A hands-on guide to blocking the IPs behind malicious server logins

Reprinted from: https://blog.csdn.net/weixin_42313749/article/details/117593636?spm=1001.2014.3001.5502

How to quickly add malicious IPs to the firewall blacklist


Introduction

Our servers are often hit by Nmap scans late at night, after which a large number of IPs start probing for logins to the server. How should we deal with this situation?

Requirement

Analyze the Linux security log /var/log/secure and add every IP address with more than 20 hacker or malicious login attempts to the iptables firewall blacklist.

Steps

  • First, look at the security log file

    [root@localhost ~]# cat  /var/log/secure|more
    Jun  5 10:25:56 localhost sshd[10165]: Accepted password for root from 192.168.10.1 port 58525 ssh2
    Jun  5 10:25:56 localhost sshd[10165]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jun  5 10:25:59 localhost sshd[10184]: Accepted password for root from 192.168.10.1 port 58528 ssh2
    Jun  5 10:25:59 localhost sshd[10184]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jun  5 12:51:19 localhost sshd[10394]: Accepted password for root from 192.168.10.1 port 64063 ssh2
    Jun  5 12:51:19 localhost sshd[10394]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Jun  5 13:03:00 localhost sshd[10428]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.1  user=root
    Jun  5 13:03:00 localhost sshd[10428]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Jun  5 13:03:02 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
    Jun  5 13:03:06 localhost sshd[10428]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
    Jun  5 13:03:08 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
    Jun  5 13:03:14 localhost sshd[10428]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met 
    --More--

  • Filter out everything else and look only at the lines for failed logins

    [root@localhost ~]# grep "Failed password" /var/log/secure
    Jun  5 13:03:02 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
    Jun  5 13:03:08 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
    Jun  5 13:03:16 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
    Jun  5 13:03:27 localhost sshd[10431]: Failed password for root from 192.168.10.1 port 64438 ssh2
    Jun  5 13:15:33 localhost sshd[10442]: Failed password for root from 192.168.10.10 port 49796 ssh2
    Jun  5 13:15:38 localhost sshd[10442]: Failed password for root from 192.168.10.10 port 49796 ssh2
    Jun  5 13:15:38 localhost sshd[10442]: Failed password for root from 192.168.10.10 port 49796 ssh2
    Jun  5 13:15:46 localhost sshd[10444]: Failed password for root from 192.168.10.10 port 49798 ssh2
    Jun  5 13:15:50 localhost sshd[10444]: Failed password for root from 192.168.10.10 port 49798 ssh2
    Jun  5 13:15:53 localhost sshd[10444]: Failed password for root from 192.168.10.10 port 49798 ssh2
    Jun  5 13:15:59 localhost sshd[10446]: Failed password for root from 192.168.10.10 port 49800 ssh2
    Jun  5 13:16:00 localhost sshd[10446]: Failed password for root from 192.168.10.10 port 49800 ssh2
    Jun  5 13:16:02 localhost sshd[10446]: Failed password for root from 192.168.10.10 port 49800 ssh2
    [root@localhost ~]# 

  • Print only the IPs of the failed logins (the IP is the fourth field from the end of each line)

    [root@localhost ~]# grep "Failed password" /var/log/secure |awk '{print$(NF-3)}'
    192.168.10.1
    192.168.10.1
    192.168.10.1
    192.168.10.1
    192.168.10.10
    192.168.10.10
    192.168.10.10
    192.168.10.10
    192.168.10.10
    192.168.10.10
    192.168.10.10
    192.168.10.10
    192.168.10.10
    [root@localhost ~]# 

  • Sort the IPs and count the occurrences

    [root@localhost ~]# grep "Failed password" /var/log/secure |awk '{print$(NF-3)}'|sort|uniq -c|sort -nr
          9 192.168.10.10
          4 192.168.10.1
    [root@localhost ~]# 

  • Match the IPs with 5 or more malicious login attempts (the awk condition is $1>=5)

    [root@localhost ~]# grep "Failed password" /var/log/secure |awk '{print$(NF-3)}'|sort|uniq -c|sort -nr|awk '{if ($1>=5) print $2}'
    192.168.10.10
    [root@localhost ~]# 

  • Loop over the matched IPs with a for loop and write them into the firewall rules file

    [root@localhost ~]# for i in $(grep "Failed password" /var/log/secure|awk '{print $(NF-3)}'|sort|uniq -c|sort -nr|awk '{if($1>=5) print $2}');do sed -i "/lo/a -A INPUT -s $i -j DROP" /etc/sysconfig/iptables ;done
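The whole pipeline above as reusable shell functions, added here as an example and not taken from the original post. It runs against a constructed log excerpt and a constructed stand-in for /etc/sysconfig/iptables, so the threshold, file paths and the loopback anchor line are parameters and assumptions of this example, not facts about any real host.

```shell
TMP="${TMPDIR:-/tmp}/banip.$$"
mkdir -p "$TMP"

# Constructed /var/log/secure excerpt in the same format as the post's output.
# The "invalid user" line shows why the IP is taken as $(NF-3): the tail
# "from IP port N ssh2" is fixed even when the username part varies.
cat > "$TMP/secure" <<'EOF'
Jun  5 10:25:56 localhost sshd[10165]: Accepted password for root from 192.168.10.1 port 58525 ssh2
Jun  5 13:03:02 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
Jun  5 13:03:08 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
Jun  5 13:15:33 localhost sshd[10442]: Failed password for invalid user admin from 192.168.10.10 port 49796 ssh2
Jun  5 13:15:38 localhost sshd[10442]: Failed password for root from 192.168.10.10 port 49796 ssh2
Jun  5 13:15:46 localhost sshd[10444]: Failed password for root from 192.168.10.10 port 49798 ssh2
Jun  5 13:15:50 localhost sshd[10444]: Failed password for root from 192.168.10.10 port 49798 ssh2
Jun  5 13:15:53 localhost sshd[10444]: Failed password for root from 192.168.10.10 port 49798 ssh2
EOF
# Constructed rules file; 192.168.10.10 is already banned, which the post's
# sed loop would silently duplicate on every run.
cat > "$TMP/iptables" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.10.10 -j DROP
COMMIT
EOF

# Source IP of every failed-password line ($1 = log file).
failed_ips() { grep 'Failed password' "$1" | awk '{print $(NF-3)}'; }

# IPs with at least $2 failures, most frequent first ($1 = log file).
ban_candidates() {
    failed_ips "$1" | sort | uniq -c | sort -nr | awk -v t="$2" '$1 >= t {print $2}'
}

# DROP rules for candidates not already present in rules file $3, so the
# function is safe to run from cron without growing the file each time.
new_drop_rules() {
    for ip in $(ban_candidates "$1" "$2"); do
        grep -qF -- "-s $ip -j DROP" "$3" || echo "-A INPUT -s $ip -j DROP"
    done
}

# Insert new rules right after the loopback ACCEPT line (an exact-line anchor;
# the post's /lo/ matches any line containing "lo"). The live firewall does not
# change until the file is reloaded, e.g. iptables-restore < "$3".
install_rules() {
    new_drop_rules "$1" "$2" "$3" | while read -r rule; do
        sed -i "/^-A INPUT -i lo -j ACCEPT\$/a $rule" "$3"
    done
}
```

Against a real host the call would be `install_rules /var/log/secure 5 /etc/sysconfig/iptables` followed by `iptables-restore < /etc/sysconfig/iptables`.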
              
                 
                 

Summary

Operations security plays a very important role in real production environments. When attackers scan and probe relentlessly, we need to block the offending IPs based on what we see in the traffic. Blocking IPs quickly requires a solid command of Linux commands, especially awk and sed, which we use constantly in our scripts. Be sure to master them.
