A shell script that automatically blocks the IPs behind malicious login attempts

(This article is only for my own reference. If you have any objections, please don't flame me; I think it is still useful as a reference.)


First, the reasoning behind this shell script: why it is worth configuring at all.

Linux ships with the iptables firewall, but that only makes a server relatively secure, not very secure. Suppose the firewall is configured, but port 22 is open to the whole Internet because we have no VPN: for example, I am in Shanghai and the server is in Beijing, I need remote access, and my own IP keeps changing, so port 22 has to accept connections from everywhere. Then anyone in the country can reach our SSH service, and someone who scans the port and tries passwords all day will sooner or later get in. Of course we can make the password very complex, 32 characters of mixed-case letters, digits and special characters, which nobody is going to guess within years of trying, but the attacker is still scanning and hammering the port every day, filling the log and wasting resources.

If port 22 is open to everyone, /var/log/secure fills up with the IPs of these malicious attempts. So how do we reject those IPs, blacklisting an IP the moment it attacks, or blocking it permanently once it has failed to log in three or four times? The script below does exactly that.

Here I use two servers to test this shell script; a real environment works the same way:

Server A: 192.168.33.10

Server B: 192.168.33.14

With both servers set up, ssh from server B to server A:
ssh -l root 192.168.33.10
Answer yes to the host-key prompt.
You will then be asked for the password. Enter a wrong password on purpose, and repeat the login attempt several times.

Then check on server A:
tail -fn 100 /var/log/secure
(-f keeps following the file; use plain tail -n 100 for a one-off look.)
You will see many lines of the form "Failed password for root from 192.168.33.14 port <port> ssh2", where <port> is the client's source port and differs per connection.
(screenshot of the log output omitted)

Lots of them. We can pull the IPs straight out of these lines:
tail -n 100 /var/log/secure |grep "Failed password"| awk '{print $11}'
$11 is the eleventh whitespace-separated field: three fields of timestamp, the hostname, sshd[pid]:, then "Failed password for root from", and the IP. Note that for lines such as "Failed password for invalid user admin from ..." the IP shifts to $13, so this field-based extraction misses attempts against non-existent accounts; matching the IP with a regular expression, as the script below does, avoids that.
(screenshot of the extracted IPs omitted)

If there are many IPs, we can count how many times each one tried to log in:
tail -n 100 /var/log/secure |grep "Failed password"| awk '{print $11}'|sort|uniq -c |sort -nr
sort groups identical IPs together, uniq -c prefixes each with its count, and sort -nr puts the most frequent first.
(screenshot of the counts omitted)

If an IP has got the password wrong 7 times, whoever it is clearly does not know the password.
Once we know the IP, we can add it straight to the firewall:
vim /etc/sysconfig/iptables
-A INPUT -s 192.168.33.14 -j DROP
Be careful where the rule goes: iptables evaluates the INPUT chain top to bottom and the first match wins, so the DROP must sit above the rule that ACCEPTs port 22 (on CentOS that is -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT), otherwise it never fires.
After restarting the firewall (/etc/init.d/iptables restart), try again from server B:
ssh -l root 192.168.33.10
Now the connection does not even reach the password prompt, because the IP is blocked.
This is just a simple manual block. With hundreds of such IPs we can't do it by hand, so next we use the automatic script.

#!/bin/bash
#auto drop ssh failed IP address
#by authors kanghui 2016-6-14
#define variables
SEC_FILE=/var/log/secure
IPTABLES_CONF=/etc/sysconfig/iptables
#Extract the source IPs of failed port-22 logins from the secure file. Any IP that
#fails 4 or more times is written into the firewall config and dropped, so it can
#no longer reach port 22. The regex "([0-9]{1,3}\.){3}[0-9]{1,3}" matches an IPv4
#address: [0-9] is any digit, {1,3} means 1 to 3 of them, \. is a literal dot, and
#the "digits plus dot" group is repeated 3 times before the last octet.
IP_ADDR=`tail -n 100 $SEC_FILE | grep "Failed password" | egrep -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq -c | sort -nr | awk '$1>=4 {print $2}'`
for i in $IP_ADDR
do
#Check whether the iptables config file already contains this IP (-w: whole word,
#so 192.168.33.1 does not match 192.168.33.14)
        grep -w "$i" $IPTABLES_CONF >/dev/null
        if [ $? -ne 0 ]; then
#If it is not there, add a DROP rule for it. The sed "a" command appends a line
#after the line matching the address, here the loopback rule
#"-A INPUT -i lo -j ACCEPT", so the DROP lands above the rule that ACCEPTs port 22.
                sed -i "/-A INPUT -i lo -j ACCEPT/a -A INPUT -s $i -m state --state NEW -m tcp -p tcp --dport 22 -j DROP" $IPTABLES_CONF
        else
#If it is there already, just print a message
                echo "This IP $i already exists in iptables, skipping ....."
        fi
done
#finally restart the firewall so the new rules take effect
/etc/init.d/iptables restart

(screenshot of the script's run omitted)

Finally, we can add this script to crontab so it runs periodically; I won't write that out here.
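As an added example (not the author's script), here is a version of the same log-to-iptables logic that runs stand-alone on constructed data and addresses the weak points noted above before you put it in cron: it takes the IP from the "from <ip>" token so "invalid user" lines are counted, it keeps a whitelist so an admin host (or your own mistyped password, run from cron every few minutes) can never lock you out, it checks for an existing rule with exact matching so 192.168.33.1 does not hide 192.168.33.14, and it inserts the DROP above the port-22 ACCEPT. The threshold, the whitelist, the sample log lines and the sample iptables config are assumptions constructed for the demo; on a real CentOS box you would pass /var/log/secure and /etc/sysconfig/iptables and then restart iptables as the script above does.

```bash
#!/bin/bash
# Added example, not the original post's script: same log-to-iptables idea with
# three fixes. The IP comes from the "from <ip>" token (so "invalid user" lines
# count), a whitelist keeps admin hosts from ever being blocked, and the
# existing-rule check matches exactly (192.168.33.1 must not hide 192.168.33.14).
# Assumptions: GNU/BusyBox grep and awk, a CentOS-6 style iptables-save config
# that contains "-A INPUT -i lo -j ACCEPT"; log and config paths are parameters.

THRESHOLD=${THRESHOLD:-4}
WHITELIST=${WHITELIST:-"127.0.0.1 192.168.33.1"}   # assumed admin hosts

# Print every source IP with >= THRESHOLD "Failed password" lines, most frequent first.
failed_ips() {
    local logfile=$1
    grep 'Failed password' "$logfile" \
      | grep -oE 'from ([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | awk '{print $2}' \
      | sort | uniq -c | sort -nr \
      | awk -v t="$THRESHOLD" '$1 >= t {print $2}'
}

is_whitelisted() {
    local ip=$1 w
    for w in $WHITELIST; do [ "$w" = "$ip" ] && return 0; done
    return 1
}

# -w forces a word boundary after the IP, so "-s 192.168.33.1" does not match
# "-s 192.168.33.14" but does match the "-s 10.0.0.7/32" form iptables-save writes.
rule_exists() {
    grep -qwF -e "-s $1" "$2"
}

# Insert the DROP right after the loopback ACCEPT, i.e. above the rule that
# ACCEPTs new connections to port 22 (first match wins). Prints the number added.
add_drop_rules() {
    local logfile=$1 conf=$2 ip rule added=0
    for ip in $(failed_ips "$logfile"); do
        if is_whitelisted "$ip"; then
            echo "skip $ip: whitelisted" >&2
        elif rule_exists "$ip" "$conf"; then
            echo "skip $ip: already in $conf" >&2
        else
            rule="-A INPUT -s $ip -m state --state NEW -m tcp -p tcp --dport 22 -j DROP"
            awk -v r="$rule" '{print} /^-A INPUT -i lo -j ACCEPT$/ {print r}' "$conf" \
                > "$conf.tmp" && mv "$conf.tmp" "$conf"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Constructed sample data (not real logs): a /var/log/secure excerpt with three
# IPs at the threshold (one whitelisted, one already blocked) and one below it.
write_sample_log() {
    cat > "$1" <<'EOF'
Jun 14 10:01:01 serverA sshd[2001]: Failed password for root from 192.168.33.14 port 40001 ssh2
Jun 14 10:01:03 serverA sshd[2001]: Failed password for root from 192.168.33.14 port 40001 ssh2
Jun 14 10:01:05 serverA sshd[2003]: Failed password for root from 192.168.33.14 port 40002 ssh2
Jun 14 10:01:07 serverA sshd[2003]: Failed password for root from 192.168.33.14 port 40002 ssh2
Jun 14 10:02:01 serverA sshd[2010]: Failed password for invalid user admin from 10.0.0.7 port 50001 ssh2
Jun 14 10:02:02 serverA sshd[2010]: Failed password for invalid user admin from 10.0.0.7 port 50001 ssh2
Jun 14 10:02:03 serverA sshd[2011]: Failed password for invalid user oracle from 10.0.0.7 port 50002 ssh2
Jun 14 10:02:05 serverA sshd[2012]: Failed password for root from 10.0.0.7 port 50004 ssh2
Jun 14 10:03:00 serverA sshd[2020]: Failed password for root from 192.168.33.1 port 60001 ssh2
Jun 14 10:03:01 serverA sshd[2020]: Failed password for root from 192.168.33.1 port 60001 ssh2
Jun 14 10:03:02 serverA sshd[2021]: Failed password for root from 192.168.33.1 port 60002 ssh2
Jun 14 10:03:03 serverA sshd[2021]: Failed password for root from 192.168.33.1 port 60002 ssh2
Jun 14 10:03:10 serverA sshd[2030]: Failed password for root from 203.0.113.5 port 33001 ssh2
EOF
}
# Constructed CentOS-6 style /etc/sysconfig/iptables with 10.0.0.7 already blocked.
write_sample_conf() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.7/32 -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Stand-alone demo on temp files; on a real box pass /var/log/secure and
# /etc/sysconfig/iptables, then run /etc/init.d/iptables restart.
demo() {
    local log conf n
    log=$(mktemp) && conf=$(mktemp)
    write_sample_log "$log" && write_sample_conf "$conf"
    n=$(add_drop_rules "$log" "$conf")
    echo "added $n rule(s); DROP rules now:"
    grep -e '-j DROP' "$conf"
    rm -f "$log" "$conf"
}
demo
```

On the sample data only 192.168.33.14 gets a new rule: 10.0.0.7 is already in the config, 192.168.33.1 is whitelisted, and 203.0.113.5 is under the threshold; running it a second time adds nothing, so it is safe to schedule. An assumed crontab line for that would be `*/5 * * * * /root/auto_drop_ssh.sh >> /var/log/auto_drop_ssh.log 2>&1` (path and interval are assumptions). Two things it still shares with the original: tail -n 100 only looks at the most recent lines, so an attacker spread thinly across a busy log is missed, and the rule only takes effect after the firewall is restarted.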
