# 获取前 1 分钟内的 secure 记录,统计 ssh 认证失败的 IP 和其 失败次数, 并用Iptables阻止之
SCANNER=$(awk 'BEGIN{ tm=strftime("%b %e %H:%M",systime()-60);} $0 ~ tm && /Failed password/ && /ssh2/ {print $(NF-3)}' /var/log/auth.log |sort|uniq -c |awk '{print $1"="$2;}')
awk '/Failed/{print $(NF-3)}' /var/log/auth.log|sort|uniq -c|sort -rn|awk '{if ($1>$num){print $2}}'
num=10
for i in `awk '/Failed/{print $(NF-3)}' /var/log/auth.log|sort|uniq -c|sort -rn|awk '{if ($1>$num){print $2}}'`
do
iptables -I INPUT -p tcp -s $i --dport 2222 -j DROP
done
/var/log/auth.log|awk '/Failed/{print $(NF-3)}'|sort|uniq -c|awk '{print $2"="$1;}'
#! /bin/bash
cat /var/log/auth.log|awk '/Failed/{print $(NF-3)}'|sort|uniq -c|awk '{print $2"="$1;}' > /usr/local/bin/black.list
for i in `cat /usr/local/bin/black.list`
do
IP=`echo $i |awk -F= '{print $1}'`
NUM=`echo $i|awk -F= '{print $2}'`
if [ ${#NUM} -gt 1 ]; then
grep $IP /etc/hosts.deny > /dev/null
if [ $? -gt 0 ];then
echo "sshd:$IP:deny" >> /etc/hosts.deny
fi
fi
done
没有评论:
发表评论