SSH Brute-Force Investigation and Defense

Published 2023-12-08 17:48:54, author: 大司徒


1. Count the failed login attempts in the log

grep -o "Failed password" /var/log/secure|uniq -c

[root@VM-4-15-centos etc]# grep -o "Failed password" /var/log/secure|uniq -c
54970 Failed password

2. Print the first and last failed-login lines to establish the time window:

grep "Failed password" /var/log/secure|head -1
grep "Failed password" /var/log/secure|tail -1

[root@VM-4-15-centos etc]# grep "Failed password" /var/log/secure|tail -1
Dec 26 15:11:03 VM-4-15-centos sshd[30859]: Failed password for root from 124.148.168.201 port 48553 ssh2
[root@VM-4-15-centos etc]# grep "Failed password" /var/log/secure|head -1
Dec 16 12:37:34 VM-4-15-centos sshd[3429]: Failed password for root from 152.89.196.123 port 63710 ssh2

3. Identify which IPs are brute-forcing (the IPs must be sorted before uniq -c, otherwise only adjacent repeats are merged and the counts are wrong)

grep "Failed password" /var/log/secure|grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|sort|uniq -c | sort -nr

4. Date, username and IP of successful logins:

grep "Accepted " /var/log/secure | awk '{print $1,$2,$3,$9,$11}'

5. List the IPs that logged in successfully, with counts

grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more
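The five investigation steps above, as an added example that is not part of the original post: each step is a shell function run over a constructed excerpt of /var/log/secure written to a temp file (the 198.51.100.7 and 203.0.113.9 addresses and the "invalid user admin" line are made up; the others are the post's own). It goes a little beyond the post's one-liners: the client IP is taken as the field after "from", which also handles "invalid user" lines, and a final cross-check lists IPs that failed and then succeeded, the pattern a defender most needs to see because it means a brute force actually worked.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-5 as functions over a
# constructed /var/log/secure excerpt so the checks can be run anywhere.
SAMPLE_LOG="$(mktemp)"            # stand-in for /var/log/secure
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Dec 16 12:37:34 VM-4-15-centos sshd[3429]: Failed password for root from 152.89.196.123 port 63710 ssh2
Dec 16 12:37:36 VM-4-15-centos sshd[3429]: Failed password for root from 152.89.196.123 port 63710 ssh2
Dec 16 12:38:01 VM-4-15-centos sshd[3431]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Dec 17 08:02:11 VM-4-15-centos sshd[4102]: Accepted publickey for root from 192.168.6.240 port 51212 ssh2: RSA SHA256:constructed
Dec 18 09:14:00 VM-4-15-centos sshd[5119]: Failed password for root from 152.89.196.123 port 63711 ssh2
Dec 18 09:15:42 VM-4-15-centos sshd[5120]: Failed password for root from 203.0.113.9 port 50020 ssh2
Dec 18 09:15:47 VM-4-15-centos sshd[5120]: Failed password for root from 203.0.113.9 port 50020 ssh2
Dec 18 09:15:50 VM-4-15-centos sshd[5121]: Accepted password for root from 203.0.113.9 port 50021 ssh2
Dec 26 15:11:03 VM-4-15-centos sshd[30859]: Failed password for root from 124.148.168.201 port 48553 ssh2
EOF

# Client IP = the field after "from"; works for both "for root from" and
# "for invalid user admin from", where a fixed field number from the front
# of the line would not.
src_ip() { awk '{for (i = 1; i < NF; i++) if ($i == "from") {print $(i+1); break}}'; }

# Step 1: total failed password attempts (grep -c counts matching lines).
count_failed() { grep -c "Failed password" "${1:-$SAMPLE_LOG}"; }

# Step 2: timestamps of the first and last failure, i.e. the attack window.
first_failed() { grep "Failed password" "${1:-$SAMPLE_LOG}" | head -n 1 | awk '{print $1, $2, $3}'; }
last_failed()  { grep "Failed password" "${1:-$SAMPLE_LOG}" | tail -n 1 | awk '{print $1, $2, $3}'; }

# Step 3: attacking IPs, most active first. sort must run before uniq -c,
# otherwise non-adjacent repeats of the same IP are counted separately.
failed_by_ip() { grep "Failed password" "${1:-$SAMPLE_LOG}" | src_ip | sort | uniq -c | sort -rn; }

# Step 4: date, user and IP of every successful login.
accepted_logins() {
    grep "Accepted " "${1:-$SAMPLE_LOG}" | awk '{
        u = ""; ip = ""
        for (i = 1; i < NF; i++) {
            if ($i == "for"  && u  == "") u  = $(i+1)
            if ($i == "from" && ip == "") ip = $(i+1)
        }
        print $1, $2, $3, u, ip }'
}

# Step 5: successful logins per IP.
accepted_by_ip() { grep "Accepted " "${1:-$SAMPLE_LOG}" | src_ip | sort | uniq -c | sort -rn; }

# Cross-check the two lists: an IP that failed and then succeeded is the
# signature of a brute force that worked, and should be reviewed first.
# Each set is unique'd first, so an IP printed twice (uniq -d) is in both.
failed_then_accepted() {
    log="${1:-$SAMPLE_LOG}"
    {
        grep "Failed password" "$log" | src_ip | sort -u
        grep "Accepted " "$log" | src_ip | sort -u
    } | sort | uniq -d
}

report() {
    log="${1:-$SAMPLE_LOG}"
    echo "failed attempts : $(count_failed "$log")"
    echo "window          : $(first_failed "$log") .. $(last_failed "$log")"
    echo "top sources     :"; failed_by_ip "$log"
    echo "successful      :"; accepted_logins "$log"
    echo "failed then OK  : $(failed_then_accepted "$log")"
}
report
```

Pass a real log path to any of the functions (for example `report /var/log/secure`) to run the same checks on a server; on the sample data the cross-check flags 203.0.113.9, which failed twice and then logged in with a password.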

6. A script copied from the web that blacklists any IP with 10 or more failed logins

-- Path: /usr/local/bin/secure_ssh.sh
#!/bin/bash
# Count failed logins per source IP (on a "Failed password ... from IP port N ssh2"
# line the IP is the third field from the end) and write "IP=count" lines.
# sort must run before uniq -c so that repeats of the same IP are merged.
awk '/Failed/{print $(NF-3)}' /var/log/secure | sort | uniq -c | awk '{print $2"="$1}' > /usr/local/bin/black.list
while IFS='=' read -r IP NUM
do
  # 10 or more failures: add the IP to hosts.deny unless it is already there.
  # grep -qF matches the dots literally; the "sshd:$IP:" prefix keeps
  # 10.0.0.1 from matching an existing 10.0.0.10 entry.
  if [ "$NUM" -ge 10 ]; then
    if ! grep -qF "sshd:$IP:" /etc/hosts.deny; then
      echo "sshd:$IP:deny" >> /etc/hosts.deny
    fi
  fi
done < /usr/local/bin/black.list
#--: Put secure_ssh.sh into a cron job that runs every minute.
# crontab -e
*/1 * * * *  sh /usr/local/bin/secure_ssh.sh
#--: Remember to put the allowed IPs into /etc/hosts.allow
sshd:192.168.6.240:allow
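A dry-run version of the step 6 logic, added here as an example and not the post's script. It takes the log, allow and deny file paths as arguments (the demo uses hypothetical temp files, so nothing under /etc is touched), applies the threshold as a number, skips IPs that appear in hosts.allow, and appends a deny entry only once per IP so the cron job is safe to repeat every minute. Two caveats on the approach itself: hosts.deny only has an effect if sshd was built with tcp_wrappers (libwrap), which upstream OpenSSH removed in 6.7 and which CentOS/RHEL 7 still carry as a distribution patch while RHEL 8 and later do not, so on newer systems the same list should feed firewall rules or a tool such as fail2ban instead; and the script counts over the whole log file, so an address stays blocked until the log rotates and the entry is removed by hand.

```shell
#!/bin/sh
# Added example, not the post's script: the step 6 blacklisting logic as
# functions that take explicit paths, so it can be dry-run on temp files
# before being pointed at /var/log/secure and /etc/hosts.deny.

# Failures per source IP as "IP count", most active first. sort must come
# before uniq -c or only adjacent repeats are merged.
failed_counts() {   # $1 = log file
    awk '/Failed password/ {for (i = 1; i < NF; i++) if ($i == "from") {print $(i+1); break}}' "$1" \
    | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# IPs at or above the threshold, minus anything in the allow file, so an
# admin who mistypes a password ten times is never locked out.
build_blacklist() {   # $1 = log, $2 = threshold, $3 = allow file (may not exist)
    failed_counts "$1" | while read -r ip n; do
        [ "$n" -ge "$2" ] || continue
        if [ -f "$3" ] && grep -qF ":$ip:" "$3"; then continue; fi
        echo "$ip"
    done
}

# Read IPs on stdin, append "sshd:IP:deny" once each, print how many were
# added. -F keeps the dots literal; ":$ip:" stops 10.0.0.1 matching 10.0.0.10.
apply_deny() {   # $1 = deny file
    added=0
    while read -r ip; do
        [ -n "$ip" ] || continue
        if ! grep -qF ":$ip:" "$1" 2>/dev/null; then
            echo "sshd:$ip:deny" >> "$1"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# --- dry-run fixture: constructed log with three sources -------------------
DEMO_DIR="$(mktemp -d)"
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_LOG="$DEMO_DIR/secure"; DEMO_ALLOW="$DEMO_DIR/hosts.allow"; DEMO_DENY="$DEMO_DIR/hosts.deny"

gen_failures() {   # $1 = ip, $2 = count: constructed sshd lines, seconds vary
    i=0
    while [ "$i" -lt "$2" ]; do
        echo "Dec 26 15:11:$(printf '%02d' "$i") VM-4-15-centos sshd[30859]: Failed password for root from $1 port 48553 ssh2"
        i=$((i + 1))
    done
}
{
    gen_failures 124.148.168.201 12   # over threshold: should be denied
    gen_failures 192.168.6.240 11     # over threshold but allow-listed
    gen_failures 198.51.100.7 2       # under threshold
} > "$DEMO_LOG"
echo "sshd:192.168.6.240:allow" > "$DEMO_ALLOW"
: > "$DEMO_DENY"

# Run twice: the second pass must add nothing, which is what makes the
# every-minute cron job safe.
echo "added: $(build_blacklist "$DEMO_LOG" 10 "$DEMO_ALLOW" | apply_deny "$DEMO_DENY")"
echo "added: $(build_blacklist "$DEMO_LOG" 10 "$DEMO_ALLOW" | apply_deny "$DEMO_DENY")"
cat "$DEMO_DENY"
```

On a real host the same two functions are run as `build_blacklist /var/log/secure 10 /etc/hosts.allow | apply_deny /etc/hosts.deny` from the cron entry; the demo prints "added: 1" then "added: 0" and a deny file holding only 124.148.168.201, since 192.168.6.240 is allow-listed and 198.51.100.7 is under the threshold.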