This article is the third edition of the automatic defense method (improved version). The script has been modified to make it generic, so that the same mechanism can also defend other services, for example against FTP attacks.
The complete configuration is as follows:
1. Configuration file .swatchrc

```
# cat /root/.swatchrc
#
# Bad login attempts
watchfor /pam_unix\(sshd:auth\): authentication failure;.+rhost=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/
# echo magenta
bell 0
exec "/root/swatch-new.sh $1 22"
watchfor /pam_unix\(vsftpd:auth\): authentication failure;.+rhost=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/
bell 0
exec "/root/swatch-new.sh $1 21"
```
2. Processing script swatch-new.sh

```bash
# cat /root/swatch-new.sh
#!/bin/bash
# Attacker IP address (first argument passed by swatch)
ip=$1
# Attacked port (second argument passed by swatch)
port=$2
# echo $ip > /root/sshd_blocked_ip_list
sql="/usr/bin/sqlite3 /root/sshd_blocked_ip.db"
blockcmd="/sbin/iptables -I INPUT -s $ip -p tcp --dport $port -j DROP"
# The unblock command is the same rule with -I (insert) replaced by -D (delete)
unblockcmd=${blockcmd/-I/-D}
# Previous block duration in hours for this IP; empty if it was never blocked
blocktime=$($sql "select blocktime from ip where ip = '$ip'")
: ${blocktime:=0}
# Insert the DROP rule now; give up if iptables fails
$blockcmd || exit 1
if [ "$blocktime" -eq 0 ]; then
    # First offence: unblock after 1 hour and record the IP
    /usr/bin/at "now + 1 hours" <<< "$unblockcmd 2>/root/at_result.log"
    $sql "insert into ip values ('$ip', 1, 1)"
else
    # Repeat offender: double the previous block duration
    ((blocktime *= 2))
    /usr/bin/at "now + $blocktime hours" <<< "$unblockcmd 2>/root/at_result.log"
    $sql "update ip set blocktime = $blocktime, count = count + 1 where ip = '$ip'"
fi
```
3. Start command

```
# /usr/bin/swatch -t /var/log/secure --daemon
```
Note:
That is all. Every service shares one database. If other services need defending, add the corresponding watchfor entries; however, their authentication-failure logs must appear in /var/log/secure, because this setup tails a single shared log file. Alternatively, you can start another swatch process for a different log. For other purposes, extend it yourself.
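As an added dry run of the same logic (not the page's script): it applies the same pam_unix regex to a constructed batch of /var/log/secure lines and replays the sqlite bookkeeping and doubling in memory, returning the iptables command it would schedule instead of running it. The sample lines, the sshd/vsftpd port map and the in-memory table are assumptions made for the example; the shared-database behaviour shows in the second hit, where an FTP failure from an IP already seen on sshd gets the doubled duration.

```python
import re
import sqlite3

# Same pattern family as the two .swatchrc entries: a pam_unix(<service>:auth)
# failure with an IPv4 rhost; the service name selects the port to block.
AUTH_FAIL = re.compile(
    r"pam_unix\((?P<svc>sshd|vsftpd):auth\): authentication failure;"
    r".+rhost=(?P<ip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
)
SERVICE_PORT = {"sshd": 22, "vsftpd": 21}

# Constructed /var/log/secure excerpt (assumption, not a real capture).
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Mar  3 10:01:05 host sshd[1235]: Accepted publickey for alice from 203.0.113.9 port 51000 ssh2
Mar  3 10:02:10 host vsftpd[1300]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser= rhost=198.51.100.7
Mar  3 10:03:00 host sshd[1240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.44  user=admin
"""

def open_db():
    """In-memory stand-in for /root/sshd_blocked_ip.db with the schema the script uses."""
    db = sqlite3.connect(":memory:")
    db.execute("create table ip (ip text primary key, blocktime integer, count integer)")
    return db

def plan_block(db, ip, port):
    """Replay swatch-new.sh's bookkeeping (first hit 1h, each repeat doubles).
    Returns (iptables_cmd, hours_until_unblock) without executing anything."""
    row = db.execute("select blocktime from ip where ip = ?", (ip,)).fetchone()
    if row is None:
        hours = 1
        db.execute("insert into ip values (?, 1, 1)", (ip,))
    else:
        hours = row[0] * 2
        db.execute("update ip set blocktime = ?, count = count + 1 where ip = ?", (hours, ip))
    db.commit()
    return f"/sbin/iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP", hours

def process_log(text, db):
    """Run the matcher over log lines; returns [(ip, port, hours), ...] in log order."""
    decisions = []
    for line in text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            port = SERVICE_PORT[m.group("svc")]
            _, hours = plan_block(db, m.group("ip"), port)
            decisions.append((m.group("ip"), port, hours))
    return decisions
```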