3344/dock
1
0
Fork 0
Code Issues Packages Projects Releases 1 Wiki Activity

Update 实时 history 监控

Browse Source
This commit is contained in:
xzx3344521
2025-10-21 22:47:48 +08:00
committed by GitHub
parent 302599cacb
commit b588994d23
1 changed files with 156 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

187
实时 history 监控
View File

@@ -1,20 +1,25 @@
#!/bin/bash #!/bin/bash
# 优化版实时命令监控脚本 # 优化版实时命令监控脚本 - 带IP地理位置查询
# 作者: 系统安全监控 # 版本: 2.1
# 版本: 2.0
set -e # 遇到错误立即退出 set -e
### 配置区域 - 可根据需要修改 ### ### 配置区域 ###
LOG_DIR="/root/command_monitor_logs" # 日志目录 LOG_DIR="/root/command_monitor_logs"
MAX_LOG_SIZE="100M" # 单个日志文件最大大小 MAX_LOG_SIZE="10M"
MAX_LOG_FILES=10 # 最大日志文件数量 MAX_LOG_FILES=10
MEMORY_LIMIT="512M" # 内存使用限制 MEMORY_LIMIT="512M"
CPU_LIMIT=90 # CPU使用率限制% CPU_LIMIT=90
CHECK_INTERVAL=300 # 系统检查间隔(秒) CHECK_INTERVAL=300
BACKUP_DAYS=7 # 日志保留天数 BACKUP_DAYS=7
CLEANUP_INTERVAL=3600 # 清理间隔(秒) CLEANUP_INTERVAL=3600
### IP地理位置配置 ###
IP_API_SERVICE="ipapi" # 可选: ipapi, ipapi.co, ipinfo.io, 本地
CACHE_IP_INFO=true # 缓存IP信息避免重复查询
IP_CACHE_FILE="/tmp/ip_geo_cache.txt"
CACHE_EXPIRE=3600 # 缓存过期时间(秒)
### 颜色定义 ### ### 颜色定义 ###
RED='\033[0;31m' RED='\033[0;31m'
@@ -29,6 +34,8 @@ NC='\033[0m'
SCRIPT_PID=$$ SCRIPT_PID=$$
MONITOR_PID="" MONITOR_PID=""
LAST_CLEANUP=0 LAST_CLEANUP=0
CURRENT_LOG=""
LATEST_LOG=""
# 获取时间戳 # 获取时间戳
timestamp() { timestamp() {
@@ -46,21 +53,114 @@ log_message() {
"WARN") color="$YELLOW" ;; "WARN") color="$YELLOW" ;;
"INFO") color="$BLUE" ;; "INFO") color="$BLUE" ;;
"SUCCESS") color="$GREEN" ;; "SUCCESS") color="$GREEN" ;;
"COMMAND") color="$CYAN" ;;
esac esac
echo -e "${color}[$(timestamp)] [$level] $message${NC}" | tee -a "$CURRENT_LOG" echo -e "${color}[$(timestamp)] [$level] $message${NC}" | tee -a "$CURRENT_LOG"
} }
# IP地理位置查询函数
get_ip_location() {
local ip="$1"
# 检查缓存
if [ "$CACHE_IP_INFO" = true ] && [ -f "$IP_CACHE_FILE" ]; then
local cached_info=$(grep "^$ip|" "$IP_CACHE_FILE" | head -1)
if [ -n "$cached_info" ]; then
local cache_time=$(echo "$cached_info" | cut -d'|' -f2)
local current_time=$(date +%s)
if [ $((current_time - cache_time)) -lt $CACHE_EXPIRE ]; then
echo "$cached_info" | cut -d'|' -f3-
return 0
fi
fi
fi
local location_info=""
# 使用多个API服务优先使用免费的
for api in $IP_API_SERVICE ipapi.co ipinfo.io; do
case $api in
ipapi)
location_info=$(curl -s -m 5 "http://ip-api.com/json/$ip" | \
