Linux: using a shell script on Ubuntu to automatically blacklist IPs with repeated SSH login failures

Part 1: Login-related files

The three relevant log files on Ubuntu:
1. /var/run/utmp: records the users currently logged in to the system; by default `who` and `w` read it to show current sessions, and `uptime` reads the system boot time from it;

2. /var/log/wtmp: records current and historical logins to the system; viewed by default with the `last` command;

3. /var/log/btmp: records failed login attempts; viewed by default with the `lastb` command.

To view the failed login records on Ubuntu, all you need is:

sudo lastb
# or
sudo lastb -n 30   # show only the 30 most recent entries

Part 2: Viewing the failed login records

I bought this server and never really used it; it sat idle and unattended. Although I had changed the SSH port and disabled root SSH login, anyone who is not lazy can find the port easily with a port scanner. Sure enough, someone found it and is now running a dictionary attack trying to brute-force a login (they have already worked their way through usernames from "a" to "m").

ubuntu@VM-20-6-ubuntu:~$ sudo lastb -n 20
maven    ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
maven    ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
maxiao   ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
maxiao   ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
maundy   ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
max      ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mawenche ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maundy   ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
max      ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
max      ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mawenche ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mawenche ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
max      ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mawenche ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maven    ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mauricio ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)

Looking at the failed records and counting them per IP, the busiest source has already run more than 30,000 login attempts. None of them succeeded, but they are as annoying as flies, so I need a script that adds IPs with many failed login attempts to a blacklist.

ubuntu@VM-20-6-ubuntu:~$ sudo lastb |awk '{print $3}'|sort |uniq -c
      1 
      4 119.165.181.251
      4 121.129.214.70
  30573 138.68.86.65
      4 151.50.58.55
      1 151.84.178.182
  30702 159.65.220.140
     54 177.249.47.101
      7 185.245.41.97
  15331 211.246.175.6
      4 24.218.231.49
      4 24.224.178.87
     59 47.102.111.161
      4 82.66.84.2
      4 83.195.190.187
      4 83.228.156.118
    103 83.250.30.182
      4 88.157.49.186
      8 98.40.14.28
      1 Sat
      1 Sun
      1 Wed

Part 3: Writing the script to block IPs with failed SSH logins

This command yields the IPs with more than 4 failed logins (field 3 of the lastb output is the source host), which is exactly the list of IPs to add to the blacklist:

sudo lastb |awk '{print $3}'|sort |uniq -c|awk '{if ($1 > 4) print $2}'

The output is as follows:

ubuntu@VM-20-6-ubuntu:~$ sudo lastb |awk '{print $3}'|sort |uniq -c|awk '{if ($1 > 4) print $2}'
138.68.86.65
159.65.220.140
177.249.47.101
185.245.41.97
211.246.175.6
47.102.111.161
83.250.30.182
98.40.14.28

Now for the script. The blacklist file is /etc/hosts.deny; on Ubuntu an entry only takes effect when it is added in the form `ALL: IP`.

#!/bin/bash
# Must run as root: it writes /etc/hosts.deny and truncates /var/log/btmp.
#set -x
# IPs with more than 4 failed logins; field 3 of lastb output is the source host
list=$(lastb | awk '{print $3}' | sort | uniq -c | awk '{if ($1 > 4) print $2}')
for ip in ${list}
do
	# add to the blacklist, skipping IPs that are already listed
	grep -qxF "ALL: ${ip}" /etc/hosts.deny || echo "ALL: ${ip}" >> /etc/hosts.deny
done
# Clear the failure log so the next run does not count the same IPs again.
# Done once after the loop (not on every iteration), and ':' truncates the
# binary btmp file without writing a stray newline into it.
: > /var/log/btmp
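As an added example (not the post's own script), here is a hardened version of the counting pipeline from Part 3 and the blacklist script above. It assumes lastb output in the column layout shown in the post (field 3 is the source host) and IPv4 addresses only; the deny-file path and the threshold are parameters so it can be exercised against a temporary file, and the allow-list address 203.0.113.10 and the sample lastb lines are constructed values. It only counts tokens that look like dotted-quad addresses, so the stray weekday tokens (Sat, Sun, Wed) visible in the `uniq -c` output above can never end up in hosts.deny, and it skips entries that are already present so repeated runs do not duplicate lines.

```shell
#!/bin/bash
# Added example, not the original post's script. Hardened variant of the
# "count failed logins per IP in lastb output, then append ALL: <ip> to
# hosts.deny" procedure. Assumes lastb's column layout as shown in the post
# (field 3 is the source host) and IPv4 addresses only.
set -eu

# Addresses that must never be blocked (e.g. your own office address).
# 203.0.113.10 is a constructed placeholder from the documentation range.
ALLOW_LIST="${ALLOW_LIST:-203.0.113.10}"

# Print the IPs whose failure count exceeds $1 (default 4), one per line.
# Reads lastb output on stdin. Only dotted-quad tokens are counted, so the
# trailing "btmp begins ..." line, blank lines and weekday tokens are ignored.
offending_ips() {
    awk -v t="${1:-4}" '
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$3]++ }
        END { for (ip in n) if (n[ip] > t) print ip }
    ' | sort
}

# Append "ALL: <ip>" to the deny file $1 unless that exact line is already
# there. Returns 0 if a line was added, 1 if the IP was already listed.
deny_ip() {
    if grep -qxF "ALL: $2" "$1" 2>/dev/null; then
        return 1
    fi
    printf 'ALL: %s\n' "$2" >> "$1"
}

# Read lastb output on stdin, blacklist every offending IP that is not in
# ALLOW_LIST, and print the number of entries added.
blacklist_from_lastb() {
    deny_file="$1"
    threshold="${2:-4}"
    added=0
    for ip in $(offending_ips "$threshold"); do
        case " $ALLOW_LIST " in *" $ip "*) continue ;; esac
        if deny_ip "$deny_file" "$ip"; then
            echo "blacklisted $ip" >&2
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Constructed sample lastb output for offline testing (not real log data):
# 198.51.100.7 fails 5 times, 192.0.2.99 5 times, 203.0.113.10 6 times
# (allow-listed), 192.0.2.44 only 3 times.
sample_lastb() {
    cat <<'EOF'
admin    ssh:notty    198.51.100.7     Tue Nov 23 12:58 - 12:58  (00:00)
admin    ssh:notty    198.51.100.7     Tue Nov 23 12:58 - 12:58  (00:00)
root     ssh:notty    198.51.100.7     Tue Nov 23 12:57 - 12:57  (00:00)
test     ssh:notty    198.51.100.7     Tue Nov 23 12:57 - 12:57  (00:00)
oracle   ssh:notty    198.51.100.7     Tue Nov 23 12:57 - 12:57  (00:00)
pi       ssh:notty    192.0.2.44       Tue Nov 23 12:50 - 12:50  (00:00)
pi       ssh:notty    192.0.2.44       Tue Nov 23 12:50 - 12:50  (00:00)
pi       ssh:notty    192.0.2.44       Tue Nov 23 12:50 - 12:50  (00:00)
EOF
    for u in u1 u2 u3 u4 u5; do
        echo "$u       ssh:notty    192.0.2.99       Tue Nov 23 12:40 - 12:40  (00:00)"
    done
    for u in me me me me me me; do
        echo "$u       ssh:notty    203.0.113.10     Tue Nov 23 12:30 - 12:30  (00:00)"
    done
    echo ""
    echo "btmp begins Sat Nov 20 10:00:00 2021"
}

# Real run as root, e.g. from root's crontab: "/home/ubuntu/ssh_deny.sh --run".
# btmp is truncated afterwards (as in the post) so counts do not accumulate;
# ':' truncates without writing a stray newline into the binary file.
if [ "${1:-}" = "--run" ]; then
    lastb | blacklist_from_lastb /etc/hosts.deny 4
    : > /var/log/btmp
fi
```

Invoke it as `ssh_deny.sh --run` from root's crontab. One caveat worth checking before relying on this: hosts.deny is only consulted if sshd was built with TCP wrappers (libwrap) support. `ldd "$(command -v sshd)" | grep libwrap` shows whether your build links against it, and `tcpdmatch sshd <ip>` (from the tcpd package) reports whether a given address would be denied. On a build without libwrap the same list of offending IPs can be fed to a firewall rule instead.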

Part 4: Scheduling the script with cron

sudo crontab -e
# run the script once an hour (at minute 0) from root's crontab; note that the
# schedule "* */1 * * *" would run it every minute, not every hour
0 * * * * /bin/bash /home/ubuntu/ssh_deny.sh

Done. There is nothing much on this server anyway, so for testing I changed the SSH port back to the default 22 and started "fishing". After a few hours I'll check whether /etc/hosts.deny has gained any IPs.



Update the next day:
After fishing all night, the results are good.

ubuntu@VM-20-6-ubuntu:~$ cat /etc/hosts.deny 
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: some.host.name, .some.domain
#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID

ALL: 138.68.86.65
ALL: 159.65.220.140
ALL: 177.249.47.101
ALL: 185.245.41.97
ALL: 211.246.175.6
ALL: 47.102.111.161
ALL: 83.250.30.182
ALL: 98.40.14.28
ALL: 220.129.62.150
ALL: 24.245.227.211
ubuntu@VM-20-6-ubuntu:~$ 

And the failed login log now contains only a handful of entries.

ubuntu@VM-20-6-ubuntu:~$ sudo lastb 
pi       ssh:notty    122.199.7.19     Wed Nov 24 05:39 - 05:39  (00:00)
pi       ssh:notty    122.199.7.19     Wed Nov 24 05:39 - 05:39  (00:00)
pi       ssh:notty    122.199.7.19     Wed Nov 24 05:39 - 05:39  (00:00)
pi       ssh:notty    122.199.7.19     Wed Nov 24 05:39 - 05:39  (00:00)

btmp begins Thu Jul 26 22:17:36 1917
ubuntu@VM-20-6-ubuntu:~$ 
