https://liangweidonggood.github.io/tags/%E7%94%A8%E6%88%B7%E7%AE%A1%E7%90%86/Recent content in 用户管理 on Liangweidong's blogHugo -- gohugo.iozh-cnFri, 15 Mar 2019 00:00:00 +0800https://liangweidonggood.github.io/p/linux-yong-hu-guan-li-yu-an-quan-jia-gu-2019/Fri, 15 Mar 2019 00:00:00 +0800https://liangweidonggood.github.io/p/linux-yong-hu-guan-li-yu-an-quan-jia-gu-2019/<img src="https://liangweidonggood.github.io/p/linux-yong-hu-guan-li-yu-an-quan-jia-gu-2019/image/cover.jpg" alt="Featured image of post Linux 用户管理与安全加固：账号管理、登录审计、chattr 防删与定时任务" /><h2 id="一为什么是-2019-年这一份">一、为什么是 2019 年这一份 </h2><p>2019 年这个时间点前后，Linux 服务器安全进入&quot;主动防御&quot;阶段：</p> <ul> <li><strong>sshd 密码爆破</strong>已经是常态，单一 IP 每分钟几千次尝试</li> <li><strong>挖矿病毒</strong>大规模爆发（2017-2019 持续增长），<code>chattr +i</code> 防删成为应急标配</li> <li><strong>Linux 用户管理</strong>的工具集基本稳定：useradd / usermod / userdel / passwd / last / lastlog</li> <li><strong>systemd</strong> 全面接管服务管理，crontab 仍有&quot;定时任务&quot;位置但已被 systemd timer 部分替代</li> </ul> <p>这一篇<strong>覆盖用户账号管理、登录审计、异常文件排查、chattr 防删与挖矿应急、cron 故障排查</strong>——一个系统管理员面对&quot;被入侵后该怎么排查&quot;的全套流程。</p> <blockquote> <p><strong>阅读建议</strong>：本文是&quot;应急手册&quot;性质——日常不需要看，但出事时<strong>第一份要翻的文档</strong>。</p> </blockquote> <h2 id="二用户账号管理">二、用户账号管理 </h2><h3 id="21-查用户信息">2.1 查用户信息 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 后面第二个冒号的值大于 1000 时，这个就是一个普通用户</span> </span></span><span class="line"><span class="cl">cat /etc/passwd <span class="p">|</span> cut -d: -f 1-3 </span></span><span class="line"><span class="cl"><span class="c1"># dell:x:1000</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 各用户最近登录</span> </span></span><span class="line"><span class="cl">lastlog </span></span><span class="line"><span class="cl"><span class="c1"># 用户名 端口 来自 最后登录时间</span> </span></span><span class="line"><span class="cl"><span class="c1"># root pts/0 &lt;IP&gt; 三 12月 13 08:36:29 +0800 2023</span> </span></span><span class="line"><span class="cl"><span class="c1"># dell pts/0 &lt;IP&gt; 二 12月 12 21:07:11 +0800 2023</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 更新指定用户密码</span> </span></span><span class="line"><span class="cl">passwd dell </span></span><span class="line"><span class="cl"><span class="c1"># 新的密码：</span> </span></span><span class="line"><span class="cl"><span class="c1"># 重新输入新的密码：</span> </span></span><span class="line"><span class="cl"><span class="c1"># passwd：已成功更新密码</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="22-删除用户">2.2 删除用户 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 仅删除用户（保留家目录）</span> </span></span><span class="line"><span class="cl">userdel username </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 删除用户并删除家目录</span> </span></span><span class="line"><span class="cl">userdel -r username </span></span></code></pre></td></tr></table> </div> </div><h3 id="23-切换用户不可用时">2.3 切换用户不可用时 </h3><p>如果某个用户 SSH 进去后 <code>su</code> 切不到，可能是 shell 被改成 <code>/sbin/nologin</code>：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 方法一</span> </span></span><span class="line"><span class="cl">usermod -s /bin/bash root </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 方法二：直接编辑 /etc/passwd</span> </span></span><span class="line"><span class="cl">vi /etc/passwd </span></span><span class="line"><span class="cl"><span class="c1"># 找到要修改的用户，将 /sbin/nologin 改成 /bin/bash</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="三登录审计被入侵后的第一件事">三、登录审计：被入侵后的第一件事 </h2><h3 id="31-查特权用户">3.1 查特权用户 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># UID = 0 的都是 root 等价账号</span> </span></span><span class="line"><span class="cl">awk -F <span class="s2">&#34;:&#34;</span> <span class="s1">&#39;$3==0{print $1}&#39;</span> /etc/passwd </span></span></code></pre></td></tr></table> </div> </div><h3 id="32-查可远程登录的账号">3.2 查可远程登录的账号 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 密码字段是 $1（MD5）/ $5（SHA-256）/ $6（SHA-512）的都有密码</span> </span></span><span class="line"><span class="cl">awk <span