Shell and iptables: automatically reject malicious SSH connections

Source: Internet
Author: User
Tags: egrep

Changes in this version of the script:

The lock function now automatically releases a locked IP address after a set time.

The execution interval is set inside the script, so the scheduled task (cron) does not have to be modified.

Alerts are not sent repeatedly for the same addresses.

Change the settings at the top of the script (the values highlighted in the original post) to suit your environment.

Create a file named ssh and copy the script content below into it. Then start it with:

# nohup ./ssh &

It then runs continuously in the background.

Stop method:

# ps aux | grep ./ssh | grep -v '/usr/sbin/sshd' | grep -v grep | awk '{print $2}' | xargs kill -9

Script content:

```bash
#!/bin/bash
# Watch failed SSH logins (lastb), block offending IP addresses with iptables,
# mail one alert per batch of new blocks, and release the blocks after RETIME.
while true
do
    # Script run interval (seconds)
    EXEC_TIME=60
    # Number of failed connections in one hour that triggers a block
    NUMBER=5
    # Mail alert address settings
    MAILFROM=monitor@x.x.x.x.com
    MAILTO=x.x.x.x@sina.cn
    # Time (seconds) after which a locked IP address is released
    RETIME=3000

    # Local IP address, quoted in the mail alert
    IPADDR=192.168.0.91

    # Storage location for the collected IP addresses
    BADIP=/tmp/.ssh/.ssh_badip
    BKIP=/tmp/.ssh/.back_ssh_badip
    mkdir -p /tmp/.ssh
    touch "$BADIP" "$BKIP"
    LOG=/var/log/messages
    # Port the sshd service listens on (first LISTEN socket owned by sshd)
    SSHPORT=$(netstat -antlp | awk '/sshd/ && /LISTEN/ {sub(/.*:/, "", $4); print $4; exit}')
    TIME=$(date +"%Y-%m-%d %H:%M:%S")
    IPLIST=/tmp/.ssh/.iplist
    TIMEFILE=/tmp/.ssh/.time
    touch "$IPLIST" "$TIMEFILE"

    # Build the list of addresses with more than $NUMBER failed logins in one hour.
    # lastb -i columns: user tty ip weekday month day hh:mm ...
    echo "date time count ip day hour" > "$BADIP"
    lastb -i | awk '$2 ~ /^ssh/ {print $3" "$6" "$7}' | awk -F: '{print $1}' \
      | sort | uniq -c \
      | awk -v n="$NUMBER" '$1 > n {print $1" "$2" "$3" "$4}' \
      | awk -v time="$TIME" '{print time" "$1" "$2" "$3" "$4}' | column -t >> "$BADIP"
    cat "$BADIP" > "$BKIP"
    DROPIP=$(wc -l < "$BADIP")

    if [ "$DROPIP" -gt 1 ]; then
        for bip in $(grep -v '^date' "$BADIP" | awk '{print $4}')
        do
            iptables -I INPUT -s "$bip" -p tcp --dport "$SSHPORT" -j DROP
            echo "$bip" >> "$IPLIST"
            echo "$TIME lock ip address $bip in iptables" >> "$LOG"
            # Archive and clear btmp so the same failures are not counted again
            cat /var/log/btmp >> /var/log/btmp.bak; > /var/log/btmp
            # Remember when the last lock was applied
            date +%s > "$TIMEFILE"
        done
    fi

    # Mail the addresses blocked in this run (header line excluded)
    VALUE=$((DROPIP - 1))
    if [ "$VALUE" -gt 0 ]; then
        LAST=$(tail -n "$VALUE" "$BKIP")
        sendmail -t <<EOF
From: $MAILFROM
To: $MAILTO
Subject: severe warning

$TIME someone is trying to connect to the SSH service. The system has intercepted it for you. For details, log on to the server $IPADDR.
$LAST
EOF
        echo "$TIME send mail to $MAILTO" >> "$LOG"
    fi

    # Seconds since the last lock was applied
    OLD_TIME=$(cat "$TIMEFILE")
    OLD_TIME=${OLD_TIME:-0}
    TIME_NOWB=$(date +%s)
    TIME_IN=$((TIME_NOWB - OLD_TIME))

    # Release the locked addresses once RETIME has passed
    if [ -s "$IPLIST" ] && [ "$TIME_IN" -gt "$RETIME" ]; then
        for rmip in $(awk '{print $1}' "$IPLIST")
        do
            # Delete by rule specification rather than by line number, so
            # removing one rule does not shift the numbers of the others
            iptables -D INPUT -s "$rmip" -p tcp --dport "$SSHPORT" -j DROP
            echo "$TIME remove lock on ip address $rmip" >> "$LOG"
        done
        > "$IPLIST"
    fi

    # ps aux | grep ./ssh | grep -v '/usr/sbin/sshd' | grep -v grep | awk '{print $2}' >> $LOG
    sleep "$EXEC_TIME"
done
```
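The detection step of the script, as an added example that is not part of the original post: the same lastb parsing and threshold test run over a constructed lastb -i sample, so the logic can be checked offline without root. The function names offenders and to_block and the sample addresses are constructed for this example; to_block additionally skips addresses already in the IP list, which the original script does not do.

```shell
#!/bin/bash
# Added example, not the page's script: the lastb-based detection the
# script applies, run over a constructed `lastb -i` sample so the threshold
# and de-duplication logic can be checked offline, without root.

# Constructed sample in the column layout of `lastb -i`:
# user tty ip weekday month day hh:mm - hh:mm (duration)
SAMPLE_LASTB='root    ssh:notty  203.0.113.7   Mon Mar  3 10:01 - 10:01  (00:00)
root    ssh:notty  203.0.113.7   Mon Mar  3 10:02 - 10:02  (00:00)
admin   ssh:notty  203.0.113.7   Mon Mar  3 10:05 - 10:05  (00:00)
root    ssh:notty  203.0.113.7   Mon Mar  3 10:09 - 10:09  (00:00)
root    ssh:notty  203.0.113.7   Mon Mar  3 10:30 - 10:30  (00:00)
test    ssh:notty  203.0.113.7   Mon Mar  3 10:44 - 10:44  (00:00)
root    ssh:notty  198.51.100.2  Mon Mar  3 11:10 - 11:10  (00:00)
root    ssh:notty  198.51.100.2  Mon Mar  3 11:11 - 11:11  (00:00)
root    ssh:notty  198.51.100.2  Mon Mar  3 11:12 - 11:12  (00:00)
root    ssh:notty  198.51.100.2  Mon Mar  3 11:13 - 11:13  (00:00)
root    ssh:notty  198.51.100.2  Mon Mar  3 11:14 - 11:14  (00:00)
oracle  ssh:notty  192.0.2.9     Mon Mar  3 12:00 - 12:00  (00:00)

btmp begins Mon Mar  3 09:00:00 2025'

# offenders THRESHOLD   (lastb -i text on stdin)
# Prints "count ip day hour" for every (ip, day, hour) with MORE than
# THRESHOLD failed logins, the test the script applies before inserting a
# DROP rule. Exactly THRESHOLD failures does not trigger (strict >).
# Lines whose tty is not ssh (the trailer "btmp begins ...", blank lines)
# are skipped instead of being counted as junk entries.
offenders() {
    awk '$2 ~ /^ssh/ {split($7, t, ":"); print $3, $6, t[1]}' \
      | sort | uniq -c \
      | awk -v n="$1" '$1 > n {print $1, $2, $3, $4}'
}

# to_block THRESHOLD IPLIST   (lastb -i text on stdin)
# Unique offending IPs not already recorded in IPLIST (one IP per line),
# so a re-run does not insert a second identical DROP rule for an address.
to_block() {
    offenders "$1" | awk '{print $2}' | sort -u | grep -vxFf "$2" || true
}

# Stand-alone run: IPs that would be blocked with the script's default NUMBER=5
printf '%s\n' "$SAMPLE_LASTB" | to_block 5 /dev/null
```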

This article is from the "Technical Exchange" blog
