deny.sh

Source: Internet
Author: User

Tag: hosts.deny lastb

Purpose: to automatically capture the IP addresses behind failed login attempts and add them to /etc/hosts.deny.

Idea: use the command lastb to list recent failed logins, filter out their IP addresses, and append them to /etc/hosts.deny with output redirection.

Then run this automatically in a loop.

Problems found during writing:

1. The output of lastb contains lines that are not login records (a blank line and the "btmp begins ..." trailer).

To filter them out, use grep to keep only the lines that contain a dotted-quad IP address:

lastb | grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'


The IP address is in the third column. cut -d' ' splits on a single space and cannot collapse runs of consecutive spaces, so use awk instead, which splits on whitespace:

lastb | grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | awk '{print $3}'


Weak-password attacks usually repeat, so the same IP address appears many times. sort -u removes the duplicates:

lastb | grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | awk '{print $3}' | sort -u


This pins down the IP addresses behind the failed logins. Next, write the script that appends them to /etc/hosts.deny (lastb reads /var/log/btmp, which is normally readable only by root, so the script has to run as root):

#!/bin/bash

# Loop forever: collect the IP addresses of failed logins and append them to hosts.deny.
while true
do
    txt=$(lastb | grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | awk '{print $3}' | sort -u)
    file='/etc/hosts.deny'
    for ip in $txt
    do
        echo "sshd: $ip" >> $file
    done
    sleep 120
done

This writes entries every two minutes, but the same IP address is appended again on every pass. The script therefore needs to check whether a captured IP address is already present in /etc/hosts.deny before adding it (note that grep on the bare address is a substring match, so an existing entry for 10.0.0.1 also satisfies the check for 10.0.0.10; anchoring the pattern to the whole line avoids that):

grep $ip $file > /dev/null
if [ "$?" != "0" ]; then
    echo "sshd: $ip" >> $file
fi

The integrated script is:

#!/bin/bash

while true
do
    txt=$(lastb | grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | awk '{print $3}' | sort -u)
    file='/etc/hosts.deny'
    for ip in $txt
    do
        # Only append the address if it is not already in the file.
        grep $ip $file > /dev/null
        if [ "$?" != "0" ]; then
            echo "sshd: $ip" >> $file
        fi
    done
    sleep 120
done

With this, further access from the addresses behind failed logins is rejected. However, an administrator who mistypes a password gets banned as well, and in practice the host column of lastb may hold a hostname rather than an IP address (sshd records the reverse-resolved client name when it is configured to resolve names), which the IP regex above silently drops. The following script (written by Li yuanpeng) addresses both issues: it keeps every value in the host column, ignores the administrator's address, and only bans sources with more than five failures. Two caveats before relying on it: sshd honours /etc/hosts.deny only when it is built with TCP wrappers (libwrap) support, which upstream OpenSSH removed in version 6.7, so check with ldd whether your sshd binary is linked against libwrap; and hostname entries in hosts.deny depend on reverse DNS at connection time, so banning by IP address is more reliable.

#!/bin/bash
# Prevent SSH attack
# Author: Li yuanpeng
# V1.0
# Date: 20140806

sleeptime=30

while true
do
    # Take the hosts from the last 500 failed logins, skipping the blank line and the
    # "btmp begins" trailer, count failures per host, drop the administrator's IP address
    # and sort by number of failures, most frequent first.
    lastb -n 500 | grep -v "^$" | grep -v "btmp" | awk '{print $3}' | sort | uniq -c | grep -v "172.16.1.51" | sort -nr > attack.log
    while read line
    do
        ip=$(echo $line | awk '{print $2}')
        time=$(echo $line | awk '{print $1}')
        if [ "$time" -gt 5 ]; then
            grep "$ip" /etc/hosts.deny &> /dev/null
            if [ "$?" -ne "0" ]; then
                # Append; a single '>' here would overwrite the whole file.
                echo "sshd: $ip" >> /etc/hosts.deny
            fi
        fi
    done < attack.log
    /bin/sleep $sleeptime
done
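The same approach, written as a set of functions that can be exercised offline, is given below as an added example; it is neither the article's deny.sh nor Li yuanpeng's script. It reads lastb output from standard input instead of running lastb (which needs root to read /var/log/btmp), counts failures per source host while keeping hostnames as well as addresses, applies the same "more than 5 failures" threshold and a whitelist of administrator addresses, and appends to whichever file is passed in, checking for an existing entry with an exact line match so that an entry for one address cannot mask another that merely starts with the same digits. The sample lastb lines, the addresses 203.0.113.7, 198.51.100.2 and 172.16.1.51, the hostname scanner.example and the whitelist contents are all constructed for the demo.

```shell
#!/bin/bash
# Added example, not the article's script. Same idea as the deny.sh loop
# above, but split into functions that read lastb output from stdin and
# write to a file given as an argument, so it runs offline against
# constructed input and never touches /etc/hosts.deny unless you pass it.

# Constructed sample of `lastb` output (not real log data): six failures
# from 203.0.113.7, six from the administrator's 172.16.1.51, two from a
# source that reverse-resolved to a hostname, one from 198.51.100.2,
# then the blank line and "btmp begins" trailer that lastb prints.
sample_lastb() {
    local i
    for i in 1 2 3 4 5 6; do
        printf 'root     ssh:notty    203.0.113.7      Mon Aug  4 10:0%s - 10:0%s  (00:00)\n' "$i" "$i"
        printf 'root     ssh:notty    172.16.1.51      Mon Aug  4 11:0%s - 11:0%s  (00:00)\n' "$i" "$i"
    done
    printf 'root     ssh:notty    scanner.example  Mon Aug  4 12:01 - 12:01  (00:00)\n'
    printf 'guest    ssh:notty    scanner.example  Mon Aug  4 12:02 - 12:02  (00:00)\n'
    printf 'root     ssh:notty    198.51.100.2     Mon Aug  4 12:03 - 12:03  (00:00)\n'
    printf '\nbtmp begins Mon Aug  4 09:00:00 2014\n'
}

# count_sources: lastb output on stdin -> one "<count> <host>" line per
# source, most failures first. Non-record lines are dropped by shape
# (fewer than three fields, or the "btmp begins" trailer) rather than by
# an IP regex, so hostnames in the host column are kept too.
count_sources() {
    awk 'NF >= 3 && $1 != "btmp" { print $3 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# ban_sources DENY_FILE THRESHOLD WHITELIST: reads "<count> <host>" lines
# on stdin and appends "sshd: <host>" to DENY_FILE for each host with more
# than THRESHOLD failures that is not in WHITELIST (space separated).
# grep -Fxq matches the whole line, so an entry for 203.0.113.7 does not
# suppress a later 203.0.113.70, and re-running adds nothing twice.
ban_sources() {
    local deny_file="$1" threshold="$2" whitelist="$3" count host
    while read -r count host; do
        [ "$count" -gt "$threshold" ] || continue
        case " $whitelist " in
            *" $host "*) continue ;;   # administrator address, never ban
        esac
        grep -Fxq "sshd: $host" "$deny_file" 2>/dev/null \
            || printf 'sshd: %s\n' "$host" >> "$deny_file"
    done
}

# Demo against a temporary file instead of /etc/hosts.deny; the second
# run shows that the existence check makes the append idempotent.
main() {
    local deny_file
    deny_file=$(mktemp)
    sample_lastb | count_sources | ban_sources "$deny_file" 5 "172.16.1.51"
    sample_lastb | count_sources | ban_sources "$deny_file" 5 "172.16.1.51"
    echo "--- $deny_file ---"
    cat "$deny_file"
    rm -f "$deny_file"
}

main
```

To use it for real, replace sample_lastb with `lastb -n 500` run as root and pass /etc/hosts.deny as the file, keeping in mind the caveats above: sshd must be linked against libwrap for hosts.deny to have any effect, and a hostname entry only blocks a client whose reverse DNS still resolves to that name.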

