Script overview: the script scans the SSH log files (/var/log/secure*), extracts the failed-login entries with grep/awk/sort/uniq, and builds per-IP statistics from them.
It then checks those counts; when a single IP has too many failed logins, it emails the administrator with the matching failed-login log lines. In production you will probably need to change the mail address to the admin's mailbox, provided your server can send mail through its local mail server.
Script source:
------------------------------------------------------------------------------------------------------------------------------
[[email protected] ~]# cat chk_ssh_login.sh
#!/bin/bash
# Address of this server, taken from eth0 (CentOS/RHEL 6 ifconfig output format).
ServerIP=`ifconfig eth0 | grep "inet addr" | awk '{print $2}' | awk -F ":" '{print $2}'`
# Get SSH failure login infos.
grep -r Failed /var/log/secure* > /root/ssh_failure_data.log
# Filter failure login infos: count lines per (source IP, user name) pair.
# Counting from the right, $(NF-3) is the source IP and $(NF-5) the user name.
cat /root/ssh_failure_data.log | awk '{print $(NF-3),$(NF-5)}' | sort | uniq -c | awk '{print $1"="$2"="$3}' > /root/ssh_data.log
for i in `cat /root/ssh_data.log`
do
Count=`echo $i |awk -F"=" '{print $1}'`
IP=`echo $i |awk -F"=" '{print $2}'`
User=`echo $i |awk -F"=" '{print $3}'`
# More than 10 failures from one IP for one user: mail the matching log lines to the admin.
if [ $Count -gt 10 ]; then
grep -F "$IP" /root/ssh_failure_data.log > /tmp/ssh_error.logs
mail -s "SSH abnormal login occurred on server $ServerIP." [email protected] < /tmp/ssh_error.logs
rm -f /tmp/ssh_error.logs
fi
done
------------------------------------------------------------------------------------------------------------------------------
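The script above counts failures per (IP, user name) pair, so an address that spreads its attempts across many user names may never cross the threshold for any single pair. The following is an added example, not part of the original post, that counts per source IP regardless of user name and also handles the "invalid user" form of the sshd message; the log lines it reads are constructed samples, and the function names and thresholds are assumptions.

```shell
#!/bin/bash
# Added example, not the original script: aggregate SSH password failures
# per source IP (all user names combined) from sshd lines in /var/log/secure
# format, and report IPs at or above a threshold. The sample log lines below
# are constructed so the function can be exercised without a real log file.

SAMPLE_LOG='Apr 22 15:10:55 youserver sshd[21486]: Failed password for user1 from 10.9.150.68 port 33275 ssh2
Apr 22 15:10:59 youserver sshd[21486]: Failed password for invalid user admin from 10.9.150.68 port 33276 ssh2
Apr 22 15:11:03 youserver sshd[21490]: Failed password for invalid user test from 10.9.150.68 port 33277 ssh2
Apr 22 15:12:00 youserver sshd[21495]: Failed password for user1 from 10.9.150.70 port 40001 ssh2
Apr 22 15:12:05 youserver sshd[21495]: Accepted password for user1 from 10.9.150.70 port 40001 ssh2'

# Usage: ssh_failed_by_ip THRESHOLD < logfile
# Prints "COUNT IP" for every source IP with COUNT >= THRESHOLD, highest first.
# A "/var/log/secure:" prefix from grep -r does not matter because fields are
# taken from the right-hand end of the line.
ssh_failed_by_ip() {
    local threshold="${1:-10}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for / {
            # "... from IP port N ssh2": $(NF-3) is the IP whether or not the
            # message contains "invalid user NAME" before "from".
            if ($(NF-2) == "port" && $(NF-4) == "from") count[$(NF-3)]++
        }
        END { for (ip in count) if (count[ip] >= t) print count[ip], ip }
    ' | sort -rn
}

# Number of IPs in the sample that reach a given threshold.
sample_alert_count() {
    printf '%s\n' "$SAMPLE_LOG" | ssh_failed_by_ip "$1" | wc -l | tr -d ' '
}

# Failure count recorded for one IP in the sample, or 0 if it never failed.
sample_count_for() {
    printf '%s\n' "$SAMPLE_LOG" | ssh_failed_by_ip 1 |
        awk -v ip="$1" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}
```

Feed a real log with `ssh_failed_by_ip 10 < /root/ssh_failure_data.log` and pipe the result into the mail step the original script uses.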
Running the script:
------------------------------------------------------------------------------------------------------------------------------
[[email protected] ~]# sh chk_ssh_login.sh
You have mail in /var/spool/mail/root
[[email protected] ~]#
[[email protected] ~]#
------------------------------------------------------------------------------------------------------------------------------
Viewing the result:
------------------------------------------------------------------------------------------------------------------------------
[[email protected] ~]# mail
Heirloom Mail version 12.4 7/29/08. Type ? for help.
"/var/spool/mail/root": 5 messages 1 new 3 unread
1 Cron Daemon Fri Jun 21 23:53 22/880 "Cron <[email protected]> /usr/lib64/sa/sa2 -A"
U 2 [email protected] Wed Feb 26 17:50 47/2260 "[abrt] full crash report"
U 3 Mail Delivery System Sun Aug 24 11:31 74/2797 "Undelivered Mail Returned to Sender"
4 root Thu Apr 23 11:03 29/2108 "SSH abnormal login occurred on server 10.9.249.173."
>N 5 root Thu Apr 23 11:04 28/2097 "SSH abnormal login occurred on server 10.9.249.173."
& 5
Message 5:
From [email protected] Thu Apr 23 11:04:02 2015
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Date: Thu, 23 Apr 2015 11:04:02 +0800
To: [email protected]
Subject: SSH abnormal login occurred on server 10.9.249.173.
User-Agent: Heirloom mailx 12.4 7/29/08
Content-Type: text/plain; charset=us-ascii
From: [email protected] (root)
Status: R
/var/log/secure:Apr 22 15:10:55 youserver sshd[21486]: Failed password for user1 from 10.9.150.68 port 33275 ssh2
/var/log/secure:Apr 22 15:10:59 youserver sshd[21486]: Failed password for user1 from 10.9.150.68 port 33275 ssh2
/var/log/secure:Apr 22 15:11:03 youserver sshd[21486]: Failed password for user1 from 10.9.150.68 port 33275 ssh2
/var/log/secure:Apr 22 15:11:39 youserver sshd[21489]: Failed password for user1 from 10.9.150.68 port 33276 ssh2
/var/log/secure:Apr 22 15:13:27 youserver sshd[21498]: Failed password for user1 from 10.9.150.68 port 33277 ssh2
/var/log/secure:Apr 22 15:15:08 youserver sshd[21498]: Failed password for user1 from 10.9.150.68 port 33277 ssh2
/var/log/secure:Apr 22 15:15:19 youserver sshd[21506]: Failed password for user1 from 10.9.150.68 port 33278 ssh2
/var/log/secure:Apr 22 15:16:21 youserver sshd[21536]: Failed password for user1 from 10.9.150.68 port 33280 ssh2
/var/log/secure:Apr 22 15:16:25 youserver sshd[21536]: Failed password for user1 from 10.9.150.68 port 33280 ssh2
/var/log/secure:Apr 22 15:16:30 youserver sshd[21536]: Failed password for user1 from 10.9.150.68 port 33280 ssh2
/var/log/secure:Apr 22 15:19:07 youserver sshd[21571]: Failed password for user1 from 10.9.150.68 port 33281 ssh2
& q
Held 5 messages in /var/spool/mail/root
------------------------------------------------------------------------------------------------------------------------------
CentOS/RHEL 6 SSH log filtering script to guard against brute-force attacks