CentOS/RHEL 6 SSH log filtering script to defend against brute-force attacks

    Script overview: the script filters the SSH log files (/var/log/secure*), then uses grep/awk/sort/uniq to extract the failed-login records and to produce statistics on them.

    It then checks the counts, and when a single IP has too many failed logins it mails an alert together with the failed-login log lines to the administrator. In production you will probably need to change the mail address to the admin's mailbox, provided that your server can send mail through the local mail server.

    Script source:

    ------------------------------------------------------------------------------------------------------------------------------

    [root@youserver ~]# cat chk_ssh_login.sh
    #!/bin/bash

    # Address of this host, used in the alert subject (ifconfig output format of RHEL 6).
    ServerIP=$(ifconfig eth0 | grep "inet addr" | awk '{print $2}' | awk -F ":" '{print $2}')

    # Get SSH failure login infos.
    grep -r Failed /var/log/secure* > /root/ssh_failure_data.log

    # Filter failure login infos: count failures per (source IP, user name).
    # Fields are addressed from the end of the line, so "invalid user xxx" lines parse too.
    awk '{print $(NF-3),$(NF-5)}' /root/ssh_failure_data.log | sort | uniq -c | awk '{print $1"="$2"="$3}' > /root/ssh_data.log

    for i in $(cat /root/ssh_data.log)
        do
            Count=$(echo "$i" | awk -F"=" '{print $1}')
            IP=$(echo "$i" | awk -F"=" '{print $2}')
            User=$(echo "$i" | awk -F"=" '{print $3}')
            if [ "$Count" -gt 10 ]; then
                # Fixed-string match on the IP so the dots are not treated as regex wildcards.
                grep -F "$IP" /root/ssh_failure_data.log > /tmp/ssh_error.logs
                mail -s "SSH abnormal login occurred on server $ServerIP." root@localhost < /tmp/ssh_error.logs
                rm -f /tmp/ssh_error.logs
            fi
    done
    ------------------------------------------------------------------------------------------------------------------------------
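    The counting step of the script, as an added example that is not part of the original post: it reads sshd lines on stdin, tallies "Failed password" events per (source IP, user) pair the same way the script's awk does, and prints only the pairs above a threshold. A second function selects log lines by whole-field IP comparison, because an IP used as a bare grep pattern also matches longer addresses that start with the same digits. The sample log lines are constructed.

```shell
#!/bin/bash
# Added example, not the blog's script: summarise sshd "Failed password"
# events per source IP and user. Log lines are read on stdin.

# Usage: ssh_fail_summary THRESHOLD < logfile
# Prints "count=ip=user" for every pair whose count exceeds THRESHOLD.
ssh_fail_summary() {
    awk -v thr="$1" '
        /Failed password for/ {
            # Fields are counted from the end of the line, so both
            # "for user1 from IP" and "for invalid user xyz from IP" parse,
            # as do lines that grep -r prefixed with a file name.
            ip = $(NF-3); user = $(NF-5)
            count[ip "=" user]++
        }
        END {
            for (k in count)
                if (count[k] > thr) print count[k] "=" k
        }' | sort -t= -k1,1nr
}

# Usage: ssh_fail_lines_for_ip IP < logfile
# Whole-field comparison: "10.9.150.6" does not select "10.9.150.68" lines.
ssh_fail_lines_for_ip() {
    awk -v want="$1" '/Failed password for/ && $(NF-3) == want'
}

# Constructed sample: 3 failures for user1 and 1 for user2 from 10.9.150.68,
# 1 invalid-user failure from 10.9.150.6, plus one successful login.
SAMPLE_LOG='Apr 22 15:10:55 youserver sshd[21486]: Failed password for user1 from 10.9.150.68 port 33275 ssh2
Apr 22 15:10:59 youserver sshd[21486]: Failed password for user1 from 10.9.150.68 port 33275 ssh2
Apr 22 15:11:03 youserver sshd[21486]: Failed password for user1 from 10.9.150.68 port 33275 ssh2
Apr 22 15:11:39 youserver sshd[21489]: Failed password for invalid user oracle from 10.9.150.6 port 4402 ssh2
Apr 22 15:13:27 youserver sshd[21498]: Failed password for user2 from 10.9.150.68 port 33277 ssh2
Apr 22 15:13:30 youserver sshd[21498]: Accepted password for user2 from 10.9.150.68 port 33277 ssh2'

# With a threshold of 2 only user1 from 10.9.150.68 is reported.
printf '%s\n' "$SAMPLE_LOG" | ssh_fail_summary 2
```

    Because the threshold is applied per (IP, user) pair, an attacker rotating user names stays under it even when the total from that IP is high; summing per IP as well is a useful second check.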

    Running it:

    ------------------------------------------------------------------------------------------------------------------------------
    [root@youserver ~]# sh chk_ssh_login.sh
    You have mail in /var/spool/mail/root
    [root@youserver ~]#
    [root@youserver ~]#

    ------------------------------------------------------------------------------------------------------------------------------

    Checking the result:

    ------------------------------------------------------------------------------------------------------------------------------
    [root@youserver ~]# mail
    Heirloom Mail version 12.4 7/29/08.  Type ? for help.
    "/var/spool/mail/root": 5 messages 1 new 3 unread
        1 Cron Daemon           Fri Jun 21 23:53  22/880   "Cron <root@instance-rhel63-11238> /usr/lib64/sa/sa2 -A"
     U  2 user@localhost.strat  Wed Feb 26 17:50  47/2260  "[abrt] full crash report"
     U  3 Mail Delivery System  Sun Aug 24 11:31  74/2797  "Undelivered Mail Returned to Sender"
        4 root                  Thu Apr 23 11:03  29/2108  "SSH abnormal login occurred on server 10.9.249.173."
    >N  5 root                  Thu Apr 23 11:04  28/2097  "SSH abnormal login occurred on server 10.9.249.173."
    & 5
    Message  5:
    From root@youserver  Thu Apr 23 11:04:02 2015
    Return-Path: <root@youserver>
    X-Original-To: root@localhost
    Delivered-To: root@localhost
    Date: Thu, 23 Apr 2015 11:04:02 +0800
    To: root@localhost
    Subject: SSH abnormal login occurred on server 10.9.249.173.
    User-Agent: Heirloom mailx 12.4 7/29/08
    Content-Type: text/plain; charset=us-ascii
    From: root@youserver (root)
    Status: R

    /var/log/secure:Apr 22 15:10:55 youserver sshd[21486]: Failed password for user1 from 10.9.150.68 port 33275 ssh2
    /var/log/secure:Apr 22 15:10:59 youserver sshd[21486]: Failed password for user1 from 10.9.150.68 port 33275 ssh2
    /var/log/secure:Apr 22 15:11:03 youserver sshd[21486]: Failed password for user1 from 10.9.150.68 port 33275 ssh2
    /var/log/secure:Apr 22 15:11:39 youserver sshd[21489]: Failed password for user1 from 10.9.150.68 port 33276 ssh2
    /var/log/secure:Apr 22 15:13:27 youserver sshd[21498]: Failed password for user1 from 10.9.150.68 port 33277 ssh2
    /var/log/secure:Apr 22 15:15:08 youserver sshd[21498]: Failed password for user1 from 10.9.150.68 port 33277 ssh2
    /var/log/secure:Apr 22 15:15:19 youserver sshd[21506]: Failed password for user1 from 10.9.150.68 port 33278 ssh2
    /var/log/secure:Apr 22 15:16:21 youserver sshd[21536]: Failed password for user1 from 10.9.150.68 port 33280 ssh2
    /var/log/secure:Apr 22 15:16:25 youserver sshd[21536]: Failed password for user1 from 10.9.150.68 port 33280 ssh2
    /var/log/secure:Apr 22 15:16:30 youserver sshd[21536]: Failed password for user1 from 10.9.150.68 port 33280 ssh2
    /var/log/secure:Apr 22 15:19:07 youserver sshd[21571]: Failed password for user1 from 10.9.150.68 port 33281 ssh2

    & q
    Held 5 messages in /var/spool/mail/root

    ------------------------------------------------------------------------------------------------------------------------------

    Original article: https://www.cnblogs.com/torvalds0310/p/4449854.html