class="s1">&#39;/\$1|\$6/{print $1}&#39;</span> /etc/shadow </span></span></code></pre></td></tr></table> </div> </div><h3 id="33-查当前登录用户">3.3 查当前登录用户 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">w </span></span><span class="line"><span class="cl"><span class="c1"># 显示当前登录用户和他们正在执行的命令</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="34-查最近登录">3.4 查最近登录 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">last </span></span><span class="line"><span class="cl"><span class="c1"># 显示所有用户的登录/注销信息 + 系统的启动/重启/关机事件</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="35-查登录成功的记录">3.5 查登录成功的记录 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 从 /var/log/secure 提取 Accepted 行</span> </span></span><span class="line"><span class="cl">grep <span class="s2">&#34;Accepted &#34;</span> /var/log/secure* <span class="p">|</span> awk <span class="s1">&#39;{print $1,$2,$3,$9,$11}&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="36-查爆破-ip">3.6 查爆破 IP </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 查 sshd 拒绝的 IP</span> </span></span><span class="line"><span class="cl">grep refused /var/log/secure* <span class="p">|</span> awk <span class="o">{</span><span class="s1">&#39;print $9&#39;</span><span class="o">}</span> <span class="p">|</span> sort <span class="p">|</span> uniq -c <span class="p">|</span> sort -nr <span class="p">|</span> more </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查 Failed password 的 IP</span> </span></span><span class="line"><span class="cl">grep <span class="s2">&#34;Failed password&#34;</span> /var/log/secure* <span class="p">|</span> grep -E -o <span class="s2">&#34;(([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3}))&#34;</span> <span class="p">|</span> uniq -c </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查爆破 root 的 IP</span> </span></span><span class="line"><span class="cl">grep <span class="s2">&#34;Failed password for root&#34;</span> /var/log/secure <span class="p">|</span> awk <span class="s1">&#39;{print $11}&#39;</span> <span class="p">|</span> sort </span></span></code></pre></td></tr></table> </div> </div><h3 id="37-查爆破的用户名字典">3.7 查爆破的用户名字典 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">grep <span class="s2">&#34;Failed password&#34;</span> /var/log/secure <span class="p">|</span> awk <span class="o">{</span><span class="s1">&#39;print $9&#39;</span><span class="o">}</span> <span class="p">|</span> sort <span class="p">|</span> uniq -c <span class="p">|</span> sort -nr </span></span></code></pre></td></tr></table> </div> </div><h2 id="四异常文件排查">四、异常文件排查 </h2><h3 id="41-查-cron-是否有恶意脚本">4.1 查 cron 是否有恶意脚本 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 检查所有 cron 文件</span> </span></span><span class="line"><span class="cl">/var/spool/cron/* </span></span><span class="line"><span class="cl">/etc/crontab </span></span><span class="line"><span class="cl">/etc/cron.d/* </span></span><span class="line"><span class="cl">/etc/cron.daily/* </span></span><span class="line"><span class="cl">/etc/cron.hourly/* </span></span><span class="line"><span class="cl">/etc/cron.monthly/* </span></span><span class="line"><span class="cl">/etc/cron.weekly/* </span></span><span class="line"><span class="cl">/etc/anacrontab </span></span><span class="line"><span class="cl">/var/spool/anacron/* </span></span></code></pre></td></tr></table> </div> </div><h3 id="42-查最近被修改的系统文件">4.2 查最近被修改的系统文件 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">find /etc/ /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ <span class="se">\ </span></span></span><span class="line"><span class="cl"> -type f -mtime -T <span class="p">|</span> xargs ls -la </span></span></code></pre></td></tr></table> </div> </div> <blockquote> <p><strong><code>-T</code> 是要替换的天数</strong>。比如 <code>-mtime -7</code> 是 7 天内被修改的文件。