改善被暴力入侵 ssh (一) checkssh.sh

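#!/bin/bash
#       Revised: fix.05.31.05
# Purpose: reduce the impact of ssh brute-force attempts on this host.
# Method:  scan the auth log for the current ten-minute window; every source
#          address that failed a root password in that window is handed to
#          iptables (once per address), and a per-run summary is written to
#          $path and mailed.
#
# Must run as root (reads $syslog, modifies iptables). Intended for periodic
# invocation, e.g. from cron: each run only looks at the current window
# ("May 28 21:5" covers 21:50-21:59), so runs must be at least that frequent
# or attempts are missed.
#
# NOTE(review): the per-address rule inserted below is
#   iptables -I INPUT -s ADDR -p icmp --icmp-type 8 -j ACCEPT
# It accepts ICMP echo-request from the offender and doubles as the
# "already handled" marker ($ruleexistchar); it does not itself refuse ssh
# from that address. Confirm this is the intended final rule before relying
# on the script for blocking.

set -eu

syslog=/var/log/secure  # system auth log
path=/etc/ips/          # directory for the output files; must end with /

passlog=pass.log        # custom output logs, written under $path
faillog=fail.log
commonlog=common.log

checkchar="Failed password.*root"   # log lines to look for in $syslog
ruleexistchar="icmp echo-request"   # how this script's rules appear in `iptables -L INPUT`
mailto=cross@mail.chiahui.com       # recipient of the per-run summary

# Timestamp fields for this run. A single date(1) call so every field refers
# to the same instant (separate calls could straddle a minute boundary).
# LC_ALL=C keeps the month abbreviation English like syslog's, and %e pads a
# single-digit day with a space ("May  8") exactly as syslog does; the former
# `date | awk '{print $2" "$3}'` produced "May 8" and matched nothing on
# days 1-9. IFS='|' (no whitespace) keeps that double space intact.
IFS='|' read -r nowmonday nowhrmin nowhr nowmin < <(LC_ALL=C date +'%b %e|%H:%M|%H|%M')
nowminfirstchar=${nowmin:0:1}
nowmondayhr="$nowmonday $nowhr"
nowmondayhrmin="$nowmonday $nowhrmin"
nowmondayhrminfirstchar="$nowmonday $nowhr:$nowminfirstchar"   # e.g. "May 28 21:5" = 21:50-21:59

#######################################
# Print the failed-root-login lines of the current window.
# Globals:   syslog, nowmondayhrminfirstchar, checkchar (read)
# Outputs:   matching lines on stdout; nothing when there are none
#######################################
failed_lines() {
  # grep exits 1 when nothing matches; that is the normal "pass" case, not
  # an error, so it must not trip `set -e`. A missing or unreadable $syslog
  # is still reported by grep on stderr.
  grep -- "$nowmondayhrminfirstchar" "$syslog" | grep -- "$checkchar" || true
}

#######################################
# Reduce failed-login lines on stdin to their unique source addresses.
# Field 11 of "... Failed password for root from ADDR port N ssh2" is ADDR;
# `cut -d: -f4` strips the "::ffff:" prefix of an IPv4-mapped address and
# passes a plain dotted-quad (no ':') through unchanged.
# Outputs:   one address per line, sorted, duplicates removed; empty input
#            yields empty output
#######################################
failed_ips() {
  awk 'NF >= 11 { print $11 }' | cut -d: -f4 | LC_ALL=C sort -u
}

#######################################
# Test whether iptables already holds this script's marker rule for an address.
# Arguments: $1 - address
#            $2 - newline-separated addresses already present (column 4 of
#                 the matching `iptables -L INPUT` lines)
# Returns:   0 if present, 1 otherwise
#######################################
rule_exists_for() {
  # Exact whole-line match. The former `[ "$x" = "$ruleexistip" ]` compared
  # one address with the whole multi-line list and so never matched once more
  # than one rule existed, adding a duplicate rule on every run.
  printf '%s\n' "$2" | grep -qxF -- "$1"
}

#######################################
# Write the per-run summary to $path$commonlog and mail it.
# Globals:   path, commonlog, mailto, now* variables (read)
# Arguments: $1 - status word ("drop" or "pass"), also the mail subject
#            $2 - matching log lines      $3 - unique addresses
#            $4 - failure count           $5 - existing marker rules
#######################################
write_common_log() {
  local status=$1 failed=$2 ip=$3 failcount=$4 ruleexist=$5
  {
    printf '%s\n' "$status"
    printf '%s\n' "nowmonday        . $nowmonday"
    printf '%s\n' "nowhrmin         . $nowhrmin"
    printf '%s\n' "nowhr            . $nowhr"
    printf '%s\n' "nowmin           . $nowmin"
    printf '%s\n' "nowmondayhr      . $nowmondayhr"
    printf '%s\n' "nowmondayhrmin   . $nowmondayhrmin"
    printf '%s\n' "nowmondayhrminfirstchar . $nowmondayhrminfirstchar"
    printf '%s\n' "failed           . $failed"
    printf '%s\n' "ip               . $ip"
    printf '%s\n' "failcount        . $failcount"
    printf '%s\n' "ruleexist        . $ruleexist"
  } > "$path$commonlog"
  mail -s "$status" "$mailto" < "$path$commonlog"
}

#######################################
# Entry point: inspect the current window, update iptables, write the logs.
# Globals:   everything above (read); files under $path (written)
#######################################
main() {
  local failed failcount ip ruleexist ruleexistip x

  # One pass over the log instead of the former four identical pipelines.
  failed=$(failed_lines)
  if [[ -n "$failed" ]]; then
    failcount=$(( $(printf '%s\n' "$failed" | wc -l) ))
    ip=$(printf '%s\n' "$failed" | failed_ips)
  else
    failcount=0
    ip=
  fi

  # `iptables -L` without -n prints the source as a hostname when reverse DNS
  # resolves it, and the membership check below then misses that rule. -n is
  # not added here because it would also change how the icmp match is printed
  # and could break $ruleexistchar — NOTE(review): confirm the output format
  # on this host.
  ruleexist=$(iptables -L INPUT | grep -- "$ruleexistchar" || true)
  ruleexistip=$(printf '%s\n' "$ruleexist" | awk '{print $4}')

  if (( failcount > 0 )); then
    echo "drop"
    # One marker rule per offending address. The former gate
    # `[ "$ruleexistcount" != "$ipcount" ]` skipped this loop whenever the two
    # counts happened to agree even though the addresses differed.
    while IFS= read -r x; do
      [[ -n "$x" ]] || continue
      if ! rule_exists_for "$x" "$ruleexistip"; then
        iptables -I INPUT -s "$x" -p icmp --icmp-type 8 -j ACCEPT
      fi
    done <<<"$ip"
    {
      printf '%s\n' "drop"
      printf '%s\n' "failcount . $failcount"
      printf '%s\n' "$failed"
    } > "$path$faillog"
    printf ' \n' > "$path$passlog"
    write_common_log "drop" "$failed" "$ip" "$failcount" "$ruleexist"
  else
    # NOTE(review): inserted unconditionally on every "pass" run, so the
    # OUTPUT chain gains one more copy of this rule each time; its role is not
    # stated anywhere in the script — confirm it is wanted and, if so, guard
    # it the way the INPUT rule above is guarded.
    iptables -I OUTPUT -p icmp --icmp-type 8 -j ACCEPT
    echo "pass"
    printf '%s\n' "pass" > "$path$passlog"
    printf ' \n' > "$path$faillog"
    write_common_log "pass" "$failed" "$ip" "$failcount" "$ruleexist"
  fi
}

main "$@"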
