Script to block SSH brute-force login scan attempts

Tiresome guys.. still attempting attacks…

The path is /usr/local/service/

]# vi denyip.sh
#!/bin/bash
# Script by Yunkiman
# Modified by icworld
# Second Modified by dksniper(http://blog.naver.com/dksniper)
# Convert oops-firewall to hosts.deny
# Day of month, space-padded (%e) so it matches the syslog timestamp "Mar  5" / "Mar 15";
# %d gives "05", which never matches the log for days 1-9.
days=`date +%e`
nowdir=`pwd`
savedir="$nowdir/denylist"     # temporary list of addresses to deny
cleanfile="$nowdir/hosts.dat"  # clean hosts.deny template (currently unused)
cnt=0
if [ -e /var/log/secure ]
then
        # From the last 50 lines of today's log keep the "Failed password" lines,
        # take the source address after "from", count attempts per address and
        # keep the addresses with more than 8 failures.
        for i in $( tail -n50 /var/log/secure | grep "^[A-Za-z ]\{4,\}$days" | grep "Failed password" | awk -F "from" '{print $2}' | awk '{print $1}' | sort | uniq -c | awk '$1 > 8 {print $2}'); do
                denyip=${i#::ffff:}  # strip the IPv4-mapped prefix (ip format ::ffff:0.0.0.0)
                echo "ALL : $denyip" >> "$savedir"
                cnt=$(($cnt+1))
        done
fi
# If no new offenders were found, exit without touching hosts.deny
if [ $cnt = 0 ]
then
        exit
fi
# Carry over the addresses already listed in hosts.deny
for a in $( grep "ALL : " /etc/hosts.deny | awk '{print $3}' | sort | uniq -c | awk '{print $2}'); do
echo "ALL : $a" >> "$savedir"
done
#cp $cleanfile /etc/hosts.deny
# Rewrite hosts.deny with the standard header ...
echo "#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
" > /etc/hosts.deny

# ... followed by the merged, deduplicated deny list
for b in $( grep "ALL : " "$savedir" | awk '{print $3}' | sort | uniq -c | awk '{print $2}'); do
echo "ALL : $b" >> /etc/hosts.deny
done
rm -f "$savedir"
/etc/init.d/xinetd reload

Put the file above in the directory the script will run from (in my case /usr/local/service/), then
register it in crontab as follows.

1-59/5 * * * * /usr/local/service/denyip.sh > /dev/null 2>&1

This checks once every 5 minutes and denies anyone who got the password wrong 5 or more times.
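The log parsing and deny-list merge the script performs, as an added example that is not part of the original post: it runs against a constructed sample of /var/log/secure lines and a temporary hosts.deny, so it can be tried without touching the real files. `SAMPLE_LOG`, `failed_ips` and `merge_deny` are names chosen here, and the failure threshold is a parameter instead of the script's fixed 8.

```shell
#!/bin/bash
# Added example: count "Failed password" entries per source address for one day,
# apply a threshold, and merge the result into a hosts.deny-style file without
# duplicating entries that are already present.

# Constructed sample of /var/log/secure lines (not a real log).
SAMPLE_LOG='Mar  5 10:00:01 host sshd[100]: Failed password for root from ::ffff:10.0.0.5 port 4000 ssh2
Mar  5 10:00:02 host sshd[101]: Failed password for invalid user test from ::ffff:10.0.0.5 port 4001 ssh2
Mar  5 10:00:03 host sshd[102]: Failed password for root from 192.0.2.7 port 4002 ssh2
Mar  5 10:00:04 host sshd[103]: Accepted password for admin from 198.51.100.3 port 4003 ssh2
Mar  4 09:00:00 host sshd[90]: Failed password for root from 203.0.113.9 port 3999 ssh2'

# failed_ips "Mon DD" THRESHOLD : print addresses with more than THRESHOLD
# failed logins on that day, IPv4-mapped ::ffff: prefix stripped, one per line.
# Matching on the full "Mon DD" prefix avoids the zero- vs space-padded day issue.
failed_ips() {
    local day="$1" threshold="$2"
    printf '%s\n' "$SAMPLE_LOG" \
        | grep "^$day " | grep "Failed password" \
        | sed -e 's/.* from //' -e 's/ port .*//' -e 's/^::ffff://' \
        | sort | uniq -c \
        | awk -v t="$threshold" '$1 > t {print $2}'
}

# merge_deny DENYFILE IP... : append "ALL : IP" for each address not already in
# DENYFILE, then print the file's "ALL : " entries sorted and deduplicated.
merge_deny() {
    local file="$1"; shift
    local ip
    for ip in "$@"; do
        grep -qx "ALL : $ip" "$file" || echo "ALL : $ip" >> "$file"
    done
    grep "^ALL : " "$file" | sort -u
}
```

Running `merge_deny` twice with the same addresses leaves the file unchanged, which is the property the script's sort/uniq pass over $savedir is meant to provide.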

References:
http://www.oops.org/SERVICE/jsboard/read.php?table=jsboard_oopsFAQ&no=426&page=2
http://www.oops.org/SERVICE/jsboard/read.php?table=jsboard_oopsFAQ&no=503&page=2
