首先查看安全日志文件 [root@localhost ~]# cat /var/log/secure|more
Jun 5 10:25:56 localhost sshd[10165]: Accepted password for root from 192.168.10.1 port 58525 ssh2
Jun 5 10:25:56 localhost sshd[10165]: pam_unix(sshd:session): session opened for user root by (uid=
0)
Jun 5 10:25:59 localhost sshd[10184]: Accepted password for root from 192.168.10.1 port 58528 ssh2
Jun 5 10:25:59 localhost sshd[10184]: pam_unix(sshd:session): session opened for user root by (uid=
0)
Jun 5 12:51:19 localhost sshd[10394]: Accepted password for root from 192.168.10.1 port 64063 ssh2
Jun 5 12:51:19 localhost sshd[10394]: pam_unix(sshd:session): session opened for user root by (uid=
0)
Jun 5 13:03:00 localhost sshd[10428]: pam_unix(sshd:auth): authentication failure; logname= uid=0 e
uid=0 tty=ssh ruser= rhost=192.168.10.1 user=root
Jun 5 13:03:00 localhost sshd[10428]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met
by user "root"
Jun 5 13:03:02 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
Jun 5 13:03:06 localhost sshd[10428]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met
by user "root"
Jun 5 13:03:08 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
Jun 5 13:03:14 localhost sshd[10428]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met
--More--
过滤其它ip,只看登录失败的ip地址 [root@localhost ~]# grep "Failed password" /var/log/secure
Jun 5 13:03:02 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
Jun 5 13:03:08 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
Jun 5 13:03:16 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
Jun 5 13:03:27 localhost sshd[10431]: Failed password for root from 192.168.10.1 port 64438 ssh2
Jun 5 13:15:33 localhost sshd[10442]: Failed password for root from 192.168.10.10 port 49796 ssh2
Jun 5 13:15:38 localhost sshd[10442]: Failed password for root from 192.168.10.10 port 49796 ssh2
Jun 5 13:15:38 localhost sshd[10442]: Failed password for root from 192.168.10.10 port 49796 ssh2
Jun 5 13:15:46 localhost sshd[10444]: Failed password for root from 192.168.10.10 port 49798 ssh2
Jun 5 13:15:50 localhost sshd[10444]: Failed password for root from 192.168.10.10 port 49798 ssh2
Jun 5 13:15:53 localhost sshd[10444]: Failed password for root from 192.168.10.10 port 49798 ssh2
Jun 5 13:15:59 localhost sshd[10446]: Failed password for root from 192.168.10.10 port 49800 ssh2
Jun 5 13:16:00 localhost sshd[10446]: Failed password for root from 192.168.10.10 port 49800 ssh2
Jun 5 13:16:02 localhost sshd[10446]: Failed password for root from 192.168.10.10 port 49800 ssh2
[root@localhost ~]#
打印登录失败的ip [root@localhost ~]# grep "Failed password" /var/log/secure |awk '{print$(NF-3)}'
192.168.10.1
192.168.10.1
192.168.10.1
192.168.10.1
192.168.10.10
192.168.10.10
192.168.10.10
192.168.10.10
192.168.10.10
192.168.10.10
192.168.10.10
192.168.10.10
192.168.10.10
[root@localhost ~]#
进行排序,统计次数 [root@localhost ~]# grep "Failed password" /var/log/secure |awk '{print$(NF-3)}'|sort|uniq -c|sort -nr
9 192.168.10.10
4 192.168.10.1
[root@localhost ~]#
匹配恶意登录次数大于5次的ip [root@localhost ~]# grep "Failed password" /var/log/secure |awk '{print$(NF-3)}'|sort|uniq -c|sort -nr|awk '{if ($1>=5) print $2}'
192.168.10.10
[root@localhost ~]#
对匹配出来的做一个for循环,然后写入防火墙文件 [root@localhost ~]# for i in $(grep "Failed password" /var/log/secure|awk '{print $(NF-3)}'|sort|uniq -c|sort -nr|awk '{if($1>=5) print $2}');do sed -i "/lo/a -A INPUT -s $i -j DROP" /etc/sysconfig/iptables ;done