</p> </blockquote> <h3 id="43-查最近被替换的命令">4.3 查最近被替换的命令 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 按时间排序</span> </span></span><span class="line"><span class="cl">ls -alt /usr/bin /usr/sbin /bin /usr/local/bin </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 用 rpm 校验包内文件（CentOS/RHEL）</span> </span></span><span class="line"><span class="cl">rpm -Va &gt; rpm.log </span></span><span class="line"><span class="cl"><span class="c1"># 重点看 S、M、5、T 标记异常的</span> </span></span><span class="line"><span class="cl"><span class="c1"># S - 文件大小变化</span> </span></span><span class="line"><span class="cl"><span class="c1"># M - 模式变化（含权限）</span> </span></span><span class="line"><span class="cl"><span class="c1"># 5 - MD5 校验和变化</span> </span></span><span class="line"><span class="cl"><span class="c1"># T - 修改时间变化</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="44-查异常开机启动项">4.4 查异常开机启动项 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat /etc/rc.local </span></span><span class="line"><span class="cl">chkconfig --list <span class="c1"># CentOS 6</span> </span></span><span class="line"><span class="cl">systemctl list-unit-files --type<span class="o">=</span>service <span class="c1"># CentOS 7+</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="五查杀病毒和-rootkit">五、查杀病毒和 rootkit </h2><table> <thead> <tr> <th>工具</th> <th>用途</th> <th>下载</th> </tr> </thead> <tbody> <tr> <td><code>chkrootkit</code></td> <td>查杀 rootkit</td> <td><a class="link" href="http://www.chkrootkit.org" target="_blank" rel="noopener" >http://www.chkrootkit.org</a></td> </tr> <tr> <td><code>rkhunter</code></td> <td>查杀 rootkit</td> <td><a class="link" href="http://rkhunter.sourceforge.net" target="_blank" rel="noopener" >http://rkhunter.sourceforge.net</a></td> </tr> <tr> <td><code>clamav</code></td> <td>查杀病毒</td> <td><a class="link" href="http://www.clamav.net/download.html" target="_blank" rel="noopener" >http://www.clamav.net/download.html</a></td> </tr> <tr> <td><code>cloudwalker</code></td> <td>查杀 webshell</td> <td><a class="link" href="http://github.com/chaitin/cloudwalker" target="_blank" rel="noopener" >http://github.com/chaitin/cloudwalker</a></td> </tr> </tbody> </table> <h2 id="六挖矿病毒应急chattr-i-防删与解除">六、挖矿病毒应急：<code>chattr +i</code> 防删与解除 </h2><h3 id="61-现象文件无法删除">6.1 现象：文件无法删除 </h3><p>挖矿病毒感染后常见现象：自己生成的 SSH 公钥、cron 文件、挖矿程序二进制都&quot;加锁&quot;了，<code>rm</code> 删不掉。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 找挖矿进程</span> </span></span><span class="line"><span class="cl">top </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 找到 exe 路径</span> </span></span><span class="line"><span class="cl">ls -l /proc/&lt;pid&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 查属性（有 i / a 之类的是被锁住了）</span> </span></span><span class="line"><span class="cl">lsattr 文件名 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 添加属性（之后 rm 删不掉）</span> </span></span><span class="line"><span class="cl">chattr -R +i ./test* </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 删除属性（运行完下面就能删了）</span> </span></span><span class="line"><span class="cl">chattr -R -i ./test* </span></span></code></pre></td></tr></table> </div> </div><h3 id="62-全局清理流程">6.2 全局清理流程 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 1. 杀进程</span> </span></span><span class="line"><span class="cl">ps aux <span class="p">|</span> grep -v grep <span class="p">|</span> grep 挖矿进程名 <span class="p">|</span> awk <span class="s1">&#39;{print $2}&#39;</span> <span class="p">|</span> xargs <span class="nb">kill</span> -9 </span></span><span class="line"><span class="cl"><span class="c1"># 或</span> </span></span><span class="line"><span class="cl">pkill -9 -f 挖矿特征 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 2. 删用户（带 -r 清空家目录）</span> </span></span><span class="line"><span class="cl">pkill -u 挖矿用户名 <span class="o">&amp;&amp;</span> userdel -f 挖矿用户名 </span></span><span class="line"><span class="cl">rm -rf /home/挖矿用户名 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 3. 