linux系统登录日志登录失败筛选，拉黑处理

系统登录日志

所在位置： /var/log/secure

登录成功日志

登录失败日志

过滤错误日志

grep  'Failed password' /var/log/secure

过滤出IPv4地址

grep 'Failed password' /var/log/secure | grep -P  "((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}"

grep 'Failed password' /var/log/secure | grep -Po  "((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}"

进行排序数字小的在前面

grep 'Failed password' /var/log/secure | grep -Po  "((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}" | sort -n

登录失败的次数进行统计

grep 'Failed password' /var/log/secure | grep -Po  "((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}" | sort -n | uniq -c

取出登录失败大于20的IP地址，演示使用的是大于2

grep 'Failed password' /var/log/secure | grep -Po  "((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}" | sort -n | uniq -c | awk '$1>20{print $2}'

拉黑处理

grep 'Failed password' /var/log/secure | grep -Po  "((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}" | sort -n | uniq -c | awk '$1>20{print $2}' | awk '{print "sshd:"$1":deny"}' >>/etc/hosts.deny

创建一个 shell.sh 上面的内容插入进入 给文件添加一个可执行权限，然后再添加一个定时任务，定时执行

*/1 * * * * /root/shell.sh
#每一分钟执行一次

优化：处理重复拉黑处理：
grep 'Failed password' /var/log/secure | awk '{print $11}'| sort -n | uniq -c | awk '$1>20{print $2}' | awk '{print "sshd:"$1":deny"}' >> /etc/hosts.deny

cat /etc/hosts.deny > lingshi 
cat lingshi >hosts.deny

其他参考

 lastb | awk '{print $3}' | sort | uniq -c | sort -nr | awk '$1>20{print $0}'| awk '{print "sshd:"$2":deny"}' >> /etc/hosts.deny