I recently learned about Linux system logs and scheduled tasks, and on the subway home from work I had the inspiration to try writing my own first script: one that monitors whether there are malicious logins to the server and sends an email to notify the administrator. I have not yet learned how to send an e-mail to the administrator, so for now it only gives a command-line reminder and writes a log. The content of the script is relatively simple, all basic knowledge from what I have been learning.
1. First write a script:
Define a variable LT whose value is the number of lines listed by the lastb command (that is, the number of invalid logins; if there are malicious login attempts, the number of lines grows);
Run an if statement: if the value is greater than 15, it is judged to be a malicious login and the administrator is notified.
The script reads as follows:
[root@localhost ~]# cat lt.sh
#!/bin/bash
# define the variable LT and record the number of invalid logins;
LT=`lastb | wc -l | cut -d ' ' -f 1`
if [ $LT -gt 15 ]    # if the number of invalid logins is greater than 15, do the following;
then
    echo 'Somebody try to login please check log'    # print: someone is trying to log in, please check the log
fi
2. Write a scheduled task
Automatically execute the above script every minute:
[root@localhost ~]# crontab -l
*/1 * * * * /bin/sh /root/lt.sh
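As an added example (my own code, not the blog's lt.sh), the script below addresses a limitation of lt.sh when run from cron: lastb never resets, so once the lifetime total passes 15 the job alerts every minute whether or not a new attempt has happened. It keeps the previous count in a state file and reports only the delta, plus a per-host breakdown; the lastb lines, host addresses and file names are constructed sample data.

```shell
#!/bin/sh
# Added example (not the blog's lt.sh): count failures per source host and
# alert only on failures new since the last cron run. lt.sh compares the
# lifetime lastb total with 15, so past 15 it alerts every minute forever.
THRESHOLD=15   # same threshold the blog uses

# Constructed sample in the layout lastb prints (hypothetical hosts/times).
SAMPLE_LASTB='user1    ssh:notty    192.168.22.1   Tue Apr 21 22:04 - 22:04  (00:00)
user1    ssh:notty    192.168.22.1   Tue Apr 21 22:04 - 22:04  (00:00)
user1    ssh:notty    192.168.22.1   Tue Apr 21 22:03 - 22:03  (00:00)
admin    ssh:notty    10.0.0.7       Tue Apr 21 21:29 - 21:29  (00:00)

btmp begins Tue Apr 21 21:00:00 2015'

# Keep only real failure records: drop the blank line and the trailing
# "btmp begins ..." summary that lastb appends (lt.sh counts those too).
failure_records() {
    awk 'NF >= 3 && $1 != "btmp"'
}

# Failures per source host, busiest host first, as "<count> <host>".
failures_by_host() {
    failure_records | awk '{ n[$3]++ } END { for (h in n) print n[h], h }' | sort -rn
}

# Records not yet seen by a previous run; the running total lives in $1.
new_failures_since_last_run() {
    state_file=$1
    total=$(failure_records | awk 'END { print NR }')
    previous=0
    if [ -f "$state_file" ]; then previous=$(cat "$state_file"); fi
    printf '%s\n' "$total" > "$state_file"
    echo $((total - previous))
}

# Exit 0 (alert) when the number of new failures exceeds the threshold.
should_alert() {
    [ "$1" -gt "$THRESHOLD" ]
}

# Stand-alone demo on the sample; under cron, pipe `lastb` in instead and
# keep the state file somewhere persistent such as /var/tmp.
state=$(mktemp)
printf '%s\n' "$SAMPLE_LASTB" | failures_by_host
delta=$(printf '%s\n' "$SAMPLE_LASTB" | new_failures_since_last_run "$state")
if should_alert "$delta"; then
    echo "Somebody try to login please check log ($delta new failures)"
fi
rm -f "$state"
```

Because cron mails the job's standard output to root, the printed lines still land in /var/spool/mail/root exactly as with lt.sh.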
3. Viewing effects
Once there have been more than 15 invalid logins, the command line will prompt that there is new mail under /var/spool/mail/root;
[root@localhost ~]#
You have new mail in /var/spool/mail/root
Check the new mail and you will find the script's output, proving that someone is trying to log in to the host;
[root@localhost ~]# tail -2 /var/spool/mail/root
Somebody try to login please check log
Run the lastb command and you will see a record of many login failures:
[root@localhost ~]# lastb | head
user1    ssh:notty    192.168.22.1    Tue Apr 21 22:04 - 22:04  (00:00)
user1    ssh:notty    192.168.22.1    Tue Apr 21 22:04 - 22:04  (00:00)
user1    ssh:notty    192.168.22.1    Tue Apr 21 22:03 - 22:03  (00:00)
user1    ssh:notty    192.168.22.1    Tue Apr 21 22:03 - 22:03  (00:00)
user1    ssh:notty    192.168.22.1    Tue Apr 21 22:03 - 22:03  (00:00)
user1    ssh:notty    192.168.22.1    Tue Apr 21 22:03 - 22:03  (00:00)
user1    ssh:notty    192.168.22.1    Tue Apr 21 22:03 - 22:03  (00:00)
user1    ssh:notty    192.168.22.1    Tue Apr 21 21:29 - 21:29  (00:00)
user1    ssh:notty    192.168.22.1    Tue Apr 21 21:29 - 21:29  (00:00)
user1    ssh:notty    192.168.22.1    Tue Apr 21 21:29 - 21:29  (00:00)
Viewing the /var/log/secure log also shows records of multiple login failures:
Apr 21 22:03:35 localhost unix_chkpwd[1501]: password check failed for user (user1)
Apr 21 22:03:35 localhost sshd[1499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.22.1 user=user1
Apr 21 22:03:36 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:39 localhost unix_chkpwd[1502]: password check failed for user (user1)
Apr 21 22:03:41 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:44 localhost unix_chkpwd[1503]: password check failed for user (user1)
Apr 21 22:03:46 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:49 localhost unix_chkpwd[1504]: password check failed for user (user1)
Apr 21 22:03:51 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:52 localhost sshd[1499]: Failed password for user1 from 192.168.22.1 port 50591 ssh2
Apr 21 22:03:54 localhost sshd[1500]: Received disconnect from 192.168.22.1: 0:
Based on the source IP recorded in the access log, we can set an iptables rule for that source to block access to the server's port 22, or block the IP address entirely;
That is all for now; a little bit of pride, to give myself some confidence. I believe that with further study I will gain a deeper understanding of Linux;
Sharing this with everyone, and let us encourage each other.
This article is from the "Model Student's Learning blog" blog, please be sure to keep this source http://8802265.blog.51cto.com/8792265/1636847
First shell script-monitors rogue logons to remote servers