CentOS/RHEL 6 SSH log filtering script to guard against brute-force attacks


    Script overview: the script filters the SSH log files (/var/log/secure*) with grep/awk/sort/uniq, extracting the failed-login entries and a per-source-IP, per-user count of them.

    When a single IP has accumulated too many failures, it sends an email with that IP's failed-login log lines to the administrator. In production you will want to change the recipient to the admin's mailbox address, provided your server can send mail through its local mail server.

    Script source:

    ------------------------------------------------------------------------------------------------------------------------------

    [root@youserver ~]# cat chk_ssh_login.sh
    #!/bin/bash

    # Address of eth0, used in the mail subject (RHEL 6 net-tools ifconfig output format).
    ServerIP=$(ifconfig eth0 | grep "inet addr" | awk '{print $2}' | awk -F ":" '{print $2}')

    # Get SSH failure login infos (grep -r prefixes each line with its file name).
    grep -r Failed /var/log/secure* > /root/ssh_failure_data.log

    # Filter failure login infos: count failures per (source IP, user) pair.
    # Fields are taken from the end of the line ($(NF-3) = source IP, $(NF-5) = user),
    # so "Failed password for invalid user X from IP port N ssh2" is handled too.
    awk '{print $(NF-3),$(NF-5)}' /root/ssh_failure_data.log | sort | uniq -c | awk '{print $1"="$2"="$3}' > /root/ssh_data.log

    for i in $(cat /root/ssh_data.log)
        do
            Count=$(echo "$i" | awk -F"=" '{print $1}')
            IP=$(echo "$i" | awk -F"=" '{print $2}')
            User=$(echo "$i" | awk -F"=" '{print $3}')
            if [ "$Count" -gt 10 ]; then
                # Match " from $IP port " as a fixed string: a bare grep $IP treats the dots
                # as regex wildcards and also matches longer addresses such as 10.9.150.681.
                # mktemp avoids writing, as root, to a predictable file name in /tmp.
                TmpLog=$(mktemp /tmp/ssh_error.XXXXXX)
                grep -F " from $IP port " /root/ssh_failure_data.log > "$TmpLog"
                mail -s "SSH abnormal login occurred on server $ServerIP." root@localhost < "$TmpLog"
                rm -f "$TmpLog"
            fi
    done
    ------------------------------------------------------------------------------------------------------------------------------

    Running the script:

    ------------------------------------------------------------------------------------------------------------------------------
    [root@youserver ~]# sh chk_ssh_login.sh
    You have mail in /var/spool/mail/root
    [root@youserver ~]#
    [root@youserver ~]#

    ------------------------------------------------------------------------------------------------------------------------------

    Viewing the result:

    ------------------------------------------------------------------------------------------------------------------------------
    [root@youserver ~]# mail
    Heirloom Mail version 12.4 7/29/08.  Type ? for help.
    "/var/spool/mail/root": 5 messages 1 new 3 unread
        1 Cron Daemon           Fri Jun 21 23:53  22/880   "Cron <root@instance-rhel63-11238> /usr/lib64/sa/sa2 -A"
     U  2 user@localhost.strat  Wed Feb 26 17:50  47/2260  "[abrt] full crash report"
     U  3 Mail Delivery System  Sun Aug 24 11:31  74/2797  "Undelivered Mail Returned to Sender"
        4 root                  Thu Apr 23 11:03  29/2108  "SSH abnormal login occurred on server 10.9.249.173."
    >N  5 root                  Thu Apr 23 11:04  28/2097  "SSH abnormal login occurred on server 10.9.249.173."
    & 5
    Message  5:
    From root@youserver  Thu Apr 23 11:04:02 2015
    Return-Path: <root@youserver>
    X-Original-To: root@localhost
    Delivered-To: root@localhost
    Date: Thu, 23 Apr 2015 11:04:02 +0800
    To: root@localhost
    Subject: SSH abnormal login occurred on server 10.9.249.173.
    User-Agent: Heirloom mailx 12.4 7/29/08
    Content-Type: text/plain; charset=us-ascii
    From: root@youserver (root)
    Status: R

    /var/log/secure:Apr 22 15:10:55 youserver sshd[21486]: Failed password for user1 from 10.9.150.68 port 33275 ssh2
    /var/log/secure:Apr 22 15:10:59 youserver sshd[21486]: Failed password for user1 from 10.9.150.68 port 33275 ssh2
    /var/log/secure:Apr 22 15:11:03 youserver sshd[21486]: Failed password for user1 from 10.9.150.68 port 33275 ssh2
    /var/log/secure:Apr 22 15:11:39 youserver sshd[21489]: Failed password for user1 from 10.9.150.68 port 33276 ssh2
    /var/log/secure:Apr 22 15:13:27 youserver sshd[21498]: Failed password for user1 from 10.9.150.68 port 33277 ssh2
    /var/log/secure:Apr 22 15:15:08 youserver sshd[21498]: Failed password for user1 from 10.9.150.68 port 33277 ssh2
    /var/log/secure:Apr 22 15:15:19 youserver sshd[21506]: Failed password for user1 from 10.9.150.68 port 33278 ssh2
    /var/log/secure:Apr 22 15:16:21 youserver sshd[21536]: Failed password for user1 from 10.9.150.68 port 33280 ssh2
    /var/log/secure:Apr 22 15:16:25 youserver sshd[21536]: Failed password for user1 from 10.9.150.68 port 33280 ssh2
    /var/log/secure:Apr 22 15:16:30 youserver sshd[21536]: Failed password for user1 from 10.9.150.68 port 33280 ssh2
    /var/log/secure:Apr 22 15:19:07 youserver sshd[21571]: Failed password for user1 from 10.9.150.68 port 33281 ssh2

    & q
    Held 5 messages in /var/spool/mail/root

    ------------------------------------------------------------------------------------------------------------------------------
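    An added example, not code from the original post: the tally and per-IP extraction of chk_ssh_login.sh as shell functions, run over constructed log lines in the RHEL 6 /var/log/secure format so the logic can be checked offline, with the IP matched as the fixed string " from IP port " so that 10.9.150.68 no longer also matches 10.9.150.681. The names SAMPLE_LOG, tally, failures_for_ip and offenders are my own.

```bash
#!/bin/bash
# Added example, not from the original post. Constructed sample lines in the
# format grep -r produces from /var/log/secure on RHEL 6 (file name prefix,
# syslog timestamp, sshd PID). 10.9.150.68 fails 3 times (2 as user1, 1 as the
# invalid user admin); 10.9.150.681 fails once; one line is a successful login.
SAMPLE_LOG='/var/log/secure:Apr 22 15:10:55 youserver sshd[21486]: Failed password for user1 from 10.9.150.68 port 33275 ssh2
/var/log/secure:Apr 22 15:10:59 youserver sshd[21486]: Failed password for user1 from 10.9.150.68 port 33275 ssh2
/var/log/secure:Apr 22 15:11:03 youserver sshd[21490]: Failed password for invalid user admin from 10.9.150.68 port 33276 ssh2
/var/log/secure:Apr 22 15:12:00 youserver sshd[21491]: Failed password for root from 10.9.150.681 port 40001 ssh2
/var/log/secure:Apr 22 15:12:30 youserver sshd[21492]: Accepted password for user1 from 10.9.150.68 port 33277 ssh2'

# tally: stdin -> one "count=ip=user" line per (source IP, user) pair.
# Only "sshd[...]: Failed ..." lines count; the IP and user are taken from the
# end of the line ($(NF-3), $(NF-5)), which also covers "invalid user X".
tally() {
    awk '/sshd\[[0-9]+\]: Failed / {print $(NF-3) "=" $(NF-5)}' \
        | sort | uniq -c | awk '{print $1 "=" $2}'
}

# failures_for_ip IP: stdin -> the failed-login lines from exactly that IP.
# Matching " from IP port " as a fixed string (-F) avoids the two problems of
# a bare "grep $IP": dots acting as regex wildcards and prefix matches
# (10.9.150.68 inside 10.9.150.681).
failures_for_ip() {
    grep -F ' Failed ' | grep -F " from $1 port "
}

# offenders THRESHOLD: stdin -> "ip user count" for every pair whose failure
# count is greater than THRESHOLD (the post's script uses 10).
offenders() {
    tally | while IFS='=' read -r count ip user; do
        if [ "$count" -gt "$1" ]; then
            echo "$ip $user $count"
        fi
    done
}

# Stand-alone run: pairs with more than one failure, then the raw lines behind
# the offending IP, the same data the post's script mails to root.
printf '%s\n' "$SAMPLE_LOG" | offenders 1
printf '%s\n' "$SAMPLE_LOG" | failures_for_ip 10.9.150.68
```

    On a live system, replace the printf of SAMPLE_LOG with `grep -r Failed /var/log/secure*` and raise the threshold to the value the post uses.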

Original article: https://www.cnblogs.com/torvalds0310/p/4449854.html