Linux添加IP黑名单

防攻击可以增加IP白名单/etc/hosts.allow和黑名单/etc/hosts.deny

修改/etc/hosts.allow文件
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the ‘/usr/sbin/tcpd’ server.
#
sshd:210.13.218.*:allow
sshd:222.77.15.*:allow
以上写法表示允许210和222两个ip段连接sshd服务

当然如果管理员集中在一个IP那么这样写是比较省事的
all:218.24.129.110        //表示接受110这个ip的所有请求！

/etc/hosts.deny文件，此文件是拒绝服务列表，文件内容如下：
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the ‘/usr/sbin/tcpd’ server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
sshd:all:deny
注意看：sshd:all:deny表示拒绝了所有sshd远程连接。:deny可以省略。

所以：当hosts.allow和 host.deny相冲突时，以hosts.allow设置为准。

脚本自动添加：

vim /root/secure_ssh.sh

cat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $2" = "$1;}'>black.txt
DEFINE="10"
for i in `cat  /root/black.txt`
do
    IP=`echo | awk '{split("'${i}'", array, "=");print array[1]}'`
    NUM=`echo | awk '{split("'${i}'", array, "=");print array[2]}'`
    if [ $NUM -gt $DEFINE ];then
     grep $IP /etc/hosts.deny > /dev/null
      if [ $? -gt 0 ];then
          echo "sshd:$IP:deny" >> /etc/hosts.deny
      fi
    fi
done

每次执行时他会自动去扫描/var/log/secure日志文件，并把登陆失败次数大于10次的IP自动写入到/etc/hosts.deny文件中去。

拒绝某个IP还可以这样写：all:ip