While routinely checking the /var/log/secure log on the FTP backup server, I found a large amount of authentication failure information for sshd and vsftpd. Obviously someone is trying to steal passwords with a brute-force cracking tool, so a security script is needed to stop it. The requirements for the script are as follows: the shell script is placed in crontab as a scheduled task and reads /var/log/secure every six hours (adjust the interval to the actual situation) to pick out the malicious IP addresses. If the number of failed connections from an address within one week is above a threshold, for example 100 (the threshold can also be set according to the actual situation), the address is added to /etc/hosts.deny; if it is below the threshold, the address is ignored. Part of /var/log/secure:
Nov 28 10:18:08 centos2 sshd[7556]: Connection closed by 222.216.30.109
Nov 28 10:18:08 centos2 sshd[7557]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109 user=root
Nov 28 10:18:09 centos2 sshd[7559]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109 user=root
Nov 28 10:18:10 centos2 sshd[7551]: Failed password for root from 222.216.30.109 port 2391 ssh2
Nov 28 10:18:10 centos2 sshd[7552]: Connection closed by 222.216.30.109
Nov 28 10:18:10 centos2 sshd[7553]: Failed password for root from 222.216.30.109 port 2397 ssh2
Nov 28 10:18:10 centos2 sshd[7554]: Connection closed by 222.216.30.109
Nov 28 10:18:11 centos2 sshd[7557]: Failed password for root from 222.216.30.109 port 2401 ssh2
Nov 28 10:18:11 centos2 sshd[7558]: Connection closed by 222.216.30.109
Nov 28 10:18:11 centos2 sshd[7559]: Failed password for root from 222.216.30.109 port 2403 ssh2
Nov 28 10:18:11 centos2 sshd[7560]: Connection closed by 222.216.30.109
Nov 28 10:37:01 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:37:01 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=hello rhost=centos1.cn7788.com
Nov 28 10:37:01 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user hello
Nov 28 10:37:19 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:37:19 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yhc rhost=centos1.cn7788.com
Nov 28 10:37:19 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user yhc
Nov 28 10:37:36 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:37:36 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yuhongchun rhost=centos1.cn7788.com
Nov 28 10:37:36 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user yuhongchun
Nov 28 10:42:44 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:42:44 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yuhongchun rhost=114.112.169.70
Nov 28 10:42:44 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user yuhongchun
Nov 28 10:42:56 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:42:56 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=andrewyu rhost=114.112.169.70
Nov 28 10:42:56 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user andrewyu

Next, look at the rotation pattern of the /var/log/secure files:

[root@centos2 log]# ls -lsart secure.*
512 -rw------- 1 root 516379 11-04 secure.4
660 -rw------- 1 root 668192 11-11 secure.3
304 -rw------- 1 root 306589 11-17 secure.2
484 -rw------- 1 root 488620 11-25 secure.1

So /var/log/secure is rotated on a weekly cycle. If your security requirements are strict, you can also follow a "never let one go" principle and harvest the malicious IP addresses from the old, rotated secure files as well, then put them into /etc/hosts.deny. Next we try to capture these malicious IP addresses efficiently. To capture the IP addresses probing the vsftpd and sshd services in the secure log, one could use the following command:

cat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $2"="$1;}'

Obviously this cannot pick up the addresses behind failed vsftpd logins, because the vsftpd failure lines look different from the sshd "Failed password" lines: the vsftpd lines only carry the source in the PAM rhost= field. I wrote several mixed awk and sed variants and tested their efficiency, and I feel the pure awk script is the fastest; you can also write a few variants and time them with the time command. Finally the code was simplified and the whole script completed. The script content is as follows:

#!/bin/bash
# Collect every non-empty rhost= value from the PAM lines (this covers both sshd and
# vsftpd failures) and count occurrences per source; /root/black.txt gets "COUNT HOST" lines.
awk '{for (i = 1; i <= NF; i++) {if ($i ~ /^rhost=./) print substr($i, 7)}}' /var/log/secure | sort | uniq -c > /root/black.txt
# Threshold: sources with more failures than this are blocked.
DEFINE="100"
while read -r NUM host
do
    if [ "$NUM" -gt "$DEFINE" ]; then
        # Only add a source that is not already listed; -F -w matches the literal host as a
        # whole word so that 1.2.3.4 is not mistaken for an existing 11.2.3.45 entry.
        if ! grep -qwF "$host" /etc/hosts.deny; then
            echo "sshd: $host" >> /etc/hosts.deny
            echo "vsftpd: $host" >> /etc/hosts.deny
        fi
    fi
done < /root/black.txt
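The same detection and blocklist logic, rewritten as an added example (it is not the post's own script) so that it can be run offline: the functions take the log file and the deny file as parameters, a constructed set of /var/log/secure-style lines stands in for the live log, and a temporary file stands in for /etc/hosts.deny. The function names (count_failures, offenders, apply_denies), the sample addresses and the hostnames are all assumptions made for the example. It counts only the pam_unix "authentication failure" line per attempt (so an sshd attempt that also logs "Failed password" is not counted twice), skips empty rhost= values from local console logins, and updates the deny file idempotently with an exact-line match.

```bash
#!/bin/bash
# Added example, not the original post's script: the same detection and blocklist logic,
# written as functions that take a log file and a deny file as parameters so it can be run
# offline against a constructed sample instead of the live /var/log/secure and /etc/hosts.deny.

# Constructed sample of /var/log/secure-style lines (not captured from a real server).
# 198.51.100.7 produces three PAM failures (plus matching sshd "Failed password" lines),
# 203.0.113.9 two, a reverse-resolved hostname one, and a local login failure has an empty rhost.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Nov 28 10:18:08 centos2 sshd[7557]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Nov 28 10:18:10 centos2 sshd[7557]: Failed password for root from 198.51.100.7 port 2391 ssh2
Nov 28 10:18:11 centos2 sshd[7559]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Nov 28 10:18:11 centos2 sshd[7559]: Failed password for root from 198.51.100.7 port 2403 ssh2
Nov 28 10:18:14 centos2 sshd[7563]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=admin
Nov 28 10:37:01 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=hello rhost=203.0.113.9
Nov 28 10:37:19 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yhc rhost=203.0.113.9
Nov 28 10:40:02 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=backup rhost=scanner.example.net
Nov 28 10:41:00 centos2 sshd[7570]: Accepted publickey for deploy from 192.0.2.20 port 50000 ssh2
Nov 28 10:42:00 centos2 login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=root
EOF

# Print "COUNT HOST" for every source that caused a PAM authentication failure.
# Only the pam_unix "authentication failure" line is counted, so sshd attempts that also
# produce a "Failed password" line are not counted twice; empty rhost= values (local
# console logins) are skipped so they cannot end up as a blank hosts.deny entry.
count_failures() {
    awk '/authentication failure/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^rhost=/) {
                    h = substr($i, 7)
                    if (h != "") print h
                }
        }' "$1" | sort | uniq -c | awk '{print $1, $2}'
}

# Print the sources whose failure count is above the threshold (strictly greater, as in the post).
offenders() {
    count_failures "$1" | awk -v t="$2" '$1 > t {print $2}'
}

# Append "sshd:" and "vsftpd:" lines for each offender to the deny file, once per source.
# grep -x -F compares the literal whole line, so 10.0.0.1 never satisfies a check for 0.0.0.1.
apply_denies() {
    local log="$1" threshold="$2" deny="$3"
    touch "$deny"
    offenders "$log" "$threshold" | while read -r host; do
        if ! grep -qxF "sshd: $host" "$deny"; then
            printf 'sshd: %s\nvsftpd: %s\n' "$host" "$host" >> "$deny"
        fi
    done
}

# Demonstration: a temporary file stands in for /etc/hosts.deny; threshold 2 blocks only
# 198.51.100.7. Running twice shows the update is idempotent.
DENY_FILE="$(mktemp)"
apply_denies "$SAMPLE_LOG" 2 "$DENY_FILE"
apply_denies "$SAMPLE_LOG" 2 "$DENY_FILE"
echo "--- failure counts ---"; count_failures "$SAMPLE_LOG"
echo "--- hosts.deny ---"; cat "$DENY_FILE"
```

To use it on a real host, call apply_denies with /var/log/secure, the chosen threshold and /etc/hosts.deny from the cron job instead of the temporary files; because the deny file is only ever appended to and each source is checked with an exact-line match, repeated runs over the same rotated log do not duplicate entries.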
After the script has run for a while, we can look at the files it works with, such as /root/black.txt. The result is as follows:

[root@centos2 ~]# cat /root/black.txt
2 113.17.144.156
4 114.112.51.208
4 114.112.69.170
169 118-163-227-50.hinet-ip.hinet.net
8 119.188.7.200
8 122.70.130.11
61 124.248.32.246
12 183.203.14.121
3 189.26.20.11
56 199.204.237.60
3 199.30.53.220
5 201.236.80.4
6 220.172.191.31
30 222.216.30.109
60 222.253.159.111
58 223.4.180.23
166 58.221.42.178
1 61.132.4.85
152 61.142.106.34
22 61.167.33.222
7 85.126.166.83
166 www.b-nets.com
The content of the /etc/hosts.deny file is then as follows:

sshd: 124.248.32.246
vsftpd: 124.248.32.246
sshd: 199.204.237.60
vsftpd: 199.204.237.60
sshd: 222.253.159.111
vsftpd: 222.253.159.111
sshd: 223.4.180.23
vsftpd: 223.4.180.23
sshd: 58.221.42.178
vsftpd: 58.221.42.178
sshd: 61.142.106.34
vsftpd: 61.142.106.34
sshd: 118-163-227-50.hinet-ip.hinet.net
vsftpd: 118-163-227-50.hinet-ip.hinet.net
sshd: www.b-nets.com
vsftpd: www.b-nets.com
Finally, put the shell script into crontab so that it runs every six hours. The entry (in /etc/crontab format, with the user field) is as follows:

0 */6 * * * root /bin/bash /root/hostsdeny.sh > /dev/null 2>&1

The minute field is 0 so that the script fires once at the start of every sixth hour rather than every minute of those hours. Because /var/log/secure is rotated weekly, you can tune the execution frequency: if the server is being probed frequently, set a shorter interval; otherwise a longer interval is fine.