auto drop ssh failed ip address

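#!/bin/bash
# auto drop ssh failed ip address
# author by efoni 2018.7
#
# Reads the last 1000 lines of the sshd auth log, counts "Failed password"
# entries per source address, and adds a DROP rule for new TCP connections to
# port 22 to the iptables config file for every address with 4 or more
# failures. Must run as a user that can read SEC_FILE and write IPTABLE_CONF.
# The script only edits the config file; it does not reload the firewall.

SEC_FILE=/var/log/secure
IPTABLE_CONF=/etc/sysconfig/iptables

if [ ! -r "$SEC_FILE" ] || [ ! -w "$IPTABLE_CONF" ]; then
  echo "cannot read $SEC_FILE or write $IPTABLE_CONF" >&2
  exit 1
fi

# Take the address only from the trailing " from <ip> port <n>" field of each
# "Failed password" line. The login name earlier on the line is chosen by the
# remote client, so matching any dotted quad anywhere on the line would let a
# client get an unrelated address blocked by using it as a user name. The
# greedy leading ".*" makes sed pick the last " from ... port ..." on the line.
# Addresses with 4 or more failures are kept.
IP_ADDR=$(tail -n 1000 "$SEC_FILE" \
  | grep "Failed password" \
  | sed -n -r 's/.* from (([0-9]{1,3}\.){3}[0-9]{1,3}) port [0-9]+.*/\1/p' \
  | sort \
  | uniq -c \
  | awk '$1>=4 {print $2}')

echo
cat <<EOF
++++++++++++++++++++++++++++++++welcome to use ssh login drop failed ip++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
EOF

for i in $IP_ADDR; do
  # The regex above accepts octets up to 999; reject anything above 255 so a
  # malformed line never reaches the rules file (one bad rule can make the
  # whole file fail to load). 10# stops values like "08" being read as octal.
  valid=1
  IFS=. read -r o1 o2 o3 o4 <<<"$i"
  for o in "$o1" "$o2" "$o3" "$o4"; do
    if ! ((10#$o <= 255)); then
      valid=0
    fi
  done
  if [ "$valid" -ne 1 ]; then
    echo "skip invalid address $i" >&2
    continue
  fi

  # Check whether the config already mentions this address. -F treats the
  # dots literally and -w requires a whole-token match, so 1.2.3.4 is not
  # considered present just because 11.2.3.45 is.
  if grep -qwF -- "$i" "$IPTABLE_CONF"; then
    echo "This $i is exist in iptables,please exit."
  else
    # Not present yet: append the DROP rule after the loopback ACCEPT rule.
    # "-p tcp" is required for "-m tcp --dport" to be accepted by iptables.
    sed -i "/-i lo /a -A INPUT -s $i -p tcp -m state --state NEW -m tcp --dport 22 -j DROP" "$IPTABLE_CONF"
  fi
done

# Finally, restart iptables (for example: service iptables restart) so the
# new rules take effect; until then only the config file has changed.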


转载自blog.51cto.com/efoni/2146447