Feb 5 20:42:43 instance-m63fnpbp login: pam_unix(remote:auth): check pass; user unknown
Feb 5 20:42:43 instance-m63fnpbp login: pam_unix(remote:auth): authentication failure; logname= uid=0 euid=0 tty=pts/2 ruser= rhost=177-139-13-74.dsl.telesp.net.br
FAILED LOGIN SESSION FROM 177-139-13-74.dsl.telesp.net.br FOR (unknown), User not known to the underlying authentication module
To stop an IP from making a second round of malicious login attempts, I wrote a script; it is shown below. (I'm a beginner, so criticism and corrections are welcome!)
#!/bin/bash
max_limit=0            # an IP is appended when it has this many entries in hosts.deny already (i.e. none)
black_file=black.txt   # resulting blacklist: each IP together with its number of failed logins
if [ ! -f "$black_file" ]; then
    touch "$black_file"
fi
# the source IP is the 4th field from the end of "Failed password for <user> from <ip> port <n> ssh2"
grep 'Failed' /var/log/secure | awk '{print $(NF-3)}' | sort | uniq -c > "$black_file"
# file containing only the IPs (personal preference; awk could take them straight from the blacklist)
awk '{print $NF}' "$black_file" > final_file.txt
while read -r i; do
    # -F: match the IP literally (dots are not regex wildcards); -w: whole word, so 1.2.3.4 does not match 11.2.3.45
    is_exist=$(grep -Fwc -- "$i" /etc/hosts.deny)
    if [ "$is_exist" -eq "$max_limit" ]; then
        echo "sshd:$i" >> /etc/hosts.deny
        echo "vsftpd:$i" >> /etc/hosts.deny
    fi
done < final_file.txt
Finally I added it to crontab. Because malicious logins on this server are frequent, it runs once an hour; pick an interval that suits your own situation.
59 * * * * /root/xxxx.sh
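An added example, not the post's own script, that extends the same idea in two ways: it also picks up the pam_unix `rhost=` lines shown at the top of the post, and it only emits hosts.deny entries for a source once it reaches a failure threshold and is not already listed. The log path, threshold and hosts.deny path are parameters; the log lines and addresses are constructed sample data.

```shell
#!/bin/bash
# Added example (not from the original post). Collects offending sources from both
# "Failed password ... from <ip>" lines and pam_unix "rhost=<host>" lines, counts them,
# and prints the hosts.deny lines for sources at or above a threshold that are not listed yet.

# Print "count source" for every source in the log, most frequent first.
# Note: one failed sshd attempt can produce both a pam_unix line and a "Failed password"
# line, so this counts log lines rather than distinct attempts; set the threshold with that in mind.
count_failures() {  # $1 = log file
    {
        grep 'Failed password' "$1" | awk '{print $(NF-3)}'
        grep 'authentication failure' "$1" | sed -n 's/.*rhost=\([^ ]*\).*/\1/p' | grep -v '^$'
    } | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Emit "sshd:<src>" and "vsftpd:<src>" for sources with at least $2 failures not already in $3.
new_deny_entries() {  # $1 = log file, $2 = threshold, $3 = hosts.deny path
    count_failures "$1" | while read -r n src; do
        [ "$n" -ge "$2" ] || continue
        # -F literal match, -w whole word: 1.2.3.4 must not match 11.2.3.45
        grep -Fqw -- "$src" "$3" && continue
        printf 'sshd:%s\nvsftpd:%s\n' "$src" "$src"
    done
}

# Constructed sample log (documentation addresses, not real data) and a hosts.deny
# in which 198.51.100.7 is already blocked.
SAMPLE_LOG=$(mktemp)
SAMPLE_DENY=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_DENY"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Feb  5 20:40:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Feb  5 20:40:03 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2
Feb  5 20:40:05 host sshd[1203]: Failed password for root from 203.0.113.9 port 50001 ssh2
Feb  5 20:42:43 host login: pam_unix(remote:auth): authentication failure; logname= uid=0 euid=0 tty=pts/2 ruser= rhost=192.0.2.33
Feb  5 20:42:50 host login: pam_unix(remote:auth): authentication failure; logname= uid=0 euid=0 tty=pts/2 ruser= rhost=192.0.2.33
Feb  5 20:43:00 host sshd[1210]: Failed password for root from 192.0.2.33 port 50100 ssh2
EOF
printf 'sshd:198.51.100.7\nvsftpd:198.51.100.7\n' > "$SAMPLE_DENY"

# With threshold 2: 198.51.100.7 is skipped (already listed), 203.0.113.9 is below the
# threshold, and only 192.0.2.33 (3 lines) is printed.
new_deny_entries "$SAMPLE_LOG" 2 "$SAMPLE_DENY"
```

To apply the result, redirect the output with `>> /etc/hosts.deny` in place of the final call; in a cron job, pass the real log path and an empty-safe threshold.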