新近刚上的FTP备份服务器,例行检查/var/log/secure日志时,发现不少sshd和vsftpd失败认证信息,很明显有人想用暴力破解工具窃取密码,所以需要编写一个安全脚本防止。
脚本需求如下:此SHELL脚本放在crontab计划任务里,每隔6小时(此时间根据实际情况来定义)就去读取/var/log/secure脚本,取出里面恶意猜测IP,如果单位时间内(一星期)的连接数是高于一个阀值,例如100(此阀值也可以根据实际情况来定义),则将其加进/etc/hosts.deny黑名单里,如果低于此阀值,则无视此IP。
/var/log/secure里认证失败信息如下: Nov 28 10:18:08 centos2 sshd[7556]: Connection closed by 222.216.30.109 Nov 28 10:18:08 centos2 sshd[7557]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109 user=root Nov 28 10:18:09 centos2 sshd[7559]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109 user=root Nov 28 10:18:10 centos2 sshd[7551]: Failed password for root from 222.216.30.109 port 2391 ssh2 Nov 28 10:18:10 centos2 sshd[7552]: Connection closed by 222.216.30.109 Nov 28 10:18:10 centos2 sshd[7553]: Failed password for root from 222.216.30.109 port 2397 ssh2 Nov 28 10:18:10 centos2 sshd[7554]: Connection closed by 222.216.30.109 Nov 28 10:18:11 centos2 sshd[7557]: Failed password for root from 222.216.30.109