The first idea was to use iptables to DROP ssh packets arriving from the Internet;
the second was to use tcpwrapper and hard-code the permitted hosts into sshd's hosts.allow;
the third was to modify sshd_config so that sshd only listens on the intranet address.
For reasons that were never made clear, iptables could not be used, and tcpwrapper consumed a large share of CPU, so the third method was chosen.
The company has a lot of servers, and the contents of sshd_config differ quite a bit from box to box (judging by the results of logging in to a random sample). After a day of manual work I had changed two groups of servers, and finally made up my mind to do the whole job with a script. The current method is as follows:
cat ssh.exp

#!/usr/bin/expect -f
# Log the whole session; do.sh greps this file afterwards for hosts that could not be reached.
log_file exp.log
set timeout -1
set ipaddr [lindex $argv 0]

# Try the connection up to three times. A password prompt means we are in, so leave the loop;
# "to host" appears in ssh's "connect to host ..." error lines, so wait and try again.
# If all three attempts fail, the send below errors out and the "to host" line stays in exp.log.
for {set i 1} {$i < 4} {incr i} {
    spawn ssh $ipaddr
    expect {
        "*assword:" break
        "to host" {sleep 2}
    }
    sleep 3
}

# The root password is hard-coded, as in the original; keep this file readable only by its owner.
send "123456\r"
expect "]#"
send "cd /etc/ssh\r"
expect "]#"
# Keep a timestamped copy of the config before touching it.
send "cp sshd_config sshd_config.`date +%F-%T`.bak\r"
expect "]#"
# Remove every existing ListenAddress line ...
send "sed -i '/^ListenAddress.*\$/d' sshd_config\r"
expect "]#"
# ... and append one for the eth0 address. Note the >> (append): a single > would replace the
# whole file with that one line. "/inet /" (with the space) skips the inet6 line; the "addr:"
# prefix that the second awk strips only exists in older ifconfig output. The dollar signs are
# escaped so Tcl does not try to expand $2 itself.
send "echo ListenAddress `/sbin/ifconfig eth0 | awk '/inet /{print \$2}' | awk -F: '{print \$2}'` >> sshd_config\r"
expect "]#"
send "service sshd restart\r"
expect "]#"
send "exit\r"
expect eof
cat do.sh

#!/bin/sh
# Run the expect script against every address in ip.lst, one host at a time.
for ip in `cat ip.lst`
do
    ./ssh.exp $ip > /dev/null 2>&1
done
# ssh writes "ssh: connect to host <ip> port 22: ..." when a host cannot be reached, and the
# fifth field of that line is the address. exp.log is appended to on every run, so empty or
# rotate it before a fresh run or stale failures will be listed as well.
cat exp.log | grep host | awk '{print $5}' | sort | uniq > errorip
echo "The following IP addresses could not be modified"; cat errorip