Changes in this version: the locked IP address is now released automatically; the run interval can be raised inside the script without changing the scheduled task; alerts are no longer sent repeatedly.
Edit the values in the settings section (marked in red in the original post) to suit your environment.
Create a file named ssh and copy the script content below into it.
Start it with:
# nohup ./ssh &
It then runs continuously in the background.
To stop it:
# ps aux | grep ./ssh | grep -v '/usr/sbin/sshd' | grep -v grep | awk '{print $2}' | xargs kill -9
Script content
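#!/usr/bin/env bash
#
# ssh-guard: block SSH brute-force sources with iptables and release them later.
#
# Every EXEC_TIME seconds the script counts failed SSH logins per source
# address (lastb), inserts an INPUT DROP rule for each address with more than
# NUMBER failures since the previous scan, records when the block was added,
# mails one summary of the new blocks, and deletes rules that have been in
# place longer than RETIME seconds.
#
# Run:  nohup ./ssh &        Stop: kill "$(cat /run/ssh-guard.pid)"
# Needs: root; iptables, lastb (util-linux, for --since), ss, GNU date,
#        sendmail, logger on PATH.
#
# Reconstructed from a garbled copy of the original script. Deliberate changes:
#  - blocks are released by rule specification (-D INPUT -s ... -j DROP), not
#    by `--line-number`, because line numbers shift after every deletion;
#  - failures are counted with `lastb --since <last scan>` instead of
#    truncating /var/log/btmp, which destroyed the login-failure audit trail;
#  - state files live in a root-only directory instead of /tmp/.ssh, where any
#    local user could pre-create or symlink them before root wrote to them;
#  - the alert mail has the blank line between headers and body that
#    sendmail -t requires, so the message text is delivered.

set -euo pipefail

# ---- settings (edit for your environment; environment variables override) ---
readonly EXEC_TIME=${EXEC_TIME:-60}        # scan interval, seconds
readonly NUMBER=${NUMBER:-5}               # failures per interval that trigger a block
readonly RETIME=${RETIME:-3000}            # seconds a block stays in place
readonly MAILFROM=${MAILFROM:-monitor@x.x.x.x.com}
readonly MAILTO=${MAILTO:-x.x.x.x@sina.cn}
readonly IPADDR=${IPADDR:-192.168.0.91}    # this host, named in the alert mail
SSHPORT=${SSHPORT:-}                       # empty: detected from the sshd listener in main
readonly STATE_DIR=${STATE_DIR:-/var/lib/ssh-guard}
readonly PIDFILE=${PIDFILE:-/run/ssh-guard.pid}
readonly TAG=ssh-guard                     # syslog tag
# -----------------------------------------------------------------------------

readonly BLOCKED="$STATE_DIR/blocked"      # one "ip epoch" line per active block
readonly LASTSCAN="$STATE_DIR/lastscan"    # epoch of the previous scan

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s: %s\n' "$TAG" "$*" >&2
  exit 1
}

#######################################
# Log through syslog (logger); fall back to stderr if logger is unavailable.
# The original appended directly to /var/log/messages, racing with syslogd.
#######################################
log() {
  logger -t "$TAG" "$*" 2>/dev/null || printf '%s %s\n' "$(date '+%F %T')" "$*" >&2
}

#######################################
# Remove the pid file on any exit path.
#######################################
cleanup() {
  rm -f -- "$PIDFILE"
}

#######################################
# Print the port of the first sshd TCP listener found by `ss -ltnp`.
# Returns 1 when no sshd listener is found.
#######################################
detect_ssh_port() {
  local port
  port=$(ss -ltnp 2>/dev/null | awk '/"sshd"/ { sub(/.*:/, "", $4); print $4; exit }') || return 1
  [[ -n "$port" ]] || return 1
  printf '%s\n' "$port"
}

#######################################
# Print "count ip" for every source with more than NUMBER failed logins
# recorded by lastb since epoch $1.
# Assumes util-linux lastb output: with -i the source address is field 3.
# Lines whose field 3 is not a dotted IPv4 address (IPv6 sources, the trailing
# "btmp begins" line, columns shifted by an empty user name) are skipped.
#######################################
failed_sources() {
  local since=$1 since_str
  since_str=$(date -d "@$since" '+%F %T')
  lastb -i -s "$since_str" 2>/dev/null \
    | awk -v limit="$NUMBER" '
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$3]++ }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }'
}

#######################################
# Return 0 when $1 has an active block recorded in $BLOCKED, else 1.
#######################################
is_blocked() {
  awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }' "$BLOCKED"
}

#######################################
# Insert a DROP rule for source $1 on the SSH port and record block time $2.
#######################################
block_ip() {
  local ip=$1 now=$2
  if iptables -I INPUT -s "$ip" -p tcp --dport "$SSHPORT" -j DROP; then
    printf '%s %s\n' "$ip" "$now" >> "$BLOCKED"
    log "Lock IP address $ip on port $SSHPORT"
  else
    log "iptables insert failed for $ip"
  fi
}

#######################################
# Delete the rule and the record of every block older than RETIME seconds.
# Arguments: $1 - current epoch
# Rules are matched by their full specification so that deleting one does not
# invalidate the others. Records whose rule is already gone are dropped too.
#######################################
release_expired() {
  local now=$1 ip since keep
  keep=$(mktemp "$STATE_DIR/.blocked.XXXXXX") || die "mktemp failed"
  while read -r ip since; do
    # malformed or empty line: drop it rather than feed it to iptables
    [[ -n "$ip" && "$since" =~ ^[0-9]+$ ]] || continue
    if (( now - since > RETIME )); then
      if iptables -D INPUT -s "$ip" -p tcp --dport "$SSHPORT" -j DROP; then
        log "Remove lock $ip ip address"
      else
        log "iptables delete failed for $ip (rule already removed?)"
      fi
    else
      printf '%s %s\n' "$ip" "$since" >> "$keep"
    fi
  done < "$BLOCKED"
  mv -f -- "$keep" "$BLOCKED"
}

#######################################
# Mail a summary of the blocks added in this scan.
# Arguments: $1 - human-readable scan time, $2 - detail lines for the body
#######################################
send_alert() {
  local when=$1 details=$2
  # The blank line after Subject separates headers from body for sendmail -t.
  if sendmail -t <<EOF
From: $MAILFROM
To: $MAILTO
Subject: severe warning

$when someone is trying to connect to the SSH service. The system has helped you intercept it. For details, log on to the server $IPADDR.
$details
EOF
  then
    log "send mail to $MAILTO"
  else
    log "sendmail failed"
  fi
}

#######################################
# One pass: count failures since the last scan, block new offenders, mail a
# summary, release expired blocks, and remember this scan's time.
#######################################
scan_once() {
  local now since count ip
  local -a new=()
  now=$(date +%s)
  if [[ -s "$LASTSCAN" ]]; then
    read -r since < "$LASTSCAN"
  else
    since=$(( now - EXEC_TIME ))
  fi
  while read -r count ip; do
    is_blocked "$ip" && continue
    block_ip "$ip" "$now"
    new+=("$count failures from $ip")
  done < <(failed_sources "$since")
  if (( ${#new[@]} > 0 )); then
    send_alert "$(date -d "@$now" '+%F %T')" "$(printf '%s\n' "${new[@]}")"
  fi
  release_expired "$now"
  printf '%s\n' "$now" > "$LASTSCAN"
}

#######################################
# Validate the environment and settings, then scan forever.
#######################################
main() {
  local tool name
  (( EUID == 0 )) || die "must run as root (iptables, lastb)"
  for tool in iptables lastb ss date awk sendmail; do
    command -v "$tool" >/dev/null || die "required tool not found: $tool"
  done
  for name in EXEC_TIME NUMBER RETIME; do
    [[ "${!name}" =~ ^[0-9]+$ ]] || die "$name must be a non-negative integer"
  done
  mkdir -p -m 0700 -- "$STATE_DIR" || die "cannot create $STATE_DIR"
  touch -- "$BLOCKED"
  if [[ -z "$SSHPORT" ]]; then
    SSHPORT=$(detect_ssh_port) || die "cannot detect sshd port; set SSHPORT"
  fi
  readonly SSHPORT
  printf '%s\n' "$$" > "$PIDFILE"
  trap cleanup EXIT
  log "started; port $SSHPORT, threshold $NUMBER per ${EXEC_TIME}s, release after ${RETIME}s"
  while true; do
    scan_once
    sleep "$EXEC_TIME"
  done
}

main "$@"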
This article is from the "Technical Exchange" blog