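// Immediate one-off run of the polling check (left disabled; the schedules
// below are what actually trigger it).
//loopCheck();

// Daily at 08:35. node-cron style 5-field expression:
// minute hour day-of-month month day-of-week.
cron.schedule('35 8 * * *', () => {
  // The message now states the real schedule; it previously claimed a
  // per-minute run, which did not match the expression above.
  console.log('目标函数在每天 8:35 执行!');
  loopCheck_info();
  // Add any other function that should run on this schedule here.
});

// Every 30 minutes (at :00 and :30) from 09:00 through 20:30.
cron.schedule('*/30 9-20 * * *', () => {
  console.log('目标函数在 9-20 点每 30 分钟执行一次!');
  loopCheck();
  // Add any other function that should run on this schedule here.
});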
root@aea87fa6e6a2:/home/node# crontab -e
bash: crontab: command not found
root@aea87fa6e6a2:/home/node# exit
exit
[root@localhost ~]# crontab -e
crontab: no changes made to crontab
[root@localhost ~]# cat log.sh
#!/bin/bash
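#######################################
# Escapes a string for use inside a JSON string literal and prints it.
# Handles backslash, double quote, CR, LF and TAB. The report text is built
# from /var/log/secure lines, which echo remote-supplied usernames
# ("Failed password for invalid user ..."), so a quote or backslash there
# would otherwise break the request body.
# Arguments: $1 - raw text
# Outputs:   escaped text on stdout (no trailing newline)
#######################################
json_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  s=${s//$'\r'/\\r}
  s=${s//$'\n'/\\n}
  s=${s//$'\t'/\\t}
  printf '%s' "$s"
}

#######################################
# Posts the collected login lines to the WeChat Work webhook and appends
# them to /var/log/logins.
# Globals:   WEBHOOK_KEY (read, optional) - overrides the key embedded below
# Arguments: $1 - report body, one "<label>: <source>" line per event
#            $2 - address of this host, shown in the message header
#            $3 - human-readable timestamp, shown in the message header
# Outputs:   webhook response and a success line on stdout, errors on stderr
# Returns:   0 when the webhook accepted the request, curl's status otherwise
#######################################
sendLogsToAPI() {
  local logs=$1
  local ip=$2
  local datetime=$3
  # The key alone lets anyone post into the group. It stays here only for
  # compatibility with the original script; supply it through WEBHOOK_KEY
  # (or a root-only file) and remove the default, because the full URL is
  # visible in `ps` and in `set -x` traces while curl runs.
  local key=${WEBHOOK_KEY:-17e3b586-20b3-4283-adf2-eca2ffa84130}
  local content resData
  # "\n" is written literally so that the JSON parser turns it into newlines.
  content="$(json_escape "$datetime")\\n$(json_escape "$ip")\\n在30分钟内有用户登录:\\n$(json_escape "$logs")"
  resData=$(printf '{"msgtype": "text", "text": {"content": "%s"}}' "$content")
  # --fail makes an HTTP error a non-zero status, so the success line is no
  # longer printed unconditionally; --max-time keeps a hung endpoint from
  # stalling the cron job.
  local rc=0
  curl -sS --fail --max-time 15 -X POST \
    -H "Content-Type: application/json" \
    -d "$resData" \
    "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=${key}" || rc=$?
  # The local audit log is written either way so nothing is lost when the
  # webhook is down.
  echo "$logs" >> /var/log/logins
  if (( rc != 0 )); then
    printf 'webhook request failed (curl exit %d)\n' "$rc" >&2
    return "$rc"
  fi
  echo "提示成功!"
}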
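# Human-readable timestamp that prefixes every audit-log line and the
# webhook message.
datetime=$(date +"%Y年%m月%d日 %H:%M")
echo "脚本启动时间:$datetime" >> /var/log/logins
# Address of the interface that routes toward the internet (the "src" hint
# of a route lookup); used only to label which host sent the report.
IP=$(/usr/sbin/ip route get 1 | grep -oE 'src \S+' | awk '{print $2}')
# Source addresses whose logins are recorded locally but never forwarded.
whitelist=("192.168.10.99" "192.168.1.101") # example entries
# How many trailing lines of /var/log/secure are scanned before the time
# filter. The original 100 lines can cover only seconds of a brute-force
# burst, so the default is larger and can be overridden via LOG_TAIL_LINES.
log_tail_lines=${LOG_TAIL_LINES:-5000}

# Lines of /var/log/secure whose syslog timestamp is within the last
# 30 minutes. The timestamp is converted to epoch seconds with gawk mktime()
# so the comparison is numeric; the original string comparison failed on
# days 1-9 (the "%_d" bound carried a padding space that the rebuilt field
# lacked) and across month boundaries. Syslog lines carry no year, so the
# current year is assumed (a Dec 31 line read on Jan 1 is dropped). Lines
# whose first field is not a month name (e.g. RFC 3339 timestamps from newer
# rsyslog) are dropped rather than matched.
recent_logs=$(tail -n "$log_tail_lines" /var/log/secure | awk \
  -v start="$(date -d '-30 minutes' +%s)" \
  -v now="$(date +%s)" \
  -v year="$(date +%Y)" '
  BEGIN {
    n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
    for (i = 1; i <= n; i++) mon[names[i]] = i
  }
  ($1 in mon) {
    split($3, hms, ":")
    ts = mktime(year " " mon[$1] " " $2 " " hms[1] " " hms[2] " " hms[3])
    if (ts >= start && ts <= now) print
  }')

#######################################
# Exact-string whitelist membership test.
# Globals:   whitelist (read)
# Arguments: $1 - candidate source (address or terminal name)
# Returns:   0 when whitelisted, 1 otherwise
#######################################
in_whitelist() {
  local candidate=$1 allowed
  for allowed in "${whitelist[@]}"; do
    [[ "$candidate" == "$allowed" ]] && return 0
  done
  return 1
}

#######################################
# Appends "<label>: <source>" lines to $output for every recent log line
# that contains $2, taking field $4 of what the ERE $3 extracts from it.
# Whitelisted sources are written to /var/log/logins instead. A source that
# appears on several lines is listed once per line, as before.
# Globals:   recent_logs, datetime, whitelist (read); output (appended)
# Arguments: $1 - label, $2 - fixed grep pattern, $3 - extraction ERE,
#            $4 - 1-based field of the extracted text to keep
#######################################
collect_logins() {
  local label=$1 pattern=$2 regex=$3 field=$4
  local -a sources=()
  local src
  mapfile -t sources < <(grep -- "$pattern" <<<"$recent_logs" \
    | grep -oE -- "$regex" \
    | awk -v f="$field" '{print $f}')
  for src in "${sources[@]}"; do
    [[ -n "$src" ]] || continue
    if in_whitelist "$src"; then
      echo "$datetime $src 在白名单内,登录信息未发送到API" >> /var/log/logins
      continue
    fi
    output+="$label: $src"$'\n'
  done
}

output=""
# Only dotted-quad addresses are recognised; IPv6 sources are not reported.
ipv4='[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'
collect_logins "密码登录成功" 'Accepted password' "$ipv4" 1
collect_logins "密码登录失败" 'Failed password' "$ipv4" 1
collect_logins "证书登录成功" 'Accepted publickey' "from $ipv4" 2
# "authentication failure" is PAM's generic message, so this bucket is not
# limited to public-key failures; the author's label is kept.
collect_logins "证书登录失败" 'authentication failure' "$ipv4" 1
collect_logins "本地认证成功" 'login: LOGIN' "FROM $ipv4" 2
collect_logins "本地认证失败" 'login: FAILED' "FROM $ipv4" 2
# The original extracted only the literal "ON tty" / "FROM tty" and so always
# reported the word "tty"; the terminal name is now captured.
collect_logins "本地登录成功" 'login:' 'ON tty[^ ]*' 2
collect_logins "本地登录失败" 'login: FAILED' 'FROM tty[^ ]*' 2

if [ -n "$output" ]; then
  # Random 2-6 second delay (the original comment said 2-5); presumably to
  # stagger webhook calls from hosts that share the same cron minute.
  sleep $((RANDOM % 5 + 2))
  echo "$IP 获取到30分钟内的登录信息:"
  echo "$output"
  sendLogsToAPI "$output" "$IP" "$datetime"
fi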
下面是正式版本:
#!/bin/bash
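#######################################
# Escapes a string for use inside a JSON string literal and prints it.
# Handles backslash, double quote, CR, LF and TAB. The report text is built
# from /var/log/secure lines, which echo remote-supplied usernames
# ("Failed password for invalid user ..."), so a quote or backslash there
# would otherwise break the request body.
# Arguments: $1 - raw text
# Outputs:   escaped text on stdout (no trailing newline)
#######################################
json_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  s=${s//$'\r'/\\r}
  s=${s//$'\n'/\\n}
  s=${s//$'\t'/\\t}
  printf '%s' "$s"
}

#######################################
# Posts the collected login lines to the WeChat Work webhook and appends
# them to /var/log/logins.
# Globals:   WEBHOOK_KEY (read, optional) - overrides the key embedded below
# Arguments: $1 - report body, one "<label>: <source>" line per event
#            $2 - address of this host, shown in the message header
#            $3 - human-readable timestamp, shown in the message header
# Outputs:   webhook response and a success line on stdout, errors on stderr
# Returns:   0 when the webhook accepted the request, curl's status otherwise
#######################################
sendLogsToAPI() {
  local logs=$1
  local ip=$2
  local datetime=$3
  # The key alone lets anyone post into the group. It stays here only for
  # compatibility with the original script; supply it through WEBHOOK_KEY
  # (or a root-only file) and remove the default, because the full URL is
  # visible in `ps` and in `set -x` traces while curl runs.
  local key=${WEBHOOK_KEY:-8ff711ab-f80b-7adf0831a8bc}
  local content resData
  # "\n" is written literally so that the JSON parser turns it into newlines.
  content="$(json_escape "$datetime")\\n$(json_escape "$ip")\\n在30分钟内有用户登录:\\n$(json_escape "$logs")"
  resData=$(printf '{"msgtype": "text", "text": {"content": "%s"}}' "$content")
  # --fail makes an HTTP error a non-zero status, so the success line is no
  # longer printed unconditionally; --max-time keeps a hung endpoint from
  # stalling the cron job.
  local rc=0
  curl -sS --fail --max-time 15 -X POST \
    -H "Content-Type: application/json" \
    -d "$resData" \
    "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=${key}" || rc=$?
  # The local audit log is written either way so nothing is lost when the
  # webhook is down.
  echo "$logs" >> /var/log/logins
  if (( rc != 0 )); then
    printf 'webhook request failed (curl exit %d)\n' "$rc" >&2
    return "$rc"
  fi
  echo "提示成功!"
}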
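# Human-readable timestamp that prefixes every audit-log line and the
# webhook message.
datetime=$(date +"%Y年%m月%d日 %H:%M")
echo "脚本启动时间:$datetime" >> /var/log/logins
# Address of the interface that routes toward the internet (the "src" hint
# of a route lookup); used only to label which host sent the report.
IP=$(/usr/sbin/ip route get 1 | grep -oE 'src \S+' | awk '{print $2}')
# Source addresses whose logins are recorded locally but never forwarded.
whitelist=("192.168.0.9" "192.168.1.1") # example entries
# How many trailing lines of /var/log/secure are scanned before the time
# filter. The original 100 lines can cover only seconds of a brute-force
# burst, so the default is larger and can be overridden via LOG_TAIL_LINES.
log_tail_lines=${LOG_TAIL_LINES:-5000}

# Lines of /var/log/secure whose syslog timestamp is within the last
# 30 minutes. The timestamp is converted to epoch seconds with gawk mktime()
# so the comparison is numeric; the original string comparison failed on
# days 1-9 (the "%_d" bound carried a padding space that the rebuilt field
# lacked) and across month boundaries. Syslog lines carry no year, so the
# current year is assumed (a Dec 31 line read on Jan 1 is dropped). Lines
# whose first field is not a month name (e.g. RFC 3339 timestamps from newer
# rsyslog) are dropped rather than matched.
recent_logs=$(tail -n "$log_tail_lines" /var/log/secure | awk \
  -v start="$(date -d '-30 minutes' +%s)" \
  -v now="$(date +%s)" \
  -v year="$(date +%Y)" '
  BEGIN {
    n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
    for (i = 1; i <= n; i++) mon[names[i]] = i
  }
  ($1 in mon) {
    split($3, hms, ":")
    ts = mktime(year " " mon[$1] " " $2 " " hms[1] " " hms[2] " " hms[3])
    if (ts >= start && ts <= now) print
  }')

#######################################
# Exact-string whitelist membership test.
# Globals:   whitelist (read)
# Arguments: $1 - candidate source (address or terminal name)
# Returns:   0 when whitelisted, 1 otherwise
#######################################
in_whitelist() {
  local candidate=$1 allowed
  for allowed in "${whitelist[@]}"; do
    [[ "$candidate" == "$allowed" ]] && return 0
  done
  return 1
}

#######################################
# Appends "<label>: <source>" lines to $output for every recent log line
# that contains $2, taking field $4 of what the ERE $3 extracts from it.
# Whitelisted sources are written to /var/log/logins instead. A source that
# appears on several lines is listed once per line, as before.
# Globals:   recent_logs, datetime, whitelist (read); output (appended)
# Arguments: $1 - label, $2 - fixed grep pattern, $3 - extraction ERE,
#            $4 - 1-based field of the extracted text to keep
#######################################
collect_logins() {
  local label=$1 pattern=$2 regex=$3 field=$4
  local -a sources=()
  local src
  mapfile -t sources < <(grep -- "$pattern" <<<"$recent_logs" \
    | grep -oE -- "$regex" \
    | awk -v f="$field" '{print $f}')
  for src in "${sources[@]}"; do
    [[ -n "$src" ]] || continue
    if in_whitelist "$src"; then
      echo "$datetime $src 在白名单内,登录信息未发送到API" >> /var/log/logins
      continue
    fi
    output+="$label: $src"$'\n'
  done
}

output=""
# Only dotted-quad addresses are recognised; IPv6 sources are not reported.
ipv4='[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'
collect_logins "密码登录成功" 'Accepted password' "$ipv4" 1
collect_logins "密码登录失败" 'Failed password' "$ipv4" 1
collect_logins "证书登录成功" 'Accepted publickey' "from $ipv4" 2
# "authentication failure" is PAM's generic message, so this bucket is not
# limited to public-key failures; the author's label is kept.
collect_logins "证书登录失败" 'authentication failure' "$ipv4" 1
collect_logins "本地认证成功" 'login: LOGIN' "FROM $ipv4" 2
collect_logins "本地认证失败" 'login: FAILED' "FROM $ipv4" 2
# The original extracted only the literal "ON tty" / "FROM tty" and so always
# reported the word "tty"; the terminal name is now captured.
collect_logins "本地登录成功" 'login:' 'ON tty[^ ]*' 2
collect_logins "本地登录失败" 'login: FAILED' 'FROM tty[^ ]*' 2

if [ -n "$output" ]; then
  # Random 2-6 second delay (the original comment said 2-5); presumably to
  # stagger webhook calls from hosts that share the same cron minute.
  sleep $((RANDOM % 5 + 2))
  echo "$IP 获取到30分钟内的登录信息:"
  echo "$output"
  sendLogsToAPI "$output" "$IP" "$datetime"
fi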