赞
踩
所在位置: /var/log/secure
登录成功日志
登录失败日志
过滤错误日志
grep 'Failed password' /var/log/secure
过滤出IPv4地址
grep 'Failed password' /var/log/secure | grep -P "((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}"
grep 'Failed password' /var/log/secure | grep -Po "((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}"
进行排序数字小的在前面
grep 'Failed password' /var/log/secure | grep -Po "((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}" | sort -n
登录失败的次数进行统计
grep 'Failed password' /var/log/secure | grep -Po "((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}" | sort -n | uniq -c
取出登录失败大于20的IP地址,演示使用的是大于2
grep 'Failed password' /var/log/secure | grep -Po "((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}" | sort -n | uniq -c | awk '$1>20{print $2}'
拉黑处理
grep 'Failed password' /var/log/secure | grep -Po "((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}" | sort -n | uniq -c | awk '$1>20{print $2}' | awk '{print "sshd:"$1":deny"}' >>/etc/hosts.deny
创建一个 shell.sh 上面的内容插入进入 给文件添加一个可执行权限,然后再添加一个定时任务,定时执行
*/1 * * * * /root/shell.sh
#每一分钟执行一次
优化:处理重复拉黑处理:
grep 'Failed password' /var/log/secure | awk '{print $11}'| sort -n | uniq -c | awk '$1>20{print $2}' | awk '{print "sshd:"$1":deny"}' >> /etc/hosts.deny
cat /etc/hosts.deny > lingshi
cat lingshi >hosts.deny
其他参考
lastb | awk '{print $3}' | sort | uniq -c | sort -nr | awk '$1>20{print $0}'| awk '{print "sshd:"$2":deny"}' >> /etc/hosts.deny
Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。