SSH access control: blocking IPs to prevent brute-force attacks

Write a cron job script that runs every minute and blocks any IP address whose failed ssh connections to this host have reached 10. It must be done with awk.

I. System: centos6

II. Method: read /var/log/secure and search for the keyword Failed, for example

[root@centos6 .ssh]#tailf /var/log/secure

Sep  3 00:41:28 centos6 sshd[11963]: error: connect_to 74.125.204.113 port 443: failed.
Sep  3 00:49:31 centos6 sshd[12021]: Failed password for root from 172.18.254.13 port 59012 ssh2
Sep  3 00:49:31 centos6 sshd[12021]: Failed password for root from 172.18.254.13 port 59012 ssh2
Sep  3 00:49:31 centos6 sshd[12022]: Connection closed by 172.18.254.13
Sep  3 00:49:51 centos6 sshd[12023]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.google.com  user=root
Sep  3 00:49:53 centos6 sshd[12023]: Failed password for root from 172.18.254.13 port 59014 ssh2
Sep  3 00:50:02 centos6 sshd[12023]: Failed password for root from 172.18.254.13 port 59014 ssh2
Sep  3 00:50:12 centos6 sshd[12023]: Accepted password for root from 172.18.254.13 port 59014 ssh2

III. Steps

1. First put the IPs you commonly connect from into /etc/hosts.allow. This is important: it keeps an address you use regularly from being locked out after a few mistyped passwords.

[root@centos6 .ssh]#cat /etc/hosts.allow
#
# hosts.allow    This file contains access rules which are used to
#        allow or deny connections to network services that
#        either use the tcp_wrappers library or that have been
#        started through a tcp_wrappers-enabled xinetd.
#
#        See 'man 5 hosts_options' and 'man 5 hosts_access'
#        for information on rule syntax.
#        See 'man tcpd' for information on tcp_wrappers
#
sshd:172.18.254.13:allow
sshd:172.18.252.54:allow

2. Write the script /root/bin/secure_ssh.sh

[root@centos6 bin]#cat secure_ssh.sh
#!/bin/bash
# Count the "Failed" lines in /var/log/secure per source IP and write them as "ip=count"
awk '/Failed/{print $(NF-3)}' /var/log/secure | sort | uniq -c | awk '{print $2"="$1}' > /root/black.txt
define=10
for i in $(cat /root/black.txt)
do
    ip=$(echo "$i" | awk -F= '{print $1}')
    num=$(echo "$i" | awk -F= '{print $2}')
    # Deny the address once it reaches the threshold, unless it is already listed
    if [ "$num" -ge "$define" ]; then
        if ! grep -q "sshd:$ip:deny" /etc/hosts.deny; then
            echo "sshd:$ip:deny" >> /etc/hosts.deny
        fi
    fi
done

3. Add secure_ssh.sh to cron so it runs once every minute

[root@centos6 bin]#crontab -l
*/1 * * * * /root/bin/secure_ssh.sh

Note: the script path in the crontab must be an absolute path!!!
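The awk counting in the script above keys on `$(NF-3)`, which works for "Failed password for root from IP" lines but is fragile, and the plain `grep $ip` check treats 172.18.254.1 as already listed when only 172.18.254.13 is. The following is an added example, not the original post's script: it takes the address after the word "from" (so "invalid user" lines are counted too), skips the addresses you keep in an allow list, and only emits hosts.deny rules for addresses not already present. The sample log lines, the allow-list file format (one IP per line) and the function names are constructed for this example.

```shell
#!/bin/bash
# Added example, not the original post's script: count sshd password failures
# per source address with awk, skip allow-listed addresses, and emit hosts.deny
# rules only for addresses that are not already present.

# Constructed /var/log/secure-style lines (not from a live host): 10 failures
# from 172.18.254.13, 3 "invalid user" failures from 10.0.0.9, 12 failures from
# 172.18.252.54, plus lines that must not be counted.
make_sample_log() {
    local i
    for i in $(seq 1 10); do
        printf 'Sep  3 00:49:%02d centos6 sshd[12021]: Failed password for root from 172.18.254.13 port 59012 ssh2\n' "$i"
    done
    for i in 1 2 3; do
        printf 'Sep  3 00:50:%02d centos6 sshd[12030]: Failed password for invalid user admin from 10.0.0.9 port 40001 ssh2\n' "$i"
    done
    for i in $(seq 1 12); do
        printf 'Sep  3 00:51:%02d centos6 sshd[12040]: Failed password for root from 172.18.252.54 port 41000 ssh2\n' "$i"
    done
    echo 'Sep  3 00:41:28 centos6 sshd[11963]: error: connect_to 74.125.204.113 port 443: failed.'
    echo 'Sep  3 00:49:31 centos6 sshd[12022]: Connection closed by 172.18.254.13'
    echo 'Sep  3 00:50:12 centos6 sshd[12023]: Accepted password for root from 172.18.254.13 port 59014 ssh2'
}

# Read log lines on stdin and print "IP count" for every source with at least
# THRESHOLD "Failed password" lines, excluding addresses listed one per line in
# ALLOW_FILE (the same addresses you put in /etc/hosts.allow).
offenders() {
    local threshold="$1" allow_file="$2"
    awk -v threshold="$threshold" -v allow_file="$allow_file" '
        BEGIN {
            while ((getline line < allow_file) > 0) if (line != "") allow[line] = 1
            close(allow_file)
        }
        /sshd\[[0-9]+\]: Failed password for / {
            # Take the token after "from": works for both "for root from IP"
            # and "for invalid user NAME from IP", unlike a fixed $(NF-3).
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold && !(ip in allow)) print ip, fails[ip]
        }
    ' | sort
}

# Read "IP count" lines on stdin and print a hosts.deny rule for each IP that
# DENY_FILE does not already contain. Whole-line fixed-string matching avoids
# the prefix problem where a plain grep for 172.18.254.1 also matches
# 172.18.254.13.
new_deny_rules() {
    local deny_file="$1" ip rest
    while read -r ip rest; do
        [ -n "$ip" ] || continue
        grep -q -x -F "sshd:$ip:deny" "$deny_file" || echo "sshd:$ip:deny"
    done
}

# Stand-alone demo on the constructed data with a temporary allow list and
# hosts.deny; prints the single new rule for 172.18.254.13.
demo() {
    local tmp
    tmp=$(mktemp -d)
    echo '172.18.252.54' > "$tmp/allow"
    echo 'sshd:10.0.0.9:deny' > "$tmp/deny"
    make_sample_log | offenders 10 "$tmp/allow" | new_deny_rules "$tmp/deny"
    rm -rf "$tmp"
}
demo
```

In a cron job you would feed the real log instead of the sample, for example `offenders 10 /root/allow.txt < /var/log/secure | new_deny_rules /etc/hosts.deny >> /etc/hosts.deny` (paths are assumptions). Because the rules are appended only when the exact line is absent, running it every minute never duplicates entries, and an address in the allow list is never written to hosts.deny even if it exceeds the threshold.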

IV. Testing

1. Open two terminal windows: in one, ssh into the server; in the other, connect to the server several times with a wrong password.

[root@localhost .ssh]# ssh 172.18.250.42
root@172.18.250.42's password:
Permission denied, please try again.
root@172.18.250.42's password:
Permission denied, please try again.
root@172.18.250.42's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@localhost .ssh]# ssh 172.18.250.42
root@172.18.250.42's password:
Permission denied, please try again.
root@172.18.250.42's password:
Permission denied, please try again.
root@172.18.250.42's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Soon the blacklist file on the server already has entries:

[root@centos6 bin]#cat /root/black.txt
172.18.252.54=6
172.18.254.13=15

Now look at hosts.deny on the server:

[root@centos6 bin]#cat /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#        deny connections to network services that either use
#        the tcp_wrappers library or that have been
#        started through a tcp_wrappers-enabled xinetd.
#
#        The rules in this file can also be set up in
#        /etc/hosts.allow with a 'deny' option instead.
#
#        See 'man 5 hosts_options' and 'man 5 hosts_access'
#        for information on rule syntax.
#        See 'man tcpd' for information on tcp_wrappers
#
sshd:172.18.254.13:deny

The IP has been added to the server's hosts.deny; connecting to the server again, even with the correct password, is refused:

[root@localhost .ssh]# ssh 172.18.250.42
ssh_exchange_identification: read: Connection reset by peer

Reprinted from www.cnblogs.com/f-h-j-11-7/p/9651895.html