1.查看服务状态及配置文件
[root@stream9 ~]# systemctl status sshd # 查看状态
● sshd.service - OpenSSH server daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; preset: enabled)
     Active: active (running) since Sun 2023-10-29 09:30:07 CST; 3min 2s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
   Main PID: 601 (sshd)
      Tasks: 1 (limit: 11125)
     Memory: 6.1M
        CPU: 164ms
     CGroup: /system.slice/sshd.service
             └─601 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Oct 29 09:30:06 stream9 systemd[1]: Starting OpenSSH server daemon...
Oct 29 09:30:07 stream9 sshd[601]: Server listening on 0.0.0.0 port 22.
Oct 29 09:30:07 stream9 systemd[1]: Started OpenSSH server daemon.
Oct 29 09:31:25 stream9 sshd[1209]: Accepted password for root from 10.10.10.1 port 54872 ssh2
Oct 29 09:31:26 stream9 sshd[1209]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
[root@stream9 ~]# 
[root@stream9 ~]# systemctl cat sshd  # 查看配置文件
# /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon               服务的简单描述
Documentation=man:sshd(8) man:sshd_config(5)    服务文档
Before:                                        代表本服务在xxx.service启动之前启动
After=network.target sshd-keygen.target         代表本服务在xxx.service启动之前启动
Wants=sshd-keygen.target                        这个服务启动了,它需要的服务也会被启动;它需要的服务被停止了,对本服务没有影响

[Service]
Type=notify                                     定义服务的启动方式,有下面的值可以选

# 取值	                                                含义
# Type=oneshot	         这一选项适用于只执行一项任务、随后立即退出的服务。可能需要同时设置 RemainAfterExit=yes 使得 systemd 在服务进程退出之后仍然认为服务处于激活状态。
# Type=notify	             与 Type=simple 相同,但约定服务会在就绪后向 systemd 发送一个信号。这一通知的实现由 libsystemd-daemon.so 提供。
# Type=dbus	             若以此方式启动,当指定的 BusName 出现在DBus系统总线上时,systemd认为服务就绪。
# Type=idle	             systemd会等待所有任务处理完成后,才开始执行 idle 类型的单元。其他行为与 Type=simple 类似。
# Type=forking	         systemd认为当该服务进程fork,且父进程退出后服务启动成功。对于常规的守护进程(daemon),除非你确定此启动方式无法满足需求,使用此类型启动即可。使用此启动类型应同时指定 PIDFile=,以便 systemd 能够跟踪服务的主进程
# Type=simple	(默认值)    systemd认为该服务将立即启动。服务进程不会 fork 。如果该服务要启动其他服务,不要使用此类型启动,除非该服务是socket 激活型。

EnvironmentFile=-/etc/sysconfig/sshd   文件路径
ExecStart=/usr/sbin/sshd -D $OPTIONS   启动服务的命令或者脚本
ExecReload=/bin/kill -HUP $MAINPID     指定服务停止时执行的命令或者脚本。
KillMode=process                       在ExecStart之后用户自定义执行的脚本。Type=oneshot允许指定多个希望顺序执行的用户自定义命令。
Restart=on-failure                     这个选项如果被允许,服务重启的时候进程会退出,会通过systemctl命令执行清除并重启的操作
RestartSec=42s

[Install]
WantedBy=multi-user.target             单元被允许运行需要的弱依赖性单元,Wantby从Want列表获得依赖信息。
2.定义一个服务,目的是
#!/bin/bash

LOG_FILE="/scripts/01_myMonitor.log"

function MyMonitor() {
    [ ! -f $LOG_FILE ] && touch $LOG_FILE
    while true; do
        awk '/Failed/{print $11}' /var/log/secure | uniq | while read ip; do sed -i "/$ip/d" $LOG_FILE; done
        awk '/Failed/{print $11}' /var/log/secure | uniq -c | awk '{print "注意:"$2" 暴力破解了你 "$1" 次"}' >>$LOG_FILE
        sleep 5
    done
}