查 SSH 登录的挖矿用户进程</span> </span></span><span class="line"><span class="cl">netstat -antp <span class="p">|</span> grep sshd </span></span><span class="line"><span class="cl"><span class="c1"># 拿到 PID</span> </span></span><span class="line"><span class="cl">ps -ef <span class="p">|</span> grep ssh <span class="p">|</span> grep -v grep <span class="p">|</span> awk <span class="s1">&#39;{print $2}&#39;</span> <span class="p">|</span> xargs <span class="nb">kill</span> -9 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 4. 查可登录的 shell</span> </span></span><span class="line"><span class="cl">cat /etc/passwd <span class="p">|</span> grep -v nologin <span class="p">|</span> grep -v halt <span class="p">|</span> grep -v shutdown <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> awk -F<span class="s2">&#34;:&#34;</span> <span class="s1">&#39;{ print $1&#34;|&#34;$3&#34;|&#34;$4 }&#39;</span> <span class="p">|</span> more </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 5. 改 root 密码</span> </span></span><span class="line"><span class="cl">passwd root </span></span></code></pre></td></tr></table> </div> </div><h3 id="63-查-sshd-上的可疑连接">6.3 查 sshd 上的可疑连接 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 当前仍在线的</span> </span></span><span class="line"><span class="cl">last -a <span class="p">|</span> grep -i still </span></span><span class="line"><span class="cl"><span class="c1"># root pts/0 Thu Jul 18 05:40 still logged in &lt;IP&gt;</span> </span></span><span class="line"><span class="cl"><span class="c1"># reboot system boot Sat Jul 6 07:23 still running 5.15.0-113-generic</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 用 ss / netstat</span> </span></span><span class="line"><span class="cl">ss <span class="p">|</span> grep -i ssh </span></span><span class="line"><span class="cl"><span class="c1"># tcp ESTAB 0 64 &lt;本机&gt;:ssh &lt;攻击者IP&gt;:2316</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">netstat -tnpa <span class="p">|</span> grep <span class="s1">&#39;ESTABLISHED.*sshd&#39;</span> </span></span><span class="line"><span class="cl"><span class="c1"># tcp 0 0 &lt;本机&gt;:22 &lt;攻击者IP&gt;:2316 ESTABLISHED &lt;pid&gt;/sshd: root@</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="64-查进程工作目录">6.4 查进程工作目录 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ps -ef <span class="p">|</span> grep ssh </span></span><span class="line"><span class="cl">pwdx &lt;pid&gt; </span></span><span class="line"><span class="cl">ll /proc/&lt;pid&gt;/cwd </span></span></code></pre></td></tr></table> </div> </div><h2 id="七docker-stats-查容器资源占用">七、docker stats 查容器资源占用 </h2><p>挖矿病毒有时会跑在容器里：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 按内存排序</span> </span></span><span class="line"><span class="cl">docker stats --no-stream --format <span class="s2">&#34;table {{.Name}}\t{{.Container}}\t{{.MemUsage}}&#34;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> sort -k <span class="m">3</span> -h </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 按内存逆序</span> </span></span><span class="line"><span class="cl">docker stats --no-stream --format <span class="s2">&#34;table {{.Name}}\t{{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}&#34;</span> <span class="p">|</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> sed <span class="s1">&#39;1d&#39;</span> <span class="p">|</span> sort -k <span class="m">4</span> -h -r </span></span></code></pre></td></tr></table> </div> </div><h2 id="八定时任务不生效的排查">八、定时任务不生效的排查 </h2><p>cron 任务&quot;配了不跑&quot;是常见故障，按以下顺序排查：</p> <h3 id="81-权限问题">8.1 权限问题 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">chmod +x /home/docker/mysql/mysqlbak.sh </span></span></code></pre></td></tr></table> </div> </div><h3 id="82-时区问题">8.2 时区问题 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 看时区</span> </span></span><span class="line"><span class="cl">date </span></span><span class="line"><span class="cl">timedatectl </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 改时区</span> </span></span><span class="line"><span class="cl">timedatectl set-timezone Asia/Shanghai </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 同步时区文件</span> </span></span><span class="line"><span class="cl">cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime </span></span></code></pre></td></tr></table> </div> </div><h3 id="83-服务状态">8.3 服务状态 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">systemctl status cron </span></span><span class="line"><span class="cl">systemctl status crond </span></span></code></pre></td></tr></table> </div> </div><h3 id="84-看日志">8.4 看日志 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># /var/log/cron 不存在？