH brute-forcer built on the PuTTY SSH client
https://github.com/InfosecMatter/SSH-PuTTY-login-bruteforcer
How it works: it drives the command-line options of the PuTTY SSH client to automate the SSH login sequence
import-module .\ssh-putty-brute.ps1
# Usage:
ssh-putty-brute [-h ip|ips.txt] [-p port] [-u user|users.txt] [-pw pass|pwdlist.txt]
# Examples:
ssh-putty-brute -h 10.10.5.11 -p 22 -u root -pw (gc .\pwdlist.txt)
ssh-putty-brute -h (gc .\ips.txt) -p 22 -u (gc .\users.txt) -pw (gc .\pwds.txt)
1. Nmap's ssh-brute NSE script
Beyond ordinary network scanning, Nmap can carry out a great deal of penetration-testing work through the Lua scripts of the NSE (Nmap Scripting Engine)
# Nmap version 7.80, on Ubuntu 20
nmap -p 22 --script ssh-brute \
--script-args userdb=users.lst,passdb=pass.lst \
--script-args ssh-brute.timeout=4s 192.168.31.161
2. Metasploit's ssh_login scanner
Login logs
tail -f /var/log/secure
# root account: password authentication succeeded
Aug 17 15:50:14 dev1 sshd[22678]: Accepted password for root from 192.168.31.201 port 33254 ssh2
Aug 17 15:50:14 dev1 sshd[22678]: pam_unix(sshd:session): session opened for user root by (uid=0)
# root account: password authentication failed
Aug 17 15:51:51 dev1 unix_chkpwd[22720]: password check failed for user (root)
Aug 17 15:51:51 dev1 sshd[22718]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.201 user=root
Aug 17 15:51:51 dev1 sshd[22718]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Aug 17 15:51:53 dev1 sshd[22718]: Failed password for root from 192.168.31.201 port 33256 ssh2
# root account: public-key authentication succeeded
Aug 17 15:49:35 dev1 sshd[22615]: Accepted publickey for root from 192.168.31.201 port 33250 ssh2: RSA SHA256:FpQS5Y9RaKumdypU7STH5LPYg7f6ukd7j9OY0rrC0bg
Aug 17 15:49:35 dev1 sshd[22615]: pam_unix(sshd:session): session opened for user root by (uid=0)
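As an added example (not part of the original notes), the following Python script parses the "Accepted"/"Failed" lines in the /var/log/secure format shown above, applies the same source-IP allowlist as the sshrc script, and counts failures per source so that a password-guessing run like the ones in the brute-force section shows up as a single alert. The 10.0.0.9 lines are constructed, and the allowlist and the threshold of 3 failures are assumptions.

```python
import re
from collections import Counter

# Assumption: the same allowlist the sshrc script above hard-codes.
ALLOWED_IPS = {"192.168.31.201", "192.168.31.180"}

# Matches the "Accepted ..." / "Failed ..." lines sshd writes to /var/log/secure.
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample: the events from the excerpt above, plus made-up lines
# from 10.0.0.9 (an address invented for this example) to show an attack.
SAMPLE_LOG = """\
Aug 17 15:49:35 dev1 sshd[22615]: Accepted publickey for root from 192.168.31.201 port 33250 ssh2: RSA SHA256:FpQS5Y9RaKumdypU7STH5LPYg7f6ukd7j9OY0rrC0bg
Aug 17 15:49:35 dev1 sshd[22615]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 17 15:50:14 dev1 sshd[22678]: Accepted password for root from 192.168.31.201 port 33254 ssh2
Aug 17 15:51:51 dev1 sshd[22718]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.31.201 user=root
Aug 17 15:51:53 dev1 sshd[22718]: Failed password for root from 192.168.31.201 port 33256 ssh2
Aug 17 15:52:01 dev1 sshd[22730]: Failed password for root from 10.0.0.9 port 40001 ssh2
Aug 17 15:52:02 dev1 sshd[22731]: Failed password for admin from 10.0.0.9 port 40002 ssh2
Aug 17 15:52:03 dev1 sshd[22732]: Failed password for invalid user test from 10.0.0.9 port 40003 ssh2
Aug 17 15:52:10 dev1 sshd[22733]: Accepted password for root from 10.0.0.9 port 40004 ssh2
"""

def parse_sshd_auth(text):
    """One dict per Accepted/Failed line; pam_* session lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_AUTH_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def analyze(events, allowed_ips=ALLOWED_IPS, fail_threshold=3):
    """Flag logins from non-allowlisted IPs and sources with repeated failures."""
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    unexpected = [e for e in events
                  if e["result"] == "Accepted" and e["ip"] not in allowed_ips]
    brute = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return {"unexpected_logins": unexpected, "brute_force_sources": brute}

def alert_text(event):
    """Same fields the sshrc message carries: node, time, user, source IP."""
    return ("Node: {host}\nTime: {ts}\nUser: {user}\nSource IP: {ip}\n"
            "Method: {method}").format(**event)
```

Feeding `tail -f /var/log/secure` output through `parse_sshd_auth` and `analyze` gives the same alert as the sshrc hook, plus the failure count that a single login hook cannot see.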
Login source access control
The login sources for the root account are not controlled in access.conf; they are controlled by the /etc/securetty file
/lib64/security/pam_access.so
pam_access is the PAM module that handles user access control. Before PAM, Linux did all of its user access control through the hosts.allow and hosts.deny files, which governed access to every service
cat /etc/security/access.conf
# deny console access to everyone except user01, user02 and user03
-:ALL EXCEPT user01 user03 user02:console
# deny user01 when connecting from any 192.168.31.x address
-:user01:192.168.31.
References
https://www.docs4dev.com/docs/zh/linux-pam/1.1.2/reference/sag-pam_time.html