利用/etc/hosts.deny防ssh暴力破解

前言

之前写了个利用防火墙防ssh暴力破解脚本
传送门
但是利用iptables需要重启服务才能使黑名单ip生效
后面发现用/etc/hosts.deny文件可以不重启实现黑名单

代码

#!/bin/bash
logFile=/opt/cronTask/log/ssh_deny.log
# 白名单
whiteList=""

while true
do
    # 过滤登陆失败大于5次的ip
    ipList=$(grep "Failed password" /var/log/secure|awk '{print $(NF-3)}'|sort|uniq -c|sort -nr|awk '{if($1>=5) print $2}')
    localTime=$(date +"%Y-%m-%d %H:%M:%S")

    for ip in ${ipList[@]}
    do
        # 过滤重复ip
        if [[ $(grep $ip /etc/hosts.deny) ]]
        then
            continue
        fi

        # 过滤白名单ip
        if [[ $(echo $whiteList |grep $ip) ]]
        then
            continue
        fi
        
        echo ----------------------add ip:$ip------------------------ >> $logFile
        echo "sshd:$ip" >> /etc/hosts.deny
    done
    
    RANGE=`expr $RANDOM % 30vim `
    delay_time=$RANGE
    sleep $delay_time
done

生成服务

vim /etc/systemd/system/ssh_deny.service

[Unit]
Description=ssh_deny daemon
After=syslog.target  network.target
Wants=network.target

[Service]
Type=simple
ExecStart=/bin/bash /opt/crontask/ssh_deny.sh
Restart=always
RestartSec=1min
ExecStop=/usr/bin/killall ssh_deny.sh

[Install]
WantedBy=multi-user.target

systemctl enable ssh_deny.service
systemctl start ssh_deny.service

测试

手动将测试服务器ip加入/etc/hosts.deny

echo 'sshd:$ip' >> /etc/hosts.deny

ssh连接

# ssh root@ip
ssh_exchange_identification: read: Connection reset by peer