Shortly after a new FTP backup server went into service, a routine check of /var/log/secure turned up a large number of sshd and vsftpd authentication failures. Clearly someone was running a brute-force tool to guess passwords, so I needed to write a protective script.
Script requirements: the shell script runs from crontab as a scheduled task. Every 6 hours (tune this interval to your own situation) it reads /var/log/secure and pulls out the IPs doing the malicious guessing. If an IP's number of connections within the measurement window (one week) is above a threshold, for example 100 (also tunable), it is added to the /etc/hosts.deny blacklist; below the threshold the IP is ignored.
The authentication failure messages in /var/log/secure look like this:
Nov 28 10:18:08 centos2 sshd[7556]: Connection closed by 222.216.30.109
Nov 28 10:18:08 centos2 sshd[7557]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109 user=root
Nov 28 10:18:09 centos2 sshd[7559]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109 user=root
Nov 28 10:18:10 centos2 sshd[7551]: Failed password for root from 222.216.30.109 port 2391 ssh2
Nov 28 10:18:10 centos2 sshd[7552]: Connection closed by 222.216.30.109
Nov 28 10:18:10 centos2 sshd[7553]: Failed password for root from 222.216.30.109 port 2397 ssh2
Nov 28 10:18:10 centos2 sshd[7554]: Connection closed by 222.216.30.109
Nov 28 10:18:11 centos2 sshd[7557]: Failed password for root from 222.216.30.109 port 2401 ssh2
Nov 28 10:18:11 centos2 sshd[7558]: Connection closed by 222.216.30.109
Nov 28 10:18:11 centos2 sshd[7559]: Failed password for root from 222.216.30.109 port 2403 ssh2
Nov 28 10:18:11 centos2 sshd[7560]: Connection closed by 222.216.30.109
Nov 28 10:37:01 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:37:01 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=hello rhost=centos1.cn7788.com
Nov 28 10:37:01 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user hello
Nov 28 10:37:19 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:37:19 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yhc rhost=centos1.cn7788.com
Nov 28 10:37:19 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user yhc
Nov 28 10:37:36 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:37:36 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yuhongchun rhost=centos1.cn7788.com
Nov 28 10:37:36 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user yuhongchun
Nov 28 10:42:44 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:42:44 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yuhongchun rhost=114.112.169.70
Nov 28 10:42:44 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user yuhongchun
Nov 28 10:42:56 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:42:56 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=andrewyu rhost=114.112.169.70
Nov 28 10:42:56 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user andrewyu
Let's look at how /var/log/secure is rotated:
[root@centos2 log]# ls -lsart secure.*
512 -rw------- 1 root root 516379 11-04 01:31 secure.4
660 -rw------- 1 root root 668192 11-11 00:05 secure.3
304 -rw------- 1 root root 306589 11-17 10:33 secure.2
484 -rw------- 1 root root 488620 11-25 02:33 secure.1
Essentially, /var/log/secure is rotated on a weekly cycle. Readers with strict security requirements can also, on the principle of letting none slip through, harvest the malicious IPs from the older secure files listed above and drop them into /etc/hosts.deny as well. Now we need an efficient way to grab these malicious IPs. Following the original version of the shell script, to pull the addresses probing the vsftpd and sshd services out of the secure log we could use a command like this:
cat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $2"="$1;}'
Clearly this does not capture the IPs of vsftpd failures, because the sshd failure messages are formatted differently from vsftpd's. I wrote several awk-and-sed combinations and compared their speed; an awk script turned out fastest (you can write a few variants yourself and compare them with the time command). After trimming the code, the complete script looks like this:
#!/bin/bash
# Pull every non-empty rhost=... value out of the log (both sshd and vsftpd
# failures carry it) and count occurrences per remote host
awk '{for(i=1;i<=NF;i++){if($i~/^rhost=./)print substr($i,7)}}' /var/log/secure | sort | uniq -c > /root/black.txt
DEFINE="100"
cat /root/black.txt | while read LINE
do
    NUM=`echo $LINE | awk '{print $1}'`
    host=`echo $LINE | awk '{print $2}'`
    # skip lines that did not parse into "count host"
    [ -n "$host" ] || continue
    if [ "$NUM" -gt "$DEFINE" ];
    then
        # -F: match the host literally (dots are not wildcards); -q: no output
        grep -qF "$host" /etc/hosts.deny
        if [ $? -gt 0 ];
        then
            echo "sshd:$host" >> /etc/hosts.deny
            echo "vsftpd:$host" >> /etc/hosts.deny
        fi
    fi
done
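The same extraction-and-threshold logic, as an added example that is not the post's own script: it runs against a constructed log sample and a temporary deny file so it can be tried safely, and it also handles two cases the script above does not, an empty rhost= value and an existing entry matched literally as a whole line. The names extract_hosts, deny_hosts, denied_count, LOG and DENY are assumptions of this example.

```bash
#!/bin/bash
# Added example (not the original post's script): count rhost= failures per
# remote host and append hosts above a threshold to a deny file, once each.
set -u

# Constructed sample of /var/log/secure (not real data); the last line has an empty rhost=.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Nov 28 10:18:08 centos2 sshd[7557]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109 user=root
Nov 28 10:18:09 centos2 sshd[7559]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109 user=root
Nov 28 10:18:10 centos2 sshd[7551]: Failed password for root from 222.216.30.109 port 2391 ssh2
Nov 28 10:37:01 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=hello rhost=centos1.cn7788.com
Nov 28 10:40:00 centos2 sshd[7600]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=root
EOF
DENY=$(mktemp)   # stands in for /etc/hosts.deny
trap 'rm -f "$LOG" "$DENY"' EXIT

# Print "count host" per remote host, like the post's black.txt.
# Empty rhost= values are skipped so they cannot become a blank deny entry.
extract_hosts() {
    awk '{for(i=1;i<=NF;i++) if($i ~ /^rhost=./) print substr($i,7)}' "$1" | sort | uniq -c
}

# Append hosts whose count exceeds the threshold; -x -F matches the existing line literally.
deny_hosts() {
    local log=$1 deny=$2 threshold=$3 num host
    extract_hosts "$log" | while read -r num host; do
        [ "$num" -gt "$threshold" ] || continue
        if ! grep -qxF "sshd:$host" "$deny"; then
            printf 'sshd:%s\nvsftpd:%s\n' "$host" "$host" >> "$deny"
        fi
    done
}

# Number of hosts in the deny file (one "sshd:" line per host).
denied_count() { grep -c '^sshd:' "$1"; }

deny_hosts "$LOG" "$DENY" 1   # threshold 1 for the tiny sample; the post uses 100
deny_hosts "$LOG" "$DENY" 1   # a second run must not duplicate entries
cat "$DENY"
```

With the sample, only 222.216.30.109 (two rhost= lines) exceeds the threshold; centos1.cn7788.com has one and the empty rhost= is ignored.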
After the script has been running for a while, we can look at the files it touches, such as /root/black.txt:
[root@centos2 ~]# cat /root/black.txt
2 113.17.144.156
4 114.112.51.208
4 114.112.69.170
169 118-163-227-50.hinet-ip.hinet.net
8 119.188.7.200
8 122.70.130.11
61 124.248.32.246
12 183.203.14.121
3 189.26.255.11
56 199.204.237.60
3 199.30.53.220
5 201.236.80.4
6 220.172.191.31
30 222.216.30.109
60 222.253.159.111
58 223.4.180.23
166 58.221.42.178
1 61.132.4.85
152 61.142.106.34
22 61.167.33.222
7 85.126.166.83
166 www.b-nets.com
And the contents of /etc/hosts.deny:
sshd:124.248.32.246
vsftpd:124.248.32.246
sshd:199.204.237.60
vsftpd:199.204.237.60
sshd:222.253.159.111
vsftpd:222.253.159.111
sshd:223.4.180.23
vsftpd:223.4.180.23
sshd:58.221.42.178
vsftpd:58.221.42.178
sshd:61.142.106.34
vsftpd:61.142.106.34
sshd:118-163-227-50.hinet-ip.hinet.net
vsftpd:118-163-227-50.hinet-ip.hinet.net
sshd:www.b-nets.com
vsftpd:www.b-nets.com
Finally, put the shell script into crontab so that it runs every six hours:
# system crontab format (user field before the command); minute 0 of every sixth hour
0 */6 * * * root /bin/bash /root/hostsdeny.sh >> /dev/null 2>&1
Since /var/log/secure is rotated weekly, the script's run frequency can be set as you like: if the server is being probed heavily, shorten the interval; otherwise, lengthen it.