|
?
目前����,客戶只能在發(fā)現(xiàn)數(shù)據(jù)或者虛擬機被惡意侵入或者用戶的誤操作導致了數(shù)據(jù)的丟失之后,采取善后的手段���,但是并沒法做到提前的預警��。那么通過 PAM 模塊,就可以實現(xiàn)用戶登錄及獲取root 權(quán)限時��,通過郵件的方式進行通知����。以實現(xiàn)預先知道�����、預先警惕的目標��,同時降低受影響的范圍���。以下是通過 PAM 模塊實現(xiàn)的郵件通知用戶登錄的功能
?
1.創(chuàng)建腳本(/tmp/ssh/login_notify.sh)���,備注:該腳本可存放在服務器的任意位置,但是需要將后續(xù)的路徑指定好
[root@hlmcen75n1-gen-um waagent]# cat /tmp/ssh/login_notify.sh
#!/bin/bash
[ "$PAM_TYPE" = "open_session" ] || exit 0
{
echo "User: $PAM_USER"
echo "Ruser: $PAM_RUSER"
echo "Rhost: $PAM_RHOST"
echo "Service: $PAM_SERVICE"
echo "TTY: $PAM_TTY"
echo "Date: `date`"
echo "Server: `uname -a`"
} | mail -s "`hostname -s` $PAM_SERVICE login: $PAM_USER" user@yourdomain.com
?
2.給腳本(/tmp/ssh/login_notify.sh)添加可執(zhí)行權(quán)限
[root@hlmcen75n1-gen-um ~]# chmod x /tmp/ssh/login_notify.sh
?
3.編輯文件(/etc/pam.d/sshd)���,在文件最后追加一行(session optional pam_exec.so debug /bin/bash /tmp/ssh/login_notify.sh)
[root@hlmcen75n1-gen-um waagent]# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
session optional pam_exec.so debug /bin/bash /tmp/ssh/login_notify.sh
?
4.至此�����,每一個用戶登錄都會發(fā)郵件通知給收件人��,內(nèi)容包括用戶名以及登錄的 IP 地址信息���。如果遇到陌生 IP�,那么就要注意�����。以此來判斷該虛擬機是否正在遭受攻擊�,郵件示例如下:
?
5.同理,你可以在把上述腳本應用到 /etc/pam.d/ 其他模塊中���,比如 sudo�����,login 等�����,來進行監(jiān)控
?
參考鏈接:https://docs./zh-cn/articles/azure-operations-guide/virtual-machines/linux/aog-virtual-machines-linux-security-reinforce
? 來源:http://www./content-3-204451.html
|
