标签归档:ssh

linux ssh爆破应急响应相关命令

1、查看ssh端口(默认22)可疑连接
[root@host ~]#netstat -anplt |grep 22

2、查看除root外是否有特权账户
awk -F: ‘$3==0{print $1}’ /etc/passwd

3、查看可疑远程登录的账号信息
awk ‘/$1|$6/{print $1}’ /etc/shadow

4、查看ssh登录失败的记录
grep -o “Failed password” /var/log/secure|uniq -c

5、查看登录爆破的时间范围
grep “Failed password” /var/log/secure|head -1
grep “Failed password” /var/log/secure|tail -1

6、查看爆破的源IP
grep “Failed password” /var/log/secure|grep -E -o
“(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25
[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)”|uniq -c
| sort -nr

7、查看爆破用户名字典
grep “Failed password” /var/log/secure|
perl -e ‘while($_=<>){ /for(.*?) from/; print “$1n”;}’
|uniq -c|sort -nr

8、查看登录成功的日期、用户名、IP日志
grep “Accepted ” /var/log/secure | awk
‘{print $1,$2,$3,$9,$11}’

9、查看登录成功的IP
grep “Accepted ” /var/log/secure | awk ‘{print $11}’
| sort | uniq -c | sort -nr | more

linux ssh爆破应急响应相关命令

1、查看ssh端口(默认22)可疑连接
[root@host ~]#netstat -anplt |grep 22

2、查看除root外是否有特权账户
awk -F: ‘$3==0{print $1}’ /etc/passwd

3、查看可疑远程登录的账号信息
awk ‘/$1|$6/{print $1}’ /etc/shadow

4、查看ssh登录失败的记录
grep -o “Failed password” /var/log/secure|uniq -c

5、查看登录爆破的时间范围
grep “Failed password” /var/log/secure|head -1
grep “Failed password” /var/log/secure|tail -1

6、查看爆破的源IP
grep “Failed password” /var/log/secure|grep -E -o
“(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25
[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)”|uniq -c
| sort -nr

7、查看爆破用户名字典
grep “Failed password” /var/log/secure|
perl -e ‘while($_=<>){ /for(.*?) from/; print “$1n”;}’
|uniq -c|sort -nr

8、查看登录成功的日期、用户名、IP日志
grep “Accepted ” /var/log/secure | awk
‘{print $1,$2,$3,$9,$11}’

9、查看登录成功的IP
grep “Accepted ” /var/log/secure | awk ‘{print $11}’
| sort | uniq -c | sort -nr | more


H3C交换机配置SSH源地址登录限制和SNMP源地址限制的方法

需求1:对SSH远程管理进行限源,仅允许10.0.1.0/24,210.1.0.0/24段ip进行登录;
需求2:对SNMP管理进行限源,仅允许210.1.0.200-210.1.0.202这3个ip进行访问。

配置方法:
ssh登录后,输入:
sys
acl number 2000 match-order config
rule 1 permit source 10.0.1.0 0.0.0.255
rule 2 permit source 210.1.0.0 0.0.0.255
rule 3 deny source any
quit
acl number 2001 match-order config
rule 1 permit source 210.1.0.200 0
rule 2 permit source 210.1.0.201 0
rule 3 permit source 210.1.0.202 0
rule 4 deny source any
quit
ssh server acl 2000
snmp-agent community read public acl 2001
save

即可。