jq -r '[.country, .regionName, .city, .isp] | join(", ")' 2>/dev/null || echo "")
;;
ipapi.co)
location_info=$(curl -s -m 5 "https://ipapi.co/$ip/json/" | \
jq -r '[.country_name, .region, .city, .org] | join(", ")' 2>/dev/null || echo "")
;;
ipinfo.io)
location_info=$(curl -s -m 5 "https://ipinfo.io/$ip" | \
jq -r '[.country, .region, .city, .org] | join(", ")' 2>/dev/null || echo "")
;;
esac
if [ -n "$location_info" ] && [ "$location_info" != "null" ]; then
break
fi
done
# 如果API查询失败使用本地IP库或返回简单信息
if [ -z "$location_info" ] || [ "$location_info" = "null" ]; then
location_info="未知位置"
fi
# 缓存结果
if [ "$CACHE_IP_INFO" = true ]; then
echo "$ip|$(date +%s)|$location_info" >> "$IP_CACHE_FILE"
fi
echo "$location_info"
}
# 简化版地理位置查询(避免依赖外部工具)
get_simple_ip_location() {
local ip="$1"
# 检查常见IP段
if [[ "$ip" == "192.168."* ]] || [[ "$ip" == "10."* ]] || [[ "$ip" == "172."* ]]; then
echo "内网IP"
return
fi
if [[ "$ip" == "127.0.0.1" ]] || [[ "$ip" == "localhost" ]]; then
echo "本机"
return
fi
# 使用whois查询如果可用
if command -v whois &> /dev/null; then
local whois_info=$(timeout 5 whois "$ip" 2>/dev/null | grep -iE "country:|descr:" | head -2 | \
awk -F: '{print $2}' | sed 's/^ *//' | tr '\n' ',' | sed 's/,$//')
if [ -n "$whois_info" ]; then
echo "$whois_info"
return
fi
fi
# 使用ping方式获取粗略位置通过TTL判断
local ttl=$(timeout 3 ping -c 1 "$ip" 2>/dev/null | grep "ttl=" | sed 's/.*ttl=\([0-9]*\).*/\1/' || echo "")
if [ -n "$ttl" ]; then
if [ "$ttl" -le 64 ]; then
echo "Linux系统 - 可能较近"
elif [ "$ttl" -le 128 ]; then
echo "Windows系统 - 中等距离"
else
echo "远程主机 - 可能较远"
fi
else
echo "位置未知"
fi
}
# 获取客户端IP # 获取客户端IP
get_client_ip() { get_client_ip() {
local ip="unknown" local ip="unknown"
# 尝试多种方式获取IP
if [ -n "$SSH_CLIENT" ]; then if [ -n "$SSH_CLIENT" ]; then
ip=$(echo "$SSH_CLIENT" | awk '{print $1}') ip=$(echo "$SSH_CLIENT" | awk '{print $1}')
elif [ -n "$SSH_CONNECTION" ]; then elif [ -n "$SSH_CONNECTION" ]; then
ip=$(echo "$SSH_CONNECTION" | awk '{print $1}') ip=$(echo "$SSH_CONNECTION" | awk '{print $1}')
else else
# 获取当前连接的IP
ip=$(who -m | awk '{print $5}' | sed 's/[()]//g' | head -1) ip=$(who -m | awk '{print $5}' | sed 's/[()]//g' | head -1)
if [[ "$ip" == ":0" ]] || [[ "$ip" == ":1" ]]; then if [[ "$ip" == ":0" ]] || [[ "$ip" == ":1" ]]; then
ip="localhost" ip="localhost"
@@ -69,6 +169,25 @@ get_client_ip() {
echo "$ip" echo "$ip"
} }
# 获取带地理位置的IP信息
get_ip_with_location() {
