Linux Log Management and Troubleshooting
System logs record the server's running state, security events and application behaviour; they are the primary evidence for troubleshooting and security audits.
Log File Layout
Linux system logs live mainly under the /var/log/ directory:
```
/var/log/
├── auth.log      # authentication log (SSH logins, sudo, etc.)
├── syslog        # general system log
├── kern.log      # kernel log
├── dmesg         # boot messages
├── boot.log      # boot process log
├── dpkg.log      # package installation log
├── apt/          # APT package manager logs
├── nginx/        # Nginx web server logs
├── mysql/        # MySQL database logs
└── cron.log      # cron job log
```
Core Log Commands
Viewing log files
```bash
# Follow the log in real time, starting from the last 100 lines
# (plain "tail -f" starts from only the last 10 lines)
tail -n 100 -f /var/log/syslog

# Show the last 50 lines
tail -n 50 /var/log/auth.log

# Page through the file
less /var/log/syslog

# Print the whole file
cat /var/log/dmesg

# Kernel ring buffer (boot messages)
dmesg | less
```
Searching and analysing logs
```bash
# Search for a keyword
grep "error" /var/log/syslog

# Case-insensitive search
grep -i "failed" /var/log/auth.log

# Show 5 lines of context before and after each match
grep -C 5 "error" /var/log/syslog

# Count matching lines
grep -c "error" /var/log/syslog

# Search for several patterns at once
grep -E "error|warning|critical" /var/log/syslog

# Combine commands: failed SSH logins per source IP. The IP is the 4th field from
# the end, which holds for both "for user X from IP" and "for invalid user X from IP"
# lines, whereas a fixed column such as $11 shifts between the two forms
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
```
Log rotation configuration
```bash
# Inspect the log rotation configuration
cat /etc/logrotate.conf
ls -la /etc/logrotate.d/

# Force a rotation now
logrotate -f /etc/logrotate.conf

# Dry run (debug mode): show what would be rotated without changing anything
logrotate -d /etc/logrotate.conf
```
Example of a custom logrotate configuration:
```bash
cat > /etc/logrotate.d/myapp << 'EOF'
/var/log/myapp/*.log {
    daily
    rotate 7
    compress
    delaycompress
    missingok
    notifempty
    create 644 root root
    postrotate
        systemctl reload myapp
    endscript
}
EOF
```
Hands-on case: SSH brute-force analysis and protection
Scenario
The server's SSH service is under a brute-force attack; the task is to analyse the logs, identify the attack sources and put protective measures in place.
Solution
Step 1: Analyse the authentication log
```bash
# Most recent failed SSH login attempts
grep "Failed password" /var/log/auth.log | tail -20

# Top attacking IP addresses (4th field from the end)
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn | head -10

# Time distribution of the attempts (attempts per timestamp)
grep "Failed password" /var/log/auth.log | awk '{print $1, $2, $3}' | sort | uniq -c

# User names being tried (6th field from the end)
grep "Failed password" /var/log/auth.log | awk '{print $(NF-5)}' | sort | uniq -c | sort -rn | head -10
```
Step 2: Identify the attack pattern
```bash
# Create the analysis script
cat > /usr/local/bin/analyze-ssh-attack.sh << 'EOF'
#!/bin/bash

LOG_FILE="/var/log/auth.log"
REPORT_FILE="/tmp/ssh-attack-report.txt"

echo "SSH 攻击分析报告" > "$REPORT_FILE"
echo "生成时间:$(date)" >> "$REPORT_FILE"
echo "================" >> "$REPORT_FILE"

# Top attacking IPs (4th field from the end)
echo -e "\n攻击 IP 排行:" >> "$REPORT_FILE"
grep "Failed password" "$LOG_FILE" | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn | head -10 >> "$REPORT_FILE"

# Most tried user names (6th field from the end)
echo -e "\n尝试用户名排行:" >> "$REPORT_FILE"
grep "Failed password" "$LOG_FILE" | awk '{print $(NF-5)}' | sort | uniq -c | sort -rn | head -10 >> "$REPORT_FILE"

# Attempts per day (month and day fields), last 24 entries
echo -e "\n攻击时间分布:" >> "$REPORT_FILE"
grep "Failed password" "$LOG_FILE" | awk '{print $1, $2}' | sort | uniq -c | tail -24 >> "$REPORT_FILE"

cat "$REPORT_FILE"
EOF

chmod +x /usr/local/bin/analyze-ssh-attack.sh
```
Step 3: Put protective measures in place
```bash
# Install Fail2Ban
apt update
apt install fail2ban -y

# Configure SSH protection
cat > /etc/fail2ban/jail.local << 'EOF'
[sshd]
enabled = true
# must match the port sshd actually listens on: once step 4 moves SSH to 2222, set port = 2222
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600
EOF

# Start the service and enable it at boot
systemctl restart fail2ban
systemctl enable fail2ban

# Check the jail status
fail2ban-client status sshd

# List the currently banned IPs
fail2ban-client get sshd banned
```
Step 4: Harden the SSH configuration
```bash
# Back up the current configuration before replacing it
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

# Write the hardened configuration. This replaces the whole file, so re-add any
# directive you still need from the backup (for example "Subsystem sftp ...")
cat > /etc/ssh/sshd_config << 'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 60
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers admin deploy
EOF

# Validate the syntax before restarting; keep the current session open until a
# key-based login on port 2222 has been confirmed to work
sshd -t && systemctl restart sshd
```
Step 5: Create a monitoring script
```bash
cat > /usr/local/bin/monitor-ssh.sh << 'EOF'
#!/bin/bash

LOG_FILE="/var/log/auth.log"
ALERT_LOG="/var/log/ssh-alerts.log"
THRESHOLD=10

# Failed attempts in the last 5 minutes. The syslog timestamp ("Mon DD HH:MM:SS")
# carries no year and month names do not sort chronologically, so each line is
# converted to epoch seconds instead of comparing strings (mktime needs gawk or
# mawk 1.3.4+; entries are assumed to belong to the current year).
RECENT=$(grep "Failed password" "$LOG_FILE" | \
  awk -v since="$(date -d '5 minutes ago' +%s)" -v year="$(date +%Y)" '
    BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i }
    { split($3, t, ":")
      ts = mktime(year " " mon[$1] " " $2 " " t[1] " " t[2] " " t[3])
      if (ts >= since) print }')
COUNT=$(printf '%s\n' "$RECENT" | grep -c "Failed password")

if [ "$COUNT" -gt "$THRESHOLD" ]; then
    echo "$(date): 检测到 $COUNT 次 SSH 失败尝试" >> "$ALERT_LOG"

    # Source IPs (4th field from the end)
    ATTACKERS=$(printf '%s\n' "$RECENT" | awk '{print $(NF-3)}' | sort -u)
    echo "攻击 IP: $ATTACKERS" >> "$ALERT_LOG"

    # Temporary block: -C first so the rule is not duplicated on every run,
    # -I so it lands ahead of any existing ACCEPT rule
    for ip in $ATTACKERS; do
        iptables -C INPUT -s "$ip" -p tcp --dport 2222 -j DROP 2>/dev/null || \
            iptables -I INPUT -s "$ip" -p tcp --dport 2222 -j DROP
    done
fi
EOF

chmod +x /usr/local/bin/monitor-ssh.sh

# Run the check every 5 minutes (append to the existing crontab rather than replacing it)
(crontab -l 2>/dev/null; echo "*/5 * * * * /usr/local/bin/monitor-ssh.sh") | crontab -
```
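The analysis script in step 2 and the monitor script in step 5 both extract the user and source IP by awk field position and select the time window by comparing syslog timestamps. As an added example, not part of the original post, the same detection in Python: a regex names the user and IP fields (covering both the "for user" and "for invalid user" line forms), timestamps are parsed properly, and the window and threshold are explicit. The log lines are constructed for the example; the year is supplied by the caller because syslog timestamps do not carry one.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches an OpenSSH "Failed password" line in the traditional syslog format and
# names the user and source IP, so the fields are not tied to a position as with
# awk '$(NF-3)'. The optional "invalid user" marker covers both line variants.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample auth.log lines (not taken from a real server)
SAMPLE_LOG = """\
Jan  5 12:30:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan  5 12:30:02 web1 sshd[2102]: Failed password for root from 203.0.113.7 port 51235 ssh2
Jan  5 12:30:05 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Jan  5 12:30:40 web1 sshd[2104]: Failed password for deploy from 198.51.100.9 port 40001 ssh2
Jan  5 12:31:00 web1 sshd[2105]: Accepted publickey for deploy from 198.51.100.9 port 40002 ssh2
Jan  5 12:37:10 web1 sshd[2106]: Failed password for invalid user test from 203.0.113.7 port 51237 ssh2
"""

def failed_events(text, year):
    """Return (timestamp, user, ip, is_invalid_user) for every failed-password line.
    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day ("Jan  5")
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"], m["invalid"] is not None))
    return events

def summarize(events, window_end, window_minutes=5, threshold=10):
    """Per-IP and per-user failure counts inside the window ending at window_end,
    plus the IPs at or above the threshold (the monitor script's alert condition)."""
    start = window_end - timedelta(minutes=window_minutes)
    per_ip, per_user = Counter(), Counter()
    for ts, user, ip, _ in events:
        if start <= ts <= window_end:
            per_ip[ip] += 1
            per_user[user] += 1
    offenders = [ip for ip, n in per_ip.most_common() if n >= threshold]
    return per_ip, per_user, offenders
```

Feed `failed_events(open("/var/log/auth.log").read(), 2024)` into `summarize` with `window_end=datetime.now()` to reproduce the monitor script's check; the "Accepted publickey" line is ignored and the 12:37 attempt falls outside a 5-minute window ending at 12:30:40.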
Verification
```bash
# Run the analysis script
/usr/local/bin/analyze-ssh-attack.sh

# Check the Fail2Ban status
fail2ban-client status
fail2ban-client status sshd

# Watch the alert log
tail -f /var/log/ssh-alerts.log

# Test an SSH connection on the new port
ssh -p 2222 admin@localhost
```
Summary
Key points of log management:
- Know where the log files are and what each one records
- Master the analysis commands: tail, grep, awk and friends
- Configure log rotation so logs cannot fill the disk
- Use Fail2Ban to block brute-force attempts automatically
- Put a monitoring script in place to catch anomalies early