Linux学习第十周


一、编写脚本selinux.sh,实现开启或禁用SELinux功能;

1、临时关闭;
目前 SELinux 支持三种模式,分别如下:
 enforcing :强制模式,代表 SELinux 运作中,且已经正确的开始限制 domain/type 了;
 permissive:宽容模式:代表 SELinux 运作中,不过仅会有警告讯息并不会实际限制domain/type 的存取。这种模式可以用来作为 SELinux 的 debug 之用;
 disabled :关闭,SELinux 并没有实际运作
[root@localhost ~]# cat selinux_temp.sh
#!/bin/bash
echo 'current selinux status!'
getenforce
PS3="enable-selinux or disable-selinux?"

select menu in enable_selinux disable_selinux quit
do
        if [ $menu == "enable_selinux" ] ; then
           setenforce 1;
           echo "selinux is up!"
           break;
        elif [ $menu == "disable_selinux" ] ; then
           setenforce 0;
           echo "selinux is down!"
           break;
        elif [ $menu == "quit" ] ; then
           exit
        fi
done

[root@localhost ~]# chmod +x selinux_temp.sh
测试:

1)编辑退出;

[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# ./selinux_temp.sh
current selinux status!
Enforcing
1) enable_selinux
2) disable_selinux
3) quit
enable-selinux or disable-selinux?3
[root@localhost ~]# getenforce
Enforcing

2)关闭selinux;

[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# ./selinux_temp.sh
current selinux status!
Enforcing
1) enable_selinux
2) disable_selinux
3) quit
enable-selinux or disable-selinux?2
selinux is down!
[root@localhost ~]# getenforce
Permissive

3)开启selinux;

[root@localhost ~]# getenforce
Permissive
[root@localhost ~]# ./selinux_temp.sh
current selinux status!
Permissive
1) enable_selinux
2) disable_selinux
3) quit
enable-selinux or disable-selinux?1
selinux is up!
[root@localhost ~]# getenforce
Enforcing
2、永久关闭(要重启才会生效);
[root@localhost ~]# cat selinux_perm.sh
#!/bin/bash
selinux_cnf="/etc/selinux/config"

case "$1" in
    on)
        sed -ir 's@^SELINUX=.*@SELINUX=enforcing@' $selinux_cnf
        ;;
    off)
        sed -ir 's@^SELINUX=.*@SELINUX=disabled@' $selinux_cnf
        ;;
    *)
        echo "Usage: $0 on|off"
        ;;
esac

[root@localhost ~]# chmod +x selinux_perm.sh
测试:

1)无关字符或空;

[root@localhost ~]# egrep '^SELINUX=' /etc/selinux/config
SELINUX=enforcing
[root@localhost ~]# ./selinux_perm.sh
Usage: ./selinux_perm.sh on|off
[root@localhost ~]# ./selinux_perm.sh dsfert
Usage: ./selinux_perm.sh on|off

2)关闭selinux;

[root@localhost ~]# egrep '^SELINUX=' /etc/selinux/config
SELINUX=enforcing
[root@localhost ~]# ./selinux_perm.sh off
[root@localhost ~]# egrep '^SELINUX=' /etc/selinux/config
SELINUX=disabled

3)开启selinux;

[root@localhost ~]# egrep '^SELINUX=' /etc/selinux/config
SELINUX=disabled
[root@localhost ~]# ./selinux_perm.sh on
[root@localhost ~]# egrep '^SELINUX=' /etc/selinux/config
SELINUX=enforcing

二、统计/etc/fstab文件中每个文件系统类型出现的次数;

[root@localhost ~]# egrep -i '^uuid|^\/dev' /etc/fstab
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=61bfe580-8947-41c1-91c0-0e3422e7d468 /boot                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0
UUID=e598b458-c2ba-4bbe-a2b7-7791be1278fb /test ext4 acl 0 0
UUID=94464a8b-758d-474c-bf56-55b76c425b19 /users ext4 defaults 0 0
[root@localhost ~]# egrep -i '^uuid|^\/dev' /etc/fstab | awk '{print $3}'
xfs
xfs
swap
ext4
ext4
[root@localhost ~]# egrep -i '^uuid|^\/dev' /etc/fstab | awk '{print $3}' | uniq -c
      2 xfs
      1 swap
      2 ext4

三、提取出字符串Yd$C@M05MB%9&Bdh7dq+YVixp3vpw中的所有数字;

[root@localhost ~]# echo "Yd$C@M05MB%9&Bdh7dq+YVixp3vpw" | awk '{gsub(/[^0-9]/,"",$0);print $0}'
05973
[root@localhost ~]# echo "Yd$C@M05MB%9&Bdh7dq+YVixp3vpw" | awk '{gsub(/[^0-9]/,"");print $0}'
05973

### 将字符串打印出来,然后利用awk的自带函数gsub,对字符串进行处理,对匹配到的非数字部分替换为空,awk默认行为是打印$0,即最后只输出剩下的数字。

四、解决DOS攻击生产案例:根据web日志或者或者网络连接数,监控当某个IP 并发连接数或者短时内PV达到100,即调用防火墙命令封掉对应的IP,监控频 率每隔5分钟。防火墙命令为:iptables -A INPUT -s IP -j REJECT。

[root@localhost ~]# cat steal_ip.sh
#!/bin/bash

iplist=`netstat -ant |awk -F'[ :]+' '/ESTABLISHED/{print $6}' | sort | uniq -c | awk '{if($1>100) print $2}' `
    for ip in $iplist;
    do
        iptables -A INPUT -s $ip REJECT
        echo "$ip is dangerous ,was rejected!"
    done
[root@localhost ~]#chmod +x steal_ip.sh
[root@localhost ~]# crontab -l
*/5 * * * * /usr/bin/bash /steal_ip.sh
---

你可能感兴趣的:(Linux学习第十周)