🔍 Log Analysis & Security Scripts
Các scripts trong phần này giúp bạn phân tích log hệ thống, giám sát bảo mật và phát hiện các hoạt động bất thường một cách tự động.
📊 1. Script Phân Tích Log Tự Động
Comprehensive Log Analyzer
#!/bin/bash
# log_analyzer.sh - automated system log analysis
# Configuration
LOG_DIR="/var/log"             # tree that generate_summary sizes and lists
REPORT_DIR="/var/log/analysis" # one report per day lands here; reports older than 7 days are gzip'd at the end
ALERT_EMAIL="[email protected]"  # recipient used by send_alert (value on this page is a redacted placeholder)
DATE=$(date +"%Y%m%d")
REPORT_FILE="$REPORT_DIR/log_analysis_$DATE.txt"
ALERT_THRESHOLD=50 # failed SSH logins per day above which analyze_ssh_logs mails an alert
# Create the report directory (no error handling: a later tee -a will fail loudly if this did)
mkdir -p "$REPORT_DIR"
#######################################
# Append a timestamped line to the report and echo it to stdout.
# Globals:   REPORT_FILE (appended)
# Arguments: $1 - message text
# Outputs:   "YYYY-MM-DD HH:MM:SS - message" on stdout and in REPORT_FILE
#######################################
log_message() {
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s - %s\n' "$stamp" "$1" | tee -a "$REPORT_FILE"
}
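#######################################
# Mail a security alert to ALERT_EMAIL and record that it was sent.
# Globals:   ALERT_EMAIL (read); REPORT_FILE (appended via log_message)
# Arguments: $1 - subject, prefixed with "[SECURITY ALERT] "
#            $2 - body; callers embed "\n" escapes, expanded here by printf %b
# Returns:   0 if mail accepted the message, 1 if mail is missing or failed
#######################################
send_alert() {
  local subject="$1"
  local message="$2"
  # printf %b turns the "\n" escapes the callers embed into real line breaks;
  # plain echo shipped them literally, producing a one-line mail body.
  if printf '%b\n' "$message" | mail -s "[SECURITY ALERT] $subject" "$ALERT_EMAIL"; then
    log_message "ALERT SENT: $subject"
  else
    # Best effort: the finding is still in the report even if the mail did not go out
    log_message "ALERT FAILED (mail returned non-zero): $subject"
    return 1
  fi
}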
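#######################################
# Summarise today's SSH authentication activity and alert on spikes.
# Globals:   ALERT_THRESHOLD (read); REPORT_FILE (via log_message)
# Arguments: none
# Outputs:   report lines via log_message; may call send_alert
# Returns:   0
#######################################
analyze_ssh_logs() {
  log_message "=== SSH LOG ANALYSIS ==="
  local ssh_log="/var/log/auth.log"
  if [ ! -f "$ssh_log" ]; then
    ssh_log="/var/log/secure" # CentOS/RHEL
  fi
  if [ ! -f "$ssh_log" ]; then
    log_message "SSH log file not found"
    return 0
  fi
  # Traditional syslog stamps are "Mon  5 ..." (day space-padded), so the day
  # filter must use %e; the previous "%d" yielded "05" and matched nothing
  # before the 10th of each month, silently reporting zero.
  # NOTE(review): hosts that log RFC 3339 stamps ("2024-01-05T...") never match
  # this filter — confirm the timestamp format on the target.
  local today
  today=$(date '+%b %e')

  # Failed logins. Field NF-3 is the client address in
  # "Failed password for [invalid user] NAME from ADDR port N ssh2"
  # (counted from the end so a username containing spaces cannot shift it).
  local failed_logins
  failed_logins=$(grep "Failed password" "$ssh_log" | grep -c -- "$today")
  log_message "Failed SSH logins today: $failed_logins"
  if [ "$failed_logins" -gt "$ALERT_THRESHOLD" ]; then
    local top_ips
    top_ips=$(grep "Failed password" "$ssh_log" | grep -- "$today" \
      | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | head -5)
    send_alert "High SSH Failed Logins" "Failed SSH logins: $failed_logins\n\nTop attacking IPs:\n$top_ips"
  fi

  # Successful password logins (publickey logins are not counted here)
  local successful_logins
  successful_logins=$(grep "Accepted password" "$ssh_log" | grep -c -- "$today")
  log_message "Successful SSH logins today: $successful_logins"

  # Root login attempts: only sshd authentication results for the root account.
  # A bare "root" grep also counted every cron/sudo "session opened for user root"
  # line and therefore alerted on every run.
  local root_pattern='sshd\[[0-9]+\]: (Failed|Accepted) [a-z]+ for (invalid user )?root '
  local root_attempts
  root_attempts=$(grep -E "$root_pattern" "$ssh_log" | grep -c -- "$today")
  if [ "$root_attempts" -gt 0 ]; then
    log_message "WARNING: Root login attempts today: $root_attempts"
    local root_details
    root_details=$(grep -E "$root_pattern" "$ssh_log" | grep -- "$today" | tail -10)
    send_alert "Root Login Attempts" "Root login attempts: $root_attempts\n\nDetails:\n$root_details"
  fi

  # Logins outside 06:00-22:00; $3 is the HH:MM:SS field of a traditional stamp
  local unusual_logins
  unusual_logins=$(grep "Accepted password" "$ssh_log" | grep -- "$today" \
    | awk '{print $3}' | awk -F: '$1 < 6 || $1 > 22' | wc -l)
  if [ "$unusual_logins" -gt 0 ]; then
    log_message "WARNING: Unusual time logins: $unusual_logins"
  fi
}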
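#######################################
# Summarise the web server access/error logs (Nginx, falling back to Apache).
# Globals:   REPORT_FILE (appended)
# Arguments: none
# Outputs:   report lines via log_message / tee; may call send_alert
# Returns:   0
#######################################
analyze_web_logs() {
  log_message "=== WEB SERVER LOG ANALYSIS ==="
  local access_log="/var/log/nginx/access.log"
  local error_log="/var/log/nginx/error.log"
  # Fall back to Apache when the Nginx logs are absent
  if [ ! -f "$access_log" ]; then
    access_log="/var/log/apache2/access.log"
    error_log="/var/log/apache2/error.log"
  fi
  if [ -f "$access_log" ]; then
    # Top client addresses ($1 in the combined log format)
    log_message "Top 10 IP addresses:"
    awk '{print $1}' "$access_log" | sort | uniq -c | sort -nr | head -10 | tee -a "$REPORT_FILE"

    # 404s. The access log is not date-filtered, so this covers the whole file;
    # the previous "today" label was misleading.
    local error_404
    error_404=$(grep -c " 404 " "$access_log")
    log_message "404 errors (whole access log): $error_404"
    if [ "$error_404" -gt 100 ]; then
      local top_404
      top_404=$(grep " 404 " "$access_log" | awk '{print $7}' | sort | uniq -c | sort -nr | head -10)
      # One line per URL; embedding "\n" in the log_message argument printed it literally
      log_message "Top 404 URLs:"
      printf '%s\n' "$top_404" | tee -a "$REPORT_FILE"
    fi

    # Keyword heuristics only: "select", "delete" or "script" also occur in
    # legitimate URLs, query strings and user agents. Treat these as triage
    # counts, not confirmed attacks.
    local sql_injection xss_attempts path_traversal
    sql_injection=$(grep -ciE 'union|select|insert|delete|drop' "$access_log")
    xss_attempts=$(grep -ciE 'script|javascript|alert' "$access_log")
    path_traversal=$(grep -cF -- '..' "$access_log")
    log_message "Potential SQL injection attempts: $sql_injection"
    log_message "Potential XSS attempts: $xss_attempts"
    log_message "Path traversal attempts: $path_traversal"
    if [ "$sql_injection" -gt 10 ] || [ "$xss_attempts" -gt 10 ] || [ "$path_traversal" -gt 10 ]; then
      send_alert "Web Attack Detected" "SQL injection: $sql_injection\nXSS attempts: $xss_attempts\nPath traversal: $path_traversal"
    fi

    # Responses larger than ~1 MB ($10 is the body size in combined format; "-" compares as 0)
    local large_requests
    large_requests=$(awk '$10 > 1000000' "$access_log" | wc -l)
    if [ "$large_requests" -gt 0 ]; then
      log_message "WARNING: Large requests detected: $large_requests"
    fi
  else
    log_message "Web server access log not found"
  fi

  # Error log, filtered to today. "YYYY/MM/DD" is the Nginx error-log stamp;
  # NOTE(review): Apache's error log uses "[Day Mon DD ...]", so on the Apache
  # fallback this count is always 0 — confirm and adapt the filter if needed.
  if [ -f "$error_log" ]; then
    local today
    today=$(date +%Y/%m/%d)
    local today_errors
    today_errors=$(grep -c -- "$today" "$error_log")
    log_message "Web server errors today: $today_errors"
    if [ "$today_errors" -gt 50 ]; then
      local error_summary
      error_summary=$(grep -- "$today" "$error_log" | tail -20)
      send_alert "High Web Server Errors" "Errors today: $today_errors\n\nRecent errors:\n$error_summary"
    fi
  fi
}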
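#######################################
# Count today's error, kernel-error and OOM lines in the system log.
# Globals:   REPORT_FILE (appended)
# Arguments: none
# Outputs:   report lines via log_message / tee; may call send_alert
# Returns:   0
#######################################
analyze_system_logs() {
  log_message "=== SYSTEM LOG ANALYSIS ==="
  local syslog="/var/log/syslog"
  if [ ! -f "$syslog" ]; then
    syslog="/var/log/messages" # CentOS/RHEL
  fi
  if [ ! -f "$syslog" ]; then
    log_message "System log file not found"
    return 0
  fi
  # Day filter for traditional syslog stamps ("Jan  5"): %e pads with a space;
  # the previous %d ("05") matched nothing before the 10th of each month.
  local today
  today=$(date '+%b %e')

  # Error-ish lines. "fail" also matches "failover"/"failsafe" — a triage count.
  local system_errors
  system_errors=$(grep -iE 'error|fail|critical' "$syslog" | grep -c -- "$today")
  log_message "System errors today: $system_errors"
  if [ "$system_errors" -gt 20 ]; then
    local error_details
    error_details=$(grep -iE 'error|fail|critical' "$syslog" | grep -- "$today" | tail -10)
    send_alert "High System Errors" "System errors: $system_errors\n\nRecent errors:\n$error_details"
  fi

  # Kernel messages
  local kernel_errors
  kernel_errors=$(grep "kernel:" "$syslog" | grep -- "$today" | grep -ciE 'error|fail')
  if [ "$kernel_errors" -gt 0 ]; then
    log_message "WARNING: Kernel errors today: $kernel_errors"
    # One line per message; an embedded "\n" in the log_message argument printed literally
    log_message "Kernel error details:"
    grep "kernel:" "$syslog" | grep -- "$today" | grep -iE 'error|fail' | tail -5 | tee -a "$REPORT_FILE"
  fi

  # OOM killer activity
  local oom_events
  oom_events=$(grep "Out of memory" "$syslog" | grep -c -- "$today")
  if [ "$oom_events" -gt 0 ]; then
    log_message "CRITICAL: OOM events today: $oom_events"
    send_alert "Out of Memory Events" "OOM events detected: $oom_events"
  fi
}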
#######################################
# Count today's MySQL and PostgreSQL error-log entries and alert above fixed thresholds.
# Globals:   REPORT_FILE (via log_message)
# Arguments: none
# Outputs:   report lines via log_message; may call send_alert
# Returns:   0
#######################################
analyze_database_logs() {
  log_message "=== DATABASE LOG ANALYSIS ==="
  # Both engines stamp lines with ISO dates, so one filter serves both
  local day
  day=$(date +%Y-%m-%d)

  # --- MySQL ---
  local mysql_log="/var/log/mysql/error.log"
  if [ -f "$mysql_log" ]; then
    local mysql_issue_count
    mysql_issue_count=$(grep -- "$day" "$mysql_log" | grep -ci 'error\|warning')
    log_message "MySQL errors/warnings today: $mysql_issue_count"
    if [ "$mysql_issue_count" -gt 10 ]; then
      local mysql_tail
      mysql_tail=$(grep -- "$day" "$mysql_log" | grep -i 'error\|warning' | tail -10)
      send_alert "MySQL Errors" "MySQL errors: $mysql_issue_count\n\nDetails:\n$mysql_tail"
    fi
    # Connectivity problems are reported separately, without an e-mail
    local conn_issue_count
    conn_issue_count=$(grep -- "$day" "$mysql_log" | grep -ci 'connection\|timeout')
    if [ "$conn_issue_count" -gt 5 ]; then
      log_message "WARNING: MySQL connection issues: $conn_issue_count"
    fi
  fi

  # --- PostgreSQL: newest-by-mtime .log in the log directory (first match of find) ---
  local pg_dir="/var/log/postgresql"
  [ -d "$pg_dir" ] || return 0
  local pg_file
  pg_file=$(find "$pg_dir" -name "*.log" -mtime -1 | head -1)
  [ -n "$pg_file" ] || return 0
  local pg_issue_count
  pg_issue_count=$(grep -- "$day" "$pg_file" | grep -ci 'error\|fatal')
  log_message "PostgreSQL errors today: $pg_issue_count"
  if [ "$pg_issue_count" -gt 10 ]; then
    local pg_tail
    pg_tail=$(grep -- "$day" "$pg_file" | grep -i 'error\|fatal' | tail -10)
    send_alert "PostgreSQL Errors" "PostgreSQL errors: $pg_issue_count\n\nDetails:\n$pg_tail"
  fi
}
#######################################
# Write the report header: date, host, report path, log-tree size, oldest/newest *.log.
# Globals:   LOG_DIR, REPORT_FILE (read; REPORT_FILE appended via log_message)
# Arguments: none
# Outputs:   report lines via log_message
# Returns:   0
#######################################
generate_summary() {
  log_message "=== LOG ANALYSIS SUMMARY ==="
  log_message "Analysis Date: $(date)"
  log_message "Server: $(hostname)"
  log_message "Report File: $REPORT_FILE"

  # Size of the whole log tree (du errors on unreadable subdirs are ignored)
  local tree_size
  tree_size=$(du -sh "$LOG_DIR" 2>/dev/null | cut -f1)
  log_message "Log directory size: $tree_size"

  # Oldest and newest *.log by mtime. -printf '%T@' is GNU find; the epoch
  # prefix is sorted numerically and then dropped.
  local by_mtime
  by_mtime=$(find "$LOG_DIR" -name "*.log" -type f -printf '%T@ %p\n' 2>/dev/null | sort -n)
  local first_log last_log
  first_log=$(printf '%s\n' "$by_mtime" | head -1 | cut -d' ' -f2-)
  last_log=$(printf '%s\n' "$by_mtime" | tail -1 | cut -d' ' -f2-)
  [ -n "$first_log" ] && log_message "Oldest log: $first_log"
  [ -n "$last_log" ] && log_message "Newest log: $last_log"
  return 0
}
# Main execution. No "set -e": each analyser logs and continues, so one missing
# log file never aborts the run. The call order fixes the section order in the report.
log_message "Starting log analysis"
generate_summary
analyze_ssh_logs
analyze_web_logs
analyze_system_logs
analyze_database_logs
log_message "Log analysis completed"
# Compress reports older than 7 days (in place, under REPORT_DIR)
find "$REPORT_DIR" -name "log_analysis_*.txt" -mtime +7 -exec gzip {} \;
🛡️ 2. Script Giám Sát Bảo Mật
Security Monitoring & Intrusion Detection
#!/bin/bash
# security_monitor.sh - security monitoring and intrusion detection
# Configuration
SECURITY_LOG="/var/log/security_monitor.log"   # every security_log line is appended here; tail -50 goes into the daily report
ALERT_EMAIL="[email protected]"                # recipient for security_alert (redacted placeholder on this page)
WHITELIST_IPS="/etc/security/whitelist_ips.txt" # one address per line; never blocked (is_whitelisted)
BLACKLIST_IPS="/etc/security/blacklist_ips.txt" # appended by add_to_blacklist
MAX_FAILED_ATTEMPTS=5  # "Failed password" lines from one address within TIME_WINDOW that trigger a block
TIME_WINDOW=300 # seconds (5 minutes)
# Create the configuration directory.
# NOTE(review): on PAM-based distributions /etc/security already exists and holds
# PAM policy files; the two lists above share it, which is fine but easy to confuse.
mkdir -p /etc/security
#######################################
# Append a timestamped "[SECURITY]" line to SECURITY_LOG and echo it to stdout.
# Globals:   SECURITY_LOG (appended)
# Arguments: $1 - message text
# Outputs:   "YYYY-MM-DD HH:MM:SS [SECURITY] message"
#######################################
security_log() {
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s [SECURITY] %s\n' "$stamp" "$1" | tee -a "$SECURITY_LOG"
}
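#######################################
# Mail a security alert and record it in SECURITY_LOG.
# Globals:   ALERT_EMAIL (read); SECURITY_LOG (appended via security_log)
# Arguments: $1 - level (HIGH, CRITICAL, MEDIUM, ...), used in subject and log line
#            $2 - body; callers embed "\n" escapes, expanded here by printf %b
#            $3 - short title, appended to the subject
# Returns:   0 if mail accepted the message, 1 otherwise (logged, not fatal)
#######################################
security_alert() {
  local level="$1"
  local message="$2"
  local subject="[SECURITY-$level] $(hostname) - $3"
  # printf %b expands the "\n" escapes the callers embed; echo shipped them
  # literally and produced a one-line mail body.
  if printf '%b\n' "$message" | mail -s "$subject" "$ALERT_EMAIL"; then
    security_log "ALERT-$level: $3"
  else
    security_log "ALERT-$level (mail failed): $3"
    return 1
  fi
}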
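#######################################
# Test whether an address is listed in WHITELIST_IPS.
# Globals:   WHITELIST_IPS (read)
# Arguments: $1 - address as it appears in the log
# Returns:   0 if listed, 1 if not listed or the file does not exist
#######################################
is_whitelisted() {
  local ip="$1"
  [ -f "$WHITELIST_IPS" ] || return 1
  # -F: the address is data, not a regex ("10.0.0.1" would otherwise also match
  # "10x0x0x1"); -x: whole-line match, so "10.0.0.1" does not match "10.0.0.10".
  grep -qxF -- "$ip" "$WHITELIST_IPS"
}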
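#######################################
# Record an address in BLACKLIST_IPS, drop its traffic with iptables (if
# available) and mail an alert. Whitelisted and already-listed addresses are skipped.
# Globals:   BLACKLIST_IPS (appended); WHITELIST_IPS via is_whitelisted
# Arguments: $1 - address (taken from a log line by the caller)
#            $2 - free-text reason, logged and mailed
# Returns:   0 on success or skip; 1 if $1 is not shaped like an IP address
#######################################
add_to_blacklist() {
  local ip="$1"
  local reason="$2"
  # The address was scraped from a log line. Refuse anything that is not an
  # IPv4/IPv6 literal before it lands in the list or a firewall rule.
  if ! [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ || "$ip" =~ ^[0-9A-Fa-f:]+$ ]]; then
    security_log "IGNORED: not an IP address: $ip ($reason)"
    return 1
  fi
  is_whitelisted "$ip" && return 0
  # Do not append the same address on every run
  if [ -f "$BLACKLIST_IPS" ] && grep -qxF -- "$ip" "$BLACKLIST_IPS"; then
    security_log "ALREADY_BLOCKED: $ip - $reason"
    return 0
  fi
  echo "$ip" >> "$BLACKLIST_IPS"
  security_log "BLOCKED: $ip - $reason"
  # Firewall rule, when iptables is available. -C checks for an existing rule so
  # the chain does not fill with duplicates; only a successful add is logged.
  # The rule lives in the running ruleset only and is lost at reboot.
  # NOTE(review): -A appends after any earlier ACCEPT rule and may then have no
  # effect; an -I at the top of INPUT is usually what is wanted — confirm the ruleset.
  if command -v iptables >/dev/null 2>&1; then
    if iptables -C INPUT -s "$ip" -j DROP 2>/dev/null || iptables -A INPUT -s "$ip" -j DROP 2>/dev/null; then
      security_log "IPTABLES: Blocked $ip"
    else
      security_log "IPTABLES: failed to add rule for $ip (permissions?)"
    fi
  fi
  security_alert "HIGH" "IP $ip has been blocked\nReason: $reason\nTime: $(date)" "IP Blocked"
}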
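#######################################
# Block addresses with MAX_FAILED_ATTEMPTS or more "Failed password" lines
# inside the last TIME_WINDOW seconds.
# Globals:   TIME_WINDOW, MAX_FAILED_ATTEMPTS (read)
# Arguments: none
# Outputs:   log lines; add_to_blacklist per offending address
# Returns:   0
#######################################
detect_brute_force() {
  security_log "Checking for brute force attacks"
  local auth_log="/var/log/auth.log"
  if [ ! -f "$auth_log" ]; then
    auth_log="/var/log/secure"
  fi
  [ -f "$auth_log" ] || return 0
  # Per-address count of recent failures. The timestamp is handed to date(1):
  # traditional "Mon  d HH:MM:SS" stamps use fields 1-3, RFC 3339 stamps
  # ("2024-01-05T10:00:00...") field 1 only. One date process per failed line —
  # slow on a busy host, but it keeps the parsing in one well-tested tool.
  # systime() is a gawk extension.
  local suspicious_ips
  suspicious_ips=$(awk -v time_window="$TIME_WINDOW" -v max_attempts="$MAX_FAILED_ATTEMPTS" '
    /Failed password/ {
      ip = $(NF-3)
      if ($1 ~ /^[0-9][0-9][0-9][0-9]-/) {
        timestamp = $1
      } else {
        timestamp = $1 " " $2 " " $3
      }
      cmd = "date -d \"" timestamp "\" +%s 2>/dev/null"
      # Reset first: a failed getline leaves the previous value in place and
      # would silently reuse the last good epoch for an unparsable line.
      epoch = ""
      cmd | getline epoch
      close(cmd)
      if (epoch == "") next
      if (systime() - epoch <= time_window) {
        failed_attempts[ip]++
      }
    }
    END {
      for (ip in failed_attempts) {
        if (failed_attempts[ip] >= max_attempts) {
          print ip, failed_attempts[ip]
        }
      }
    }' "$auth_log")
  [ -n "$suspicious_ips" ] || return 0
  # add_to_blacklist re-checks the whitelist; the check here only avoids log noise
  local ip attempts
  while read -r ip attempts; do
    if ! is_whitelisted "$ip"; then
      add_to_blacklist "$ip" "Brute force attack: $attempts failed attempts"
    fi
  done <<< "$suspicious_ips"
}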
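#######################################
# Compare SHA-256 of a fixed set of critical files against a stored baseline;
# alert on change and then record the new checksum.
# Globals:   none read; /var/lib/security/file_checksums.txt is read and rewritten
# Arguments: none
# Outputs:   log lines; security_alert on a changed file
# Returns:   0
#######################################
check_file_integrity() {
  security_log "Checking critical file integrity"
  local critical_files=(
    "/etc/passwd"
    "/etc/shadow"
    "/etc/sudoers"
    "/etc/ssh/sshd_config"
    "/etc/hosts"
  )
  local checksums_file="/var/lib/security/file_checksums.txt"
  mkdir -p "$(dirname "$checksums_file")"
  # NOTE: the baseline is taken on the first run and kept on the same host, so
  # it only catches changes made after that run, and anyone with root can
  # rewrite it. Keep an off-box copy of the baseline for a real tripwire.
  local file current_checksum stored_checksum tmp
  for file in "${critical_files[@]}"; do
    [ -f "$file" ] || continue
    current_checksum=$(sha256sum "$file" | cut -d' ' -f1)
    stored_checksum=""
    if [ -f "$checksums_file" ]; then
      # Exact match on the path column. A substring grep let "/etc/hosts" pick
      # up any later "/etc/hosts.*" entry and produced a multi-line "checksum"
      # that never compared equal.
      stored_checksum=$(awk -v f="$file" '$2 == f {print $1; exit}' "$checksums_file")
    fi
    if [ -z "$stored_checksum" ]; then
      # First sighting: record the baseline
      echo "$current_checksum $file" >> "$checksums_file"
      security_log "BASELINE: Stored checksum for $file"
    elif [ "$current_checksum" != "$stored_checksum" ]; then
      security_alert "CRITICAL" "Critical file modified: $file\nOld checksum: $stored_checksum\nNew checksum: $current_checksum\nTime: $(date)" "File Integrity Violation"
      # Same policy as before: alert once, then accept the new state. Rewrite
      # only the matching row instead of an unanchored sed over every line.
      tmp=$(mktemp "${checksums_file}.XXXXXX") || continue
      if awk -v f="$file" -v c="$current_checksum" '$2 == f {print c, f; next} {print}' "$checksums_file" > "$tmp"; then
        mv -- "$tmp" "$checksums_file"
      fi
      rm -f -- "$tmp"
    fi
  done
}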
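#######################################
# Flag root processes outside the system bin directories, TCP listeners on
# high ports, and running network tools.
# Globals:   none
# Arguments: none
# Outputs:   log lines only (no alerts)
# Returns:   0
#######################################
check_suspicious_processes() {
  security_log "Checking for suspicious processes"
  # Root processes whose executable ($11 of "ps aux") is not under the usual
  # system bin dirs; kernel threads ("[kworker/...]") are skipped. Anything
  # started from /opt, /usr/local or a home directory shows up here.
  local suspicious_root_procs
  suspicious_root_procs=$(ps aux | awk '$1=="root" && $11!~/^\[/ && $11!~/^\/usr\/bin/ && $11!~/^\/bin/ && $11!~/^\/sbin/ && $11!~/^\/usr\/sbin/ {print $2, $11}')
  if [ -n "$suspicious_root_procs" ]; then
    security_log "WARNING: Suspicious root processes detected"
    local pid command
    while read -r pid command; do
      security_log "SUSPICIOUS: PID $pid - $command"
    done <<< "$suspicious_root_procs"
  fi

  # TCP listeners on ports >= 2200. The previous pattern required a ':' after
  # the port, which never occurs at the end of the "addr:port" column, so it
  # matched nothing; anchor at the end of the field instead.
  # NOTE(review): netstat is absent on many current distributions; `ss -tlnp`
  # has the local address in the same column but a different process column.
  local unusual_listeners
  unusual_listeners=$(netstat -tlnp 2>/dev/null | awk '$1=="tcp" && ($4~/:(2[2-9][0-9][0-9]|[3-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]+)$/) {print $4, $7}')
  if [ -n "$unusual_listeners" ]; then
    security_log "WARNING: Unusual port listeners detected"
    local port process
    while read -r port process; do
      security_log "UNUSUAL: Port $port - $process"
    done <<< "$unusual_listeners"
  fi

  # Network tools, matched on the executable name rather than anywhere in the
  # line: a bare "nc" substring also hit "rsync", "syncthing" and this script's
  # own grep. Informational only — these are often legitimate.
  local suspicious_names
  suspicious_names=$(ps aux | awk '$11 ~ /(^|\/)(nc|netcat|ncat|socat|wget|curl)$/ {print $2, $11}')
  if [ -n "$suspicious_names" ]; then
    security_log "INFO: Network tools detected (may be legitimate)"
    while read -r pid command; do
      security_log "NETWORK_TOOL: PID $pid - $command"
    done <<< "$suspicious_names"
  fi
}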
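#######################################
# Summarise established TCP peers that are not private/loopback, and count
# connections per remote port.
# Globals:   none
# Arguments: none
# Outputs:   log lines only
# Returns:   0
#######################################
check_network_connections() {
  security_log "Checking network connections"
  # "Foreign" here means any non-RFC1918, non-loopback peer — i.e. every public
  # address, including services the host legitimately talks to. The port is
  # stripped from the end of the "addr:port" column so IPv6 peers keep their
  # address (cut -d: -f1 reduced "::ffff:1.2.3.4:443" to an empty string).
  local foreign_connections
  foreign_connections=$(netstat -tn 2>/dev/null | awk '$1=="tcp" && $6=="ESTABLISHED" {print $5}' \
    | sed 's/:[0-9]*$//' \
    | grep -v -E '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1|localhost)' \
    | sort | uniq -c | sort -nr)
  if [ -n "$foreign_connections" ]; then
    security_log "INFO: Foreign connections detected"
    local count ip
    while read -r count ip; do
      if [ "$count" -gt 10 ]; then
        security_log "WARNING: High connection count to $ip: $count connections"
      else
        security_log "FOREIGN: $count connections to $ip"
      fi
    done < <(printf '%s\n' "$foreign_connections" | head -10)
  fi

  # Remote ports with more than 5 established connections in the ephemeral range.
  # The port is the last ':'-separated field, which also works for IPv6 peers.
  local unusual_outbound
  unusual_outbound=$(netstat -tn 2>/dev/null | awk '$1=="tcp" && $6=="ESTABLISHED" {print $5}' \
    | awk -F: '{print $NF}' | sort | uniq -c | sort -nr | awk '$2>1024 && $2<65535 && $1>5')
  if [ -n "$unusual_outbound" ]; then
    security_log "WARNING: High outbound connections to unusual ports"
    local port
    while read -r count port; do
      security_log "UNUSUAL_PORT: $count connections to port $port"
    done <<< "$unusual_outbound"
  fi
}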
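#######################################
# Report logged-in users, today's sudo volume and account-management commands.
# Globals:   none
# Arguments: none
# Outputs:   log lines; security_alert on account changes
# Returns:   0
#######################################
check_user_activities() {
  security_log "Checking user activities"
  local current_users
  current_users=$(who | wc -l)
  security_log "Current logged in users: $current_users"
  if [ "$current_users" -gt 5 ]; then
    security_log "WARNING: High number of concurrent users: $current_users"
    # who prints: USER TTY DATE TIME (HOST); the host column is empty for local ttys
    local user tty login_date login_time ip
    while read -r user tty login_date login_time ip; do
      security_log "LOGGED_IN: $user from $ip on $tty"
    done < <(who)
  fi

  # Same log selection as detect_brute_force; the fixed /var/log/auth.log path
  # silently counted nothing on RHEL-family hosts.
  local auth_log="/var/log/auth.log"
  [ -f "$auth_log" ] || auth_log="/var/log/secure"
  # Day filter for traditional syslog stamps ("Jan  5"): %e pads with a space;
  # the previous %d ("05") matched nothing before the 10th of each month.
  local today
  today=$(date '+%b %e')

  local sudo_usage
  sudo_usage=$(grep "sudo:" "$auth_log" 2>/dev/null | grep -c -- "$today")
  if [ "$sudo_usage" -gt 20 ]; then
    security_log "WARNING: High sudo usage today: $sudo_usage commands"
  fi

  # useradd/userdel/usermod/passwd lines — any occurrence is mailed as MEDIUM
  local account_changes
  account_changes=$(grep -E "(useradd|userdel|usermod|passwd)" "$auth_log" 2>/dev/null | grep -c -- "$today")
  if [ "$account_changes" -gt 0 ]; then
    security_alert "MEDIUM" "User account changes detected: $account_changes\nDate: $(date)" "Account Changes"
  fi
}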
#######################################
# Write the daily report: blacklist contents plus the last 50 SECURITY_LOG lines.
# Globals:   BLACKLIST_IPS, SECURITY_LOG (read)
# Arguments: none
# Outputs:   /var/log/security_report_YYYYMMDD.txt (overwritten each run)
# Returns:   0
#######################################
generate_security_report() {
  local report_file="/var/log/security_report_$(date +%Y%m%d).txt"
  {
    printf '%s\n' "=== SECURITY MONITORING REPORT ===" "Date: $(date)" "Server: $(hostname)" ""
    printf '%s\n' "=== BLACKLISTED IPS ==="
    if [ -f "$BLACKLIST_IPS" ]; then
      cat "$BLACKLIST_IPS"
    else
      printf '%s\n' "No blacklisted IPs"
    fi
    printf '%s\n' "" "=== RECENT SECURITY EVENTS ==="
    # The log is the one this script writes, so the tail reflects this run
    tail -50 "$SECURITY_LOG"
  } > "$report_file"
  security_log "Security report generated: $report_file"
}
# Main execution. Each check logs and continues (no "set -e"); detect_brute_force
# may block addresses (list + iptables) before the report is written, so the
# report's blacklist section reflects this run.
security_log "Starting security monitoring"
detect_brute_force
check_file_integrity
check_suspicious_processes
check_network_connections
check_user_activities
generate_security_report
security_log "Security monitoring completed"
🚨 3. Script Phát Hiện Xâm Nhập
Advanced Intrusion Detection
#!/bin/bash
# intrusion_detection.sh - host intrusion detection checks
# Configuration
IDS_LOG="/var/log/ids.log"            # every ids_log line; generate_ids_report counts today's entries in it
ALERT_EMAIL="[email protected]"       # recipient for ids_alert (redacted placeholder on this page)
QUARANTINE_DIR="/var/quarantine"      # scan_malware_signatures copies matching files here (originals stay in place)
SIGNATURE_DB="/etc/ids/signatures.txt"            # name:hex_pattern:description, seeded by create_signature_db
WHITELIST_PROCESSES="/etc/ids/whitelist_processes.txt" # seeded by create_whitelist; not read by any check on this page
ALERT_THRESHOLD_HIGH=10      # not referenced below; thresholds are hard-coded per check
ALERT_THRESHOLD_CRITICAL=5   # not referenced below
# Create the required directories
mkdir -p "$(dirname "$IDS_LOG")"
mkdir -p "$QUARANTINE_DIR"
mkdir -p "$(dirname "$SIGNATURE_DB")"
#######################################
# Append a timestamped, levelled line to IDS_LOG and echo it to stdout.
# Globals:   IDS_LOG (appended)
# Arguments: $1 - level tag (INFO, WARNING, CRITICAL, ...)
#            $2 - message text
# Outputs:   "YYYY-MM-DD HH:MM:SS [LEVEL] message"
#######################################
ids_log() {
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s [%s] %s\n' "$stamp" "$1" "$2" | tee -a "$IDS_LOG"
}
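#######################################
# Mail an IDS alert and record it in IDS_LOG.
# Globals:   ALERT_EMAIL (read); IDS_LOG (appended via ids_log)
# Arguments: $1 - severity (CRITICAL, HIGH, MEDIUM)
#            $2 - short title (subject and log line)
#            $3 - body; callers embed "\n" escapes, expanded here by printf %b
# Returns:   0 if mail accepted the message, 1 otherwise (logged, not fatal)
#######################################
ids_alert() {
  local severity="$1"
  local title="$2"
  local details="$3"
  local subject="[IDS-$severity] $(hostname) - $title"
  # printf %b expands the "\n" escapes the callers embed; echo shipped them
  # literally and produced a one-line mail body.
  if printf '%b\n' "$details" | mail -s "$subject" "$ALERT_EMAIL"; then
    ids_log "ALERT-$severity" "$title"
  else
    ids_log "ALERT-$severity" "$title (mail failed)"
    return 1
  fi
}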
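#######################################
# Seed SIGNATURE_DB on first run; operators maintain the file afterwards.
# Format: name:hex_pattern:description. scan_malware_signatures hex-decodes
# the pattern and searches files for those bytes.
# Globals:   SIGNATURE_DB (created if absent)
# Arguments: none
# Returns:   0
#
# NOTE: "base64_shell" decodes to "echo " and "xss_script" to "<script>alert";
# under /home and /var/www these match ordinary shell scripts and web pages, so
# expect CRITICAL alerts and quarantine copies until they are tightened.
# "netcat_backdoor" decodes to "nc-lvp:" (no space), which is unlikely to occur
# verbatim. The entries are kept as they were; tune them in the file on disk.
#######################################
create_signature_db() {
  if [ ! -f "$SIGNATURE_DB" ]; then
    cat > "$SIGNATURE_DB" << 'EOF'
# Malware signatures (name:hex_pattern:description)
backdoor_php:3c3f706870206576616c28245f504f53545b:PHP backdoor eval
webshell_jsp:72756e74696d652e65786563:JSP webshell runtime exec
sql_injection:756e696f6e2073656c656374:SQL injection union select
xss_script:3c7363726970743e616c657274:XSS script alert
reverse_shell:2f62696e2f7368202d69:Reverse shell /bin/sh
netcat_backdoor:6e632d6c76703a:Netcat reverse shell
base64_shell:6563686f20:Base64 encoded shell
EOF
    ids_log "INFO" "Created signature database"
  fi
  # The process whitelist is seeded by create_whitelist, called right after this
  # function in main. The copy that used to live here wrote a different, shorter
  # list first and turned create_whitelist into dead code.
}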
#######################################
# Seed WHITELIST_PROCESSES with a default list on first run.
# Globals:   WHITELIST_PROCESSES (created if absent)
# Arguments: none
# Returns:   0
# NOTE: no check on this page reads the file yet; it is a hook for future filtering.
#######################################
create_whitelist() {
  # Already present: leave the operator's edits alone
  [ -f "$WHITELIST_PROCESSES" ] && return 0
  cat > "$WHITELIST_PROCESSES" << 'EOF'
/usr/bin/ssh
/usr/sbin/sshd
/bin/bash
/bin/sh
/usr/bin/python3
/usr/bin/perl
/usr/bin/wget
/usr/bin/curl
/usr/bin/nc
EOF
  ids_log "INFO" "Created process whitelist"
}
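#######################################
# Search writable/user directories for the byte patterns in SIGNATURE_DB,
# alert on each hit and copy the file into QUARANTINE_DIR.
# Globals:   SIGNATURE_DB (read), QUARANTINE_DIR (written)
# Arguments: none
# Outputs:   log lines; ids_alert per hit
# Returns:   0; 1 if xxd is not installed (scan skipped)
#######################################
scan_malware_signatures() {
  ids_log "INFO" "Starting malware signature scan"
  local scan_dirs=("/tmp" "/var/tmp" "/dev/shm" "/home" "/var/www")
  local detections=0
  # Without xxd the decoded pattern was empty, and grep -l "" matched every file:
  # the whole of /home would have been quarantined. Skip instead.
  if ! command -v xxd >/dev/null 2>&1; then
    ids_log "WARNING" "xxd not installed; malware signature scan skipped"
    return 1
  fi
  local name pattern description decoded dir file quarantine_file
  while IFS=':' read -r name pattern description; do
    # Skip comments and blank lines
    [[ "$name" =~ ^#.*$ ]] || [[ -z "$name" ]] && continue
    decoded=$(printf '%s' "$pattern" | xxd -r -p)
    [ -n "$decoded" ] || continue
    for dir in "${scan_dirs[@]}"; do
      [ -d "$dir" ] || continue
      # -F: the decoded signature is a byte string, not a regex. "<?php eval($_POST["
      # contains "[" and made grep fail (silently, under 2>/dev/null), so that
      # signature never matched. "{} +" batches files per grep call.
      # The loop reads from a process substitution, so it runs in this shell and
      # $detections survives (a pipeline put it in a subshell and always logged 0).
      while IFS= read -r file; do
        ids_log "CRITICAL" "Malware signature detected: $name in $file"
        ids_alert "CRITICAL" "Malware Detected" "Signature: $name\nDescription: $description\nFile: $file\nTime: $(date)"
        # "Quarantine" = copy aside and lock the copy; the original stays in
        # place (same policy as before) so an admin can review before removal.
        quarantine_file="$QUARANTINE_DIR/$(basename "$file")_$(date +%s)"
        cp "$file" "$quarantine_file" 2>/dev/null
        chmod 000 "$quarantine_file" 2>/dev/null
        ids_log "INFO" "File quarantined: $quarantine_file"
        detections=$((detections + 1))
      done < <(find "$dir" -type f -exec grep -lF -- "$decoded" {} + 2>/dev/null)
    done
  done < "$SIGNATURE_DB"
  ids_log "INFO" "Malware scan completed. Detections: $detections"
}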
#######################################
# Cheap rootkit heuristics: hidden PIDs, missing syscall-table symbols,
# oddly formatted lsmod rows.
# Globals:   none
# Arguments: none
# Outputs:   log lines; ids_alert on a large PID mismatch
# Returns:   0
#######################################
detect_rootkits() {
  ids_log "INFO" "Starting rootkit detection"
  # PIDs visible in /proc versus rows printed by ps. ps output includes its
  # header row, so the raw difference is off by one; the threshold of 5 absorbs
  # that and the normal churn between the two snapshots.
  local visible_procs proc_entries hidden
  visible_procs=$(ps aux | wc -l)
  proc_entries=$(ls /proc | grep -cE '^[0-9]+$')
  hidden=$((proc_entries - visible_procs))
  if [ "$hidden" -gt 5 ]; then
    ids_log "WARNING" "Potential hidden processes detected (diff: $hidden)"
    ids_alert "HIGH" "Hidden Processes" "Process count mismatch detected\nps count: $visible_procs\n/proc count: $proc_entries\nDifference: $hidden"
  fi

  # Syscall-table symbols absent from kallsyms. Only the symbol names are
  # checked, so kptr_restrict (zeroed addresses) does not trip this.
  if [ -f "/proc/kallsyms" ]; then
    local syscall_symbols
    syscall_symbols=$(grep -cE "(sys_call_table|system_call)" /proc/kallsyms)
    [ "$syscall_symbols" -eq 0 ] && ids_log "WARNING" "System call table not visible - possible rootkit"
  fi

  # lsmod rows that do not look like "name size used[ by]"; a formatting
  # heuristic, not a signature check.
  local row_pattern='^(Module|[a-zA-Z0-9_]+\s+[0-9]+\s+[0-9]+)'
  local odd_rows
  odd_rows=$(lsmod | grep -cvE "$row_pattern")
  if [ "$odd_rows" -gt 0 ]; then
    ids_log "WARNING" "Suspicious kernel modules detected"
    local module
    while read -r module; do
      ids_log "SUSPICIOUS" "Kernel module: $module"
    done < <(lsmod | grep -vE "$row_pattern")
  fi
  return 0
}
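#######################################
# Network heuristics: SYN_RECV pile-up, peers with many connections, UDP/53 sockets.
# Globals:   none
# Arguments: none
# Outputs:   log lines; ids_alert on the higher thresholds
# Returns:   0
#######################################
detect_network_anomalies() {
  ids_log "INFO" "Detecting network anomalies"
  # Half-open connection pile-up as a crude scan / SYN-flood indicator
  local recent_connections
  recent_connections=$(netstat -tn 2>/dev/null | grep -c "SYN_RECV")
  if [ "$recent_connections" -gt 50 ]; then
    ids_log "WARNING" "Potential port scan detected (SYN_RECV: $recent_connections)"
    ids_alert "HIGH" "Port Scan Detected" "High number of SYN_RECV connections: $recent_connections"
  fi

  # Peers with more than 20 established connections. The port is stripped from
  # the end of the "addr:port" column so IPv6 peers keep their address
  # (cut -d: -f1 reduced "::ffff:1.2.3.4:443" to an empty string).
  local high_traffic_ips
  high_traffic_ips=$(netstat -tn 2>/dev/null | awk '$6=="ESTABLISHED" {print $5}' \
    | sed 's/:[0-9]*$//' | sort | uniq -c | sort -nr | awk '$1>20')
  if [ -n "$high_traffic_ips" ]; then
    ids_log "INFO" "High traffic IPs detected"
    local count ip
    while read -r count ip; do
      if [ "$count" -gt 100 ]; then
        ids_log "WARNING" "Very high traffic from $ip: $count connections"
        ids_alert "MEDIUM" "High Traffic" "IP $ip has $count active connections"
      fi
    done <<< "$high_traffic_ips"
  fi

  # DNS-tunnelling heuristic: UDP sockets whose peer port is 53. The previous
  # bare ":53" substring also hit ":5353", ":8053" and any address containing 53.
  # NOTE(review): netstat -un lists sockets, not queries, and most resolvers use
  # short-lived unconnected sockets — confirm this fires on the target before
  # trusting the threshold.
  local dns_queries
  dns_queries=$(netstat -un 2>/dev/null | awk '$5 ~ /:53$/' | wc -l)
  if [ "$dns_queries" -gt 100 ]; then
    ids_log "WARNING" "Potential DNS tunneling (queries: $dns_queries)"
  fi
}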
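#######################################
# Alert on SUID/SGID files that were not in the stored baseline, and on a high
# count of today's sudo authentication failures.
# Globals:   none read; /var/lib/ids/suid_baseline.txt is created on first run
# Arguments: none
# Outputs:   log lines; ids_alert per new file / on sudo failures
# Returns:   0; 1 if a temp file cannot be created (check skipped)
#######################################
detect_privilege_escalation() {
  ids_log "INFO" "Checking for privilege escalation"
  local suid_baseline="/var/lib/ids/suid_baseline.txt"
  # The first run used to fail here: cp into a directory that did not exist yet
  mkdir -p "$(dirname "$suid_baseline")"
  # Unpredictable temp name. The old fixed /tmp/suid_files_DATE.txt could be
  # pre-created by any local user before root opened it for writing.
  local suid_files
  suid_files=$(mktemp) || { ids_log "WARNING" "mktemp failed; SUID check skipped"; return 1; }
  # comm(1) requires both inputs sorted; find emits filesystem order, which
  # made the previous comparison report spurious "new" files.
  # NOTE: a full "find /" per run is expensive on large filesystems.
  find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | LC_ALL=C sort > "$suid_files"
  if [ -f "$suid_baseline" ]; then
    local new_suid
    new_suid=$(LC_ALL=C comm -13 <(LC_ALL=C sort "$suid_baseline") "$suid_files")
    if [ -n "$new_suid" ]; then
      ids_log "CRITICAL" "New SUID/SGID files detected"
      local file
      while read -r file; do
        ids_log "CRITICAL" "New SUID/SGID: $file"
        ids_alert "CRITICAL" "New SUID/SGID File" "New privileged file detected: $file\nTime: $(date)"
      done <<< "$new_suid"
    fi
  else
    # The baseline is never refreshed afterwards: a legitimately added setuid
    # binary alerts on every run until the baseline file is regenerated.
    cp "$suid_files" "$suid_baseline"
    ids_log "INFO" "Created SUID/SGID baseline"
  fi
  rm -f -- "$suid_files"

  # sudo failures today. %e pads the day with a space ("Jan  5") as traditional
  # syslog does; %d ("05") matched nothing before the 10th of each month.
  local today
  today=$(date '+%b %e')
  local sudo_failures
  sudo_failures=$(grep "sudo:.*authentication failure" /var/log/auth.log 2>/dev/null | grep -c -- "$today")
  if [ "$sudo_failures" -gt 10 ]; then
    ids_log "WARNING" "High sudo authentication failures: $sudo_failures"
    ids_alert "MEDIUM" "Sudo Abuse" "High number of sudo failures: $sudo_failures"
  fi
}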
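#######################################
# Hash every file under the system directories, diff against the stored
# baseline, log each changed/added file, alert on more than 5, then accept
# the new state as the baseline.
# Globals:   none read; /var/lib/ids/baseline_*.txt are created/rewritten
# Arguments: none
# Outputs:   log lines; ids_alert on mass changes
# Returns:   0; 1 if a scratch directory cannot be created (check skipped)
#######################################
advanced_file_integrity() {
  ids_log "INFO" "Advanced file integrity checking"
  local critical_dirs=("/bin" "/sbin" "/usr/bin" "/usr/sbin" "/etc")
  local integrity_db="/var/lib/ids/file_integrity.db"
  mkdir -p "$(dirname "$integrity_db")"
  # Private scratch directory. The previous fixed /tmp/current_*.txt names could
  # be pre-created or symlinked by any local user before root wrote to them.
  local work_dir
  work_dir=$(mktemp -d) || { ids_log "WARNING" "mktemp failed; integrity check skipped"; return 1; }
  local dir current baseline changes file
  for dir in "${critical_dirs[@]}"; do
    [ -d "$dir" ] || continue
    current="$work_dir/current_${dir//\//_}.txt"
    baseline="/var/lib/ids/baseline_${dir//\//_}.txt"
    # LC_ALL=C gives a locale-independent order; the diff below treats a reordered
    # line as a change, so a locale switch between runs used to look like a
    # mass modification. (Expect one such flurry when an old baseline is first
    # re-sorted by this version.)
    find "$dir" -type f -exec sha256sum {} + 2>/dev/null | LC_ALL=C sort > "$current"
    if [ -f "$baseline" ]; then
      # Lines only in the new listing = modified or newly added files
      changes=$(diff "$baseline" "$current" | grep -c "^>")
      if [ "$changes" -gt 0 ]; then
        ids_log "WARNING" "File changes detected in $dir: $changes files"
        # sha256sum rows are "HASH  PATH" (two spaces); strip "> HASH  " to get the
        # path. The old cut -f3- kept a leading space and broke on paths with spaces.
        while IFS= read -r file; do
          ids_log "CHANGED" "File modified: $file"
        done < <(diff "$baseline" "$current" | sed -n 's/^> [0-9a-f]*  *//p')
        if [ "$changes" -gt 5 ]; then
          ids_alert "HIGH" "Mass File Changes" "$changes files changed in $dir\nTime: $(date)"
        fi
      fi
      # Existing policy: alert once, then trust the new state. This also means
      # an unwanted change is trusted after one run — keep an off-box baseline
      # if that matters.
      cp "$current" "$baseline"
    else
      cp "$current" "$baseline"
      ids_log "INFO" "Created baseline for $dir"
    fi
  done
  rm -rf -- "$work_dir"
}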
#######################################
# Write a timestamped IDS report: per-level counts for today, recent CRITICAL
# lines and the quarantine listing.
# Globals:   IDS_LOG, QUARANTINE_DIR (read); start_time (read — set by the
#            main section of this script, not by this function)
# Arguments: none
# Outputs:   /var/log/ids_report_YYYYMMDD_HHMMSS.txt
# Returns:   0
#######################################
generate_ids_report() {
  local report_file="/var/log/ids_report_$(date +%Y%m%d_%H%M%S).txt"
  local day
  day=$(date +%Y-%m-%d)
  {
    printf '%s\n' "=== INTRUSION DETECTION SYSTEM REPORT ===" "Date: $(date)" "Server: $(hostname)"
    printf '%s\n' "Scan Duration: $(date -d "$start_time" '+%Y-%m-%d %H:%M:%S') - $(date '+%Y-%m-%d %H:%M:%S')" ""
    printf '%s\n' "=== SUMMARY ==="
    # Counts are substring matches on the level tag within today's lines
    local n_critical n_warning n_info
    n_critical=$(grep "CRITICAL" "$IDS_LOG" | grep -c -- "$day")
    n_warning=$(grep "WARNING" "$IDS_LOG" | grep -c -- "$day")
    n_info=$(grep "INFO" "$IDS_LOG" | grep -c -- "$day")
    printf '%s\n' "Critical Alerts: $n_critical" "High Alerts: $n_warning" "Info Events: $n_info" ""
    printf '%s\n' "=== RECENT CRITICAL EVENTS ==="
    grep "CRITICAL" "$IDS_LOG" | grep -- "$day" | tail -20
    printf '%s\n' "" "=== QUARANTINED FILES ==="
    ls -la "$QUARANTINE_DIR" 2>/dev/null || printf '%s\n' "No quarantined files"
  } > "$report_file"
  ids_log "INFO" "IDS report generated: $report_file"
}
# Main execution. start_time is a script-level global read by generate_ids_report.
# Checks run in this order with no "set -e"; the heavy ones are
# scan_malware_signatures (walks /home and /var/www per signature),
# detect_privilege_escalation (find /) and advanced_file_integrity (hashes /usr/bin, /etc, ...).
start_time=$(date)
ids_log "INFO" "Starting IDS scan"
create_signature_db
create_whitelist
scan_malware_signatures
detect_rootkits
detect_network_anomalies
detect_privilege_escalation
advanced_file_integrity
generate_ids_report
ids_log "INFO" "IDS scan completed"
⚙️ 4. Cấu Hình Tự Động Hóa
Cron Jobs cho Security Monitoring
# Open the crontab editor (a shell command, not a crontab line)
crontab -e
# Add the lines below.
# NOTE: cron runs with a minimal environment (PATH is typically just the system
# bin dirs) and the scripts call mail, iptables and netstat; add a PATH= line at
# the top of the crontab or use absolute paths if a job logs "command not found".
# All three scripts read /var/log/auth.log, write under /var/log and /var/lib,
# and security_monitor.sh calls iptables, so they are meant for root's crontab.
# Log analysis every hour
0 * * * * /path/to/log_analyzer.sh
# Security monitoring every 30 minutes
*/30 * * * * /path/to/security_monitor.sh
# IDS scan every 4 hours (this is the expensive one: full find / and hashing of the system dirs)
0 */4 * * * /path/to/intrusion_detection.sh
# Daily security report at 07:00
# NOTE(review): generate_security_report.sh is not one of the scripts on this page
# (the report is produced inside security_monitor.sh) — provide it or drop the line.
0 7 * * * /path/to/generate_security_report.sh
# Weekly deep scan on Sunday at 03:00
# NOTE(review): deep_security_scan.sh is not provided on this page either.
0 3 * * 0 /path/to/deep_security_scan.sh
Systemd Services
# /etc/systemd/system/security-monitor.service
[Unit]
Description=Security Monitoring Service
After=network.target
[Service]
# security_monitor.sh runs its checks once and exits. With Type=simple and
# Restart=always the unit is restarted RestartSec seconds after every exit, so
# this effectively runs the script every 30 s — far more often than the 30-min
# cron cadence above. A systemd timer (or Type=oneshot without Restart=) is the
# usual shape for a periodic job.
Type=simple
# NOTE(review): the script reads /var/log/auth.log, writes under /var/log and
# /etc/security, and calls iptables. An unprivileged "security" user gets
# permission errors on those files, and the iptables call fails while the
# script still logs "IPTABLES: Blocked" (its stderr is discarded). Either grant
# the needed access (e.g. the adm group for auth.log, as in the troubleshooting
# section) or run the unit as root with sandboxing directives.
User=security
Group=security
ExecStart=/opt/security/security_monitor.sh
Restart=always
RestartSec=30
[Install]
WantedBy=multi-user.target
📧 5. Cấu Hình Alert System
Email Alert Configuration
# /etc/security/alert_config.sh
# Sourced by alert_manager.sh. It holds credentials: keep it root-owned with
# mode 0600 so SMTP_PASS and the Slack webhook are not readable by other users.
ALERT_EMAIL="[email protected]"
# NOTE(review): alert_manager.sh on this page sends through mail(1) and never
# reads the SMTP_* values; the MTA (postfix, see Troubleshooting) must be set up
# separately unless a mailer that consumes these variables is added.
SMTP_SERVER="smtp.company.com"
SMTP_PORT="587"
SMTP_USER="[email protected]"
SMTP_PASS="your_password"   # placeholder — never commit or share the real value
# Slack webhook (optional). The URL itself is the credential: anyone holding it can post to the channel.
SLACK_WEBHOOK="https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK"
# Alert levels — not referenced by alert_manager.sh; intended for the calling scripts
CRITICAL_THRESHOLD=5
HIGH_THRESHOLD=10
MEDIUM_THRESHOLD=20
Advanced Alert Script
#!/bin/bash
# alert_manager.sh - route alerts to e-mail / Slack / SMS by level
# Load ALERT_EMAIL and SLACK_WEBHOOK (plus the SMTP_* values, unused here).
# The file carries SMTP_PASS, so it should be root-owned and mode 0600.
. /etc/security/alert_config.sh
#######################################
# Mail one alert to ALERT_EMAIL via mail(1).
# Globals:   ALERT_EMAIL (read)
# Arguments: $1 - subject, $2 - body
# Returns:   mail's exit status
#######################################
send_email_alert() {
  local subject="$1"
  local body="$2"
  printf '%s\n' "$body" | mail -s "$subject" "$ALERT_EMAIL"
}
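#######################################
# Post one alert to the Slack incoming webhook, if one is configured.
# Globals:   SLACK_WEBHOOK (read)
# Arguments: $1 - message text (may contain quotes, backslashes, newlines)
# Returns:   0 when no webhook is configured; otherwise curl's exit status
#            (non-zero on network failure or a non-2xx response)
#######################################
send_slack_alert() {
  local message="$1"
  [ -n "$SLACK_WEBHOOK" ] || return 0
  # Build a valid JSON string: escape backslash, double quote and the control
  # characters that show up in alert text. Interpolating the raw message let a
  # quote in a log line break — or reshape — the payload.
  local json="$message"
  json=${json//\\/\\\\}
  json=${json//\"/\\\"}
  json=${json//$'\n'/\\n}
  json=${json//$'\r'/\\r}
  json=${json//$'\t'/\\t}
  # -sS: quiet unless it fails; --fail: non-2xx is an error; --max-time bounds a hung hook
  curl -sS --fail --max-time 15 -X POST -H 'Content-type: application/json' \
    --data "{\"text\":\"$json\"}" \
    "$SLACK_WEBHOOK"
}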
#######################################
# SMS stub: prints the alert to stdout. Replace with a real gateway call if needed.
# Arguments: $1 - message text
# Outputs:   "SMS alert: <message>"
#######################################
send_sms_alert() {
  printf 'SMS alert: %s\n' "$1"
}
# Usage: alert_manager.sh LEVEL TITLE MESSAGE
# Dispatch by level: CRITICAL fans out to all three channels, HIGH to e-mail
# and Slack, MEDIUM to e-mail, anything else is mailed as INFO.
case "$1" in
  CRITICAL)
    send_email_alert "[CRITICAL] $2" "$3"
    send_slack_alert "🚨 CRITICAL: $2 - $3"
    send_sms_alert "CRITICAL: $2"
    ;;
  HIGH)
    send_email_alert "[HIGH] $2" "$3"
    send_slack_alert "⚠️ HIGH: $2 - $3"
    ;;
  MEDIUM)
    send_email_alert "[MEDIUM] $2" "$3"
    ;;
  *)
    send_email_alert "[INFO] $2" "$3"
    ;;
esac
🔧 6. Troubleshooting
Các lỗi thường gặp:
- Permission denied khi đọc log files:
sudo usermod -a -G adm security_user
sudo chmod 644 /var/log/auth.log
Lưu ý: chmod 644 làm cho auth.log (chứa tên user và địa chỉ IP đăng nhập) đọc được với mọi user trên máy; nên ưu tiên cách thêm user vào group adm và giữ nguyên quyền mặc định của file.
- Mail command không hoạt động:
sudo apt-get install mailutils postfix
sudo systemctl enable postfix
sudo systemctl start postfix
- False positives trong IDS:
# Thêm vào whitelist
echo "/path/to/legitimate/file" >> /etc/ids/whitelist_files.txt
(Lưu ý: intrusion_detection.sh ở trên chưa đọc file whitelist_files.txt; cần bổ sung bước kiểm tra whitelist trong scan_malware_signatures thì dòng này mới có tác dụng.)
- Log files quá lớn:
# Cấu hình log rotation
sudo nano /etc/logrotate.d/security
Performance Optimization
# Reduce scan frequency on heavily loaded hosts
# NOTE(review): none of the three scripts on this page reads SCAN_INTERVAL or
# MAX_FILES_SCAN; they are knobs still to be wired in (e.g. the cron interval
# above, or a cap on the find output in scan_malware_signatures).
SCAN_INTERVAL=3600 # 1 hour instead of 30 minutes
# Cap the number of files scanned
MAX_FILES_SCAN=10000
# Lower CPU priority with nice; for the find/hash-heavy IDS run, ionice -c3 also limits disk impact
nice -n 19 /path/to/security_script.sh
Lưu ý quan trọng:
- Test tất cả scripts trên môi trường dev
- Cấu hình whitelist cẩn thận để tránh false positives
- Monitor performance impact của security scripts
- Backup cấu hình security thường xuyên
- Review và update signatures định kỳ