MyMonitor

# 把该脚本放到 /scripts/MyMonitor.sh=
3.创建服务文件
[root@stream9 ~]# cat /scripts/MyMonitor.sh
#!/bin/bash

LOG_FILE="/scripts/01_myMonitor.log"

function MyMonitor() {
    [ ! -f $LOG_FILE ] && touch $LOG_FILE
    while true; do
        awk '/Failed/{print $11}' /var/log/secure | uniq | while read ip; do sed -i "/$ip/d" $LOG_FILE; done
        awk '/Failed/{print $11}' /var/log/secure | uniq -c | awk '{print "注意: "$2" 暴力破解了你 "$1" 次"}' >>$LOG_FILE
        sleep 5
    done
}

MyMonitor
[root@stream9 ~]#
[root@stream9 ~]# cat /usr/lib/systemd/system/MyMonitor.service
[Unit]
Description=监控谁暴力破解失败

[Service]
Type=simple
ExecStart=/scripts/MyMonitor.sh

[Install]
WantedBy=multi-user.target
[root@stream9 ~]#
[root@stream9 ~]# chmod +x /scripts/MyMonitor.sh


# 重新加载配置
[root@stream9 ~]# systemctl daemon-reload

# 启动你的服务
[root@stream9 ~]# systemctl start MyMonitor.service
[root@stream9 ~]# tail -f /scripts/01_myMonitor.log
注意:10.10.10.1 暴力破解了你 5 次
注意:10.10.10.183 暴力破解了你 8 次
注意:10.10.10.1 暴力破解了你 6 次
^C
[root@stream9 ~]#
[root@stream9 ~]#
# 查看状态
[root@stream9 ~]# systemctl status MyMonitor.service
● MyMonitor.service - 监控谁暴力破解失败
     Loaded: loaded (/usr/lib/systemd/system/MyMonitor.service; disabled; preset: disabled)
     Active: active (running) since Sun 2023-10-29 10:49:14 CST; 36s ago
   Main PID: 6569 (MyMonitor.sh)
      Tasks: 2 (limit: 11125)
     Memory: 608.0K
        CPU: 432ms
     CGroup: /system.slice/MyMonitor.service
             ├─6569 /bin/bash /scripts/MyMonitor.sh
             └─6656 sleep 5

Oct 29 10:49:14 stream9 systemd[1]: Started 监控谁暴力破解失败.
[root@stream9 ~]#

# 配置开机自启
[root@stream9 ~]# systemctl enable MyMonitor.service
Created symlink /etc/systemd/system/multi-user.target.wants/MyMonitor.service → /usr/lib/systemd/system/MyMonitor.service.
[root@stream9 ~]#
[root@stream9 ~]#

# 停止
[root@stream9 ~]# systemctl stop MyMonitor.service
[root@stream9 ~]#

# 查看
[root@stream9 ~]# systemctl status MyMonitor.service
○ MyMonitor.service - 监控谁暴力破解失败
     Loaded: loaded (/usr/lib/systemd/system/MyMonitor.service; enabled; preset: disabled)
     Active: inactive (dead) since Sun 2023-10-29 10:50:22 CST; 3s ago
   Duration: 1min 7.985s
    Process: 6569 ExecStart=/scripts/MyMonitor.sh (code=killed, signal=TERM)
   Main PID: 6569 (code=killed, signal=TERM)
        CPU: 732ms

Oct 29 10:49:14 stream9 systemd[1]: Started 监控谁暴力破解失败.
Oct 29 10:50:22 stream9 systemd[1]: Stopping 监控谁暴力破解失败...
Oct 29 10:50:22 stream9 systemd[1]: MyMonitor.service: Deactivated successfully.
Oct 29 10:50:22 stream9 systemd[1]: Stopped 监控谁暴力破解失败.

[root@stream9 ~]#
[root@stream9 ~]# ps -aux | grep  MyMonitor
root        6749  0.0  0.1   7176  3564 ?        Ss   10:51   0:00 /bin/bash /scripts/MyMonitor.sh
root        6922  0.0  0.1   6408  2172 pts/0    S+   10:52   0:00 grep --color=auto MyMonitor
[root@stream9 ~]#
[root@stream9 ~]#
[root@stream9 ~]# systemctl stop MyMonitor.service
[root@stream9 ~]#
[root@stream9 ~]#
[root@stream9 ~]# ps -aux | grep  MyMonitor
root        6977  0.0  0.1   6408  2172 pts/0    S+   10:53   0:00 grep --color=auto MyMonitor