The script requirements are as follows: the shell script is placed in crontab and runs every 6 hours (adjust this interval to your actual situation). It reads /var/log/secure, extracts the IPs that are guessing passwords, and if an IP's number of failed connections in the unit time (one week) is higher than a threshold, for example 100 (this threshold can also be adjusted to your situation), it is added to the /etc/hosts.deny blacklist; if it is below the threshold, the IP is ignored.
The authentication failure entries in /var/log/secure look like this:
Nov 10:18:08 centos2 sshd[7556]: Connection closed by 222.216.30.109
Nov 10:18:08 centos2 sshd[7557]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109
Nov 10:18:09 centos2 sshd[7559]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109
Nov 10:18:10 centos2 sshd[7551]: Failed password for root from 222.216.30.109 port 2391 ssh2
Nov 10:18:10 centos2 sshd[7552]: Connection closed by 222.216.30.109
Nov 10:18:10 centos2 sshd[7553]: Failed password for root from 222.216.30.109 port 2397 ssh2
Nov 10:18:10 centos2 sshd[7554]: Connection closed by 222.216.30.109
Nov 10:18:11 centos2 sshd[7557]: Failed password for root from 222.216.30.109 port 2401 ssh2
Nov 10:18:11 centos2 sshd[7558]: Connection closed by 222.216.30.109
Nov 10:18:11 centos2 sshd[7559]: Failed password for root from 222.216.30.109 port 2403 ssh2
Nov 10:18:11 centos2 sshd[7560]: Connection closed by 222.216.30.109
Nov 10:37:01 centos2 vsftpd:pam_unix(vsftpd:auth): check pass; user unknown
Nov 10:37:01 centos2 vsftpd:pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=hello rhost=centos1.cn7788.com
Nov 10:37:01 centos2 vsftpd:pam_succeed_if(vsftpd:auth): error retrieving information about user hello
Nov 10:37:19 centos2 vsftpd:pam_unix(vsftpd:auth): check pass; user unknown
Nov 10:37:19 centos2 vsftpd:pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yhc rhost=centos1.cn7788.com
Nov 10:37:19 centos2 vsftpd:pam_succeed_if(vsftpd:auth): error retrieving information about user yhc
Nov 10:37:36 centos2 vsftpd:pam_unix(vsftpd:auth): check pass; user unknown
Nov 10:37:36 centos2 vsftpd:pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yuhongchun rhost=centos1.cn7788.com
Nov 10:37:36 centos2 vsftpd:pam_succeed_if(vsftpd:auth): error retrieving information about user yuhongchun
Nov 10:42:44 centos2 vsftpd:pam_unix(vsftpd:auth): check pass; user unknown
Nov 10:42:44 centos2 vsftpd:pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yuhongchun rhost=114.112.169.70
Nov 10:42:44 centos2 vsftpd:pam_succeed_if(vsftpd:auth): error retrieving information about user yuhongchun
Nov 10:42:56 centos2 vsftpd:pam_unix(vsftpd:auth): check pass; user unknown
Nov 10:42:56 centos2 vsftpd:pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=andrewyu rhost=114.112.169.70
Nov 10:42:56 centos2 vsftpd:pam_succeed_if(vsftpd:auth): error retrieving information about user andrewyu
The rotation of the /var/log/secure file looks like this:
[root@centos2 log]# ls -lsart secure.*
512 -rw------- 1 root root 516379 11-04 01:31 secure.4
660 -rw------- 1 root root 668192 11-11 00:05 secure.3
304 -rw------- 1 root root 306589 11-17 10:33 secure.2
484 -rw------- 1 root root 488620 11-25 02:33 secure.1
So the secure file is basically rotated on a weekly cycle; anyone with stricter security requirements can, in the spirit of "let none slip through", also crawl the older secure.* files for malicious IPs. Next we need an effective way to pick these malicious IPs out. Referring to the original version of the shell script, which pulls the IP addresses probing the vsftpd and sshd services out of the secure log, we could use the following command:
cat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $2"="$1}'
Obviously this does not pick up the vsftpd failure IPs: the sshd failure lines are not in the same format as the vsftpd failure lines. I wrote several versions mixing awk and sed and timed them; a pure awk script felt fastest. You can write several yourself and compare them with the time command. The streamlined code is below, and the complete script reads as follows:
#!/bin/bash
# Denyhosts for vsftpd and sshd
# 2012-12-28
# Pull every rhost= value (present in both the sshd and the vsftpd pam_unix
# lines), count occurrences per source and write "count host" pairs to black.txt.
awk '{for(i=1;i<=NF;i++){if($i ~ /rhost/) print substr($i,7)}}' /var/log/secure | sort | uniq -c > /root/black.txt
DEFINE="100"
# Read count and host line by line; a plain "for i in `cat ...`" would split
# each line into two separate words and leave $IP empty.
while read NUM IP
do
    if [ "$NUM" -gt "$DEFINE" ]; then
        # Only append when the host is not already listed.
        grep -qF "$IP" /etc/hosts.deny
        if [ $? -gt 0 ]; then
            echo "sshd: $IP" >> /etc/hosts.deny
            echo "vsftpd: $IP" >> /etc/hosts.deny
        fi
    fi
done < /root/black.txt
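The following is an added example, not the post's script: the same rhost= counting and threshold test, wrapped in functions so they can be run against a constructed sample log and a scratch deny file instead of the live /var/log/secure and /etc/hosts.deny. The function names, the threshold of 3 and the sample addresses 203.0.113.5 and 198.51.100.7 (documentation ranges, not observed attackers) are assumptions made for this example. It goes slightly beyond the post's script in that it skips an empty "rhost=" field and reports whether a host was newly added or already present.

```shell
#!/bin/bash
# Added example, not the post's script: rhost= counting and threshold test
# wrapped in functions, run on a constructed sample log and a scratch deny
# file. Function names and sample addresses are assumptions for this example.

# Emit "<count> <host>" per source. Both sshd and vsftpd pam_unix lines carry
# rhost=, which is why the post keys on that field rather than on the
# sshd-only "Failed password" wording. An empty "rhost=" is skipped.
count_sources() {   # $1 = log file
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^rhost=./) print substr($i, 7) }' "$1" \
        | sort | uniq -c | awk '{ print $1, $2 }'
}

# Print hosts whose count is strictly greater than the threshold, one per
# line (same "-gt" comparison as the post's DEFINE test).
hosts_over_threshold() {   # $1 = log file, $2 = threshold
    count_sources "$1" | while read -r num host; do
        if [ "$num" -gt "$2" ]; then
            echo "$host"
        fi
    done
}

# Append sshd: and vsftpd: entries for a host unless it is already listed, so
# repeated cron runs do not duplicate lines. Echoes 1 if added, 0 if present.
deny_host() {   # $1 = host, $2 = deny file
    if grep -qF "$1" "$2" 2>/dev/null; then
        echo 0
    else
        printf 'sshd: %s\nvsftpd: %s\n' "$1" "$1" >> "$2"
        echo 1
    fi
}

# Write a constructed sample log (not a real capture) and print its path:
# five sshd failures from 203.0.113.5, two vsftpd failures from 198.51.100.7,
# and one sshd line whose rhost= is empty.
make_sample_log() {
    f=$(mktemp)
    {
        for n in 1 2 3 4 5; do
            echo "Nov 28 10:18:0$n centos2 sshd[75$n]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5"
            echo "Nov 28 10:18:0$n centos2 sshd[75$n]: Failed password for root from 203.0.113.5 port 239$n ssh2"
        done
        for n in 1 2; do
            echo "Nov 28 10:37:0$n centos2 vsftpd:pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=hello rhost=198.51.100.7"
        done
        echo "Nov 28 10:40:00 centos2 sshd[7600]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost="
    } > "$f"
    echo "$f"
}

# Stand-alone run with threshold 3: only 203.0.113.5 ends up in the deny file.
run_example() {   # $1 = threshold
    log=$(make_sample_log)
    deny=$(mktemp)
    echo "counts:"
    count_sources "$log"
    for h in $(hosts_over_threshold "$log" "$1"); do
        deny_host "$h" "$deny" > /dev/null
    done
    echo "deny file:"
    cat "$deny"
    rm -f "$log" "$deny"
}

run_example 3
```

The threshold comparison is strictly greater-than, matching the post's `-gt`; a host with exactly the threshold count is not blocked. Using `grep -qF` treats the host as a fixed string, so the dots in an IP are not interpreted as regex wildcards when checking whether it is already listed.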
After the script has been running for some time, we can look at the files it produces, such as /root/black.txt, which looks like this:
[root@centos2 ~]# cat /root/black.txt
2 113.17.144.156
4 114.112.51.208
4 114.112.69.170
169 118-163-227-50.hinet-ip.hinet.net
8 119.188.7.200
8 122.70.130.11
61 124.248.32.246
12 183.203.14.121
3 189.26.255.11
56 199.204.237.60
3 199.30.53.220
5 201.236.80.4
6 220.172.191.31
30 222.216.30.109
60 222.253.159.111
58 223.4.180.23
166 58.221.42.178
1 61.132.4.85
152 61.142.106.34
22 61.167.33.222
7 85.126.166.83
166 www.b-nets.com
The contents of /etc/hosts.deny are then as follows:
sshd:124.248.32.246
vsftpd:124.248.32.246
sshd:199.204.237.60
vsftpd:199.204.237.60
sshd:222.253.159.111
vsftpd:222.253.159.111
sshd:223.4.180.23
vsftpd:223.4.180.23
sshd:58.221.42.178
vsftpd:58.221.42.178
sshd:61.142.106.34
vsftpd:61.142.106.34
sshd:118-163-227-50.hinet-ip.hinet.net
vsftpd:118-163-227-50.hinet-ip.hinet.net
sshd:www.b-nets.com
vsftpd:www.b-nets.com
Finally, we put this shell script into the crontab and run it once every six hours, as follows:
0 */6 * * * root /bin/bash /root/hostsdeny.sh > /dev/null 2>&1
Because /var/log/secure is rotated weekly, how often this script runs is up to you: if the server is being probed frequently, set the interval shorter; otherwise it can be longer.