打开 rsyslog 记录</span> </span></span><span class="line"><span class="cl">vim /etc/rsyslog.d/50-default.conf </span></span><span class="line"><span class="cl">cron.* /var/log/cron.log </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 重启 rsyslog</span> </span></span><span class="line"><span class="cl">systemctl restart rsyslog </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 看 cron 日志</span> </span></span><span class="line"><span class="cl">less -10 /var/log/cron.log </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 重载</span> </span></span><span class="line"><span class="cl">service cron reload </span></span></code></pre></td></tr></table> </div> </div><h3 id="85-ubuntu-的-authlog-噪声">8.5 Ubuntu 的 auth.log 噪声 </h3><p>Ubuntu 经常有大量 <code>CRON</code> 噪音日志刷屏：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 打开 /etc/pam.d/common-session-noninteractive</span> </span></span><span class="line"><span class="cl"><span class="c1"># 找到这一行</span> </span></span><span class="line"><span class="cl"><span class="c1"># session required pam_unix.so</span> </span></span><span class="line"><span class="cl"><span class="c1"># 在上面加一行</span> </span></span><span class="line"><span class="cl">session <span class="o">[</span><span class="nv">success</span><span class="o">=</span><span class="m">1</span> <span class="nv">default</span><span class="o">=</span>ignore<span class="o">]</span> pam_succeed_if.so service in cron quiet use_uid </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 重启 cron</span> </span></span><span class="line"><span class="cl">/etc/init.d/cron restart </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 清空日志</span> </span></span><span class="line"><span class="cl">cat /dev/null &gt; /var/log/auth.log </span></span></code></pre></td></tr></table> </div> </div><h2 id="九用户清理离职交接">九、用户清理（离职交接） </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 1. 列出当前所有可登录账号</span> </span></span><span class="line"><span class="cl">cat /etc/passwd <span class="p">|</span> grep -v nologin <span class="p">|</span> grep -v <span class="nb">false</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 2. 杀该用户的所有进程</span> </span></span><span class="line"><span class="cl">pkill -u username </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 3. 删用户 + 清空家目录</span> </span></span><span class="line"><span class="cl">userdel -r username </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 4. 验证</span> </span></span><span class="line"><span class="cl">id username </span></span><span class="line"><span class="cl">ls -la /home/username </span></span></code></pre></td></tr></table> </div> </div><h2 id="十安全基线检查清单">十、安全基线检查清单 </h2><table> <thead> <tr> <th>检查项</th> <th>命令</th> </tr> </thead> <tbody> <tr> <td>特权用户</td> <td><code>awk -F&quot;:&quot; '$3==0{print $1}' /etc/passwd</code></td> </tr> <tr> <td>空密码账号</td> <td><code>awk -F: '($2 == &quot;&quot;) {print $1}' /etc/shadow</code></td> </tr> <tr> <td>最近 7 天被改的文件</td> <td><code>find /etc /usr -mtime -7 -ls</code></td> </tr> <tr> <td>异常 cron</td> <td><code>ls -la /etc/cron.