前言
之前写了个利用防火墙防ssh暴力破解脚本
传送门
但是利用iptables需要重启服务才能使黑名单ip生效
后面发现用/etc/hosts.deny文件可以不重启实现黑名单
代码
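#!/bin/bash
# Ban SSH brute-force sources through TCP wrappers: loop forever, scan the
# sshd auth log for source addresses with at least $failThreshold
# "Failed password" lines, and append "sshd:<ip>" to /etc/hosts.deny, which
# sshd re-reads on every connection (no service restart needed).
#
# NOTE(review): hosts.deny only affects sshd when it is linked against
# TCP wrappers (libwrap); upstream OpenSSH dropped that support in 6.7, so
# confirm on the target distro (e.g. `ldd "$(command -v sshd)" | grep libwrap`).
set -u

logFile=/opt/cronTask/log/ssh_deny.log   # audit trail of the bans added here
authLog=/var/log/secure                   # sshd auth log (RHEL/CentOS path; Debian uses auth.log)
denyFile=/etc/hosts.deny                  # TCP-wrappers deny list consulted by sshd
failThreshold=5                           # failed logins before an address is banned
maxDelay=30                               # upper bound (seconds) of the pause between scans
# 白名单 — whitespace-separated addresses that are never banned (put your own
# management hosts here so a mistyped password cannot lock you out); empty
# means no exemptions.
whiteList=""

#######################################
# Append a timestamped line to the audit log.
# Arguments: $* - message text
#######################################
log_msg() {
  printf '%s %s\n' "$(date +"%Y-%m-%d %H:%M:%S")" "$*" >> "$logFile"
}

#######################################
# Print, one per line, the source addresses with at least $failThreshold
# "Failed password" entries in $authLog.
# The address is the 4th field from the end on both line shapes sshd emits
# ("... for USER from IP port N ssh2" and "... for invalid user USER from IP
# port N ssh2"), so counting from the end is unaffected by the user name.
#######################################
failed_ips() {
  grep -F -- 'Failed password' "$authLog" \
    | awk '{print $(NF-3)}' \
    | sort | uniq -c | sort -nr \
    | awk -v n="$failThreshold" '$1 >= n {print $2}'
}

#######################################
# Succeed if $1 is already listed in $denyFile.
# -F/-w match the address literally and as a whole word, so "1.2.3.4"
# neither matches "1.2.3.45" nor has its dots treated as regex wildcards.
# grep's own errors are silenced on purpose: a missing deny file just means
# "not denied yet".
#######################################
already_denied() {
  grep -qFw -- "$1" "$denyFile" 2>/dev/null
}

#######################################
# Succeed if $1 is one of the words in $whiteList.
#######################################
whitelisted() {
  [[ -n "$whiteList" ]] && grep -qFw -- "$1" <<<"$whiteList"
}

#######################################
# Succeed if $1 contains only characters legal in an IPv4/IPv6 literal,
# so an unexpected log line can never put arbitrary text into hosts.deny.
#######################################
looks_like_ip() {
  [[ "$1" =~ ^[0-9A-Fa-f.:]+$ ]]
}

#######################################
# Append $1 to $denyFile and record the ban in the audit log.
#######################################
deny_ip() {
  log_msg "----------------------add ip:$1------------------------"
  printf 'sshd:%s\n' "$1" >> "$denyFile"
}

main() {
  # Fail loudly instead of spinning silently when the log cannot be read
  # (wrong distro path, not running as root).
  [[ -r "$authLog" ]] || { printf 'cannot read %s\n' "$authLog" >&2; exit 1; }
  mkdir -p -- "${logFile%/*}" || exit 1
  while true; do
    # Process substitution keeps the loop in the current shell; read -r
    # avoids any word-splitting or backslash handling on the addresses.
    while IFS= read -r ip; do
      [[ -n "$ip" ]] || continue
      looks_like_ip "$ip" || continue
      already_denied "$ip" && continue
      whitelisted "$ip" && continue
      deny_ip "$ip"
    done < <(failed_ips)
    # Random 0..(maxDelay-1) second pause between scans. The original
    # `expr $RANDOM % 30vim` had a stray "vim" that made expr fail, leaving
    # sleep with no operand and the loop spinning without any delay.
    sleep "$(( RANDOM % maxDelay ))"
  done
}

main "$@"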
生成服务
vim /etc/systemd/system/ssh_deny.service
[Unit]
# Long-running watcher that appends SSH brute-force sources to /etc/hosts.deny.
Description=ssh_deny daemon
After=syslog.target network.target
Wants=network.target
[Service]
Type=simple
# NOTE(review): the script's own logFile lives under /opt/cronTask (capital T)
# while this path is /opt/crontask; on a case-sensitive filesystem these are
# different directories — confirm which one is intended.
ExecStart=/bin/bash /opt/crontask/ssh_deny.sh
# Restart the loop whenever it exits, after a one-minute pause.
Restart=always
RestartSec=1min
# NOTE(review): the main process is started as "/bin/bash <script>", so its
# process name is "bash" and a killall by script name may not match it.
# systemd already sends SIGTERM to the main PID on stop, so this line is
# probably redundant — verify before relying on it.
ExecStop=/usr/bin/killall ssh_deny.sh
[Install]
WantedBy=multi-user.target
# Start the watcher now and on every boot (run `systemctl daemon-reload`
# first if systemd was already running when the unit file was created).
systemctl enable ssh_deny.service
systemctl start ssh_deny.service
测试
手动将测试服务器ip加入/etc/hosts.deny
echo 'sshd:$ip' >> /etc/hosts.deny
ssh连接
# ssh root@ip
ssh_exchange_identification: read: Connection reset by peer