local ip="$1"
local location=""
# 先尝试完整查询
if command -v curl &> /dev/null && command -v jq &> /dev/null; then
location=$(get_ip_location "$ip")
else
location=$(get_simple_ip_location "$ip")
fi
if [ -n "$location" ] && [ "$location" != "未知位置" ]; then
echo "$ip [$location]"
else
echo "$ip"
fi
}
# 初始化日志系统 # 初始化日志系统
init_log_system() { init_log_system() {
mkdir -p "$LOG_DIR" mkdir -p "$LOG_DIR"
@@ -77,13 +196,19 @@ init_log_system() {
local log_date=$(date '+%Y%m%d_%H%M%S') local log_date=$(date '+%Y%m%d_%H%M%S')
CURRENT_LOG="$LOG_DIR/command_monitor_${client_ip}_${log_date}.log" CURRENT_LOG="$LOG_DIR/command_monitor_${client_ip}_${log_date}.log"
# 创建软链接指向最新日志
LATEST_LOG="$LOG_DIR/latest.log" LATEST_LOG="$LOG_DIR/latest.log"
ln -sf "$CURRENT_LOG" "$LATEST_LOG" ln -sf "$CURRENT_LOG" "$LATEST_LOG"
log_message "INFO" "监控脚本启动 - PID: $$" log_message "INFO" "监控脚本启动 - PID: $$"
log_message "INFO" "客户端IP: $(get_client_ip)" log_message "INFO" "客户端IP: $(get_client_ip)"
log_message "INFO" "日志文件: $CURRENT_LOG" log_message "INFO" "日志文件: $CURRENT_LOG"
# 显示IP地理位置
local client_ip_original=$(get_client_ip)
if [ "$client_ip_original" != "unknown" ] && [ "$client_ip_original" != "localhost" ]; then
local ip_location=$(get_ip_with_location "$client_ip_original")
log_message "INFO" "地理位置: $ip_location"
fi
} }
# 资源监控函数 # 资源监控函数
@@ -181,12 +306,10 @@ log_rotation() {
cleanup_on_exit() { cleanup_on_exit() {
log_message "INFO" "正在停止监控服务..." log_message "INFO" "正在停止监控服务..."
# 杀死所有子进程
if [ -n "$MONITOR_PID" ]; then if [ -n "$MONITOR_PID" ]; then
kill "$MONITOR_PID" 2>/dev/null || true kill "$MONITOR_PID" 2>/dev/null || true
fi fi
# 杀死资源监控进程
pkill -f "monitor_resources" 2>/dev/null || true pkill -f "monitor_resources" 2>/dev/null || true
log_message "SUCCESS" "监控服务已停止" log_message "SUCCESS" "监控服务已停止"
@@ -212,7 +335,6 @@ export HISTTIMEFORMAT='%F %T '
export HISTSIZE=10000 export HISTSIZE=10000
export HISTFILESIZE=20000 export HISTFILESIZE=20000
shopt -s histappend shopt -s histappend
# 记录所有命令,包括时间戳
export HISTCONTROL=ignoredups:erasedups export HISTCONTROL=ignoredups:erasedups
EOF EOF
@@ -221,7 +343,7 @@ EOF
log_message "INFO" "用户 $user 已配置实时记录" log_message "INFO" "用户 $user 已配置实时记录"
fi fi
fi fi
fi done
done done
} }
@@ -229,7 +351,6 @@ EOF
start_main_monitor() { start_main_monitor() {
log_message "INFO" "启动主监控进程..." log_message "INFO" "启动主监控进程..."
