一.代码作用:能够及时抓住不合法用户,并且发送报警
二.代码使用:
如果你想把蜜罐伪装成curl命令:
1.go build bee.go
2.重命名bee为curl
3.将原来的/usr/bin/curl拷贝到/usr/curl(自己使用时直接运行/usr/curl;非法登录用户误用/usr/bin/curl即触发报警)
4.cp bee /usr/bin/curl
5.非法用户使用会直接报警
三.代码
//蜜罐命令
package main
import (
	"encoding/json"
	"fmt"
	"io"
	"io/ioutil"
	"net"
	"net/http"
	"os"
	"runtime"
	"strings"
	"time"
)
// GetTime returns the current local time as "YYYY-MM-DD HH:MM:SS",
// the timestamp that ends the alert message.
func GetTime() string {
	const layout = "2006-01-02 15:04:05"
	return time.Now().Format(layout)
}
// webHook is the DingTalk robot endpoint that SendDingMsg POSTs the alert to.
// The access_token value here is a placeholder and must be replaced before
// building. The token is compiled into the binary that is installed on the
// monitored host, so anyone able to read that binary can read the token.
const webHook = "https://oapi.dingtalk.com/robot/send?access_token=xxxxxxxxx"
// Info holds the fields that make up the alert message (see main).
type Info struct{
ClientIp string // source of the session, taken from the SSH_CLIENT environment variable
Cmd string // name of the command that was run
User string // invoking user, taken from the USER environment variable
PrivateIp string // this host's private (interface) IP, from GetLocalIP
PublicIp string // this host's public IP, from GetPubIp
}
// NewInfo builds an Info from the five alert fields; the arguments are
// assigned to the struct fields of the same name.
func NewInfo(ClientIp, Cmd, User, PrivateIp, PublicIp string) *Info {
	var info Info
	info.ClientIp = ClientIp
	info.Cmd = Cmd
	info.User = User
	info.PrivateIp = PrivateIp
	info.PublicIp = PublicIp
	return &info
}
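// GetPubIp looks up this host's public IP by fetching http://myip.ipip.net,
// taking the second space-separated word of the reply and dropping anything
// from the first ':' onwards. The lookup is plaintext HTTP and the value is
// informational only. It returns ("ipnull", err) when the request fails and
// ("", err) when the reply cannot be read or parsed, so the caller is never
// crashed by a bad answer.
func GetPubIp() (string, error) {
	// The binary runs in the user's foreground session: an unreachable lookup
	// service must time out rather than hang the command indefinitely.
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Get("http://myip.ipip.net")
	if err != nil {
		os.Stderr.WriteString(err.Error())
		os.Stderr.WriteString("\n")
		return "ipnull", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("public ip lookup: unexpected status %s", resp.Status)
	}
	// The reply is a single line; cap the read so a misbehaving server cannot
	// make the process buffer an unbounded body.
	data, err := ioutil.ReadAll(io.LimitReader(resp.Body, 4096))
	if err != nil {
		return "", fmt.Errorf("public ip lookup: reading reply: %w", err)
	}
	words := strings.Split(string(data), " ")
	if len(words) < 2 {
		// Indexing words[1] unconditionally was the panic the old recover() hid.
		return "", fmt.Errorf("public ip lookup: unexpected reply %q", string(data))
	}
	ip := strings.Split(words[1], ":")[0]
	fmt.Println(ip)
	return ip, nil
}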
// GetLocalIP returns the first interface address that is neither loopback nor
// outside the global-unicast range. It returns ("", nil) when no such address
// exists and ("", err) when the interfaces cannot be listed.
func GetLocalIP() (ip string, err error) {
	var addrs []net.Addr
	if addrs, err = net.InterfaceAddrs(); err != nil {
		return "", err
	}
	for _, a := range addrs {
		ipNet, isNet := a.(*net.IPNet)
		if !isNet || ipNet.IP.IsLoopback() || !ipNet.IP.IsGlobalUnicast() {
			continue
		}
		return ipNet.IP.String(), nil
	}
	return "", nil
}
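// getInfo collects the alert fields: the name this binary was invoked as, the
// SSH client address and user from the environment, and the host's private and
// public addresses. Lookup errors leave the field empty; they must not stop the
// alert from being sent.
func getInfo() *Info {
	Cmd := invokedName()
	ClientIp, _ := os.LookupEnv("SSH_CLIENT")
	User, _ := os.LookupEnv("USER")
	PrivateIp, _ := GetLocalIP()
	PublicIp, _ := GetPubIp()
	fmt.Println(Cmd, ClientIp, User, PrivateIp, PublicIp)
	return NewInfo(ClientIp, Cmd, User, PrivateIp, PublicIp)
}

// invokedName returns the base name of os.Args[0], i.e. the name the binary was
// installed and run as (e.g. "curl" after the rename in the setup steps).
// runtime.Caller reports the compile-time source file, so it would say "bee"
// regardless of the installed name; it is kept only as a fallback.
func invokedName() string {
	if len(os.Args) > 0 && os.Args[0] != "" {
		parts := strings.Split(os.Args[0], "/")
		return parts[len(parts)-1]
	}
	_, filename, _, _ := runtime.Caller(0)
	parts := strings.Split(filename, "/")
	return strings.Split(parts[len(parts)-1], ".")[0]
}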
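// SendDingMsg posts msg as a DingTalk text message to webHook. Delivery is
// best-effort: every failure is printed and then ignored so the honeypot binary
// still exits normally.
func SendDingMsg(msg string) {
	// Marshal the payload instead of splicing msg into a JSON template: msg is
	// built from values the invoking user controls (USER, SSH_CLIENT, the command
	// name), and a quote or backslash in them would corrupt the request body.
	payload := struct {
		MsgType string `json:"msgtype"`
		Text    struct {
			Content string `json:"content"`
		} `json:"text"`
	}{MsgType: "text"}
	payload.Text.Content = msg
	content, err := json.Marshal(payload)
	if err != nil {
		fmt.Println(err)
		fmt.Println("钉钉报警请求异常")
		return
	}
	req, err := http.NewRequest("POST", webHook, strings.NewReader(string(content)))
	if err != nil {
		fmt.Println(err)
		fmt.Println("钉钉报警请求异常")
		// req is nil here; continuing (as before) dereferenced it.
		return
	}
	req.Header.Set("Content-Type", "application/json; charset=utf-8")
	// Bounded so an unreachable webhook cannot hang the user's session.
	client := &http.Client{Timeout: 10 * time.Second}
	resp, err := client.Do(req)
	if err != nil {
		fmt.Println(err)
		fmt.Println("顶顶报发送异常!!!")
		// resp is nil here; the deferred Close below must not run.
		return
	}
	defer resp.Body.Close()
	// Drain the body so the connection can be reused; a non-200 status means the
	// webhook rejected the alert (for example a bad access_token).
	_, _ = io.Copy(ioutil.Discard, resp.Body)
	if resp.StatusCode != http.StatusOK {
		fmt.Println("钉钉报警响应异常:", resp.Status)
	}
}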
// main gathers the session context and sends it as a DingTalk alert.
func main() {
	info := getInfo()
	fragments := []string{
		"项目: 危险用户登录 ",
		"来源ip: ", info.ClientIp,
		" 登录用户: ", info.User,
		" 在服务器: ", info.PublicIp, " ", info.PrivateIp,
		" 操作命令: ", info.Cmd,
		" 操作时间: ", GetTime(),
	}
	SendDingMsg(strings.Join(fragments, ""))
}
四.非法用户使用时候报警如下:
项目: 危险用户登录 来源ip: xxxx 登录用户: root 在服务器: IP:publicip privateip 操作命令: bee 操作时间: 2021-07-08 18:39:33