某个肉鸡奋斗了几天几夜猜我的密码
查看ssh的log并把相关IP放入iptable中来封杀
#屏蔽单个IP
iptables -I INPUT -s 221.3.131.110 -j DROP
#屏蔽最后一段
iptables -I INPUT -s 221.3.131.0/24 -j DROP
#屏蔽最后二段
iptables -I INPUT -s 221.3.0.0/16 -j DROP
#删除屏蔽单个IP
iptables -D INPUT -s 221.3.131.110 -j DROP
#删除INPUT链中第三条规则
iptables -D INPUT 3
#查看iptalbes
iptables -L
#防火墙规则只在计算机处于开启状态时才有效。如果系统被重新引导,这些规则就会自动被清除并重设。要保存规则以便今后载入,请使用以下命令
/sbin/service iptables save
#查看ssh登录记录
cat /var/log/messages|grep rhost
#统计ssh登录记录
cat /var/log/messages|grep rhost|wc -l
#显示ssh登录大于1次的ip及数量
cat /var/log/messages|grep rhost| awk ‘{print $13}’|awk ‘BEGIN { FS=”=” } { Num[$2]++ } END { for(i in Num) if(Num[i]>1) { print i,Num[i]} }’
#显示ssh登录大于15次的ip
cat /var/log/messages|grep rhost| awk ‘{print $13}’|awk ‘BEGIN { FS=”=” } { Num[$2]++ } END { for(i in Num) if(Num[i]>15) { print i} }’
#禁止ssh登录大于15次的ip(慎用,不要把自已的ip放进去)
cat /var/log/messages|grep rhost| awk ‘{print $13}’|awk ‘BEGIN { FS=”=” } { Num[$2]++ } END { for(i in Num) if(Num[i]>15) { print i} }’|xargs -i[] iptables -I INPUT -s [] -j DROP
#查看rhel5的ssh登录
cat /var/log/audit/audit.log|grep authentication
暂时缓解方法:
iptables -I INPUT -p tcp –dport 22 -m state –state NEW -m limit –limit 5/sec -j DROP
iptables -I INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
脚本:
来自cu的cn_jhz :
http://linux.chinaunix.net/bbs/thread-909381-1-4.html
#!/bin/bash
MONITOR_FILE=”/var/log/messages”
MONITOR_LOG_FILE=”/var/crontab/anti_scan.log”
TABLES=”/tmp/anti_scan.pid”
tmp=”/tmp/anti_scan.pid.tmp”
test -e $TABLES || touch $TABLES
test -e $TABLES || touch $tmp
while read line
do
str=`echo $line | grep “authentication failure” | grep -v “grep” | awk ‘{for(x=1;x<=NF;x++){if(match($x,"rhost=")){rhost=substr($x,RSTART+RLENGTH,length($x)); printf ("%s %s\n",$3,rhost);}}}'`
if [ -n "$str" ]; then
NEWTIME=`echo $str | awk '{print $1}' |awk -F":" '{printf ("%s:%s",$1,$2);}'`
OLDTIME=`tail -n 1 $TABLES | awk '{print $1}' |awk -F":" '{printf ("%s:%s",$1,$2);}'`
if [ "$NEWTIME" == "$OLDTIME" ]; then
echo $str >> $TABLES
else
echo $str > $TABLES
fi
cat $TABLES | awk ‘{print $2}’ | sort | uniq -c | sort -rn | xargs -l | \
while read amount ip
do
if [ $amount -gt 6 ]; then
iptables -A INPUT -s $ip -j DROP
sed ‘/$ip/d’ $TABLES > $tmp
cat $tmp > $TABLES
fi
done
fi
done<`tail -f $MONITOR_FILE`
来自cu的platinum
http://linux.chinaunix.net/bbs/thread-909563-1-1.html
#! /bin/bash
SCANNER=
</span> <span style="color: #ff0000;">grep</span> <span style="color: #ff00ff;">"\date \”+ %d %H:%M\” -d \”-1min\”`” /var/
log
/secure|awk ‘/Failed/{print $(NF-3)}’
|
sort
|uniq –c|awk ‘{print $1″=”$2;}’
`
Name: blockscanner.sh by Platinum
for i in $
SCANNER
do
NUM=
</span>echo <span style="color: #0000ff;">$</span> <span style="color: #008080;">i</span> <span style="color: #0000cc;">|</span>awk <span style="color: #0000cc;">-</span>F<span style="color: #0000cc;">=</span> <span style="color: #ff00ff;">'{print $1}'</span> <span style="color: #ff00ff;">
IP=
</span>echo <span style="color: #0000ff;">$</span> <span style="color: #008080;">i</span> <span style="color: #0000cc;">|</span>awk <span style="color: #0000cc;">-</span>F<span style="color: #0000cc;">=</span> <span style="color: #ff00ff;">'{print $2}'</span> <span style="color: #ff00ff;">
echo $
NUM
echo $
IP
if [ $
NUM –
gt 10 ] &
& [ –z “iptables -vnL INPUT|grep $IP“ ]
then
iptables –I INPUT –s $
IP –m state –
–state NEW,RELATED,ESTABLISHED –j DROP
echo “date $IP($NUM)” >
> /var/
log
/scanner.
log
fi
done
脚本下载 blockscanner
其它工具:
你也可以使用fail2ban 自动封IP来解决这个问题。
denyhosts
sshblack
使用iptable来ban ip总有一天会满的。
其它改善的方法:
如果你是从固定ip使用ssh,用hosts.deny 和hosts.allow配合使用限制IP登陆
使用key文件认证
修改默认端口
No Responses (yet)
Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.