自動擋掉嘗試用ssh入侵Linux的攻擊者IP @ 尼斐克的企鵝空間 :: 隨意窩 Xuite日誌
    自動擋掉嘗試用ssh入侵Linux的攻擊者IP
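    #!/bin/bash
    # Name: banip.sh
    # Author: Andowson Chang (andowson [at] gmail [dot] com)
    # Version: 0.1
    # Last Modified: 2007-01-21
    #
    # Reads the auth log, collects the source address of every
    # "Failed password for invalid user" line, and adds an iptables DROP for
    # each address that is not yet recorded in the history file. Meant to run
    # from cron as root; prints "Deny access to host: <ip>" for each new block
    # and exits non-zero if any iptables call failed.
    set -euo pipefail
    export LC_ALL=C   # byte-wise ordering, so sort(1) and comm(1) agree

    # Edit the parameters here.
    EXTERNAL_INTERFACE="ppp0" # you must edit this
    BANNEDHOSTFILE="/tmp/bannedhosts.txt" #edit this as required
    HISTORYHOSTSFILE="/tmp/history.txt" #edit this as required
    IPTABLES="/sbin/iptables"
    AUTHLOG="/var/log/secure"
    # Exactly four dotted groups of 1-3 digits and nothing else. The previous
    # pattern accepted empty groups and arbitrary trailing text, so a garbled
    # log field could have been handed to iptables unchanged.
    GREP_PARAM='^([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}$'
    # Source addresses that must never be blocked (the LAN used for testing).
    WHITELIST_PARAM='^192\.168\.1\.'

    die() { printf '%s\n' "$*" >&2; exit 1; }

    # The default files live in world-writable /tmp; refuse to write through a
    # symlink so another local user cannot redirect root's output elsewhere.
    refuse_symlink() {
      if [[ -L "$1" ]]; then
        die "refusing to use symlink: $1"
      fi
    }

    (( EUID == 0 )) || die "must run as root (reads $AUTHLOG, changes iptables)"
    [[ -r "$AUTHLOG" ]] || die "cannot read $AUTHLOG"
    [[ -x "$IPTABLES" ]] || die "$IPTABLES is not executable"
    refuse_symlink "$BANNEDHOSTFILE"
    refuse_symlink "$HISTORYHOSTSFILE"

    # Scratch files go in a private directory instead of predictable /tmp names.
    workdir=$(mktemp -d) || die "mktemp failed"
    cleanup() { rm -rf -- "${workdir:?}"; }
    trap cleanup EXIT

    # Find the attacking hosts. sshd appends " from <ip> port <n>" after the
    # user name, and the user name is chosen by the remote side, so take the
    # LAST "from ... port" on the line (greedy .*) instead of counting fields
    # with cut, which shifts whenever the name or the date has extra spaces.
    # An empty whitelist is replaced by a pattern matching only blank lines,
    # because grep -v with an empty pattern would discard every address.
    # "No matching line" is a normal outcome, hence the trailing || true.
    sed -n -E 's/.*Failed password for invalid user .* from ([0-9.]+) port [0-9]+.*/\1/p' "$AUTHLOG" \
      | grep -Ev -- "${WHITELIST_PARAM:-^\$}" \
      | grep -E -- "$GREP_PARAM" \
      | sort -u > "$workdir/attack" || true

    # Add the newly seen hosts: those in this run's list but not in history.
    touch -- "$HISTORYHOSTSFILE"
    sort -u -- "$HISTORYHOSTSFILE" > "$workdir/history"
    comm -23 "$workdir/attack" "$workdir/history" > "$BANNEDHOSTFILE"

    # Block each new address with iptables. NOTE(review): -A appends to the
    # end of the chain, so an earlier rule that ACCEPTs ssh traffic would
    # match first and the DROP would never fire; check the rule order on this
    # host. An address whose rules could not be added is kept out of the
    # history so the next run retries it.
    failed=0
    : > "$workdir/applied"
    while IFS= read -r ip; do
      printf 'Deny access to host: %s\n' "$ip"
      if "$IPTABLES" -A INPUT -i "$EXTERNAL_INTERFACE" -s "$ip" -j DROP \
          && "$IPTABLES" -A OUTPUT -o "$EXTERNAL_INTERFACE" -d "$ip" -j DROP; then
        printf '%s\n' "$ip" >> "$workdir/applied"
      else
        printf 'warning: iptables failed for %s, will retry next run\n' "$ip" >&2
        failed=1
      fi
    done < "$BANNEDHOSTFILE"

    # Append the processed addresses to the history file. The new file is
    # built aside and moved into place, so a crash cannot leave it half-written.
    sort -u -- "$workdir/history" "$workdir/applied" > "$workdir/history.new"
    mv -f -- "$workdir/history.new" "$HISTORYHOSTSFILE"
    rm -f -- "$BANNEDHOSTFILE"
    exit "$failed"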


    下面是我自己修改過的版本
    Linux系統安全 - 阻擋ssh錯誤嘗試

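    #!/bin/bash
    # banip.sh, hosts.deny variant: same log scan as the original, but instead
    # of iptables each new attacker address is appended to /etc/hosts.deny as
    # "sshd: <ip>". Meant to run from cron as root; prints
    # "Deny access to host: <ip>" for each new block.
    # NOTE(review): this only has an effect if the installed sshd honours
    # /etc/hosts.deny (tcp_wrappers / libwrap support) — confirm on the target
    # system before relying on it.
    set -euo pipefail
    export LC_ALL=C   # byte-wise ordering, so sort(1) and comm(1) agree

    # Edit the parameters here.
    BANNEDHOSTFILE="/tmp/bannedhosts.txt" #edit this as required
    HISTORYHOSTSFILE="/tmp/history.txt" #edit this as required
    HOSTSDENY="/etc/hosts.deny"
    AUTHLOG="/var/log/secure"
    # Exactly four dotted groups of 1-3 digits and nothing else. The previous
    # pattern accepted empty groups and arbitrary trailing text, so a garbled
    # log field could have been written into hosts.deny unchanged.
    GREP_PARAM='^([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}$'
    # Source addresses that must never be blocked (the LAN used for testing).
    WHITELIST_PARAM='^192\.168\.1\.'

    die() { printf '%s\n' "$*" >&2; exit 1; }

    # The default files live in world-writable /tmp; refuse to write through a
    # symlink so another local user cannot redirect root's output elsewhere.
    refuse_symlink() {
      if [[ -L "$1" ]]; then
        die "refusing to use symlink: $1"
      fi
    }

    (( EUID == 0 )) || die "must run as root (reads $AUTHLOG, writes $HOSTSDENY)"
    [[ -r "$AUTHLOG" ]] || die "cannot read $AUTHLOG"
    refuse_symlink "$BANNEDHOSTFILE"
    refuse_symlink "$HISTORYHOSTSFILE"

    # Scratch files go in a private directory instead of predictable /tmp names.
    workdir=$(mktemp -d) || die "mktemp failed"
    cleanup() { rm -rf -- "${workdir:?}"; }
    trap cleanup EXIT

    # Find the attacking hosts. sshd appends " from <ip> port <n>" after the
    # user name, and the user name is chosen by the remote side, so take the
    # LAST "from ... port" on the line (greedy .*) instead of counting fields
    # with cut, which shifts whenever the name or the date has extra spaces.
    # An empty whitelist is replaced by a pattern matching only blank lines,
    # because grep -v with an empty pattern would discard every address.
    # "No matching line" is a normal outcome, hence the trailing || true.
    sed -n -E 's/.*Failed password for invalid user .* from ([0-9.]+) port [0-9]+.*/\1/p' "$AUTHLOG" \
      | grep -Ev -- "${WHITELIST_PARAM:-^\$}" \
      | grep -E -- "$GREP_PARAM" \
      | sort -u > "$workdir/attack" || true

    # Add the newly seen hosts: those in this run's list but not in history.
    touch -- "$HISTORYHOSTSFILE"
    sort -u -- "$HISTORYHOSTSFILE" > "$workdir/history"
    comm -23 "$workdir/attack" "$workdir/history" > "$BANNEDHOSTFILE"

    # Block each new address by adding a "sshd: <ip>" line to hosts.deny. The
    # history is updated only after every line was written (set -e aborts on
    # a failed write), so on failure the addresses are simply retried next run.
    while IFS= read -r ip; do
      printf 'Deny access to host: %s\n' "$ip"
      printf 'sshd: %s\n' "$ip" >> "$HOSTSDENY"
    done < "$BANNEDHOSTFILE"

    # Append the processed addresses to the history file. The new file is
    # built aside and moved into place, so a crash cannot leave it half-written.
    sort -u -- "$workdir/history" "$BANNEDHOSTFILE" > "$workdir/history.new"
    mv -f -- "$workdir/history.new" "$HISTORYHOSTSFILE"
    rm -f -- "$BANNEDHOSTFILE"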