Searching for that patch of shallow grass in life......

Posts in category: Security

Logging sudo separately

By default, every command run through sudo is logged to /var/log/secure. To make analysis easier, you may want sudo to write its log somewhere else. Run:
visudo
Append the following two lines at the end, then save and quit:
Defaults logfile=/var/log/sudo.log
Defaults !syslog
With this in place, sudo's log is written to /var/log/sudo.log (the !syslog line turns off sudo's syslog output, so entries no longer go to /var/log/secure).

Recording bash history via syslog

At work you may find idle attackers wandering around your servers. They are reasonably clever, so they delete the history before they leave. How can you still record a user's command history?
Principle: write the history to syslog and forward it in real time to a remote, centralized log server.

Method: use the new feature in bash 4.1 that saves history commands to syslog, then build a centralized log server with syslog-ng to collect the hosts' logs.

1. Download bash:
# wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
# tar zxvf bash-4.1.tar.gz -C /tmp
# cd /tmp/bash-4.1

2. Modify the source

(Adjust this to your needs; I kept only pid, uid, sid and the like. For the available fields, see shell.c in the source directory.)
In bashhist.c, starting at roughly line 708, change the block to the following:

  if (strlen (line) < SYSLOG_MAXLEN)
    syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d PPID=%d SID=%d User=%s CMD=%s", getpid(), getppid(), getsid(getpid()), current_user.user_name, line);
  else
    {
      strncpy (trunc, line, SYSLOG_MAXLEN);
      trunc[SYSLOG_MAXLEN - 1] = '\0';
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PID=%d PPID=%d SID=%d User=%s CMD=%s", getpid(), getppid(), getsid(getpid()), current_user.user_name, trunc);
    }
Notes:
PPID: tracks the user after switching shells with sh
SID: tracks the user after switching users with su
The second branch is the statement used when the log line is longer than 600 characters (SYSLOG_MAXLEN).
Edit config-top.h:

/*#define SYSLOG_HISTORY*/
change it to
#define SYSLOG_HISTORY
Compile and install:
# ./configure --prefix=/usr/local/bash_4.1 && make && make install
Change the user configuration:
Switch the user's login shell to the new bash 4.1:
# vi /etc/passwd
dongwm:x:501:501::/home/dongwm:/usr/local/bash_4.1/bin/bash
The history is now logged to /var/log/messages.
The result looks like this:

Dec 23 17:40:28 server -bash: HISTORY: PID=4089 PPID=4088 SID=4089 User=dongwm CMD=exit
Dec 23 17:41:47 server -bash: HISTORY: PID=4282 PPID=4278 SID=4282 User=root CMD=exit
Dec 23 17:41:53 server -bash: HISTORY: PID=4321 PPID=4317 SID=4321 User=root CMD=ssh java00
Dec 23 17:44:09 server -bash: HISTORY: PID=2152 PPID=2137 SID=2152 User=root CMD=vi Clean_javalog.sh
Dec 23 17:45:16 server -bash: HISTORY: PID=2152 PPID=2137 SID=2152 User=root CMD=sh Clean_javalog.sh
Dec 23 17:45:30 server -bash: HISTORY: PID=2152 PPID=2137 SID=2152 User=root CMD=cat /dev/shm/cleanJavaLog.log
Dec 23 17:46:08 server -bash: HISTORY: PID=2152 PPID=2137 SID=2152 User=root CMD=vi Clean_javalog.sh
Dec 23 17:48:54 server -bash: HISTORY: PID=2152 PPID=2137 SID=2152 User=root CMD=cat Clean_javalog.sh

……
With this logging deployed across the whole environment, it is easy to find out who did what, when, and under which account.

3. Host syslog configuration (add the log server's address)
# vi /etc/syslog.conf

Append one line at the end:
*.* @server.dongwm.com

4. Set up the log server
See: http://wenku.baidu.com/view/c3bb49c58bd63186bcebbc7a.html
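Once the HISTORY lines arrive at the central syslog server, they still have to be read. The following is an added example (not code from the original post) that parses the line format produced by the patched bashhist.c above, groups commands by session id, and flags sessions in which more than one user name appears, which is what the notes mean by "SID tracks the user after su". The last two log lines are constructed for that case; the first three are taken from the page's sample output.

```python
import re
from collections import defaultdict

# Matches the HISTORY lines emitted by the patched bashhist.c shown above,
# in both the normal and the "(TRUNCATED)" form.
HISTORY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+: "
    r"HISTORY(?P<trunc> \(TRUNCATED\))?: PID=(?P<pid>\d+) PPID=(?P<ppid>\d+) "
    r"SID=(?P<sid>\d+) User=(?P<user>\S+) CMD=(?P<cmd>.*)$"
)

def parse_history_line(line):
    """Return a dict for one HISTORY syslog line, or None for any other line."""
    m = HISTORY_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "ppid", "sid"):
        rec[key] = int(rec[key])
    rec["truncated"] = rec.pop("trunc") is not None
    return rec

def sessions_by_sid(lines):
    """Group commands by session id. The SID survives `su`, so one session
    record can carry several user names, in the order they appeared."""
    sessions = defaultdict(lambda: {"users": [], "commands": []})
    for line in lines:
        rec = parse_history_line(line)
        if rec is None:
            continue
        sess = sessions[rec["sid"]]
        if rec["user"] not in sess["users"]:
            sess["users"].append(rec["user"])
        sess["commands"].append((rec["ts"], rec["user"], rec["cmd"]))
    return dict(sessions)

def sessions_with_user_switch(sessions):
    """SIDs under which more than one user name was logged (e.g. after su)."""
    return sorted(sid for sid, s in sessions.items() if len(s["users"]) > 1)

# First three lines are from the page's sample output; the last two are
# constructed to show a session that switches user with su.
SAMPLE_LOG = """\
Dec 23 17:40:28 server -bash: HISTORY: PID=4089 PPID=4088 SID=4089 User=dongwm CMD=exit
Dec 23 17:44:09 server -bash: HISTORY: PID=2152 PPID=2137 SID=2152 User=root CMD=vi Clean_javalog.sh
Dec 23 17:45:16 server -bash: HISTORY: PID=2152 PPID=2137 SID=2152 User=root CMD=sh Clean_javalog.sh
Dec 23 18:02:11 server -bash: HISTORY: PID=5000 PPID=4999 SID=5000 User=dongwm CMD=su -
Dec 23 18:02:20 server -bash: HISTORY: PID=5010 PPID=5000 SID=5000 User=root CMD=id
""".splitlines()
```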

Reposted from: http://salogs.com/2010/12/syslog%E8%AE%B0%E5%BD%95history%E5%8E%86%E5%8F%B2%E8%AE%B0%E5%BD%95/

DDoS deflate – defending against and mitigating DDoS attacks on Linux

Preface

The Internet, like real society, is full of intrigue, and having a website DDoSed has become a webmaster's biggest headache. Without hardware protection, finding software to fill the gap is the most direct approach, for example iptables; but iptables cannot block automatically, only manually. Today's topic is a piece of software that can automatically block the IPs of DDoS attackers: DDoS deflate.

Introduction to DDoS deflate

DDoS deflate is a free script for defending against and mitigating DDoS attacks. It uses netstat to monitor and track IP addresses that create a large number of network connections; when it detects that a node exceeds the preset limit, the program blocks those IPs through APF or iptables.

DDoS deflate official website: http://deflate.medialayer.com/

How to tell whether you are under a DDoS attack?

Run:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

After running it, the number of connections to the server from each IP is displayed.

Below is the result of a test on my own VPS:

li88-99:~# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
1 114.226.9.132
1 174.129.237.157
1 58.60.118.142
1 Address
1 servers)
2 118.26.131.78
3 123.125.1.202
3 220.248.43.119
4 117.36.231.253
4 119.162.46.124
6 219.140.232.128
8 220.181.61.31
2311 67.215.242.196

A few, a dozen, or a few dozen connections per IP is still fairly normal; hundreds or thousands from a single IP, as in the last line above, is definitely not. (The "Address" and "servers)" entries are netstat's two header lines passing through the pipeline, not hosts.)

1. Install DDoS deflate

wget http://www.inetbase.com/scripts/ddos/install.sh   # download DDoS deflate
chmod 0700 install.sh                                   # make it executable
./install.sh                                            # run the installer

2. Configure DDoS deflate

Below is the default DDoS deflate configuration, located at /usr/local/ddos/ddos.conf. The trailing # comments after the values are the author's annotations:

##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"   # IP address whitelist
CRON="/etc/cron.d/ddos.cron"                      # scheduled execution
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1   # check interval; the default is 1 minute

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150   # maximum connections; an IP exceeding this is blocked. The default is usually fine

##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1   # use APF or iptables. iptables is recommended: set APF_BAN to 0

##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1   # whether to block IPs; keep the default

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"   # send an email to this address when an IP is blocked; recommended, just use your own address

##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600   # how long an IP stays blocked; default 600 seconds, adjust as needed

Users can modify the configuration file following the comment hints added to the default configuration above.
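To see how NO_OF_CONNECTIONS and the whitelist act on the netstat output shown earlier, here is an added example (not part of the DDoS deflate project) that re-implements the page's counting pipeline in Python. The netstat output is constructed, IGNORE_IP_LIST and NO_OF_CONNECTIONS are stand-ins for the ddos.conf settings, and the threshold is lowered from 150 to 3 so the small sample trips it. It also handles the two cases the shell pipeline mishandles: netstat's header lines (the "Address" and "servers)" rows above) and IPv4-mapped IPv6 entries, which `cut -d: -f1` reduces to an empty string.

```python
import ipaddress
from collections import Counter

# Constructed `netstat -ntu` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40002       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40003       SYN_RECV
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.9:40004 ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:55000        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:55001        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:55002        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:55003        ESTABLISHED
"""
# Stand-ins for ddos.conf: the whitelist file and NO_OF_CONNECTIONS
# (the page's default is 150; lowered so the small sample trips it).
IGNORE_IP_LIST = {"192.0.2.10"}
NO_OF_CONNECTIONS = 3

def foreign_address(field):
    """Strip the port from a netstat foreign-address field; return None for
    header words. Splitting on the last colon also works for IPv6 entries."""
    host = field.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # 'Address', 'servers)' and similar header residue
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # count ::ffff:a.b.c.d together with a.b.c.d
    return str(addr)

def count_connections(netstat_output):
    """Connections per remote IP, like the page's sort | uniq -c pipeline."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 5:
            ip = foreign_address(fields[4])
            if ip is not None:
                counts[ip] += 1
    return counts

def bad_ips(netstat_output, threshold=NO_OF_CONNECTIONS, ignore=IGNORE_IP_LIST):
    """IPs over the threshold and not whitelisted: the set ddos.sh would ban."""
    return sorted(ip for ip, n in count_connections(netstat_output).items()
                  if n > threshold and ip not in ignore)
```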

If you like tinkering, you can test the effect with a web stress-testing tool. DDoS deflate should be able to shield your VPS or server from some DDoS attacks and give your website more protection.

Reposted from: VPS侦探 http://www.VPSer.Net

How to: Linux / UNIX Delete or Remove Files With Inode Number

An inode identifies a file and its attributes such as file size, owner, and so on. A unique inode number within the file system identifies each inode. But why delete a file by its inode number? Sure, you can use the rm command to delete a file. Sometimes you accidentally create a filename with control characters, characters that cannot be typed on a keyboard, or special characters such as ?, * or ^. Removing such filenames can be a problem. Use the following method to delete a file with strange characters in its name:

Please note that the procedure outlined below works with Solaris, FreeBSD, Linux, or any other Unix-like OS out there:

Find out the file's inode
First find out the file's inode number with any one of the following commands:

stat {file-name}

OR

ls -il {file-name}

Use the find command to remove the file:
Use the find command as follows to find and remove the file:

find . -inum [inode-number] -exec rm -i {} \;

When prompted for confirmation, press Y to confirm removal of the file.

Delete or remove files by inode number
Let us try to delete a file using its inode number.

(a) Create a hard-to-delete file name:
$ cd /tmp
$ touch "\+Xy \+\8"
$ ls
(b) Try to remove this file with the rm command:
$ rm \+Xy \+\8

(c) Remove the file by its inode number, but first find out the inode number:
$ ls -il
Output:

781956 drwx------ 3 viv viv 4096 2006-01-27 15:05 gconfd-viv
781964 drwx------ 2 viv viv 4096 2006-01-27 15:05 keyring-pKracm
782049 srwxr-xr-x 1 viv viv 0 2006-01-27 15:05 mapping-viv
781939 drwx------ 2 viv viv 4096 2006-01-27 15:31 orbit-viv
781922 drwx------ 2 viv viv 4096 2006-01-27 15:05 ssh-cnaOtj4013
781882 drwx------ 2 viv viv 4096 2006-01-27 15:05 ssh-SsCkUW4013
782263 -rw-r--r-- 1 viv viv 0 2006-01-27 15:49 \+Xy \+\8
Note: 782263 is the inode number.

(d) Use the find command to delete the file by inode:
Find and remove the file using the find command; type the command as follows:
$ find . -inum 782263 -exec rm -i {} \;
Note that you can also add a \ character before each special character in the filename to remove it directly, so the command would be:
$ rm "\+Xy \+\8"
If you have a file with a name like "2005/12/31", then no UNIX or Linux command can delete this file by name. The only way is to delete the file by its inode number. Linux or UNIX never allows creating a filename like 2005/12/31, but if you are using NFS from Mac OS or Windows then it is possible to create such a file.
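The same idea can be carried out without ever spelling the name on a command line. The following is an added example (not from the original article) that scans a directory, matches entries by inode number and device, and unlinks the match; `demo()` replays the page's walkthrough with the `\+Xy \+\8` file in a scratch directory. Like the page's `find . -inum`, it only makes sense within one filesystem, since inode numbers repeat across filesystems, so the device is checked as well.

```python
import os
import tempfile

def unlink_by_inode(directory, inode):
    """Remove the entry in `directory` whose inode number is `inode`.

    Scanning the directory and comparing st_ino sidesteps the shell-quoting
    problem entirely: the name is never typed. Inode numbers are unique only
    within one filesystem, so the entry must also be on the same device as
    `directory` (the page's `find . -inum` shares this limitation)."""
    dev = os.stat(directory).st_dev
    with os.scandir(directory) as entries:
        for entry in entries:
            st = entry.stat(follow_symlinks=False)
            if st.st_ino != inode or st.st_dev != dev:
                continue
            if entry.is_dir(follow_symlinks=False):
                raise IsADirectoryError(f"inode {inode} is a directory: {entry.path}")
            os.unlink(entry.path)
            return entry.name
    raise FileNotFoundError(f"no entry with inode {inode} in {directory}")

def demo(name="\\+Xy \\+\\8"):
    """Replay the page's walkthrough in a scratch directory: create the awkward
    name (the page's `touch "\\+Xy \\+\\8"`), look up its inode the way
    `ls -il` would, remove it by inode, and report whether it is gone."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, name)
        open(path, "w").close()
        inode = os.stat(path).st_ino
        removed = unlink_by_inode(tmp, inode)
        return {"inode": inode, "removed": removed,
                "still_exists": os.path.exists(path)}
```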

Reposted from: http://www.cyberciti.biz/tips/delete-remove-files-with-inode-number.html

Linux: How to delete a file securely

Recently we had a lot of discussion regarding this issue: how to remove files securely so that they cannot be undeleted. Peter Gutmann's paper "Secure Deletion of Data from Magnetic and Solid-State Memory" has very good information. Here are some commands/tools available under Debian GNU/Linux (they should work with other Linux distributions) to delete files securely.

srm: Securely remove files or directories
This command is a replacement for the rm command. It works under Linux/BSD/UNIX-like OSes. It removes each specified file by overwriting, renaming, and truncating it before unlinking. This prevents other people from undeleting or recovering any information about the file from the command line. Because it performs many operations on the file/directory for secure deletion, it also takes a long time to remove it. Download srm from http://sourceforge.net/projects/srm (an RPM file is also available for RPM-based Linux distributions).

i) Untar and install srm:

# ./configure
# make
# make install
ii) How to use srm?
srm syntax is like the rm command. Read man srm. Here is a simple example:

$ srm privateinfo.doc

wipe: A secure file wiping utility
Download wipe from http://wipe.sourceforge.net/
i) Untar and install wipe:

# ./configure
# make
# make install
ii) How to use wipe?

$ wipe filename

Read the man page of wipe for more information.

shred: Delete a file securely, first overwriting it to hide its contents.
It is available on most Linux distributions, including Debian GNU/Linux. To remove a file called personalinfo.tar.gz:

$ shred -n 200 -z -u personalinfo.tar.gz

Where,

-n: Overwrite N (200) times instead of the default (25)
-z: Add a final overwrite with zeros to hide shredding
-u: Truncate and remove the file after overwriting
Read the man page of shred(1) for more information. Most of these utilities are not effective (read: useless) if:

the file system is log-structured or journaled, such as JFS, ReiserFS, XFS, Ext3, etc.
your filesystem is RAID-based, a compressed filesystem, etc.
In addition, file system backups and remote mirrors may contain copies of the file that cannot be removed by these utilities.
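To make the shred options concrete, here is an added example (not the coreutils implementation) that performs the same sequence in Python: N overwrite passes of random data, an optional final zero pass (the -z option), then truncate and unlink (the -u option), with an fsync after every pass so the blocks actually reach the disk. `demo()` runs it on a constructed scratch file and reads the file back after the zero pass before finishing the removal. The caveat in the text applies unchanged: on journaled, compressed or RAID-backed filesystems, and wherever backups exist, older copies of the blocks can survive.

```python
import os
import tempfile

def shred_file(path, passes=3, zero=True, remove=True, chunk=1 << 16):
    """Overwrite `path` in place the way the page describes shred: `passes`
    passes of random data, a final pass of zeros if `zero` (shred -z), then
    truncate and unlink if `remove` (shred -u). Every pass is fsync'ed so the
    blocks are rewritten on disk, not only in the page cache. Returns the
    number of overwrite passes performed.

    On journaled, log-structured, compressed or RAID-backed filesystems, and
    wherever backups or mirrors exist, older copies of the data may survive."""
    size = os.path.getsize(path)
    patterns = [None] * passes + ([b"\x00"] if zero else [])
    with open(path, "r+b") as f:
        for pattern in patterns:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
        if remove:
            f.truncate(0)
            f.flush()
            os.fsync(f.fileno())
    if remove:
        os.unlink(path)
    return len(patterns)

def demo(passes=2):
    """Create a scratch file with recognisable content (constructed), overwrite
    it without removing to observe the zero pass, then truncate and unlink."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"personal data " * 5000)  # 70000 bytes, spans two chunks
    done = shred_file(path, passes=passes, zero=True, remove=False)
    with open(path, "rb") as f:
        after_zero = f.read()
    done += shred_file(path, passes=passes, zero=False, remove=True)
    return {"passes": done, "all_zero": not after_zero.strip(b"\x00"),
            "size_kept": len(after_zero) == 70000,
            "exists": os.path.exists(path)}
```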
See also:

Delete (remove) files with inode number – to remove special character filename

Reposted from: http://www.cyberciti.biz/tips/linux-how-to-delete-file-securely.html
