#!/bin/bash
LIMIT=30 #这边可以自定义限制次数
LOGFILE="/var/log/block_ssh.log" #日志路径
TIME=$(date '+%b %e %H') #example: Apr 11 11
BLOCK_IP=$(grep "$TIME" /var/log/secure|grep Failed|awk '{print $(NF-3)}'|sort|uniq -c|awk '$1>"$LIMIT"{print $1":"$2}') #将1小时内ssh认证失败超过30次的ip抓出来
#测试
#BLOCK_IP=`cat /root/ip_list`
for i in $BLOCK_IP
do
IP=$(echo $i|awk -F: '{print $2}')
cat /etc/hosts.deny | grep $IP>/dev/null #先判断下是否已经被屏蔽
if [ $? -gt 0 ];then
echo "sshd:$IP" >> /etc/hosts.deny #屏蔽ip添加到hosts.deny
NOW=$(date '+%Y-%m-%d %H:%M')
echo -e "$NOW : $IP">>${LOGFILE}
fi
done
