Script to block SSH brute-force login scan attempts
Annoying bastards.. still trying to attack... The path is /usr/local/service/
]# vi denyip.sh

#!/bin/bash
# Script by Yunkiman
# Modified by icworld
# Second Modified by dksniper(http://blog.naver.com/dksniper)
# Convert oops-firewall to hosts.deny

# Day of month, space-padded (%e) so that it matches the syslog timestamp
# format, which writes "Mar  5" for single-digit days and "Mar 14" otherwise
days=$(date +%e)
nowdir=$(pwd)
savedir="$nowdir/denylist"       # temporary list of addresses to deny
cleanfile="$nowdir/hosts.dat"    # clean hosts.deny template (only used if the cp below is enabled)
cnt=0

# Collect source addresses with more than 8 "Failed password" entries for today
# among the last 50 lines of /var/log/secure
if [ -e /var/log/secure ]
then
  for i in $( tail -n50 /var/log/secure | grep "^[A-Za-z ]\{4,\}$days" | grep "Failed password" | awk -F "from" '{print $2}' | awk '{print $1}' | sort | uniq -c | awk '$1 > 8 {print $2}'); do
    denyip=${i#::ffff:}   # strip the IPv4-mapped prefix (ip format ::ffff:0.0.0.0)
    echo "ALL : $denyip" >> "$savedir"
    cnt=$(($cnt+1))
  done
fi

# If not found then exit
if [ $cnt = 0 ]
then
  exit
fi

# Keep the addresses that are already listed in /etc/hosts.deny
for a in $( grep "ALL : " /etc/hosts.deny | awk '{print $3}' | sort | uniq -c | awk '{print $2}'); do
  echo "ALL : $a" >> "$savedir"
done

#cp $cleanfile /etc/hosts.deny
# Rewrite /etc/hosts.deny: standard header first, then the merged, deduplicated list
echo "#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
" > /etc/hosts.deny

for b in $( grep "ALL : " "$savedir" | awk '{print $3}' | sort | uniq -c | awk '{print $2}'); do
  echo "ALL : $b" >> /etc/hosts.deny
done

rm -f "$savedir"
/etc/init.d/xinetd reload
Create the file above in the directory the script will be run from (in my case /usr/local/service/), then register it in crontab as follows.
1-59/5 * * * * /usr/local/service/denyip.sh > /dev/null 2>&1
This way the log is checked once every 5 minutes and anyone who failed 5 or more times gets denied.

Reference:
http://www.oops.org/SERVICE/jsboard/read.php?table=jsboard_oopsFAQ&no=426&page=2
http://www.oops.org/SERVICE/jsboard/read.php?table=jsboard_oopsFAQ&no=503&page=2
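The part of denyip.sh that decides who gets denied is the grep/awk/uniq pipeline over /var/log/secure, and it is worth seeing it run on known input before trusting it with /etc/hosts.deny. The following is an added example, not the blog's script: it wraps the same pipeline in a function that reads log lines from stdin, takes the day of month and the failure threshold as parameters, strips the ::ffff: prefix, and emits hosts.deny lines. The log lines are constructed samples, the function names failed_ips and deny_lines are my own, and it generalises the original by making the day and the threshold arguments instead of hard-coded values.

```shell
#!/bin/bash
# Added example (not the denyip.sh script from the post): run the same
# per-IP "Failed password" counting pipeline on a constructed sample so the
# filter can be checked offline before it touches /etc/hosts.deny.

# Constructed sample of /var/log/secure lines (not real log data).
# 198.51.100.7 fails 3 times on the 14th, 203.0.113.9 (IPv4-mapped) fails
# twice, 192.0.2.77 failed once on the 13th, and one successful login.
SAMPLE_LOG='Mar 14 10:01:02 host sshd[1001]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 14 10:01:05 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Mar 14 10:01:09 host sshd[1003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar 14 10:02:11 host sshd[1004]: Failed password for root from ::ffff:203.0.113.9 port 50001 ssh2
Mar 14 10:02:15 host sshd[1005]: Failed password for root from ::ffff:203.0.113.9 port 50002 ssh2
Mar 14 10:03:00 host sshd[1006]: Accepted publickey for deploy from 192.0.2.5 port 60000 ssh2
Mar 13 23:59:58 host sshd[999]: Failed password for root from 192.0.2.77 port 30000 ssh2'

# failed_ips DAY THRESHOLD   (log lines on stdin)
# Prints, one per line, the source addresses with more than THRESHOLD
# "Failed password" entries on day-of-month DAY, with the ::ffff:
# IPv4-mapped prefix removed. Same pipeline as denyip.sh, parameterised.
failed_ips() {
  local day="$1" threshold="$2"
  grep "^[A-Za-z ]\{4,\}$day " \
    | grep "Failed password" \
    | awk -F "from" '{print $2}' | awk '{print $1}' \
    | sed 's/^::ffff://' \
    | sort | uniq -c \
    | awk -v t="$threshold" '$1 > t {print $2}'
}

# deny_lines DAY THRESHOLD   (log lines on stdin)
# Same addresses formatted as hosts.deny entries.
deny_lines() {
  failed_ips "$1" "$2" | sed 's/^/ALL : /'
}

# Sample run: day 14, more than 2 failures -> only 198.51.100.7 is listed,
# because 203.0.113.9 has exactly 2 and 192.0.2.77 failed on another day.
printf '%s\n' "$SAMPLE_LOG" | deny_lines 14 2
```

The threshold is strict (more than, not at least), exactly as `$1 > 8` is in the original, so a host sitting at the threshold is not denied; lower the number or change the comparison if you want "5 or more" to mean what the text says. The trailing space after `$day` in the first grep keeps day 1 from also matching days 10 to 19.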