Write a scheduled task script that runs every minute and blocks any IP address whose failed SSH connections to this host have reached 10. Requirement: do it with awk.
I. System: CentOS 6
II. Method: read /var/log/secure and look for the keyword Failed, for example:
[root@centos6 .ssh]#tailf /var/log/secure
Sep 3 00:41:28 centos6 sshd[11963]: error: connect_to 74.125.204.113 port 443: failed.
Sep 3 00:49:31 centos6 sshd[12021]: Failed password for root from 172.18.254.13 port 59012 ssh2
Sep 3 00:49:31 centos6 sshd[12021]: Failed password for root from 172.18.254.13 port 59012 ssh2
Sep 3 00:49:31 centos6 sshd[12022]: Connection closed by 172.18.254.13
Sep 3 00:49:51 centos6 sshd[12023]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.google.com user=root
Sep 3 00:49:53 centos6 sshd[12023]: Failed password for root from 172.18.254.13 port 59014 ssh2
Sep 3 00:50:02 centos6 sshd[12023]: Failed password for root from 172.18.254.13 port 59014 ssh2
Sep 3 00:50:12 centos6 sshd[12023]: Accepted password for root from 172.18.254.13 port 59014 ssh2
III. Steps
1. First add the IP addresses you regularly connect from to /etc/hosts.allow. This is important: it prevents a regular client from being locked out after mistyping its password.
[root@centos6 .ssh]#cat /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:172.18.254.13:allow
sshd:172.18.252.54:allow
2. Write the script /root/bin/secure_ssh.sh
[root@centos6 bin]#cat secure_ssh.sh
#!/bin/bash
# Count the "Failed" lines per source IP and write "IP=count" lines to the blacklist file
awk '/Failed/{print $(NF-3)}' /var/log/secure | sort | uniq -c | awk '{print $2"="$1}' > /root/black.txt
define=10   # number of failures at which an IP is blocked
for i in `cat /root/black.txt`
do
    ip=`echo $i | awk -F= '{print $1}'`
    num=`echo $i | awk -F= '{print $2}'`
    # block once the count reaches the threshold
    if [ $num -ge $define ]; then
        # anchored match, so 172.18.254.1 does not match an existing rule for 172.18.254.13
        grep -q "^sshd:$ip:deny$" /etc/hosts.deny
        if [ $? -gt 0 ]; then
            echo "sshd:$ip:deny" >> /etc/hosts.deny
        fi
    fi
done
3. Put secure_ssh.sh into a cron job that runs once every minute
[root@centos6 bin]#crontab -l
*/1 * * * * /root/bin/secure_ssh.sh
Note: the script must be given by its absolute path!!!
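To make the three steps above easier to check before they touch a live system, here is an added example (not the tutorial's own secure_ssh.sh) that applies the same awk counting and threshold logic, but takes the log file, the deny file and the threshold as parameters and runs against a constructed log with documentation addresses. The function names, the sample log lines and the temporary files are all assumptions made for this example; the "Failed password" pattern is narrower than the tutorial's bare "Failed" so that unrelated messages such as "connect_to ... failed." are never counted.

```shell
#!/bin/bash
# Added example, not the original script: the tutorial's awk-based counting,
# split into functions that take paths and the threshold as parameters so it
# can be exercised on a constructed log instead of /var/log/secure.

# Print "IP=count" for every source address with at least one
# "Failed password" line. $(NF-3) is the address in
# "Failed password for <user> from <IP> port <N> ssh2" (also with "invalid user").
count_failed_logins() {
    awk '/Failed password/ { n[$(NF-3)]++ }
         END { for (ip in n) print ip "=" n[ip] }' "$1" | sort
}

# Print only the addresses whose failure count reached the threshold ($2).
ips_at_threshold() {
    count_failed_logins "$1" | awk -F= -v max="$2" '$2 >= max { print $1 }'
}

# Succeed if an exact "sshd:IP:deny" rule is already in the deny file ($2).
# The anchored pattern keeps 172.18.254.1 from matching a rule for 172.18.254.13.
deny_rule_present() {
    grep -q "^sshd:$1:deny\$" "$2"
}

# Append one deny rule per address at/over the threshold; print newly added IPs.
# Re-running it is safe: already-present rules are skipped.
block_offenders() {
    local log="$1" deny="$2" max="$3" ip
    for ip in $(ips_at_threshold "$log" "$max"); do
        if ! deny_rule_present "$ip" "$deny"; then
            echo "sshd:$ip:deny" >> "$deny"
            echo "$ip"
        fi
    done
}

# --- constructed sample input (RFC 5737 documentation addresses, not real hosts) ---
SAMPLE_LOG=$(mktemp)
SAMPLE_DENY=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_DENY"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Sep  3 00:41:28 centos6 sshd[11963]: error: connect_to 74.125.204.113 port 443: failed.
Sep  3 00:49:31 centos6 sshd[12021]: Failed password for root from 192.0.2.10 port 59012 ssh2
Sep  3 00:49:33 centos6 sshd[12021]: Failed password for root from 192.0.2.10 port 59012 ssh2
Sep  3 00:49:40 centos6 sshd[12023]: Failed password for invalid user admin from 192.0.2.10 port 59014 ssh2
Sep  3 00:50:02 centos6 sshd[12025]: Failed password for root from 198.51.100.7 port 40100 ssh2
Sep  3 00:50:12 centos6 sshd[12025]: Accepted password for root from 198.51.100.7 port 40100 ssh2
EOF

# Threshold of 3 for the small sample; the tutorial uses 10 on the real log.
echo "failure counts:"
count_failed_logins "$SAMPLE_LOG"
echo "newly blocked:"
block_offenders "$SAMPLE_LOG" "$SAMPLE_DENY" 3
echo "deny file now contains:"
cat "$SAMPLE_DENY"
```

Running it prints 192.0.2.10=3 and 198.51.100.7=1, blocks only 192.0.2.10, and a second call to block_offenders adds nothing because the anchored check finds the existing rule. To use the same functions on a real host, pass /var/log/secure, /etc/hosts.deny and 10, and keep the hosts.allow entries from step 1 in place.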
IV. Testing
1. Open two terminal windows: from one, SSH into the server; from the other, connect to the server several times with a wrong password.
[root@localhost .ssh]# ssh 172.18.250.42
root@172.18.250.42's password:
Permission denied, please try again.
root@172.18.250.42's password:
Permission denied, please try again.
root@172.18.250.42's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@localhost .ssh]# ssh 172.18.250.42
[root@localhost .ssh]# ssh 172.18.250.42
root@172.18.250.42's password:
Permission denied, please try again.
root@172.18.250.42's password:
Permission denied, please try again.
root@172.18.250.42's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Very soon the blacklist file on the server has entries:
[root@centos6 bin]#cat /root/black.txt
172.18.252.54=6
172.18.254.13=15
Now look at hosts.deny on the server:
[root@centos6 bin]#cat /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:172.18.254.13:deny
The IP has been added to the server's hosts.deny; connecting to the server again, even with the correct password, is refused:
[root@localhost .ssh]# ssh 172.18.250.42
ssh_exchange_identification: read: Connection reset by peer