和防止漏洞扫描的shell一个原理
还是在此推荐不允许root登录,或者禁止远程登录、改名
使用步骤
-
新建文件
vi /usr/local/bin/block_ssh.sh
-
复制下列内容,保存
普通版(攻击较少)
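#!/bin/bash
# Add hosts with repeated SSH login failures to /etc/hosts.deny.
#
# Reads /var/log/secure, counts failures per source address, and appends
# "sshd:<IP>" for every address seen more than 10 times.
#
# Notes for operators:
#  - The page's crontab entry starts this file with `sh`, so only POSIX sh
#    constructs are used here.
#  - hosts.deny is only honoured when sshd is linked against TCP wrappers
#    (libwrap); newer OpenSSH builds often are not. Verify before relying on it.
#  - There is no allow-list and no expiry: counts span the whole current log
#    file and entries stay until removed by hand, so an administrator address
#    with more than 10 failures is blocked too.
#  - "Failed" and "Invalid user" hits are counted by two separate pipelines,
#    so one IP can appear twice in black.list with two independent counts.

LOG=/var/log/secure
LIST=/usr/local/bin/black.list
DENY=/etc/hosts.deny

# Record IPs of failed logins as "IP=count".
awk '/Failed/{print $(NF-3)}' "$LOG" | sort | uniq -c | awk '{print $2"="$1;}' > "$LIST"
# Record IPs that tried invalid user names as "IP=count".
awk '/Invalid user/{print $(NF-2)}' "$LOG" | sort | uniq -c | awk '{print $2"="$1;}' >> "$LIST"

# Read line by line: no word splitting or glob expansion of log-derived text.
while IFS='=' read -r IP NUM; do
  # Log lines contain remote-supplied text (e.g. user names), so the extracted
  # field is not guaranteed to be an address. Accept only dotted-quad IPv4;
  # anything else (including IPv6, which needs a different hosts.deny syntax)
  # is skipped rather than written to the access-control file.
  case "$IP" in
    '' | *[!0-9.]* | .* | *. | *..*) continue ;;
    *.*.*.*.*) continue ;;
    *.*.*.*) ;;
    *) continue ;;
  esac
  # The count must be a plain integer before it reaches `[ -gt ]`.
  case "$NUM" in
    '' | *[!0-9]*) continue ;;
  esac

  if [ "$NUM" -gt 10 ]; then
    # -F: treat dots literally; -w: whole-token match, so 1.2.3.4 is not
    # considered present just because 1.2.3.45 or 11.2.3.4 is listed.
    if ! grep -qwF -- "$IP" "$DENY"; then
      printf 'sshd:%s\n' "$IP" >> "$DENY"
    fi
  fi
done < "$LIST"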
改进版不使用grep(攻击较多)
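#!/bin/bash
# Add hosts with repeated SSH login failures to /etc/hosts.deny, without
# running grep once per address (intended for logs with many offenders).
#
# Reads /var/log/secure, sums "Failed" and "Invalid user" hits per source
# address, and adds "sshd:<IP>" for every address seen more than 10 times.
#
# Notes for operators:
#  - The page's crontab entry starts this file with `sh`, so only POSIX sh
#    constructs are used here.
#  - hosts.deny is only honoured when sshd is linked against TCP wrappers
#    (libwrap); newer OpenSSH builds often are not. Verify before relying on it.
#  - There is no allow-list and no expiry: counts span the whole current log
#    file and entries stay until removed by hand, so an administrator address
#    with more than 10 failures is blocked too.

LOG=/var/log/secure
RAW=/usr/local/bin/blacks.list
LIST=/usr/local/bin/black.list
STAGE=/usr/local/bin/hosts.deny
DENY=/etc/hosts.deny

# Record IPs of failed logins.
awk '/Failed/{print $(NF-3)}' "$LOG" > "$RAW"
# Record IPs that tried invalid user names.
awk '/Invalid user/{print $(NF-2)}' "$LOG" >> "$RAW"
# Collapse to "IP=count".
sort "$RAW" | uniq -c | awk '{print $2"="$1;}' > "$LIST"

# Stage a copy of the current deny file. Stop if the copy fails, so a stale or
# partial staging file is never written back over /etc/hosts.deny.
if [ -e "$DENY" ]; then
  cp "$DENY" "$STAGE" || exit 1
else
  : > "$STAGE"
fi

# One awk pass replaces the per-IP loop:
#  - BEGIN loads every staged line, so an entry that is already present is not
#    appended again on each cron run (plain `uniq` only drops adjacent
#    duplicates and cannot catch those).
#  - Log lines contain remote-supplied text, so the extracted field is not
#    guaranteed to be an address. Only dotted-quad IPv4 tokens with an integer
#    count above 10 are emitted; everything else (including IPv6, which needs
#    a different hosts.deny syntax) is skipped.
awk -F= -v stage="$STAGE" '
  BEGIN {
    while ((getline line < stage) > 0) seen[line] = 1
    close(stage)
  }
  $2 ~ /^[0-9]+$/ && $2 + 0 > 10 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
    entry = "sshd:" $1
    if (!(entry in seen)) {
      seen[entry] = 1
      print entry
    }
  }
' "$LIST" >> "$STAGE" || exit 1

# Write back in place (keeps the inode and mode of /etc/hosts.deny). The file
# is truncated for the short time uniq takes to rewrite it.
uniq "$STAGE" > "$DENY"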
-
更改权限:
chmod 0755 /usr/local/bin/block_ssh.sh
-
放入
crontab -e
中定时执行
*/5 * * * * sh /usr/local/bin/block_ssh.sh