Linux安全加固及文本处理之awk实践

1、编写脚本selinux.sh，实现开启或禁用SELinux功能

[root@ansible_centos7 ~]# cat selinux.sh
#!/bin/bash
#
#************************************************************************
#Author:                qiuhom
#QQ:                    467697313
#mail:                  qiuhom467697313@qq.com
#Date:                  2019-12-11
#FileName：             selinux.sh
#URL:                   https://www.cnblogs.com/qiuhom-1874/
#Description：
#Copyright (C):        2019 All rights reserved
#************************************************************************
[ -f /etc/init.d/functions ] && . /etc/init.d/functions
[ $UID -ne 0 ] && echo "this script must root run it" && exit 1
[ $# -ne 1 ] && echo "Usage:bash $0 <off|on>" && exit 2
if [ "$1" = "on" ];then
    sed -i 's@^SELINUX=.*@SELINUX=enforcing@g' /etc/selinux/config
    [ $? -eq 0 ] && action "selinux config on " /bin/true
        /sbin/setenforce 1
elif [ "$1" = "off" ];then
    sed -i 's@^SELINUX=.*@SELINUX=disabled@g' /etc/selinux/config
    [ $? -eq 0 ] && action "selinux config off " /bin/true
        /sbin/setenforce 0
else
    echo "argv error , please input <on|off>"
    exit 3
fi
[root@ansible_centos7 ~]# 

　　验证

[root@ansible_centos7 ~]# sh selinux.sh
Usage:bash selinux.sh <off|on>
[root@ansible_centos7 ~]# sh selinux.sh aa
argv error , please input <on|off>
[root@ansible_centos7 ~]# getenforce
Permissive
[root@ansible_centos7 ~]# cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

[root@ansible_centos7 ~]# sh selinux.sh on
selinux config on                                          [  OK  ]
[root@ansible_centos7 ~]# getenforce
Enforcing
[root@ansible_centos7 ~]# cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

[root@ansible_centos7 ~]# sh selinux.sh off
selinux config off                                         [  OK  ]
[root@ansible_centos7 ~]# getenforce
Permissive
[root@ansible_centos7 ~]# cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

[root@ansible_centos7 ~]#

　　说明：要想永久关闭selinux需要重启服务器，因为selinux是基于内核的一个模块，只有重启才能重新读取配置文件，临时关闭可以用setenforce 0来临时关闭，其实这种方法准确的说不是关闭selinux，是将selinux的状态切换成permissive状态，也就是说这种状态selinux只警告，并不实质上的管控linux上的资源。

2、统计/etc/fstab文件中每个文件系统类型出现的次数

[qiuhom@test ~]$ cat -A /etc/fstab|awk '!/^\$|#/{fstype[$3]++}END{print "fstype count";for(i in fstype){print i,fstype[i]}}'
fstype count
devpts 1
swap 1
sysfs 1
proc 1
tmpfs 1
iso9660 2
ext4 2
[qiuhom@test ~]$

　　说明：以上命令核心思想就是利用awk数组来记录文件系统出现的次数，每出现相同的文件系统类型就将其计数加1，最后把统计的结果循环打印出来

3、提取出字符串Yd$C@M05MB%9&Bdh7dq+YVixp3vpw中的所有数字

方法一：利用grep过滤

[root@ansible_centos7 ~]# echo 'Yd$C@M05MB%9&Bdh7dq+YVixp3vpw'|grep -o '[0-9]'
0
5
9
7
3
[root@ansible_centos7 ~]#

方法二：利用awk过滤

[root@ansible_centos7 ~]# echo 'Yd$C@M05MB%9&Bdh7dq+YVixp3vpw'|awk -F "" '{for(i=1;i<=NF;i++){if($i ~ /[0-9]/){print $i}}}'
0
5
9
7
3
[root@ansible_centos7 ~]#

　　说明：以上命令核心思想是循环字符串中的每一个字符，然后判断每个字符是否是数字，如果是数字就打印出来。其中-F是指定字段分割符，-F "" 表示字段分割符为空，即每一个字符都为一个字段

4、解决DOS攻击生产案例:根据web日志或者或者网络连接数，监控当某个IP 并发连接数或者短时内PV达到100，即调用防火墙命令封掉对应的IP，监控频 率每隔5分钟。防火墙命令为:iptables -A INPUT -s IP -j REJECT

第一步：写脚本过滤web访问日志，将访问日志中的ip统计出来，然后判断是否段时间连接达到100

[root@test ~]#cat dos.sh
#!/bin/bash
#
#************************************************************************
#Author:                qiuhom
#QQ:                    467697313
#mail:                  qiuhom467697313@qq.com
#Date:                  2019-12-12
#FileName：             dos.sh
#URL:                   https://www.cnblogs.com/qiuhom-1874/
#Description：
#Copyright (C):        2019 All rights reserved
#************************************************************************
ip=`cat /var/log/nginx/access.log|awk '{
        cip[$1]++
}
END{
   for(i in cip)
   {
   if(cip[i] >= 100){
      print i
   }
  }
 }'`

iplist=`echo $ip |tr -s " " ","`
iptables -A INPUT -s $iplist -j REJECT
[ ! -e /log/bak ] && mkdir -p /log/bak
cat /var/log/nginx/access.log >> /log/bak/nginx_access.log.bak
> /var/log/nginx/access.log
[root@test ~]#

　　说明：以上脚本的意思是去nginx的访问日志中统计客户端ip出现的次数，如果客户端的ip出现次数大于等于100 ，就将此ip记录到ip这个变量里，然后将变量ip用tr命令将空格替换成逗号，然后传给一个叫iplist的变量，然后把满足要求的ip统一添加到防火墙规则里进行禁用ip的访问。

第二步：制定计划任务每5分钟执行一次我们上面写的脚本

[root@test ~]#crontab -l
*/5 * * * * bash /root/dos.sh &> /dev/null