恶意IP远程登录Linux服务器脚本

#!/bin/sh

#auto drop ssh failed IP address

#定义变量

SEC_FILE=/var/log/secure

#如下为截取secure文件恶意ip 远程登录22端口，大于等于4次就写入防火墙，禁止以后再登录服务器的22端口

IP_ADDR=`tail -n 1000 /var/log/secure |grep "Failed password"| egrep -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort -nr | uniq -c |awk ' $1>=4 {print $2}'`

IPTABLE_CONF=/etc/sysconfig/iptables

echo

cat <<EOF

++++++++++++++welcome to use ssh login drop failed ip+++++++++++++++++

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++------------------------------------++++++++++++++++++

EOF

#打印动态滚动条，参照老男孩博客-数组分析文章

echo -n "请等待5秒后开始执行 "

for ((j=0;j<=4;j++)) ;do echo -n "----------";sleep 1 ;done

echo

for i in `echo $IP_ADDR`

do

    #查看iptables配置文件是否含有提取的IP信息

    cat $IPTABLE_CONF |grep $i >/dev/null

if

    [ $? -ne 0 ];then

    #判断iptables配置文件里面是否存在已拒绝的ip，如何不存在就不再添加相应条目

    sed -i "/lo/a -A INPUT -s $i -m state --state NEW -m tcp -p tcp --dport 22 -j DROP" $IPTABLE_CONF

else

    #如何存在的话，就打印提示信息即可

    echo  "This is $i is exist in iptables,please exit ......"

fi

done

#最后重启iptables生效

/etc/init.d/iptables restart