# 声明关联数组来跟踪每个用户的文件状态
declare -A file_sizes declare -A file_sizes
declare -A last_commands declare -A last_commands
@@ -260,11 +381,9 @@ start_main_monitor() {
local last_size=${file_sizes["$user"]} local last_size=${file_sizes["$user"]}
if [ "$current_size" -gt "$last_size" ]; then if [ "$current_size" -gt "$last_size" ]; then
# 读取新内容
local new_content=$(tail -c +$((last_size + 1)) "$history_file" 2>/dev/null | tr -d '\0') local new_content=$(tail -c +$((last_size + 1)) "$history_file" 2>/dev/null | tr -d '\0')
if [ -n "$new_content" ]; then if [ -n "$new_content" ]; then
# 逐行处理新命令
while IFS= read -r line; do while IFS= read -r line; do
line=$(echo "$line" | sed 's/^[ \t]*//;s/[ \t]*$//') line=$(echo "$line" | sed 's/^[ \t]*//;s/[ \t]*$//')
@@ -273,7 +392,10 @@ start_main_monitor() {
[ "$line" != "${last_commands["$user"]}" ] && \ [ "$line" != "${last_commands["$user"]}" ] && \
[[ ! "$line" =~ ^(ls|cd|pwd|ll|la|history|exit|clear)$ ]]; then [[ ! "$line" =~ ^(ls|cd|pwd|ll|la|history|exit|clear)$ ]]; then
log_message "COMMAND" "用户: $user | 命令: $line | 来源: $(get_client_ip)" local client_ip=$(get_client_ip)
local ip_with_location=$(get_ip_with_location "$client_ip")
log_message "COMMAND" "用户: $user | 命令: $line | 来源: $ip_with_location"
last_commands["$user"]="$line" last_commands["$user"]="$line"
fi fi
done <<< "$new_content" done <<< "$new_content"
@@ -292,11 +414,9 @@ start_main_monitor() {
start_background_monitor() { start_background_monitor() {
log_message "INFO" "启动后台监控服务..." log_message "INFO" "启动后台监控服务..."
# 启动资源监控
monitor_resources & monitor_resources &
local resource_pid=$! local resource_pid=$!
# 启动主监控
start_main_monitor & start_main_monitor &
MONITOR_PID=$! MONITOR_PID=$!
@@ -305,13 +425,12 @@ start_background_monitor() {
log_message "INFO" "资源监控PID: $resource_pid" log_message "INFO" "资源监控PID: $resource_pid"
log_message "INFO" "查看实时日志: tail -f $LATEST_LOG" log_message "INFO" "查看实时日志: tail -f $LATEST_LOG"
# 等待子进程
wait $MONITOR_PID wait $MONITOR_PID
} }
# 显示使用说明 # 显示使用说明
show_usage() { show_usage() {
echo -e "${GREEN}实时命令监控系统 v2.0${NC}" echo -e "${GREEN}实时命令监控系统 v2.1${NC}"
echo "用法: $0 [选项]" echo "用法: $0 [选项]"
echo echo
echo "选项:" echo "选项:"
@@ -341,7 +460,6 @@ check_monitor_status() {
echo "日志目录: $LOG_DIR" echo "日志目录: $LOG_DIR"
echo "最新日志: $LATEST_LOG" echo "最新日志: $LATEST_LOG"
# 显示最近的活动
if [ -f "$LATEST_LOG" ]; then if [ -f "$LATEST_LOG" ]; then
echo echo
echo -e "${YELLOW}最近10条记录:${NC}" echo -e "${YELLOW}最近10条记录:${NC}"
@@ -362,7 +480,6 @@ stop_monitor() {
kill $pids 2>/dev/null || true kill $pids 2>/dev/null || true
sleep 2 sleep 2
# 检查是否停止成功
if pgrep -f "command_monitor" >/dev/null; then if pgrep -f "command_monitor" >/dev/null; then
echo -e "${RED}强制停止监控进程...${NC}" echo -e "${RED}强制停止监控进程...${NC}"
kill -9 $pids 2>/dev/null || true kill -9 $pids 2>/dev/null || true
@@ -373,7 +490,15 @@ stop_monitor() {
### 主程序 ### ### 主程序 ###
main() { main() {
# 参数处理 # 检查依赖
if ! command -v curl &> /dev/null; then
echo -e "${YELLOW}警告: 未找到 curl地理位置查询功能受限${NC}"
fi
if ! command -v jq &> /dev/null; then
echo -e "${YELLOW}警告: 未找到 jq使用简化版地理位置查询${NC}"
fi
case "${1:-}" in case "${1:-}" in
-d|--daemon) -d|--daemon)
init_log_system init_log_system