Use shell script to prevent SSH and vsftpd brute force crack explain

Use shell script to prevent SSH and vsftpd brute force crack explain _linux shell

Last Update:2017-01-18 Source: Internet

Author: User

Tags auth nets ssh

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Script requirements are as follows: This shell script is placed in the Crontab planning task, every 6 hours (this time according to the actual situation) to read the/var/log/secure script, take out the malicious guessing IP, if the unit time (a week) of the number of connections is higher than a threshold, For example 100 (this threshold can also be defined according to the actual situation), it is added into the/etc/hosts.deny blacklist, if below this threshold, then ignore this IP.

The authentication failure information in/var/log/secure is as follows:

Copy Code code as follows:

Nov 10:18:08 centos2 sshd[7556]: Connection closed by 222.216.30.109
Nov 10:18:08 centos2 sshd[7557]: Pam_unix (Sshd:auth): Authentication failure; Logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109
Nov 10:18:09 centos2 sshd[7559]: Pam_unix (Sshd:auth): Authentication failure; Logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109
Nov 10:18:10 centos2 sshd[7551]: Failed password for root from 222.216.30.109 Port 2391 ssh2
Nov 10:18:10 centos2 sshd[7552]: Connection closed by 222.216.30.109
Nov 10:18:10 centos2 sshd[7553]: Failed password for root from 222.216.30.109 Port 2397 ssh2
Nov 10:18:10 centos2 sshd[7554]: Connection closed by 222.216.30.109
Nov 10:18:11 centos2 sshd[7557]: Failed password for root from 222.216.30.109 Port 2401 ssh2
Nov 10:18:11 centos2 sshd[7558]: Connection closed by 222.216.30.109
Nov 10:18:11 centos2 sshd[7559]: Failed password for root from 222.216.30.109 Port 2403 ssh2
Nov 10:18:11 centos2 sshd[7560]: Connection closed by 222.216.30.109
Nov 10:37:01 centos2 Vsftpd:pam_unix (vsftpd:auth): Check pass; User Unknown
Nov 10:37:01 centos2 Vsftpd:pam_unix (Vsftpd:auth): Authentication failure; Logname= uid=0 euid=0 tty=ftp Ruser=hello rhost=centos1.cn7788.com
Nov 10:37:01 centos2 vsftpd:pam_succeed_if (vsftpd:auth): Error retrieving information about user Hello
Nov 10:37:19 centos2 Vsftpd:pam_unix (vsftpd:auth): Check pass; User Unknown
Nov 10:37:19 centos2 Vsftpd:pam_unix (Vsftpd:auth): Authentication failure; Logname= uid=0 euid=0 tty=ftp RUSER=YHC rhost=centos1.cn7788.com
Nov 10:37:19 centos2 vsftpd:pam_succeed_if (vsftpd:auth): Error retrieving information about user YHC
Nov 10:37:36 centos2 Vsftpd:pam_unix (vsftpd:auth): Check pass; User Unknown
Nov 10:37:36 centos2 Vsftpd:pam_unix (Vsftpd:auth): Authentication failure; Logname= uid=0 euid=0 tty=ftp Ruser=yuhongchun rhost=centos1.cn7788.com
Nov 10:37:36 centos2 vsftpd:pam_succeed_if (vsftpd:auth): Error retrieving information about user Yuhongchun
Nov 10:42:44 centos2 Vsftpd:pam_unix (vsftpd:auth): Check pass; User Unknown
Nov 10:42:44 centos2 Vsftpd:pam_unix (Vsftpd:auth): Authentication failure; Logname= uid=0 euid=0 tty=ftp Ruser=yuhongchun rhost=114.112.169.70
Nov 10:42:44 centos2 vsftpd:pam_succeed_if (vsftpd:auth): Error retrieving information about user Yuhongchun
Nov 10:42:56 centos2 Vsftpd:pam_unix (vsftpd:auth): Check pass; User Unknown
Nov 10:42:56 centos2 Vsftpd:pam_unix (Vsftpd:auth): Authentication failure; Logname= uid=0 euid=0 tty=ftp Ruser=andrewyu rhost=114.112.169.70
Nov 10:42:56 centos2 vsftpd:pam_succeed_if (vsftpd:auth): Error retrieving information about user Andrewyu