* /var/spool/cron/</code></td> </tr> <tr> <td>SSH 端口暴露</td> <td>`ss -tnlp</td> </tr> <tr> <td>防火墙</td> <td><code>iptables -L -n</code></td> </tr> <tr> <td>登录失败次数</td> <td>`lastb</td> </tr> <tr> <td>公开密钥</td> <td><code>find / -name &quot;authorized_keys&quot; -ls 2&gt;/dev/null</code></td> </tr> </tbody> </table> <h2 id="十一前置知识--下一步">十一、前置知识 / 下一步 </h2><ul> <li>想看 iptables / ufw 防火墙配置 → 翻独立文章</li> <li>想看 fail2ban 防爆破 → 翻独立文章</li> <li>想看 GVM 漏洞扫描 → 翻本系列《Linux 安全：挖矿病毒与漏洞扫描》</li> <li>想看日志集中分析（ELK / Loki）→ 翻独立文章</li> <li>想看 SELinux / AppArmor → 翻独立文章</li> </ul> <h2 id="十二参考资源">十二、参考资源 </h2><ul> <li><code>man useradd</code> / <code>man usermod</code> / <code>man userdel</code> / <code>man passwd</code></li> <li><code>man last</code> / <code>man lastlog</code> / <code>man w</code></li> <li><code>man chattr</code> / <code>man lsattr</code></li> <li><code>man cron</code> / <code>man crontab</code> / <code>man at</code></li> <li>Linux 服务器安全基线（等保 2.0）：<a class="link" href="https://www.djbh.net/" target="_blank" rel="noopener" >https://www.djbh.net/</a> 等</li> <li>ATT&amp;CK for Linux：<a class="link" href="https://attack.mitre.org/matrices/enterprise/linux/" target="_blank" rel="noopener" >https://attack.mitre.org/matrices/enterprise/linux/</a></li> </ul> <hr> <h2 id="2024-视角用户管理与安全加固的现代姿势">2024 视角：用户管理与安全加固的&quot;现代姿势&quot; </h2><p>2019 那篇是单台服务器安全加固的速查。<strong>2024 在云原生 + 等保 2.0 + 零信任</strong>背景下，思路有几处大变化。</p> <h3 id="一systemd-替代-crontab定时任务领域">一、systemd 替代 crontab（&ldquo;定时任务&quot;领域） </h3><ul> <li>2019 那篇大段讲 cron 故障排查。<strong>2024 主流做法</strong>是 <strong>systemd timer</strong>（journal 日志统一管理 + 资源隔离）：</li> <li><strong>迁移案例</strong>：</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="c1"># /etc/systemd/system/backup.service</span> </span></span><span class="line"><span class="cl"><span class="k">[Unit]</span> </span></span><span class="line"><span class="cl"><span class="na">Description</span><span class="o">=</span><span class="s">数据库备份</span> </span></span><span class="line"><span class="cl"><span class="na">Wants</span><span class="o">=</span><span class="s">backup.timer</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[Service]</span> </span></span><span class="line"><span class="cl"><span class="na">Type</span><span class="o">=</span><span class="s">oneshot</span> </span></span><span class="line"><span class="cl"><span class="na">User</span><span class="o">=</span><span class="s">backup</span> </span></span><span class="line"><span class="cl"><span class="na">ExecStart</span><span class="o">=</span><span class="s">/home/backup/db-backup.sh</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># /etc/systemd/system/backup.timer</span> </span></span><span class="line"><span class="cl"><span class="k">[Unit]</span> </span></span><span class="line"><span class="cl"><span class="na">Description</span><span class="o">=</span><span class="s">每天 03:00 跑备份</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[Timer]</span> </span></span><span class="line"><span class="cl"><span class="na">OnCalendar</span><span class="o">=</span><span class="s">*-*-* 03:00:00</span> </span></span><span class="line"><span class="cl"><span class="na">Persistent</span><span class="o">=</span><span class="s">true</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">[Install]</span> </span></span><span class="line"><span class="cl"><span class="na">WantedBy</span><span class="o">=</span><span class="s">timers.target</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">systemctl daemon-reload </span></span><span class="line"><span class="cl">systemctl <span class="nb">enable</span> --now backup.timer </span></span><span class="line"><span class="cl">systemctl list-timers </span></span></code></pre></td></tr></table> </div> </div><h3 id="二varlogsecure-改名--journald">二、<code>/var/log/secure</code> 改名 → journald </h3><ul> <li>2019 那篇所有&quot;看 <code>secure</code> / <code>wtmp</code> / <code>btmp</code>&ldquo;的命令，<strong>在 RHEL 8/9、Ubuntu 22.04+</strong> 都用 journald 替代：</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># SSH 登录成功</span> </span></span><span class="line"><span class="cl">journalctl -u sshd -g <span class="s2">&#34;Accepted publickey&#34;</span> --since <span class="s2">&#34;1 day ago&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># SSH 登录失败</span> </span></span><span class="line"><span class="cl">journalctl -u sshd -g <span class="s2">&#34;Failed password&#34;</span> --since <span class="s2">&#34;1 hour ago&#34;</span> -o json <span class="p">|</span> jq -r <span class="s1">&#39;.