Script
#! /Bin/bash
Cat/var/log/secure | awk '/Failed/{print $(NF-3 )} '| sort | uniq-c | awk' {print $2 "=" $1;} '>/root/black.txt # filter the ip addresses and times in the Failed status
Cat/var/log/secure | awk '/Invalid user/{print $ NF}' | sort | uniq-c | awk '{print $2 "=" $1 ;} '>/root/black.txt # filter the ip addresses and times of Invalid users
DEFINE = "20" # The number of allowed times is 20
For I in 'cat/root/black.txt'
Do
IP = 'echo $ I | awk-F = '{print $1 }''
NUM = 'echo $ I | awk-F = '{print $2 }''
If [$ NUM-gt $ DEFINE];
Then
Grep $ IP/etc/hosts. deny>/dev/null
If [$? -Gt 0];
Then
Echo "sshd: $ IP">/etc/hosts. deny
Fi
Fi
Done
It is required that the ip address be added to hosts. deny when the logon fails or the number of illegal ip addresses reaches 20.
Because the secure log files are automatically archived every Saturday, we can write a schedule to run this script.
Run at every day
0 1 ***/usr/local/bin/ssh_black.sh 2> & 1>/dev/null