生产环境可以直接使用
根据hosts.deny做出的对策
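#!/bin/bash
#Host.deny Shell Script
#author wending
#20160726
#
# Counts "Failed password" records per source address in the tail of the
# sshd log and appends every address that reaches the threshold to
# /etc/hosts.deny as "sshd:<ip>", so TCP wrappers refuse further sshd
# connections from it. Addresses already listed are only noted in the log
# file. Writes /etc/hosts.deny, so it has to run as root (e.g. from cron).
#
# There is no allow-list: an administrator who mistypes a password enough
# times within the examined window is denied like anyone else.
#
# Paths, window and threshold can be overridden from the environment; the
# defaults are the values of the original script.
set -u

SEC_FILE=${SEC_FILE:-/var/log/secure}
HOSTDENY=${HOSTDENY:-/etc/hosts.deny}
LOG_FILE=${LOG_FILE:-/tmp/auto_passdrop.log}
TAIL_LINES=${TAIL_LINES:-1000}   # only this many trailing log lines are examined per run
THRESHOLD=${THRESHOLD:-4}        # failures needed before an address is denied

if [[ $(id -u) -ne 0 ]]; then
  printf '%s: must run as root to write %s\n' "${0##*/}" "$HOSTDENY" >&2
  exit 1
fi
if [[ ! -r "$SEC_FILE" ]]; then
  printf '%s: cannot read %s\n' "${0##*/}" "$SEC_FILE" >&2
  exit 1
fi

# The original script drew a decorative progress bar here; that loop arrived
# truncated in this copy and does not affect the result, so it is left out.

# Take the address from the "from <ip> port" field of each record rather than
# from any IP-shaped text on the line: the user name in a "Failed password for
# invalid user ..." record is supplied by the remote side, so a name shaped
# like an address would otherwise be counted as one (and could get an
# unrelated host denied). The greedy ".*" selects the last " from ", which is
# the one sshd writes. Every value that reaches the loop contains only digits
# and dots.
while IFS= read -r ip; do
  # -F: the address is a literal, not a regex (a "." would match any byte).
  # -w: whole-token match, so 10.0.0.1 is not taken as already present when
  #     only 10.0.0.10 is listed.
  if ! grep -qwF -- "$ip" "$HOSTDENY"; then
    printf 'sshd:%s\n' "$ip" >> "$HOSTDENY"
  else
    printf 'This is %s is exist in iptables,please exit ......\n' "$ip" >> "$LOG_FILE"
  fi
done < <(
  tail -n "$TAIL_LINES" "$SEC_FILE" \
    | grep "Failed password" \
    | sed -n 's/.* from \([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\) port .*/\1/p' \
    | sort | uniq -c \
    | awk -v t="$THRESHOLD" '$1 >= t {print $2}'
)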
2.根据iptables做出的对策
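#!/bin/sh
#auto drop ssh failed IP address
#wending 2016-0604
#
# Counts "Failed password" records per source address in the tail of the
# sshd log and, for every address that reaches the threshold, inserts an
# "-A INPUT -s <ip> -j DROP" rule into the iptables rules file and reloads
# the firewall, so the address can no longer reach the host at all.
# Addresses already present in the rules file are only reported. Edits the
# rules file and restarts iptables, so it has to run as root (e.g. from cron).
#
# There is no allow-list: an administrator who mistypes a password enough
# times within the examined window is dropped like anyone else.
#
# Paths, window and threshold can be overridden from the environment; the
# defaults are the values of the original script.
set -u

SEC_FILE=${SEC_FILE:-/var/log/secure}
IPTABLE_CONF=${IPTABLE_CONF:-/etc/sysconfig/iptables}
TAIL_LINES=${TAIL_LINES:-1000}   # only this many trailing log lines are examined per run
THRESHOLD=${THRESHOLD:-4}        # failures needed before an address is dropped

if [ "$(id -u)" -ne 0 ]; then
  printf '%s: must run as root to edit %s\n' "${0##*/}" "$IPTABLE_CONF" >&2
  exit 1
fi
if [ ! -r "$SEC_FILE" ]; then
  printf '%s: cannot read %s\n' "${0##*/}" "$SEC_FILE" >&2
  exit 1
fi
# The new rules are inserted after the loopback ACCEPT rule; without that
# anchor sed would silently insert nothing, so fail loudly instead.
if ! grep -q -- ' -i lo ' "$IPTABLE_CONF"; then
  printf '%s: no "-i lo" rule in %s to anchor on\n' "${0##*/}" "$IPTABLE_CONF" >&2
  exit 1
fi

# Take the address from the "from <ip> port" field of each record rather than
# from any IP-shaped text on the line: the user name in a "Failed password for
# invalid user ..." record is supplied by the remote side, so a name shaped
# like an address would otherwise be counted as one (and could get an
# unrelated host dropped). The greedy ".*" selects the last " from ", which is
# the one sshd writes. The result is a newline-separated list whose items
# contain only digits and dots.
IP_ADDR=$(tail -n "$TAIL_LINES" "$SEC_FILE" \
  | grep "Failed password" \
  | sed -n 's/.* from \([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\) port .*/\1/p' \
  | sort | uniq -c \
  | awk -v t="$THRESHOLD" '$1 >= t {print $2}')

# The original script drew a decorative progress bar here; that loop arrived
# truncated in this copy and does not affect the result, so it is left out.

changed=0
# Word-splitting on $IP_ADDR is intended: one address per item, digits and
# dots only.
# shellcheck disable=SC2086
for i in $IP_ADDR; do
  # -F: the address is a literal, not a regex (a "." would match any byte).
  # -w: whole-token match, so 10.0.0.1 is not taken as already present when
  #     only 10.0.0.10 is listed.
  if ! grep -qwF -- "$i" "$IPTABLE_CONF"; then
    # Insert the DROP rule directly after the loopback ACCEPT rule so it sits
    # above the rule that accepts new connections to port 22; placed below
    # that ACCEPT it would never be reached. The anchor is the "-i lo" rule
    # itself rather than any line containing "lo" (a "--log-prefix" line
    # would otherwise get a copy too). $i is safe to splice into the sed
    # script because it holds only digits and dots.
    # Narrower alternative kept from the original, dropping only new SSH
    # connections instead of all traffic:
    #   sed -i "/ -i lo /a -A INPUT -s $i -m state --state NEW -m tcp -p tcp --dport 22 -j DROP" "$IPTABLE_CONF"
    if sed -i "/ -i lo /a -A INPUT -s $i -j DROP" "$IPTABLE_CONF"; then
      changed=1
    else
      printf '%s: failed to add rule for %s\n' "${0##*/}" "$i" >&2
    fi
  else
    printf 'This is %s is exist in iptables,please exit ......\n' "$i"
  fi
done

# Reload once for all new rules instead of once per address.
if [ "$changed" -eq 1 ]; then
  /etc/init.d/iptables restart
fi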