__REALTIME_TIMESTAMP as $t | .MESSAGE&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 实时跟踪</span> </span></span><span class="line"><span class="cl">journalctl -u sshd -f </span></span></code></pre></td></tr></table> </div> </div><ul> <li><code>/var/log/btmp</code> 这种二进制日志（<code>lastb</code> 用）保留，但<strong>默认写到 journal</strong>，需要 <code>journalctl --list-boots</code> + <code>last -f /var/log/wtmp</code>。</li> </ul> <h3 id="三密码爆破的现代对抗fail2ban--crowdsec">三、密码爆破的&quot;现代对抗&rdquo;：fail2ban → CrowdSec </h3><ul> <li>2019 那篇给的 fail2ban 仍是有效工具。</li> <li><strong>2024 主流</strong>：<strong>CrowdSec</strong>（Go 写的现代版 fail2ban）——<strong>社区共享 IP 黑名单</strong>：</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 装</span> </span></span><span class="line"><span class="cl">curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh <span class="p">|</span> sudo bash </span></span><span class="line"><span class="cl">sudo apt install crowdsec </span></span><span class="line"><span class="cl">sudo apt install crowdsec-firewall-bouncer-iptables </span></span><span class="line"><span class="cl"><span class="c1"># 自动接管 SSH/Nginx/Apache 防护</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>优势</strong>：通过 bouncer 把攻击 IP 报到中心服务器，<strong>整个社区的人都在用同一个黑名单</strong>。</li> <li><strong>fail2ban 还在用</strong>，但 2024 越来越多部署同时跑 <code>fail2ban</code>（老牌稳）+ <code>CrowdSec</code>（社区黑名单）。</li> </ul> <h3 id="四挖矿病毒对抗-2024-升级版">四、挖矿病毒对抗 2024 升级版 </h3><p>2019 那篇给的&quot;挖矿进程 → <code>chattr +i</code> 防删 → pkill&quot;流程在 2024 仍管用，但挖矿病毒<strong>已经升级</strong>：</p> <ul> <li><strong>rootkit 隐藏</strong>：用 <code>LD_PRELOAD</code> 替换系统调用，让 <code>top</code> / <code>ps</code> 看不到。</li> <li><strong>容器逃逸</strong>：挖矿病毒跑在容器里，<strong>宿主机 <code>top</code> 看不到</strong>。</li> <li><strong>K8s 挖矿</strong>：用 RBAC 权限漏洞（<strong>提权到 cluster-admin</strong>），挖整个集群。</li> </ul> <p><strong>2024 升级的排查</strong>：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 1. 查被劫持的动态库</span> </span></span><span class="line"><span class="cl">cat /etc/ld.so.preload </span></span><span class="line"><span class="cl">ls -la /etc/ld.so.preload </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 2. 用 busybox / static 工具替代被劫持的 top/ps</span> </span></span><span class="line"><span class="cl"><span class="c1"># busybox top</span> </span></span><span class="line"><span class="cl"><span class="c1"># busybox ps</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 3. chkrootkit / rkhunter 仍管用</span> </span></span><span class="line"><span class="cl">apt install rkhunter </span></span><span class="line"><span class="cl">rkhunter --check </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 4. 用 eBPF 工具（2020 那篇已提）查隐藏进程</span> </span></span><span class="line"><span class="cl">bpftrace -e <span class="s1">&#39;tracepoint:sched:sched_process_exec { printf(&#34;%s\n&#34;, comm); }&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 5. K8s 场景：用 Falco（容器运行时安全）</span> </span></span><span class="line"><span class="cl">helm install falco falcosecurity/falco </span></span></code></pre></td></tr></table> </div> </div><h3 id="五登录审计的现代告警sudo-审计--pam-增强">五、登录审计的&quot;现代告警&rdquo;：Sudo 审计 + PAM 增强 </h3><ul> <li>2019 那篇主要看 <code>last</code> / <code>wtmp</code>。