When someone logs in to the server I want to know which IP the login came from, so that if an attacker gets in I find out promptly.
The approach: a Python script keeps checking the Linux secure log file and sends an email whenever it finds a successful login. A shell script starts and stops the Python script, and a crontab entry periodically checks whether the Python process is running and starts it if it is not.
Python script
#!/bin/python
# -*- coding: utf-8 -*-
# Filename:
# Revision: 1.0
# Date: 2013-3-26
# Author: simonzhang
# web: www.simonzhang.net
# Email: simon-zzm@163.com
### END INIT INFO
import re
import os
import time
import smtplib
from email.mime.text import MIMEText

#### Basic settings
mail_host = 'smtp.exmail.qq.com'
mail_user = 'warning'
mail_pwd = 'aaa'
mail_to = "simon-zzm@163.com"
mail_cc = "simon-zzm@"
secure_file = '/var/log/secure'
conn_fail_key = 'Failed password'
conn_access_key = 'Accepted password'
exclude_ip = ['192.168.100.8',
              '192.168.100.10',
              '192.168.100.11']
my_path = os.getcwd()


####
def mail_send(text):
    content = '%s' % text
    msg = MIMEText(content)
    msg['From'] = mail_user
    msg['Subject'] = 'access login server'
    msg['To'] = mail_to
    msg['Cc'] = mail_cc
    try:
        s = smtplib.SMTP()
        s.connect(mail_host)
        s.login(mail_user, mail_pwd)
        s.sendmail(mail_user, [mail_to, mail_cc], msg.as_string())
        s.close()
    except Exception as e:
        print(e)


####
# get local host ip
####
def get_ip_address():
    ip = os.popen("/sbin/ifconfig | grep 'inet addr' | awk '{print $2}'").read()
    ip = ip[ip.find(':') + 1:ip.find('\n')]
    return ip


####
def parse_secure(_data):
    # Extract the IP address from the log line (first octet may be a single digit)
    re_ip = re.compile(r'''\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}''', re.DOTALL)
    try:
        get_ip = re_ip.findall(_data)[0]
    except IndexError:
        get_ip = ''
    #### Is this a successful-login line?
    is_access = conn_access_key in _data
    #### Return the IP of a successful login that is not in the known list
    if (get_ip not in exclude_ip) and (get_ip != '') and is_access:
        return get_ip
    else:
        return ''


def main():
    #### Get the last line processed on the previous run
    try:
        last_line = open('%s/lastline.txt' % my_path, 'r').readlines()[0][:-1]
    except (IOError, IndexError):
        last_line = ''
    #### Open the security log and record its last line
    get_secure = open(secure_file, 'r').readlines()
    if not get_secure:
        return
    write_line = open('%s/lastline.txt' % my_path, 'w')
    write_line.write(get_secure[-1])
    write_line.close()
    #### Keep only unprocessed lines; if no last line is recorded (or it is no
    #### longer in the file, e.g. after log rotation) process everything
    if last_line != "":
        try:
            last_id = get_secure.index("%s\n" % last_line)
            get_secure = get_secure[last_id + 1:]
        except ValueError:
            pass
    #### Process the data: only successful and failed logins are of interest
    access_login_list = ''
    for _get in get_secure:
        re_get_ip = parse_secure(_get)
        if re_get_ip != '':
            access_login_list += "%s " % re_get_ip
    #### Decide whether to alert
    if len(access_login_list) > 1:
        mail_send("%s access login %s server" % (access_login_list, get_ip_address()))


if __name__ == '__main__':
    while True:
        main()
        time.sleep(3)
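As an added example (Python 3, not the post's own code), the same idea with a stricter parser: one regex that pulls result, method, user and source IP out of sshd lines (password and publickey, Accepted and Failed, valid and invalid users), a CIDR allowlist in place of the single-IP list, and incremental reading keyed on inode and byte offset so that log rotation does not break the "last line" bookkeeping. TRUSTED_NETS and the log lines are assumed/constructed values.

```python
import os
import re
import ipaddress
# Constructed sample of /var/log/secure lines (not real data).
SAMPLE_LOG = (
    "Mar 26 10:00:01 web1 sshd[1234]: Accepted password for root from 203.0.113.5 port 51234 ssh2\n"
    "Mar 26 10:00:05 web1 sshd[1235]: Accepted publickey for deploy from 192.168.100.8 port 51235 ssh2\n"
    "Mar 26 10:00:09 web1 sshd[1236]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2\n"
)
# Networks whose logins are expected (assumed values; CIDR ranges instead of single IPs).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.100.0/24", "10.0.0.0/8")]
AUTH_RE = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

def parse_auth_line(line):
    """Return the fields of an sshd auth line, or None for unrelated lines."""
    m = AUTH_RE.search(line)
    return m.groupdict() if m else None

def suspicious_logins(lines):
    """Successful logins from outside TRUSTED_NETS as (user, ip, method) tuples."""
    hits = []
    for line in lines:
        rec = parse_auth_line(line)
        if rec and rec["result"] == "Accepted":
            ip = ipaddress.ip_address(rec["ip"])
            if not any(ip in net for net in TRUSTED_NETS):
                hits.append((rec["user"], rec["ip"], rec["method"]))
    return hits

def read_new_lines(path, state):
    """Lines appended since the last call; state = {inode, offset}, reset on rotation."""
    st = os.stat(path)
    if st.st_ino != state.get("ino") or st.st_size < state.get("off", 0):
        state["off"] = 0  # new inode or truncated file: logrotate ran, start over
    with open(path, "r", errors="replace") as f:
        f.seek(state["off"])
        lines = f.readlines()
        state["off"] = f.tell()
    state["ino"] = st.st_ino
    return lines

def demo(path):
    # Two polling rounds on one file: the second round sees only the appended line.
    state = {}
    with open(path, "w") as f: f.write(SAMPLE_LOG)
    first = suspicious_logins(read_new_lines(path, state))
    with open(path, "a") as f:
        f.write("Mar 26 10:01:00 web1 sshd[1240]: Accepted publickey for ops from 198.51.100.9 port 2222 ssh2\n")
    return first, suspicious_logins(read_new_lines(path, state))
```

The offset state would be persisted (for instance as JSON next to the script) in place of lastline.txt, and `suspicious_logins` output fed to the existing `mail_send`.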
Shell script
#! /bin/bash
#
# make simon-zzm@163.com
#
#
### END INIT INFO

# Source function library.
. /etc/profile

# Run from the script's own directory so the Python script finds lastline.txt there
cd "$(dirname "$0")"
key=monitoring_secure.py

# See how we were called.
case "$1" in
  stop)
    /bin/ps -ef | grep "${key}" | grep -v grep | awk '{print $2}' | xargs kill -9
    ;;
  start)
    /usr/local/bin/python ${key} &
    ;;
  restart)
    $0 stop
    sleep 1
    /usr/local/bin/python ${key} &
    ;;
  check)
    process_count=$(/bin/ps -ef | grep "${key}" | grep -v grep | wc -l)
    case "${process_count}" in
      0)
        $0 start
        ;;
      1)
        ;;
      *)
        $0 stop
        sleep 1
        $0 start
        ;;
    esac
    ;;
  status)
    /bin/ps -ef | grep "${key}" | grep -v grep
    ;;
  *)
    echo $"Usage: $0 {stop|start|restart|check|status}"
    exit 1
esac
exit
crontab configuration: run the check every 8 hours.
0 */8 * * * /bin/sh /program/script/check_login_user/monitoring_secure.sh check >/dev/null 2>&1