实现方法:
对/var/log/secure日志文件解析,统计每十分钟登录超过10次的ip地址,并使用iptables对该IP地址进行拦截,并记录到日志。实现脚本如下:
file:/usr/local/bin/blacklist.sh
#!/usr/bin/bash
source ~/.bash_profile
source /etc/profile #引入环境变量,否则crontab执行结果会不正确
list=$(cat /var/log/secure | grep failure | awk ‘{print $14}’ | cut -d = -f 2 | grep -v ssh | sort -r | uniq -c | sort -k 1 -nr | awk ‘{if($1>10) print $2}’)
a=0
for i in
l
i
s
t
;
d
o
b
=
list; do b=
list;dob=(iptables -L -n -v | grep
i
)
;
i
f
[
!
"
i); if [ ! "
i);if[!"b" ];then
a=1;
iptables -I INPUT -s
i
−
j
D
R
O
P
;
e
c
h
o
"
i -j DROP; echo "
i−jDROP;echo"(date)add ip: $i into blacklist">>/var/log/blacklist.log;
fi
done;
if [
a
=
=
0
]
;
t
h
e
n
e
c
h
o
"
a==0 ];then echo "
a==0];thenecho"(date) not anyint attack source!">>/var/log/blacklist.log;
fi
配置定时器:
crontab -e
*/10 * * * * bash /usr/local/bin/blacklist.sh