We looked at the/var/log/secure file polling feature as follows:

Copy Code code as follows:

[Root@centos2 log]# Ls-lsart secure.*
512-RW-------1 root root 516379 11-04 01:31 secure.4
660-RW-------1 root root 668192 11-11 00:05 secure.3
304-RW-------1 root root 306589 11-17 10:33 secure.2
484-RW-------1 root root 488620 11-25 02:33 secure.1

Basically, secure file is a week for polling cycle, if the strict security requirements of friends can also be the spirit of "a Do not let go" principle to crawl above the old secure malicious IP, the following we have to find ways to effectively crawl these malicious IP, If you refer to the original version of the shell script, we are here to crawl the secure log of the detection vsftpd and SSHD service IP address, we can use the following command, the following command:

Copy Code code as follows:

Cat/var/log/secure | awk '/failed/{print $ (NF-3)} ' | Sort| uniq-c| awk ' {print $ ' = ' $} '

It is obvious that this is not the VSFTPD failed IP value, sshd log failure information is not the same as the VSFTPD log failure information, I wrote several awk mixed sed method, test efficiency, feel the fastest use of awk script, you can write several, with the time command to test Finally, the following code is streamlined and the entire script is completed, and the script reads as follows:

Copy Code code as follows:

#!/bin/bash
#Denyhosts for VSFTPD and sshd
#2012-12-28
awk ' {for (i=1;i<=nf;i++) {if ($i ~/rhost/) Print substr ($i, 7)}} '/var/log/secure | Sort | Uniq-c >/root/black.txt
define= "100"
For i in ' cat/root/black.txt '
Todo
Ip= ' echo $i |awk ' {print $} '
Num= ' echo $i |awk ' {print $} '
If [$NUM-gt $DEFINE];
Then
grep $IP/etc/hosts.deny >/dev/null
If [$?-gt 0];
Then
echo "sshd: $IP" >>/etc/hosts.deny
echo "VSFTPD: $IP" >>/etc/hosts.deny
Fi
Fi
Done

After the script has been running for some time, we can observe some of the files involved in this script, such as/root/black.txt, and the results are as follows:

Copy Code code as follows:

[Root@centos2 ~]# Cat/root/black.txt
2 113.17.144.156
4 114.112.51.208
4 114.112.69.170
169 118-163-227-50.hinet-ip.hinet.net
8 119.188.7.200
8 122.70.130.11
61 124.248.32.246
12 183.203.14.121
3 189.26.255.11
56 199.204.237.60
3 199.30.53.220
5 201.236.80.4
6 220.172.191.31
30 222.216.30.109
60 222.253.159.111
58 223.4.180.23
166 58.221.42.178
1 61.132.4.85
152 61.142.106.34
22 61.167.33.222
7 85.126.166.83
166 www.b-nets.com

The contents of the/etc/hosts.deny script are as follows:

Copy Code code as follows:

sshd:124.248.32.246
vsftpd:124.248.32.246
sshd:199.204.237.60
vsftpd:199.204.237.60
sshd:222.253.159.111
vsftpd:222.253.159.111
sshd:223.4.180.23
vsftpd:223.4.180.23
sshd:58.221.42.178
vsftpd:58.221.42.178
sshd:61.142.106.34
vsftpd:61.142.106.34
Sshd:118-163-227-50.hinet-ip.hinet.net
Vsftpd:118-163-227-50.hinet-ip.hinet.net
Sshd:www.b-nets.com
Vsftpd:www.b-nets.com

Finally, we put this shell script into the crontab and run it once every six hours, as follows:

Copy Code code as follows:

* */6 * * * * root/bin/bash/root/hostsdeny.sh >>/dev/null 2>&1

Because the/var/log/secure log is polling for the week, this script executes the frequency to set itself, if the sense server is frequently detected, the execution frequency interval may set short, conversely, may set longer.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More