linux应急响应常用命令

端口查看
netstat -anplt | more

?

查看进程:
ps -ef
ps aux
ps aux | grep pid


定时任务查看
crontab

?


查看文件
cat file全显示
head -5 file //显示前5行
tail -5 file //显示后5行

?

?
?
?

t00ls大佬分享的技巧
1、定位有多少IP在爆破主机的root帐号:
grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

?

定位有哪些IP在爆破: 
grep "Failed password" /var/log/secure|grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|uniq -c 

?


爆破用户名字典是什么?
grep "Failed password" /var/log/secure|perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}'|uniq -c|sort -nr 

?


2、登录成功的IP有哪些:
grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more 

?


登录成功的日期、用户名、IP:
grep "Accepted " /var/log/secure | awk '{print $1,$2,$3,$9,$11}' 

文章来源:https://www.jianshu.com/p/b1962c7a3c0d

猜你喜欢

转载自www.cnblogs.com/wodekaifalog/p/11546443.html