First idea: use iptables to drop SSH packets arriving from the external network.
Second idea: use TCP Wrappers (hosts.allow) to hard-code the hosts that are allowed to reach sshd.
Third idea: modify sshd_config so that sshd only listens on the intranet address.
For reasons that were never fully explained, the iptables approach was not available, and TCP Wrappers uses more CPU, so in the end I went with the third approach.
The company has a lot of servers, and spot-checking a few of them by logging in showed that the sshd_config contents differed far more than expected. After a full day of doing it by hand, which covered two groups of servers, I decided to write a fully automated script to do the work. The current approach is as follows:
cat ssh.exp
#!/usr/bin/expect -f
# Log the whole session (including ssh error messages) so do.sh can grep it afterwards.
log_file exp.log
set timeout -1
set ipaddr [lindex $argv 0]

# Try to connect up to three times. "to host" matches errors such as
# "ssh: connect to host ... No route to host" and triggers a retry;
# the password prompt ends the loop.
for {set i 1} {$i < 4} {incr i} {
    spawn ssh $ipaddr
    expect {
        "*password:" { break }
        "to host"    { sleep 2 }
    }
    sleep 3
}
# The root password is hard-coded in the script: anyone who can read ssh.exp gets root on every host.
send "123456\r"
expect "]#"
send "cd /etc/ssh\r"
send "cp sshd_config sshd_config.`date +%F-%T`.bak\r"
# Drop every existing ListenAddress line, then append the IPv4 address of eth0.
# "inet addr" (not just "inet") keeps the inet6 line out of the match, which would
# otherwise produce a two-address ListenAddress line; the $2 field numbers are
# escaped so Tcl does not try to substitute them.
send "sed -i '/^ListenAddress.*$/d' sshd_config\r"
send "echo ListenAddress `/sbin/ifconfig eth0 | awk '/inet addr/{print \$2}' | awk -F: '{print \$2}'` >> sshd_config\r"
send "service sshd restart\r"
send "exit\r"
interact
cat do.sh
#!/bin/sh
# Run ssh.exp against every address listed in ip.lst, one per line.
for ip in `cat ip.lst`
do
    ./ssh.exp $ip >/dev/null 2>&1
done
# Hosts that could not be reached appear in exp.log as
# "ssh: connect to host <ip> port 22: ..." (the pattern ssh.exp retries on);
# field 4 of that line is the address. The list is overwritten, not appended,
# so entries from earlier runs do not linger.
grep 'to host' exp.log | awk '{print $4}' | sort | uniq > errorip
echo "The following IPs could not be modified:"; cat errorip
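The same ListenAddress change as the expect script performs, written as an added example that is not code from the original post: a shell script meant to run locally on each target as root, with the two guards the remote one-liners lack. It refuses to write anything but an RFC 1918 address (so a host whose eth0 carries a public address cannot end up listening only on that), and it validates the new file with `sshd -t` before restarting, since a bad sshd_config leaves sshd down and you locked out. The interface name eth0, the `service sshd restart` command and the path /usr/sbin/sshd are assumptions carried over from the post; the ifconfig output used in the functions is parsed from stdin so the parsing can be exercised on constructed text.

```shell
#!/bin/sh
# Added example, not code from the original post: the ListenAddress rewrite with
# a private-range check and an `sshd -t` validation step. Assumes eth0 is the
# intranet interface and sshd is managed with `service sshd restart`.

# Print the first IPv4 address in `ifconfig <iface>` output read from stdin.
# Handles both the old "inet addr:10.1.2.3" and the newer "inet 10.1.2.3" layout;
# "inet6" lines do not contain "inet " and are skipped.
iface_ipv4() {
    awk '/inet /{ sub(/^addr:/, "", $2); print $2; exit }'
}

# Succeed only for RFC 1918 addresses, so a public address can never become
# the sole ListenAddress (the opposite of what the change is for).
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Replace every ListenAddress line in the file $1 with a single "ListenAddress $2",
# keeping a timestamped backup beside the file. Refuses non-private addresses.
set_listen_address() {
    cfg=$1
    addr=$2
    case "$addr" in
        *.*.*.*) ;;
        *) echo "refusing: '$addr' is not an IPv4 address" >&2; return 1 ;;
    esac
    is_private_ipv4 "$addr" || { echo "refusing: $addr is not an intranet address" >&2; return 1; }
    cp "$cfg" "$cfg.$(date +%F-%T).bak" || return 1
    { grep -v '^ListenAddress' "$cfg" || :; echo "ListenAddress $addr"; } > "$cfg.new" \
        && mv "$cfg.new" "$cfg"
}

# Full procedure for one host, run locally as root: read eth0's address, rewrite
# the config, and restart sshd only if the new file passes `sshd -t`.
apply_listen_address() {
    iface=${1:-eth0}
    cfg=${2:-/etc/ssh/sshd_config}
    addr=$(/sbin/ifconfig "$iface" | iface_ipv4) || return 1
    set_listen_address "$cfg" "$addr" || return 1
    if /usr/sbin/sshd -t -f "$cfg"; then
        service sshd restart
    else
        echo "$cfg failed sshd -t; restore the .bak before restarting sshd" >&2
        return 1
    fi
}
```

Copy the script to the host and run `apply_listen_address eth0` as root. If the intranet lives on a different interface, pass its name instead; check with `ip route` or `ifconfig -a` before running, because the address that ends up in ListenAddress is the only one sshd will accept connections on after the restart.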