Attackers frequently try to brute-force server passwords over SSH and, once in, plant malware on the machine. If you check the server's security log, /var/log/secure, you will find many records of brute-force login attempts over SSH, such as these:

Aug 29 16:27:23 fgb sshd[31098]: Failed password for root from 189.205.132.145 port 49920 ssh2
Aug 29 16:27:28 fgb sshd[31100]: Failed password for root from 189.205.132.145 port 55661 ssh2
Aug 29 16:27:33 fgb sshd[31103]: Failed password for root from 189.205.132.145 port 33579 ssh2
Aug 29 16:27:37 fgb sshd[31106]: Failed password for root from 189.205.132.145 port 39344 ssh2
Aug 29 16:27:42 fgb sshd[31115]: Failed password for root from 189.205.132.145 port 45117 ssh2
Aug 29 16:27:46 fgb sshd[31124]: Failed password for root from 189.205.132.145 port 50881 ssh2
Aug 29 16:27:52 fgb sshd[31126]: Failed password for root from 189.205.132.145 port 56359 ssh2
Aug 29 16:27:57 fgb sshd[31128]: Failed password for root from 189.205.132.145 port 35882 ssh2
Aug 29 16:28:02 fgb sshd[31130]: Failed password for root from 189.205.132.145 port 41888 ssh2
Aug 29 16:28:08 fgb sshd[31132]: Failed password for root from 189.205.132.145 port 47882 ssh2
Aug 29 16:28:12 fgb sshd[31134]: Failed password for root from 189.205.132.145 port 53121 ssh2
Aug 29 16:28:17 fgb sshd[31136]: Failed password for root from 189.205.132.145 port 59014 ssh2
Aug 29 16:28:21 fgb sshd[31139]: Failed password for root from 189.205.132.145 port 36742 ssh2

When someone is attacking like this we obviously have to defend against it. Use the following script:

#!/bin/sh
# Count "Failed" entries in the auth log per source address and build "count=ip" pairs.
# $(NF-3) is the field three from the end of a line shaped "... from <ip> port <n> ssh2".
SCANIP=`grep "Failed" /var/log/secure | awk '{print $(NF-3)}' | sort | uniq -c | awk '{print $1"="$2;}'`
for i in $SCANIP
do
    NUMBER=`echo $i | awk -F= '{print $1}'`   # number of failed logins
    IP=`echo $i | awk -F= '{print $2}'`       # source address
    echo "$NUMBER($IP)"
    # Block only if there are more than 10 failures and the address is not already in
    # the INPUT chain (grep -w keeps 1.2.3.4 from matching 11.2.3.45).
    if [ $NUMBER -gt 10 ] && [ -z "`iptables -vnL INPUT | grep -w $IP`" ]
    then
        /sbin/iptables -I INPUT -s $IP -m state --state NEW,RELATED,ESTABLISHED -j DROP
        echo "`date` $IP($NUMBER)" >> /var/log/scanip.log
    fi
done

What this script does: it scans the secure log, finds every IP address with more than 10 failed connection attempts, adds it to the iptables block list, and records the block in a log file.
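The detection half of the script above, separated from the blocking half so it can be tested on sample data, as an added example that is not part of the original article. It reads a constructed log (the thirteen lines from the article plus a few invented lines in the 203.0.113.0/24 documentation range, including an "invalid user" entry and an "Accepted password" entry that must not be counted) and prints the addresses whose failure count exceeds a threshold. The function names ssh_offenders and ip_already_blocked are this example's own.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source address in an auth log and
# list the addresses over a threshold. Nothing here touches the firewall.

# Constructed sample log (not real data); a production run would read /var/log/secure.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Aug 29 16:27:23 fgb sshd[31098]: Failed password for root from 189.205.132.145 port 49920 ssh2
Aug 29 16:27:28 fgb sshd[31100]: Failed password for root from 189.205.132.145 port 55661 ssh2
Aug 29 16:27:33 fgb sshd[31103]: Failed password for root from 189.205.132.145 port 33579 ssh2
Aug 29 16:27:37 fgb sshd[31106]: Failed password for root from 189.205.132.145 port 39344 ssh2
Aug 29 16:27:42 fgb sshd[31115]: Failed password for root from 189.205.132.145 port 45117 ssh2
Aug 29 16:27:46 fgb sshd[31124]: Failed password for root from 189.205.132.145 port 50881 ssh2
Aug 29 16:27:52 fgb sshd[31126]: Failed password for root from 189.205.132.145 port 56359 ssh2
Aug 29 16:27:57 fgb sshd[31128]: Failed password for root from 189.205.132.145 port 35882 ssh2
Aug 29 16:28:02 fgb sshd[31130]: Failed password for root from 189.205.132.145 port 41888 ssh2
Aug 29 16:28:08 fgb sshd[31132]: Failed password for root from 189.205.132.145 port 47882 ssh2
Aug 29 16:28:12 fgb sshd[31134]: Failed password for root from 189.205.132.145 port 53121 ssh2
Aug 29 16:28:17 fgb sshd[31136]: Failed password for root from 189.205.132.145 port 59014 ssh2
Aug 29 16:28:21 fgb sshd[31139]: Failed password for root from 189.205.132.145 port 36742 ssh2
Aug 29 16:30:01 fgb sshd[31150]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Aug 29 16:30:05 fgb sshd[31152]: Failed password for invalid user test from 203.0.113.7 port 40002 ssh2
Aug 29 16:31:00 fgb sshd[31160]: Accepted password for deploy from 203.0.113.9 port 40100 ssh2
EOF

# ssh_offenders LOGFILE THRESHOLD
# Prints "<count> <ip>" for every source address with more than THRESHOLD failed
# password attempts. $(NF-3) is the address in "... from <ip> port <n> ssh2", which
# also works for "invalid user" lines because the count runs from the end of the line.
ssh_offenders() {
    grep 'Failed password' "$1" \
      | awk '{print $(NF-3)}' \
      | sort | uniq -c \
      | awk -v n="$2" '$1 > n {print $1, $2}'
}

# ip_already_blocked IP
# Exact match on the source column (8th field of iptables -vnL output), so
# 10.0.0.1 is never mistaken for 10.0.0.10. Returns 0 if a rule for IP exists.
ip_already_blocked() {
    iptables -vnL INPUT 2>/dev/null | awk -v ip="$1" '$8 == ip {found=1} END {exit !found}'
}

# Dry run over the sample: show what the threshold of 10 from the article would select.
ssh_offenders "$SAMPLE_LOG" 10
```

Running the block prints only 189.205.132.145 with its count of 13; 203.0.113.7 stays under the threshold and the successful login is ignored. Two caveats carry over to the article's script: counts accumulate over the whole log, so an address keeps its old failures until the log rotates, and a block rule inserted at the head of INPUT stays until someone removes it, which is why the article writes each block to /var/log/scanip.log.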