SSH brute-force investigation and defense

1. Count the failed login attempts in the log

grep -o "Failed password" /var/log/secure|uniq -c

[root@VM-4-15-centos etc]# grep -o "Failed password" /var/log/secure|uniq -c
54970 Failed password

2. Print the first and last failed-login lines to establish the time range:

grep "Failed password" /var/log/secure|head -1
grep "Failed password" /var/log/secure|tail -1

[root@VM-4-15-centos etc]# grep "Failed password" /var/log/secure|tail -1
Dec 26 15:11:03 VM-4-15-centos sshd[30859]: Failed password for root from 124.148.168.201 port 48553 ssh2
[root@VM-4-15-centos etc]# grep "Failed password" /var/log/secure|head -1
Dec 16 12:37:34 VM-4-15-centos sshd[3429]: Failed password for root from 152.89.196.123 port 63710 ssh2

3. Identify which IPs are brute-forcing

grep "Failed password" /var/log/secure|grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|sort|uniq -c | sort -nr

(`uniq -c` only merges adjacent duplicates, so the addresses must be sorted first; without the `sort` the same IP shows up in several separate counts.)

4. Date, username and IP of successful logins:

grep "Accepted " /var/log/secure | awk '{print $1,$2,$3,$9,$11}'

5. Count which IPs logged in successfully

grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

6. A script copied from the web: blacklist any IP with 10 or more failed logins

-- Path: /usr/local/bin/secure_ssh.sh
#!/bin/bash
# Count failed logins per source IP and write "IP=count" lines to black.list.
# $(NF-3) is the address field in both the "for root from IP" and the
# "for invalid user X from IP" line layouts, which is why it is used instead of $11.
awk '/Failed/{print $(NF-3)}' /var/log/secure | sort | uniq -c | awk '{print $2"="$1}' > /usr/local/bin/black.list
for i in $(cat /usr/local/bin/black.list)
do
  IP=$(echo "$i" | awk -F= '{print $1}')
  NUM=$(echo "$i" | awk -F= '{print $2}')
  # 10 or more failures (the original tested for a two-digit count): add to hosts.deny
  if [ "$NUM" -ge 10 ]; then
    # -F matches the address literally (a dot in a regex matches any character)
    # and -w stops 1.2.3.4 from matching an existing 11.2.3.45 entry
    if ! grep -qwF "$IP" /etc/hosts.deny; then
      echo "sshd:$IP:deny" >> /etc/hosts.deny
    fi
  fi
done
#--: Put secure_ssh.sh into cron so that it runs every minute.
# crontab -e
*/1 * * * *  sh /usr/local/bin/secure_ssh.sh
#--: Remember to add the IPs you allow to /etc/hosts.allow
#--: hosts.allow/hosts.deny only take effect when sshd is built with tcp_wrappers (libwrap);
#    OpenSSH 7.6 and later dropped that support, so check with: ldd $(which sshd) | grep libwrap
sshd:192.168.6.240:allow
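Steps 1 to 6 above as a single pass over the log, added here as an example and not part of the original post. It parses `/var/log/secure` lines with a regex instead of fixed awk fields, so the "invalid user" variant is handled, applies the same threshold and allow-list logic as the cron script, and additionally flags any address that failed repeatedly and then logged in successfully. The sample log lines, the `host` name and the documentation-range IPs are constructed.

```python
import re
from collections import Counter

# Matches "Failed password for root from IP" as well as the "invalid user X"
# variant whose extra words shift awk field numbers (hence $(NF-3) in the post).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample of /var/log/secure lines (documentation IP ranges, not real data).
SAMPLE_LOG = "".join(
    f"Dec 16 12:37:{i:02d} host sshd[{3400 + i}]: Failed password for root "
    f"from 203.0.113.9 port {40000 + i} ssh2\n"
    for i in range(12)
) + (
    "Dec 16 12:50:10 host sshd[3450]: Failed password for invalid user admin from 198.51.100.7 port 41000 ssh2\n"
    "Dec 16 13:00:00 host sshd[3460]: Accepted publickey for deploy from 192.168.6.240 port 51000 ssh2: RSA SHA256:x\n"
    "Dec 26 15:11:03 host sshd[30859]: Accepted password for root from 203.0.113.9 port 48553 ssh2\n"
)

def analyze(log_text, threshold=10, allow=frozenset()):
    """Steps 1-6 of the post in one pass over the log text."""
    failed, accepted, logins = Counter(), Counter(), []
    first = last = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failed[m["ip"]] += 1
            first = first or m["ts"]
            last = m["ts"]
        else:
            accepted[m["ip"]] += 1
            logins.append((m["ts"], m["user"], m["ip"]))
    return {
        "failed_total": sum(failed.values()),                # step 1
        "failed_range": (first, last),                       # step 2
        "failed_by_ip": failed.most_common(),                # step 3, sorted descending
        "logins": logins,                                    # step 4
        "accepted_by_ip": accepted.most_common(),            # step 5
        "deny": sorted(ip for ip, n in failed.items() if n >= threshold and ip not in allow),  # step 6
        "failed_then_accepted": sorted(ip for ip in accepted if failed[ip]),  # brute-forced, then got in
    }

def hosts_deny_lines(deny_ips):
    # the sshd:IP:deny lines the post's cron script appends to /etc/hosts.deny
    return [f"sshd:{ip}:deny" for ip in deny_ips]
```

`analyze(SAMPLE_LOG)["failed_then_accepted"]` is the list to look at first: a successful login from an address that was brute-forcing is the signal that the password may already be gone, which blocking alone does not fix.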

Posted by 大司徒 (204 reads, 0 comments)