SSH access control: blocking IPs to prevent brute-force attacks

Write a cron job script that runs every minute and blocks any IP address whose failed SSH login attempts against this host have reached 10. The counting must be done with awk.

1. System: CentOS 6

2. Method: read /var/log/secure and look for the keyword "Failed", for example:

[root@centos6 .ssh]#tailf /var/log/secure
Sep  3 00:41:28 centos6 sshd[11963]: error: connect_to 74.125.204.113 port 443: failed.
Sep  3 00:49:31 centos6 sshd[12021]: Failed password for root from 172.18.254.13 port 59012 ssh2
Sep  3 00:49:31 centos6 sshd[12021]: Failed password for root from 172.18.254.13 port 59012 ssh2
Sep  3 00:49:31 centos6 sshd[12022]: Connection closed by 172.18.254.13
Sep  3 00:49:51 centos6 sshd[12023]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=www.google.com  user=root
Sep  3 00:49:53 centos6 sshd[12023]: Failed password for root from 172.18.254.13 port 59014 ssh2
Sep  3 00:50:02 centos6 sshd[12023]: Failed password for root from 172.18.254.13 port 59014 ssh2
Sep  3 00:50:12 centos6 sshd[12023]: Accepted password for root from 172.18.254.13 port 59014 ssh2

3. Steps

1. First add the IPs you normally log in from to /etc/hosts.allow. This matters: it keeps a frequently used IP from being locked out just because someone mistyped a password.

[root@centos6 .ssh]#cat /etc/hosts.allow
#
# hosts.allow    This file contains access rules which are used to
#        allow or deny connections to network services that
#        either use the tcp_wrappers library or that have been
#        started through a tcp_wrappers-enabled xinetd.
#
#        See 'man 5 hosts_options' and 'man 5 hosts_access'
#        for information on rule syntax.
#        See 'man tcpd' for information on tcp_wrappers
#
sshd:172.18.254.13:allow
sshd:172.18.252.54:allow

2. Write the script /root/bin/secure_ssh.sh

[root@centos6 bin]#cat secure_ssh.sh
#!/bin/bash
# Extract the source IP of every "Failed password for <user> from <ip> port <port> ssh2"
# line (the IP is field NF-3), count occurrences per IP and write "ip=count" lines.
# Counts are cumulative over the whole log file, so an IP stays over the threshold
# until /var/log/secure is rotated.
awk '/Failed/{print $(NF-3)}' /var/log/secure | sort | uniq -c | awk '{print $2"="$1}' > /root/black.txt
# Block an IP once its failure count reaches this threshold
define=10
for i in $(cat /root/black.txt)
do
    ip=$(echo "$i" | awk -F= '{print $1}')
    num=$(echo "$i" | awk -F= '{print $2}')
    if [ "$num" -ge "$define" ]; then
        # Append a deny rule only if this exact IP is not already present.
        # -F matches a fixed string (dots are not regex wildcards), and matching
        # the whole "sshd:ip:deny" rule avoids prefix hits such as 172.18.254.1 vs 172.18.254.13.
        if ! grep -qF "sshd:$ip:deny" /etc/hosts.deny; then
            echo "sshd:$ip:deny" >> /etc/hosts.deny
        fi
    fi
done

3. Add secure_ssh.sh to cron so that it runs once a minute

[root@centos6 bin]#crontab -l
*/1 * * * * /root/bin/secure_ssh.sh

Note: the script must be given by its absolute path in the crontab!
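As an added example (not part of the original post), here is a portable sh/awk version of the counting step from steps 1 and 2: it matches only "Failed password for" lines, takes the IP as the word after "from" rather than trusting $(NF-3), and skips hosts listed in a hosts.allow-style whitelist so the admin IPs from step 1 are never written to hosts.deny. The log excerpt and the whitelist are constructed sample data, and the threshold of 3 is only for the demo.

```shell
#!/bin/sh
# Constructed /var/log/secure excerpt (not from a real host). It contains a
# lowercase "failed." line, the "invalid user" form and an "Accepted" line,
# none of which should be counted as a failure from the wrong field.
SAMPLE_LOG='Sep  3 00:41:28 centos6 sshd[11963]: error: connect_to 74.125.204.113 port 443: failed.
Sep  3 00:49:31 centos6 sshd[12021]: Failed password for root from 172.18.254.13 port 59012 ssh2
Sep  3 00:49:31 centos6 sshd[12021]: Failed password for root from 172.18.254.13 port 59012 ssh2
Sep  3 00:49:53 centos6 sshd[12022]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Sep  3 00:49:55 centos6 sshd[12022]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Sep  3 00:49:57 centos6 sshd[12022]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Sep  3 00:50:02 centos6 sshd[12023]: Failed password for root from 172.18.254.13 port 59014 ssh2
Sep  3 00:50:05 centos6 sshd[12024]: Failed password for root from 203.0.113.7 port 50002 ssh2
Sep  3 00:50:12 centos6 sshd[12023]: Accepted password for root from 172.18.254.13 port 59014 ssh2'

# Constructed hosts.allow-style whitelist: 172.18.254.13 is an admin host.
SAMPLE_ALLOW='sshd:172.18.254.13:allow'

# failed_ips THRESHOLD ALLOWFILE  (log lines on stdin)
# Prints "ip=count" for each source IP whose "Failed password" count
# reaches THRESHOLD, skipping IPs whitelisted in ALLOWFILE.
failed_ips() {
    awk -v t="$1" -v allow="$2" '
        BEGIN {
            # Load "sshd:IP:allow" entries so admin hosts are never counted
            if (allow != "")
                while ((getline line < allow) > 0)
                    if (split(line, f, ":") >= 2 && f[1] == "sshd") white[f[2]] = 1
        }
        /sshd\[[0-9]*]: Failed password for / {
            # Take the word after "from" instead of relying on $(NF-3)
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !(ip in white)) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= t) print ip "=" count[ip] }
    ' | sort
}

# demo THRESHOLD: run failed_ips over the constructed sample and whitelist.
demo() {
    allow=$(mktemp)
    printf '%s\n' "$SAMPLE_ALLOW" > "$allow"
    printf '%s\n' "$SAMPLE_LOG" | failed_ips "$1" "$allow"
    rm -f "$allow"
}

demo 3   # prints 198.51.100.9=3
```

The whitelisted 172.18.254.13 also has three failures in the sample but is never reported, which is the effect step 1 relies on hosts.allow precedence for.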

4. Testing

1. Open two terminal windows: in one, ssh into the server; in the other, connect to the server with a wrong password several times.

[root@localhost .ssh]# ssh 172.18.250.42
root@172.18.250.42's password: 
Permission denied, please try again.
root@172.18.250.42's password: 
Permission denied, please try again.
root@172.18.250.42's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@localhost .ssh]# ssh 172.18.250.42
root@172.18.250.42's password: 
Permission denied, please try again.
root@172.18.250.42's password: 
Permission denied, please try again.
root@172.18.250.42's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Very soon the blacklist file on the server has entries:

[root@centos6 bin]#cat /root/black.txt
172.18.252.54=6
172.18.254.13=15

Now look at hosts.deny on the server:

[root@centos6 bin]#cat /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#        deny connections to network services that either use
#        the tcp_wrappers library or that have been
#        started through a tcp_wrappers-enabled xinetd.
#
#        The rules in this file can also be set up in
#        /etc/hosts.allow with a 'deny' option instead.
#
#        See 'man 5 hosts_options' and 'man 5 hosts_access'
#        for information on rule syntax.
#        See 'man tcpd' for information on tcp_wrappers
#
sshd:172.18.254.13:deny

The IP has been added to the server's hosts.deny; when we now connect to the server with the correct password, the connection is refused:

[root@localhost .ssh]# ssh 172.18.250.42
ssh_exchange_identification: read: Connection reset by peer

Reprinted from: https://www.cnblogs.com/f-h-j-11-7/p/9651895.html
