Linux SSH: Blocking an IP After a Number of Failed Logins to Prevent Brute-Force Attacks
On Linux, failed SSH logins are recorded in /var/log/secure. Searching for the keyword Failed locates the offending IP addresses, for example:

    # cat /var/log/secure|grep 36.250.229.118
    Jan 10 16:54:25 iZbp15upsrdbnwnq3zksepZ sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.152.101.235  user=root
    Jan 10 16:54:25 iZbp15upsrdbnwnq3zksepZ sshd: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Jan 10 16:54:27 iZbp15upsrdbnwnq3zksepZ sshd: Failed password for root from 103.152.101.235 port 59352 ssh2
    Jan 10 16:54:27 iZbp15upsrdbnwnq3zksepZ sshd: Connection closed by 103.152.101.235 port 59352
    Jan 10 16:54:29 iZbp15upsrdbnwnq3zksepZ sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.152.101.235  user=root
    Jan 10 16:54:29 iZbp15upsrdbnwnq3zksepZ sshd: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Jan 10 16:54:31 iZbp15upsrdbnwnq3zksepZ sshd: Failed password for root from 103.152.101.235 port 60970 ssh2
    Jan 10 16:54:31 iZbp15upsrdbnwnq3zksepZ sshd: Connection closed by 103.152.101.235 port 60970
    Jan 10 16:54:33 iZbp15upsrdbnwnq3zksepZ sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.152.101.235  user=root
    Jan 10 16:54:33 iZbp15upsrdbnwnq3zksepZ sshd: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Jan 10 16:54:35 iZbp15upsrdbnwnq3zksepZ sshd: Failed password for root from 103.152.101.235 port 34445 ssh2
    Jan 10 16:54:35 iZbp15upsrdbnwnq3zksepZ sshd: Connection closed by 103.152.101.235 port 34445
    Jan 10 16:54:37 iZbp15upsrdbnwnq3zksepZ sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.152.101.235  user=root
    Jan 10 16:54:37 iZbp15upsrdbnwnq3zksepZ sshd: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Jan 10 16:54:39 iZbp15upsrdbnwnq3zksepZ sshd: Failed password for root from 103.152.101.235 port 36166 ssh2
    Jan 10 16:54:39 iZbp15upsrdbnwnq3zksepZ sshd: Connection closed by 103.152.101.235 port 36166
    Jan 10 16:54:41 iZbp15upsrdbnwnq3zksepZ sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.152.101.235  user=root
    Jan 10 16:54:41 iZbp15upsrdbnwnq3zksepZ sshd: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Jan 10 16:54:43 iZbp15upsrdbnwnq3zksepZ sshd: Failed password for root from 103.152.101.235 port 37866 ssh2
    Jan 10 16:54:43 iZbp15upsrdbnwnq3zksepZ sshd: Connection closed by 103.152.101.235 port 37866
    Jan 10 16:54:45 iZbp15upsrdbnwnq3zksepZ sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.152.101.235  user=root
    Jan 10 16:54:45 iZbp15upsrdbnwnq3zksepZ sshd: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Jan 10 16:54:47 iZbp15upsrdbnwnq3zksepZ sshd: Failed password for root from 103.152.101.235 port 39832 ssh2
    Jan 10 16:54:47 iZbp15upsrdbnwnq3zksepZ sshd: Connection closed by 103.152.101.235 port 39832
    Jan 10 16:54:49 iZbp15upsrdbnwnq3zksepZ sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.152.101.235  user=root
    Jan 10 16:54:49 iZbp15upsrdbnwnq3zksepZ sshd: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Jan 10 16:54:51 iZbp15upsrdbnwnq3zksepZ sshd: Failed password for root from 103.152.101.235 port 41558 ssh2
    Jan 10 16:54:52 iZbp15upsrdbnwnq3zksepZ sshd: Connection closed by 103.152.101.235 port 41558
Here, this IP address is clearly running an SSH scan, continually changing ports and users in a brute-force attempt.
Linux has two relevant files:

/etc/hosts.allow: which IPs are allowed to access the host

    cat /etc/hosts.allow
    sshd:19.16.18.1:allow
    sshd:19.16.18.2:allow

/etc/hosts.deny: which IPs are denied access to the host:

    cat /etc/hosts.deny
    sshd:13.7.3.6:deny
    sshd:92.4.0.4:deny
    sshd:94.10.4.2:deny
    sshd:94.4.1.6:deny
    sshd:11.64.11.5:deny
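So all we need to do is extract the IP addresses from /var/log/secure and, if the count reaches 10, write the IP to /etc/hosts.deny to deny that IP access to the host.

The script, secure_ssh.sh, is as follows: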
    #!/bin/bash
    # Count failed SSH logins per source IP and save them as IP=COUNT lines.
    cat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $2"="$1;}' > /boss/config/black.list
    for i in `cat /boss/config/black.list`
    do
        IP=`echo $i | awk -F= '{print $1}'`
        NUM=`echo $i | awk -F= '{print $2}'`
        echo "$IP=$NUM"
        # More than 10 failures: add the IP to hosts.deny unless it is already listed.
        if [ "$NUM" -gt 10 ]; then
            grep "$IP" /etc/hosts.deny > /dev/null
            if [ $? -gt 0 ]; then
                echo "sshd:$IP:deny" >> /etc/hosts.deny
            fi
        fi
    done
Add the secure_ssh.sh script to a cron job so that it runs once every hour.

    # crontab -e
    0 */1 * * * sh /usr/local/bin/secure_ssh.sh
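
A stricter variant of the script above, as an added example that is not the original author's code: it counts only sshd "Failed password" lines, validates the extracted address, skips addresses present in the allow file, and matches existing deny entries as whole lines. The function names, the whole-line `sshd:IP:allow` check, the "count >= threshold" rule and the sample log are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not the original author's script. File paths are arguments,
# so it can be tried on copies before pointing it at /etc/hosts.deny.

# Print "count ip" per source address seen in sshd "Failed password" lines.
count_failures() {   # $1 = log file
    awk '/sshd.*: Failed password for / && $(NF-2) == "port" { n[$(NF-3)]++ }
         END { for (ip in n) print n[ip], ip }' "$1"
}

# Append "sshd:IP:deny" for each IP whose failure count reaches the threshold.
update_deny() {      # $1 = log, $2 = deny file, $3 = allow file, $4 = threshold
    count_failures "$1" | while read -r num ip; do
        # Only dotted-quad IPv4 text from the log may reach the deny file.
        echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || continue
        [ "$num" -ge "$4" ] || continue
        # Skip addresses listed in the allow file, to avoid locking out admins.
        grep -qxF "sshd:$ip:allow" "$3" 2>/dev/null && continue
        # Whole-line fixed-string match: 1.2.3.4 must not match 11.2.3.45.
        grep -qxF "sshd:$ip:deny" "$2" 2>/dev/null || echo "sshd:$ip:deny" >> "$2"
    done
}

# Constructed sample log (documentation addresses, not from a real host).
make_sample_log() {  # $1 = output path
    i=0
    while [ "$i" -lt 12 ]; do
        echo "Jan 10 16:54:$((10 + i)) host sshd[100]: Failed password for root from 203.0.113.7 port $((50000 + i)) ssh2"
        echo "Jan 10 16:55:$((10 + i)) host sshd[101]: Failed password for invalid user admin from 192.0.2.10 port $((40000 + i)) ssh2"
        i=$((i + 1))
    done > "$1"
    echo "Jan 10 16:56:01 host sshd[102]: Failed password for root from 198.51.100.20 port 2222 ssh2" >> "$1"
}

# Demo on temporary files: 192.0.2.10 is allowlisted, 198.51.100.20 is under the threshold.
d=$(mktemp -d) || exit 1
make_sample_log "$d/secure"
echo "sshd:192.0.2.10:allow" > "$d/hosts.allow"
update_deny "$d/secure" "$d/hosts.deny" "$d/hosts.allow" 10
update_deny "$d/secure" "$d/hosts.deny" "$d/hosts.allow" 10   # second run adds nothing
cat "$d/hosts.deny"
rm -rf "$d"
```

/etc/hosts.deny is only honoured when sshd is linked against TCP Wrappers (libwrap); upstream OpenSSH removed that support in 6.7, so check the build before relying on this file.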