Script to block malicious IPs
Company servers exposed to the Internet receive a large number of login attempts every day using assorted usernames and passwords. If these attempts are allowed to go on indefinitely, a password will eventually be guessed. The shell script developed here automatically adds the IP addresses that repeatedly fail password authentication to the firewall configuration.
The shell script that makes the server reject logins from malicious IPs is built as follows:
- Read the server login log /var/log/secure;
- Find the authentication-failure lines in the log and print their IP addresses;
- Write those IP addresses into the firewall configuration;
- Block those IPs from reaching the server's SSH port 22;
- Add the script to crontab so malicious IPs are blocked automatically.
iptables:
#!/bin/bash
# Block IPs with repeated failed SSH logins by adding DROP rules to the iptables rules file.
file=/root/black.txt
secure=/var/log/secure
iptables=/etc/sysconfig/iptables
threshold=5          # failed attempts before an IP is blocked
# Count failed logins per source IP (the IP is the 4th field from the end of a "Failed ..." line)
# and keep only the IPs at or above the threshold, one per line.
grep -v "pam_systemd" $secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | sort -rn \
    | awk -v min=$threshold '$1>=min{print $2}' > $file
echo
cat<<EOF
++++++++++++++welcome to use ssh login drop failed ip+++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++------------------------------------++++++++++++++++++
EOF
echo
for i in $(cat $file)
do
    # Skip IPs that already have a rule; otherwise insert a DROP rule right after the
    # loopback ACCEPT line so it is evaluated before the rule that accepts SSH.
    if grep -qwF -- "$i" $iptables; then
        echo "$i already exists in iptables, skipping ..."
    else
        sed -i "/^-A INPUT -i lo /a -A INPUT -s $i -m state --state NEW -m tcp -p tcp --dport 22 -j DROP" $iptables
    fi
done
/etc/init.d/iptables restart
firewalld:
#!/bin/bash
# Block IPs with repeated failed SSH logins by adding firewalld rich rules.
file=/root/black.txt
secure=/var/log/secure
log=/root/drop_ip.txt        # status messages and blocked IPs go here, not into the IP list
SSH_PORT=22
threshold=5                  # failed attempts before an IP is blocked
# Count failed logins per source IP and keep only the IPs at or above the threshold, one per line.
grep -v "pam_systemd" $secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | sort -rn \
    | awk -v min=$threshold '$1>=min{print $2}' > $file
echo
cat<<EOF
++++++++++++++welcome to use ssh login drop failed ip+++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++------------------------------------++++++++++++++++++
EOF
echo
# firewalld has to be running before rules can be added.
if systemctl is-active --quiet firewalld; then
    echo "firewalld is running" >> $log 2>&1
else
    echo "Firewalld looks like not running, trying to start..." >> $log 2>&1
    if systemctl start firewalld > /dev/null 2>&1; then
        echo "Firewalld started successfully..." >> $log 2>&1
    else
        echo "Failed to start firewalld, giving up" >> $log 2>&1
        exit 1
    fi
fi
for i in $(cat $file)
do
    rule="rule family='ipv4' source address='$i/32' port port='$SSH_PORT' protocol='tcp' drop"
    # Skip IPs that already have a permanent rule; otherwise add one and log it.
    if firewall-cmd --permanent --query-rich-rule="$rule" > /dev/null 2>&1; then
        continue
    fi
    if firewall-cmd --permanent --add-rich-rule="$rule" > /dev/null 2>&1; then
        echo "$(date +"%Y-%m-%d %H:%M:%S") $i added to the firewall blacklist" >> $log
    fi
done
# Permanent rules only take effect after a reload.
firewall-cmd --reload > /dev/null 2>&1
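As an added example that is not part of the article's own scripts, the dry-run below puts the outline from the top of the page (read the log, extract the failing IPs, write firewall rules, schedule in cron) into shell functions that can be checked against a constructed sample log before anything touches a live firewall. It prints the iptables and firewall-cmd commands instead of executing them, applies an attempt threshold, and filters a whitelist so your own management address is never blocked by a few mistyped passwords. The sample log lines, the whitelist entry 192.0.2.1, the threshold and the cron path /root/drop_ip.sh are assumptions for illustration.

```bash
#!/bin/bash
# Added example (not the article's script): dry-run of the block-malicious-IP
# procedure. Paths, threshold, sample log and whitelist are assumptions.

# Print the source IPs with at least $2 "Failed password" lines in log $1,
# most frequent first. Only sshd lines are considered, so pam_systemd noise
# needs no separate filtering. The address is taken relative to the end of
# the line ("... from <ip> port <n> ssh2"), which also covers lines like
# "Failed password for invalid user <name> from <ip> ...".
failed_ips() {
    local logfile=$1 threshold=${2:-5}
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ && $(NF-4) == "from" { n[$(NF-3)]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$logfile" | sort -k1,1nr -k2,2 | awk '{ print $2 }'
}

# Drop addresses listed in whitelist file $1 (one IP per line, exact match)
# so management hosts are never blocked.
filter_whitelist() {
    grep -vxF -f "$1" || true
}

# Turn IPs on stdin into firewall commands for backend $1 (iptables or
# firewalld) protecting TCP port $2. Commands are printed, not run.
emit_rules() {
    local backend=$1 port=${2:-22} ip
    while read -r ip; do
        case $backend in
            iptables)
                echo "iptables -I INPUT -s $ip -p tcp --dport $port -m conntrack --ctstate NEW -j DROP" ;;
            firewalld)
                echo "firewall-cmd --permanent --add-rich-rule=\"rule family='ipv4' source address='$ip/32' port port='$port' protocol='tcp' drop\"" ;;
            *)
                echo "unknown backend: $backend" >&2; return 1 ;;
        esac
    done
}

# --- constructed sample data (not real log output) ---
SAMPLE_LOG=$(mktemp)
WHITELIST=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$WHITELIST"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51412 ssh2
Mar  3 10:00:03 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51412 ssh2
Mar  3 10:00:05 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51420 ssh2
Mar  3 10:00:06 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51420 ssh2
Mar  3 10:00:07 web1 sshd[2203]: Connection closed by 203.0.113.7 port 51420 [preauth]
Mar  3 10:01:00 web1 sshd[2210]: Failed password for invalid user test from 198.51.100.23 port 40011 ssh2
Mar  3 10:01:02 web1 sshd[2210]: Failed password for invalid user test from 198.51.100.23 port 40011 ssh2
Mar  3 10:01:04 web1 sshd[2210]: Failed password for invalid user test from 198.51.100.23 port 40011 ssh2
Mar  3 10:02:00 web1 sshd[2215]: Failed password for alice from 10.0.0.5 port 38222 ssh2
Mar  3 10:02:10 web1 sshd[2216]: Accepted password for alice from 10.0.0.5 port 38224 ssh2
Mar  3 10:03:00 web1 sshd[2220]: Failed password for root from 192.0.2.1 port 50001 ssh2
Mar  3 10:03:01 web1 sshd[2220]: Failed password for root from 192.0.2.1 port 50001 ssh2
Mar  3 10:03:02 web1 sshd[2220]: Failed password for root from 192.0.2.1 port 50001 ssh2
Mar  3 10:03:03 web1 sshd[2220]: Failed password for root from 192.0.2.1 port 50001 ssh2
Mar  3 10:03:04 web1 sshd[2220]: Failed password for root from 192.0.2.1 port 50001 ssh2
Mar  3 10:03:09 web1 systemd-logind[700]: New session 5 of user alice.
EOF
echo 192.0.2.1 > "$WHITELIST"   # assumed management address, never to be blocked

# Demo: threshold 3 on the sample log, whitelist applied, iptables commands printed.
failed_ips "$SAMPLE_LOG" 3 | filter_whitelist "$WHITELIST" | emit_rules iptables 22

# To run the real script from cron every 10 minutes (assumed path), add to root's crontab:
# */10 * * * * /root/drop_ip.sh
```

Pipe the printed commands into sh only after reviewing them. Because the scripts count over the whole of /var/log/secure with no expiry, an IP stays blocked until its rule is removed by hand, which is why the whitelist step matters before the job is scheduled.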