<strong>2024 强化</strong>：</li> <li><strong>Sudo 审计</strong>（<code>/var/log/audit/audit.log</code> 或 journald）：</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 查谁 sudo 了</span> </span></span><span class="line"><span class="cl">journalctl <span class="nv">_AUDIT_TYPE_NAME</span><span class="o">=</span><span class="m">1100</span> -g <span class="s2">&#34;EXECVE&#34;</span> --since today </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 或直接 auditd</span> </span></span><span class="line"><span class="cl">ausearch -m USER_CMD -ts today </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 实时跟踪 sudo</span> </span></span><span class="line"><span class="cl">auditctl -w /usr/bin/sudo -p x -k sudo_audit </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>PAM 强制 MFA</strong>（多因素认证）：</li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">apt install libpam-google-authenticator </span></span><span class="line"><span class="cl">google-authenticator <span class="c1"># 给用户配置 TOTP</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># /etc/pam.d/sshd 加一行</span> </span></span><span class="line"><span class="cl">auth required pam_google_authenticator.so </span></span></code></pre></td></tr></table> </div> </div><h3 id="六ssh-安全基线-2024-升级版">六、SSH 安全基线 2024 升级版 </h3><p>2019 那篇提到 <code>PasswordAuthentication no</code> / <code>PermitRootLogin no</code>，<strong>2024 主流加固</strong>：</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># /etc/ssh/sshd_config.d/00-hardening.conf</span> </span></span><span class="line"><span class="cl">Protocol <span class="m">2</span> </span></span><span class="line"><span class="cl">PermitRootLogin no </span></span><span class="line"><span class="cl">PasswordAuthentication no </span></span><span class="line"><span class="cl">PubkeyAuthentication yes </span></span><span class="line"><span class="cl">ChallengeResponseAuthentication no </span></span><span class="line"><span class="cl">KbdInteractiveAuthentication no </span></span><span class="line"><span class="cl">UsePAM yes </span></span><span class="line"><span class="cl">X11Forwarding no </span></span><span class="line"><span class="cl">PrintMotd no </span></span><span class="line"><span class="cl">AcceptEnv LANG LC_* </span></span><span class="line"><span class="cl">MaxAuthTries <span class="m">3</span> </span></span><span class="line"><span class="cl">MaxSessions <span class="m">3</span> </span></span><span class="line"><span class="cl">ClientAliveInterval <span class="m">300</span> </span></span><span class="line"><span class="cl">ClientAliveCountMax <span class="m">0</span> </span></span><span class="line"><span class="cl">LoginGraceTime <span class="m">30</span> </span></span><span class="line"><span class="cl">AllowUsers deployer admin </span></span><span class="line"><span class="cl">AllowGroups ssh-users </span></span><span class="line"><span class="cl"><span class="c1"># 强制只接受 ed25519</span> </span></span><span class="line"><span class="cl">HostKey /etc/ssh/ssh_host_ed25519_key </span></span><span class="line"><span class="cl"><span class="c1"># 禁 DSA / RSA-SHA1</span> </span></span><span class="line"><span class="cl">HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256 </span></span><span class="line"><span class="cl">PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256 </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">systemctl restart sshd </span></span><span class="line"><span class="cl">sshd -T <span class="p">|</span> grep -E <span class="s2">&#34;hostkey|pubkey|password&#34;</span> <span class="c1"># 验证</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="七容器时代的安全基线">七、容器时代的安全基线 </h3><ul> <li>2019 那篇的所有工具针对<strong>单台物理机 / 虚拟机</strong>。</li> <li>2024 大量生产环境是 <strong>Docker / K8s</strong>——<code>chattr +i</code> 在容器里<strong>不生效</strong>（容器没有真正的 root 权限到 host fs）。</li> <li><strong>容器化场景的安全工具</strong>： <ul> <li><strong>Trivy / Grype</strong>（镜像漏洞扫描）</li> <li><strong>Falco</strong>（运行时入侵检测）</li> <li><strong>OPA / Kyverno</strong>（策略引擎，限制容器能做什么）</li> <li><strong>Cosign</strong>（镜像签名，验证镜像来源）</li> </ul> </li> </ul> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Trivy 扫描镜像</span> </span></span><span class="line"><span class="cl">trivy image nginx:1.25 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Falco 检测异常</span> </span></span><span class="line"><span class="cl">kubectl apply -f https://raw.githubusercontent.com/falcosecurity/falco/master/deploy/k8s-with-helm/falco.yaml </span></span></code></pre></td></tr></table> </div> </div>