#!/bin/bash
LIMIT=10
LOGFILE="/var/log/block_ssh.log"
TIME=$(date '+%b %e %H')
BLOCK_IP=$(grep "$TIME" /var/log/secure|grep Failed|awk '{print $(NF-3)}'|sort|uniq -c|awk '$1>'$LIMIT'{print $1":"$2}')
for i in $BLOCK_IP
do
IP=$(echo $i|awk -F: '{print $2}')
TIMES=$(echo $i|awk -F: '{print $1}')
iptables-save|grep INPUT|grep DROP|grep $IP>/dev/null
if [ $? -gt 0 ];then
iptables -D INPUT -s $IP -j DROP
iptables -A INPUT -s $IP -j DROP
NOW=$(date '+%Y-%m-%d %H:%M')
echo -e "$NOW : $TIMES times $IP">>${LOGFILE}
fi
done
FREBSD 系统下,脚本如下:
#!/bin/sh
SCANIP=`grep "Failed" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | awk '{print $1"="$2;}'`
for i in $SCANIP
do
NUMBER=`echo $i | awk -F= '{print $1}'`
SCANIP=`echo $i | awk -F= '{print $2}'`
echo "$NUMBER($SCANIP)"
if [ $NUMBER -gt 10 ] && [ -z "`/sbin/ipfw show | grep $SCANIP`" ]
then
/sbin/ipfw add 1 deny ip from $SCANIP to me 22
echo "`date` $SCANIP($NUMBER)" >> /var/log/scanip.log
fi
done
Vsftpd服务可以参考命令:
awk '/'"FAIL LOGIN: Client"'/ {print $12}' /var/log/vsftpd.log | uniq -c | sort -k1n | awk -F'["]' '{print $1$2}' | awk '{if ($1 >=20) print $2}'
下面用C语言实现上面的代码:
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <stdarg.h>
#define SSH_LOG_PATH "/var/log/block_ssh.log"
#define SSH_SECURE_FILE "/var/log/secure"
#define SSH_MAX_LOG_FILE_SIZE (10*1024*1024)
#define SSH_LIMIT 10
#define SSH_BUF_SIZE 1024
#define SSH_BLOCK_IP "grep \"%s\" %s | grep \"Failed\" | awk \'{print $(NF-3)}\' | sort | uniq -c | awk \'$1 > %d {print $1\":\"$2}\'"
#define SSH_IPTABLES_SAVE "iptables-save | grep INPUT |grep DROP | grep \"%s\" >/dev/null 2>&1"
#define SSH_IPTABLES_D "iptables -D INPUT -s \"%s\" -j DROP"
#define SSH_IPTABLES_A "iptables -A INPUT -s \"%s\" -j DROP"
static FILE * ssh_logHander = NULL;
int init_ssh_log()
{
ssh_logHander = fopen(SSH_LOG_PATH,"a");
if(!ssh_logHander){
return -1;
}
return 0;
}
void ssh_log(char *p_fmt,...)
{
char date[SSH_BUF_SIZE] = {'\0'};
time_t now;
struct tm ptm;
char tmp[SSH_BUF_SIZE] = {'\0'};
struct stat buf;
va_list ap;
if(!ssh_logHander){
return;
}
time(&now);
if(localtime_r(&now,&ptm)){
strftime(date,sizeof(date),"%F %T",&ptm);
fprintf(ssh_logHander,"[ %s ]",date);
va_start(ap,p_fmt);
vfprintf(ssh_logHander,p_fmt,ap);
va_end(ap);
fflush(ssh_logHander);
}
if(stat(tmp,&buf) == 0){
if(buf.st_size > SSH_MAX_LOG_FILE_SIZE){
fclose(ssh_logHander);
ssh_logHander = fopen(SSH_LOG_PATH,"w+");
}
}
}
int check_systrm_result(char *cmd)
{
int result = -1;
if(!cmd){
return result;
}
result = system(cmd);
if((result != -1) && WIFEXITED(result) && (WEXITSTATUS(result) == 0)){
return 0;
}
return -1;
}
int main()
{
FILE *p_stream;
FILE *p_log;
char time_buf[1024] = {'\0'};
char block_ipbuf[1024] = {'\0'};
char cmd_line[1024] = {'\0'};
char *p_times,*p_ip;
init_ssh_log();
p_stream = popen("date \'+%b %e %H\'","r");
fgets(time_buf,SSH_BUF_SIZE - 1,p_stream);
printf("time_buf is %s\n",time_buf);
pclose(p_stream);
sprintf(block_ipbuf,SSH_BLOCK_IP,time_buf,SSH_SECURE_FILE,SSH_LIMIT);
printf("block_ipbuf is %s\n",block_ipbuf);
p_stream = popen(block_ipbuf,"r");
while(fgets(cmd_line,SSH_BUF_SIZE,p_stream) != NULL){
printf("cmd_line is %s\n",cmd_line);
p_times = cmd_line;
p_ip = strchr(p_times,':');
if(p_ip == NULL){
memset(cmd_line,0,SSH_BUF_SIZE);
continue;
}
*p_ip++ = '\0';
p_ip[strlen(p_ip)-1] = '\0';
printf("p_times :%d,p_ip is %s \n",atoi(p_times),p_ip);
memset(block_ipbuf,0,SSH_BUF_SIZE);
sprintf(block_ipbuf,SSH_IPTABLES_SAVE,p_ip);
printf("block_ipbuf is %s\n",block_ipbuf);
if(check_systrm_result(block_ipbuf)){
memset(block_ipbuf,0,SSH_BUF_SIZE);
sprintf(block_ipbuf,SSH_IPTABLES_D,p_ip);
printf("block_ipbuf is %s\n",block_ipbuf);
check_systrm_result(block_ipbuf);
memset(block_ipbuf,0,SSH_BUF_SIZE);
sprintf(block_ipbuf,SSH_IPTABLES_A,p_ip);
printf("block_ipbuf is %s\n",block_ipbuf);
check_systrm_result(block_ipbuf);
ssh_log(" : %d times ip %s unauthorized access\n",atoi(p_times),p_ip);
}
memset(cmd_line,0,SSH_BUF_SIZE);
}
pclose(p_stream);
}
http://www.92csz.com/11/1094.html