Tags: hosts.deny, lastb
Purpose: automatically capture the IP addresses behind malicious connections and add them to hosts.deny so they are blocked.
Idea: use the lastb command to find recent failed login attempts, extract their IP addresses, and append them to /etc/hosts.deny with output redirection.
Then set the script to run automatically.
Problems found while writing it:
1. The lastb output also contains a heading line and a blank line that carry no IP address.
To filter those out, use grep so that only the rows containing an IP address remain:
lastb | grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
The IP address sits in the third column. cut can only split on a single space, not on a run of consecutive spaces, so use awk instead: lastb | grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | awk '{print $3}'
Weak-password attacks usually come many times from the same source, so the same IP address appears repeatedly. sort -u removes the duplicates: lastb | grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | awk '{print $3}' | sort -u
This isolates the IP addresses behind the failed logins. Next, write the script that adds them to hosts.deny.
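As an added example (not part of the original post), here is the same extraction written as POSIX shell functions run over constructed lastb output, so it can be tried without a real /var/log/btmp. Unlike the grep pipeline it checks that the third column is a well-formed IPv4 address (four octets, each 0 to 255), and it also produces the per-address counts that the later script obtains with sort | uniq -c. The sample text and the function names count_failed_ips and unique_failed_ips are assumptions of this example.

```shell
#!/bin/sh
# Added example: extract distinct IPv4 addresses from lastb-style output,
# skipping the heading, blank and "btmp begins" lines that carry no address.

# Constructed sample of lastb output; the addresses are made up.
SAMPLE_LASTB='root     ssh:notty    203.0.113.5      Wed Aug  6 10:01 - 10:01  (00:00)
admin    ssh:notty    203.0.113.5      Wed Aug  6 10:02 - 10:02  (00:00)
root     ssh:notty    198.51.100.77    Wed Aug  6 10:03 - 10:03  (00:00)
test     ssh:notty    203.0.113.5      Wed Aug  6 10:04 - 10:04  (00:00)

btmp begins Wed Aug  6 00:00:01 2014'

# Read lastb output on stdin and print "<count> <ip>" for each distinct
# address in column 3, most attempts first (like sort | uniq -c | sort -nr).
# Only well-formed IPv4 addresses are counted, so heading/blank/btmp lines drop out.
count_failed_ips() {
    awk 'function is_ipv4(s,   p, i) {
             if (split(s, p, ".") != 4) return 0
             for (i = 1; i <= 4; i++)
                 if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
             return 1
         }
         is_ipv4($3) { n[$3]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print only the distinct addresses, most attempts first
# (the same set the page gets from awk | sort -u).
unique_failed_ips() {
    count_failed_ips | awk '{ print $2 }'
}

# Demonstration on the constructed sample; with real data use: lastb | count_failed_ips
printf '%s\n' "$SAMPLE_LASTB" | count_failed_ips
```

Pipe the real output through it with `lastb | count_failed_ips`; the count column is what the threshold check further down the page needs.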
#!/bin/bash
# Loop forever: collect the IP addresses of failed logins and append them to hosts.deny.
while true
do
    txt=$(lastb | grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | awk '{print $3}' | sort -u)
    file='/etc/hosts.deny'
    for ip in $txt
    do
        echo "sshd: $ip" >> $file
    done
    sleep 120s
done
This writes the data every two minutes, but the same IP address is written again on every pass. To avoid that, check whether the captured IP address already exists in hosts.deny before appending it:
grep "$ip" $file > /dev/null
if [ "$?" != "0" ]; then
    echo "sshd: $ip" >> $file
fi
The combined script is:
#!/bin/bash
while true
do
    txt=$(lastb | grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | awk '{print $3}' | sort -u)
    file='/etc/hosts.deny'
    for ip in $txt
    do
        grep "$ip" $file > /dev/null    # skip addresses already present in hosts.deny
        if [ "$?" != "0" ]; then
            echo "sshd: $ip" >> $file
        fi
    done
    sleep 120s
done
This basically rejects further access from the IP addresses behind the failed logins. However, if the administrator mistypes a password, the administrator's own address is banned as well, and in practice attackers may not come from a fixed IP address but through a domain name. The following script, developed by yuanpeng, addresses these problems:
#!/bin/bash
# Prevent SSH attack
# Author: Li yuanpeng
# V1.0
# Date: 20140806
sleeptime=30
while true
do
    # Read the attacking IP addresses and sort them by number of attempts (filtering out the administrator's IP address)
    lastb -n 500 | grep -v "^$" | grep -v "btmp" | awk '{print $3}' | sort | uniq -c | grep -v "172.16.1.51" | sort -nr > attack.log
    while read line
    do
        ip=$(echo $line | awk '{print $2}')
        time=$(echo $line | awk '{print $1}')
        if [ "$time" -gt 5 ]; then
            grep "$ip" /etc/hosts.deny &> /dev/null
            if [ "$?" -ne "0" ]; then
                echo "sshd: $ip" >> /etc/hosts.deny    # append; a single > would overwrite hosts.deny
            fi
        fi
    done < attack.log
    /bin/sleep $sleeptime
done
deny.sh
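The following is an added example, not the post's deny.sh or yuanpeng's script. It takes an attack.log-style list of "<count> <ip>" lines and applies the same three rules as the scripts above (attempt threshold, administrator allowlist, skip addresses already present), with two changes a practitioner would want. The already-present check uses grep -qxF so that a bare substring match cannot mistake an entry for 203.0.113.50 as one for 203.0.113.5, and the target file comes from the HOSTS_DENY variable, defaulting to a temporary file, so the demonstration never touches /etc/hosts.deny. The sample log, the variable names and the function names are assumptions of this example; 172.16.1.51 is the administrator address used in the script above.

```shell
#!/bin/sh
# Added example: threshold + allowlist + exact already-present check before
# appending "sshd: <ip>" to a hosts.deny file. Not the post's own script.

HOSTS_DENY="${HOSTS_DENY:-$(mktemp)}"   # set HOSTS_DENY=/etc/hosts.deny for real use
THRESHOLD="${THRESHOLD:-5}"             # ban only when attempts exceed this (page uses 5)
ALLOWLIST="${ALLOWLIST:-172.16.1.51}"   # space-separated addresses never banned

# Constructed attack.log contents ("<count> <ip>"); the addresses are made up.
SAMPLE_ATTACK_LOG='12 203.0.113.5
7 172.16.1.51
6 203.0.113.50
2 198.51.100.77'

# True (0) if $1 is listed in ALLOWLIST.
is_allowed() {
    for a in $ALLOWLIST; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# True (0) if the file already contains exactly the line "sshd: <ip>".
# -x matches the whole line and -F takes the pattern literally, so
# "sshd: 203.0.113.50" is not mistaken for an entry for 203.0.113.5.
already_denied() {
    [ -f "$HOSTS_DENY" ] && grep -qxF -- "sshd: $1" "$HOSTS_DENY"
}

# Append one address; returns 0 when a new entry was written, 1 when skipped.
deny_ip() {
    if is_allowed "$1" || already_denied "$1"; then
        return 1
    fi
    echo "sshd: $1" >> "$HOSTS_DENY"
}

# Read "<count> <ip>" lines on stdin and deny those above the threshold.
# Prints the number of addresses newly added.
process_attack_log() {
    added=0
    while read -r count ip; do
        [ -z "$ip" ] && continue
        if [ "$count" -gt "$THRESHOLD" ] && deny_ip "$ip"; then
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Demonstration on the constructed sample (writes only to $HOSTS_DENY).
printf '%s\n' "$SAMPLE_ATTACK_LOG" | process_attack_log
```

Run it as `HOSTS_DENY=/etc/hosts.deny sh deny_example.sh` (as root) to act on the real file; feeding it `lastb | ... | sort | uniq -c` output instead of the sample gives the live counts.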