Week 7 Homework

1. Production DoS case: based on the web log or on the network connection count, monitor whether any single IP's concurrent connections or short-term PV reach 100; if so, call the firewall command to block that IP. Monitoring interval: every 5 minutes. Firewall command: iptables -A INPUT -s IP -j REJECT

The access_log file comes from the logs directory of the Linux basics part of the reference material. Network connection counts could not be simulated, so the web log was used.
For every 5-minute window in access_log, check whether any IP reaches 100 requests; if it does, add an iptables rule rejecting it. Two production notes: the assignment's -A appends the rule to the end of INPUT, so on a host that already has ACCEPT rules earlier in the chain (for established connections or for port 80, say) the REJECT would never be evaluated, and -I INPUT is the safer choice; and a real monitor would run from cron every 5 minutes over only the newest log lines, whereas the script below processes the whole historical log in fixed 300-second windows.

Command run: awk -f test.awk -F '[[ ]' -v tseconds=300 /root/access_log
Splitting on "[" and on spaces puts the client IP in $1 and the timestamp DD/Mon/YYYY:HH:MM:SS in $5 (the space before "[" yields an empty $4); tseconds is the window length in seconds.

Saved as test.awk:

#!/usr/bin/awk -f
# Run as: awk -f test.awk -F '[[ ]' -v tseconds=300 /root/access_log
# With -F '[[ ]' the client IP is $1 and the timestamp "DD/Mon/YYYY:HH:MM:SS" is $5
# (the space before "[" produces an empty $4).
# The log is cut into fixed windows of tseconds seconds; an IP whose request count
# inside one window reaches the threshold is written to the blocklist and rejected
# with iptables. Timestamps are compared as epoch seconds, not as formatted strings:
# a "DD-Month-YYYY HH:MM:SS" string does not sort chronologically, and the log's
# abbreviated month ("Oct") never equals strftime's "%B" ("October").

# Convert "DD/Mon/YYYY:HH:MM:SS" to epoch seconds with gawk's mktime();
# no date(1) process is spawned per line.
function epoch(ts,    p) {
    split(ts, p, /[\/:]/)    # p[1]=DD p[2]=Mon p[3]=YYYY p[4]=HH p[5]=MM p[6]=SS
    return mktime(p[3] " " mon[p[2]] " " p[1] " " p[4] " " p[5] " " p[6])
}

# Record the IP in the blocklist and add the REJECT rule only if it is not
# already present (-C); the close() flushes the file after every entry.
function block(ip, from, to, n) {
    printf "ConnectionTimes between %s and %s > %s %d\n",
        strftime("%d-%b-%Y %H:%M:%S", from), strftime("%d-%b-%Y %H:%M:%S", to), ip, n >> blocklist
    close(blocklist)
    if (system("iptables -C INPUT -s " ip " -j REJECT > /dev/null 2>&1") != 0)
        system("iptables -A INPUT -s " ip " -j REJECT")
}

# BEGIN runs once before the first line: defaults, month-name table,
# create (or truncate) the blocklist file.
BEGIN {
    if (tseconds == "") tseconds = 300
    threshold = 100
    blocklist = "/root/firewallblocklist.txt"
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
    for (i in m) mon[m[i]] = i
    printf "" > blocklist
    close(blocklist)
}

{
    if ($5 == "") next           # not an access_log line
    t = epoch($5)
    # First line, or a timestamp past the current window: open a new window
    # starting at this request and drop the counts, which belong to the old one.
    if (NR == 1 || t > max) {
        min = t
        max = t + tseconds
        delete count
    }
    # Requests are counted per client IP ($1); at the threshold the IP is blocked.
    count[$1]++
    if (count[$1] == threshold)
        block($1, min, max, count[$1])
}

END {
    # Per-IP counts of the last window
    for (ip in count) print ip, count[ip]
}

1.1 Result after running

[root@centos8mini ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  172.16.101.197       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.16.102.29        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.111.243       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.101.149       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.16.101.125       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.101.171       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.18.118.159       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.109.196       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.16.102.48        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.73.73         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.107.134       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.108.6         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.101.165       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.112.9         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.111.94        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.10.10         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.18.118.160       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.37.22         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.0.222         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.112.14        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.108.10        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.18.118.127       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.0.199         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.230       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.228       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.101.110       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.1.125         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.109.91        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.0.76          anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.225       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.223       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.18.119.149       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.224       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.18.119.151       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.9.51          anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.18.119.153       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.220       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.215       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.208       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.0.227         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.65.65         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.195       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.209       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.191       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.0.144         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.205       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.194       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.0.200         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.187       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.189       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.182       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.183       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.200       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.179       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.186       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.184       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.0.44          anywhere             reject-with icmp-port-unreachable
REJECT     all  --  172.20.116.174       anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@centos8mini ~]# 
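The task also allows the other monitoring source, the current network connection count per client, which the post skipped because it could not be simulated. The following is an added example, not code from the original post: it takes the output format of `ss -Hnt` (columns State, Recv-Q, Send-Q, Local:Port, Peer:Port), counts ESTAB connections per remote address, and reports the peers at or above a threshold. The functions read from stdin so they can be run against a captured sample; the sample lines and their addresses are constructed for this example, and the block_ip helper (assumed name) is only defined, not run.

```shell
#!/bin/sh
# Added example: connection-count variant of the DoS check, fed with `ss -Hnt` output.

# Print "count peer" per remote address for ESTAB connections, highest first.
peer_counts() {
    awk '$1 == "ESTAB" {
        peer = $5                        # Peer Address:Port
        sub(/:[0-9]+$/, "", peer)        # drop the port
        sub(/^\[/, "", peer)             # drop IPv6 brackets, e.g. [::1]
        sub(/\]$/, "", peer)
        n[peer]++
    }
    END { for (p in n) print n[p], p }' | sort -rn
}

# Print the peers whose connection count reached the threshold given as $1.
offenders() {
    peer_counts | awk -v max="$1" '$1 >= max { print $2 }'
}

# Add the REJECT rule once. -I rather than the task's -A so the rule lands before
# any earlier ACCEPT rule in INPUT; -C makes repeated runs idempotent.
block_ip() {
    iptables -C INPUT -s "$1" -j REJECT 2>/dev/null ||
        iptables -I INPUT -s "$1" -j REJECT
}

# Constructed sample in `ss -Hnt` layout (not captured from a real host).
SAMPLE_SS='ESTAB 0 0 10.0.0.5:80 172.20.116.174:51234
ESTAB 0 0 10.0.0.5:80 172.20.116.174:51235
ESTAB 0 0 10.0.0.5:80 172.20.116.174:51236
ESTAB 0 0 10.0.0.5:22 172.20.0.44:60000
TIME-WAIT 0 0 10.0.0.5:80 172.20.0.44:60001
ESTAB 0 0 [::1]:80 [::1]:40000'

# Against the sample with threshold 3 only 172.20.116.174 is reported;
# the TIME-WAIT line is ignored because it is not an established connection.
printf '%s\n' "$SAMPLE_SS" | offenders 3

# Live use as root, e.g. from a cron entry "*/5 * * * *":
# ss -Hnt | offenders 100 | while read -r ip; do block_ip "$ip"; done
```

The threshold of 100 is the task's value; on a busy site a single NAT gateway or proxy can legitimately hold that many connections, so the offenders list is worth reviewing before it is wired straight into iptables.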

2. Describe the key exchange process

2.1 Exchange using asymmetric encryption

Pa(symmetric key): the sender encrypts the symmetric key with the receiver's public key; the receiver decrypts it with its own private key and obtains the symmetric key. Only the holder of the private key can recover it, so the exchange is only as secure as the sender's knowledge that the public key really belongs to the receiver (normally established through a certificate); otherwise a man in the middle can substitute a public key of their own.

2.2 Key exchange with the DH algorithm

  1. A and B agree on the public values g=23 and prime p=17 (toy values: in practice p is a large prime of at least 2048 bits and g is a generator with 1 < g < p; since 23 ≡ 6 mod 17, using 23 here changes nothing in the arithmetic)
  2. A and B each pick a private value, a=6 and b=13, with a, b < p
  3. A computes g^a mod p = 8 and B computes g^b mod p = 10; each sends its result to the other
  4. From what it received, A computes (g^b mod p)^a mod p = 9 and B computes (g^a mod p)^b mod p = 9
  5. Both sides have effectively computed g^(ab) mod p, so both ends arrive at the same value; it is used as the symmetric key and the exchange is complete. An eavesdropper sees g, p, 8 and 10 but would have to solve a discrete logarithm to recover a or b.
[root@centos8mini ~]# g=23
[root@centos8mini ~]# p=17
[root@centos8mini ~]# a=6
[root@centos8mini ~]# b=13
[root@centos8mini ~]# echo 23^6%17|bc
8
[root@centos8mini ~]# echo 23^13%17|bc
10
[root@centos8mini ~]# echo 8^13%17|bc
9
[root@centos8mini ~]# echo 10^6%17|bc
9
[root@centos8mini ~]# 

3. The HTTPS communication process

(image.png: handshake diagram, not included in the text)

1) The server applies to a certificate authority for a certificate;

2) When a client visits the HTTPS site through a browser, the server sends its certificate to the client, and the client checks that the certificate is valid

  • issued by a trusted CA (the chain verifies up to a root in the browser's trust store), within its validity period, and matching the host name being visited

3) If the certificate is valid, the client's browser generates a random Key and encrypts it with the certificate's public key, Ps(Key)

4) The server decrypts it with its own private key and obtains Key;

5) Both sides then encrypt and decrypt the following traffic with this symmetric Key. This is the RSA key transport used in TLS 1.2 and earlier; TLS 1.3 instead derives the session key from an ephemeral (EC)DH exchange and uses the certificate's key only to sign the handshake, so a later compromise of the server's private key does not expose recorded sessions.
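The key transport described in 2.1 and in steps 3 to 5 above, carried out with the openssl command line, as an added example that is not part of the original post. The server's RSA key pair stands in for the certificate's key; the client generates a random 32-byte session key and encrypts it to the server's public key with RSA-OAEP; only the private key recovers it, after which both sides use it for AES-256-CBC. File names, the scratch directory and the helper names keys_match and server_decrypt are assumptions of this example; the IV is sent in the clear here purely to keep the example short, and real TLS derives its keys and IVs from the exchanged secret rather than sending it as-is.

```shell
#!/bin/sh
# Added example: RSA key transport plus symmetric encryption with the openssl CLI.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Step 1 (server): key pair; the public half is what the certificate would carry.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/server.key" 2>/dev/null
openssl pkey -in "$work/server.key" -pubout -out "$work/server.pub"

# Step 3 (client): random session key (64 hex chars), encrypted with the server's public key.
openssl rand -hex 32 > "$work/session.key"
openssl pkeyutl -encrypt -pubin -inkey "$work/server.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$work/session.key" -out "$work/session.key.enc"

# Step 4 (server): recover the session key with the private key.
openssl pkeyutl -decrypt -inkey "$work/server.key" \
    -pkeyopt rsa_padding_mode:oaep -in "$work/session.key.enc" -out "$work/session.key.srv"

# True when the server holds exactly the key the client generated.
keys_match() {
    [ "$(cat "$work/session.key")" = "$(cat "$work/session.key.srv")" ]
}

# Step 5: bulk traffic under the shared key. The client encrypts a request
# with its copy of the key; the server decrypts it with the recovered copy.
IV=$(openssl rand -hex 16)
printf 'GET / HTTP/1.1\r\n' | openssl enc -aes-256-cbc \
    -K "$(cat "$work/session.key")" -iv "$IV" -out "$work/request.bin"

server_decrypt() {
    openssl enc -d -aes-256-cbc -K "$(cat "$work/session.key.srv")" -iv "$IV" -in "$work/request.bin"
}

keys_match && echo "session key recovered by the server"
server_decrypt
```

Anyone who captures session.key.enc and request.bin learns nothing without server.key; that is also why this scheme lacks forward secrecy, since a stolen server.key decrypts every recorded session key.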

4. Use awk with a colon as the separator to get the first column of /etc/passwd

How can this question differ so much in difficulty from question 1?

awk -F: '{print $1}' /etc/passwd