Everyone who starts using Linux will sooner or later run into this hint ("There were X failed login attempts since the last successful login") and worry that the system has been broken into. How do you catch the IPs behind these attempts and block them? Today I record my own practice for everyone's reference.
In fact this problem is already handled at the system level; the existing solutions are:
1 use ssh-keygen (key-based login) and disable password login
2 use the PAM module; refer to "Howto: Configure Linux to track and log failed login attempt records". In effect this sets the number of allowed login attempts and a delay
My approach is as follows:
1 use a script to obtain the IPs that failed to log in
2 write the obtained IPs to the /etc/hosts.deny file to block them
3 use inotify-tools to monitor the /var/log/secure file so that /etc/hosts.deny is updated in real time
Below I explain the operation process and principle in detail:
1 Installing Inotify-tools
inotify-tools is a set of C library functions for the inotify file-monitoring facility of Linux (kernel 2.6.1 and above), together with a series of command-line tools that can be used to monitor file system events. It is written in C and, apart from requiring inotify support in the kernel, has no other dependencies. inotify-tools provides two tools: inotifywait, which monitors changes to a file or directory, and inotifywatch, which counts file system accesses.
Installation process:
    root ~: wget http://github.com/downloads/rvoicilas/inotify-tools/inotify-tools-3.14.tar.gz --no-check-certificate   # download
    root ~: tar zxvf inotify-tools-3.14.tar.gz   # extract
    root ~: cd inotify-tools-3.14
    root inotify-tools-3.14: ./configure && make && make install   # install
2 Writing a monitoring script
root scripts: vi securelogwatch

    #!/bin/bash
    #
    # Description:
    #   Use inotify-tools to monitor modifications of the /var/log/secure file
    #   and add the illegal login IPs to the /etc/hosts.deny file
    #
    # Time: -
    # Author: lee

    # 1 Initialize values
    export TotalLine=`cat /var/log/secure | wc -l`
    export LastLine=1

    # 2 Monitor modifications of the /var/log/secure file
    while inotifywait -e modify /var/log/secure; do
        if tail -n +$LastLine /var/log/secure | grep "Failed password"; then
            # 2.1 Write the illegal IPs to the /etc/hosts.deny file
            cat /var/log/secure | tail -n +$LastLine | grep 'Failed password' | awk '$11~/\./{print $11} $9~/invalid/{print $13}' | sort | uniq | sed 's/$/,/g' | tr -d "\n" | sed 's/^/sshd:/g' | sed 's/,$/\n/g' 1>>/etc/hosts.deny
            # 2.2 Update the log read position
            TotalLine=`cat /var/log/secure | wc -l`
            LastLine=${TotalLine}
        fi
        sleep 2   # one update of the secure file makes inotify report two changes in a short time; sleep a while to avoid duplicate IPs
    done

Note: a word on the script's function and the knowledge points used in it
Script function: read the changes to the /var/log/secure file in real time, find the newly appended content, and add the IPs of illegal login attempts to the /etc/hosts.deny file to block them. Problems remain: because an IP is blocked after its very first failed login, a legitimate user who mistypes a password is locked out as well; and duplicate records get appended to the /etc/hosts.deny file.
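To address both problems above, here is an added example (not the original script): it reuses the same awk rule, but only blocks an IP once it reaches a failure threshold (assumed default 3) and skips IPs already listed in the deny file. The sample log lines and the function names are constructed for this example.

```shell
#!/bin/bash
# Added example, not the original monitoring script: the same awk rule extracts
# offending IPs from sshd "Failed password" lines, but an IP is only blocked
# once it reaches a failure threshold (assumed default 3), and IPs already in
# the deny file are skipped. Sample log lines and function names are constructed.

# Constructed sample of /var/log/secure lines, covering both forms sshd writes.
SAMPLE_LOG='Mar  1 10:00:01 host sshd[100]: Failed password for root from 203.0.113.5 port 41122 ssh2
Mar  1 10:00:03 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 41130 ssh2
Mar  1 10:00:04 host sshd[102]: Failed password for root from 203.0.113.5 port 41140 ssh2
Mar  1 10:00:05 host sshd[103]: Failed password for invalid user test from 198.51.100.7 port 50000 ssh2
Mar  1 10:00:06 host sshd[104]: Accepted password for lee from 192.0.2.10 port 22000 ssh2'

# failed_ips LOGTEXT [MIN]: print each IP with at least MIN failed logins.
# $11 is the IP for a real user; for "invalid user" lines the IP is $13.
failed_ips() {
    printf '%s\n' "$1" | grep 'Failed password' \
        | awk '$11~/\./{print $11} $9~/invalid/{print $13}' \
        | sort | uniq -c | awk -v min="${2:-3}" '$1 >= min {print $2}'
}

# deny_line "IP IP ..." DENYFILE: print one "sshd:ip,ip" line for the IPs
# not yet listed in DENYFILE (so re-runs do not append duplicate records).
deny_line() {
    new_ips=""
    for ip in $1; do
        # -w keeps 203.0.113.5 from matching an existing 203.0.113.55 entry
        grep -qwF "$ip" "$2" 2>/dev/null && continue
        new_ips="${new_ips:+$new_ips,}$ip"
    done
    [ -n "$new_ips" ] && echo "sshd:$new_ips"
    return 0
}

# Usage inside the watch loop, on the incremental slice of the log:
# deny_line "$(failed_ips "$(tail -n +"$LastLine" /var/log/secure)")" /etc/hosts.deny >> /etc/hosts.deny
```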
Knowledge Points:
1 inotify usage: inotifywait -e modify /var/log/secure   # watch whether the file is modified
2 awk string test and print: awk '$11~/\./{print $11} $9~/invalid/{print $13}'   # check whether the column contains the "." of an IP address; if it does, print that column as the IP, otherwise print the other column
3 tail with an external variable: tail -n +$LastLine   # each time, read from the line reached last time to the end of the log
4 sed character substitution and external variables: sed 's/$/,/g'   # replace the line ending with a comma
5 tr delete, to merge multiple lines: tr -d "\n"   # delete the newline at the end of each line, merging the lines
6 sort | uniq: sort and delete duplicate lines
7 about using external variables in sed: the situation below appears not to be supported; for the supported situation, see the links below:
    LastLine=0; TotalLine= -; root ~: sed -n "${LastLine},${TotalLine}p" ~/secure.bak; echo $TotalLine
    sed: -e expression #1, char 6: illegal use of address 0
The sed variable usage above always errors; I tried all kinds of ways and could not make it work, and it cannot be replaced by the following either:
    LastLine=0; TotalLine= -; cat ~/secure.bak | sed -n '/'"$LastLine"','"$TotalLine"'/p' ~/secure.bak
Use variable substitution in sed and execute external command
3 Running the script
There are several ways to run a script
1 run it directly: root scripts: sh securelogwatch
2 run it in the background while logged in: root scripts: sh securelogwatch &
3 run it in the background so it survives logout: root scripts: nohup ./securelogwatch &
4 it can also be added to the boot sequence directly; implement that yourself
Reference:
inotify installation
inotify-tools introduction and how to use it
There were X failed login attempts since the last successful login