linux下shell脚本防ssh暴力破解
时间:2014-11-18 18:51来源:linux.it.net.cn 作者:IT
功能:由 cron 每分钟调用一次（需 root 权限），查询上一分钟的 /var/log/secure,统计 ssh 密码认证失败的来源 IP 和次数:1 分钟内失败 5 次及以上的 IP 记录到 susperctip.txt,失败 10 次及以上的直接交给 iptables 拦截并记录在 blockip.txt。默认只统计 root 和不存在用户的失败登录,匹配关键词可以根据需求加强。注意:用户名是客户端自选的,提取 IP 时不能依赖固定的 awk 字段位置,否则攻击者可以通过构造用户名让脚本封掉任意 IP。
-
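#!/bin/bash
#
# Filtering script: ban SSH password brute-forcers with iptables.
#
# Meant to be run by cron once a minute:
#     * * * * * /path/to/this-script
# Each run looks at the PREVIOUS calendar minute of /var/log/secure, counts
# "Failed password ... ssh2" lines per source IP and then:
#   * >= BLOCK_THRESHOLD   failures: insert an iptables DROP rule for the IP
#                          (unless one already exists) and log it to $BLACKIP;
#   * >= SUSPECT_THRESHOLD failures: only record the IP in $SUSPECTIP.
# Only "Failed password for root" and "Failed password for invalid user"
# lines are counted (as before); failures of other existing accounts are
# ignored -- extend the WORD1/WORD2 patterns below if that matters.
#
# Create Time: 2012-10-12.17
#
# Needs: root (iptables), GNU date (-d -1min) and the traditional syslog
# timestamp in /var/log/secure ("Nov  9 10:25:01 host sshd[...]: ...").
# IPv4 only: anything that does not parse as a dotted quad is skipped
# instead of being handed to iptables (IPv6 would need ip6tables).
#
# Limitation: the window is one calendar minute, so an attacker pacing
# itself below SUSPECT_THRESHOLD attempts per minute is never noticed.

set -u

if [[ $(id -u) -ne 0 ]]; then
  printf '%s: must be run as root (needs iptables)\n' "${0##*/}" >&2
  exit 1
fi

readonly LOGDIR=/data/logs/secure
mkdir -p "$LOGDIR" || exit 1

readonly LOGFILE=/var/log/secure
readonly LOGFILE2=$LOGDIR/secure.txt       # matching log lines of the last minute
readonly IPLIST=$LOGDIR/iplist.txt         # one source IP per failed attempt
readonly BLACKIP=$LOGDIR/blockip.txt       # IPs handed to iptables
readonly SUSPECTIP=$LOGDIR/susperctip.txt  # IPs over the warning threshold

readonly BLOCK_THRESHOLD=10
readonly SUSPECT_THRESHOLD=5

# Previous minute as "%_d %H:%M" (day space-padded, e.g. " 9 10:25"), which
# is how syslog writes day/time in /var/log/secure. An empty TIME would make
# the grep below match the WHOLE log and ban on historical counts, so bail
# out if date could not produce it.
TIME=$(date '+%_d %H:%M' -d -1min) || TIME=
if [[ -z $TIME ]]; then
  printf '%s: cannot compute previous minute (GNU date required)\n' "${0##*/}" >&2
  exit 1
fi
readonly TIME

readonly WORD="Failed password"
readonly WORD1="Failed password for root"
readonly WORD2="Failed password for invalid user"

# Keep only the ssh password failures of the previous minute.
grep -F -- "$TIME" "$LOGFILE" | grep -F -- "$WORD" | grep -F ssh2 > "$LOGFILE2"

# Pull the source IP of each root / invalid-user failure.
#
# sshd's line ends in "from <ip> port <n> ssh2", but the user name that
# precedes it is chosen by the CLIENT: a name like "x from 203.0.113.5 port
# 1 ssh2" is logged verbatim, and the fixed awk fields ($11/$13) used here
# before would then hand the attacker-chosen address to iptables -- i.e.
# anyone could get an arbitrary IP banned. The greedy ".*" takes the LAST
# "from", which is the one sshd appended, and only a dotted quad is kept.
grep -F -e "$WORD1" -e "$WORD2" "$LOGFILE2" \
  | sed -n 's/.* from \([0-9][0-9.]*\) port [0-9][0-9]* ssh2.*/\1/p' > "$IPLIST"

# Is $1 already present in the INPUT chain? -F/-w so the dots in the address
# are literal and 1.2.3.4 does not match 1.2.3.40.
is_blocked() {
  iptables -vnL INPUT | grep -Fqw -- "$1"
}

# Timestamp line in the format the log files already use (bold red ANSI
# escapes included, so existing files and `cat` on a terminal keep working).
stamp() {
  printf '\033[31m\033[1m%s\033[0m\n' "$(date '+%Y-%m-%d %H:%M')"
}

# uniq -c yields "<count> <ip>"; read splits on the whitespace.
while read -r NUM IP; do
  # belt and braces: never pass anything but an IPv4 literal to iptables
  [[ $IP =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || continue

  if (( NUM >= BLOCK_THRESHOLD )) && ! is_blocked "$IP"; then
    iptables -I INPUT -s "$IP" -m state --state NEW,RELATED,ESTABLISHED -j DROP
    { stamp; printf '%s = %s\n' "$NUM" "$IP"; } >> "$BLACKIP"
  elif (( NUM >= SUSPECT_THRESHOLD )); then
    # also reached by an IP over BLOCK_THRESHOLD that is already banned
    { stamp; printf '%s = %s\n' "$NUM" "$IP"; } >> "$SUSPECTIP"
  fi
done < <(sort "$IPLIST" | uniq -c)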
测试效果:明显看出服务器老被别人瞎搞...
-
[root@localhost secure]# ll
-
total 8
-
-rw-r--r--. 1 root root 1181 Nov 9 10:25 blockip.txt
-
-rw-r--r--. 1 root root 0 Nov 9 11:57 iplist.txt
-
-rw-r--r--. 1 root root 0 Nov 9 11:57 secure.txt
-
-rw-r--r--. 1 root root 1015 Nov 7 15:57 susperctip.txt
-
[root@localhost secure]# cat susperctip.txt
-
2012-10-16 19:36
-
5 = 112.216.140.51
-
2012-10-17 21:09
-
5 = 212.143.16.77
-
2012-10-17 21:10
-
9 = 212.143.16.77
-
2012-10-18 08:54
-
8 = 202.94.70.20
-
2012-10-19 23:37
-
[root@localhost secure]# cat blockip.txt
-
2012-10-17 20:00
-
26 = 111.74.82.33
-
2012-10-17 20:48
-
15 = 115.236.101.244
-
2012-10-17 21:11
-
11 = 212.143.16.77
-
2012-10-18 08:55
-
17 = 202.94.70.20
-
2012-10-19 14:51
-
15 = 64.185.226.120