awk入门-保护SSHD

awk入门例子-保护SSHD

一台Linux 服务器(不能用iptables )每天都有ssh 暴力连接，统计下最多竟然达到5650次

1 secure 日志

/bin/awk '/Failed/{print $(NF-3)}' /var/log/secure | /bin/sort | /usr/bin/uniq -c | sort -rn

5650 123.29.68.70
    893 219.232.104.2
    139 87.110.156.171
    139 41.212.83.191
     75 111.74.82.33
     35 61.155.178.242
     32 201.236.80.4
     24 218.91.253.123
     15 122.194.200.3
      8 221.230.133.67
      7 190.146.233.184
      4 94.76.229.11
      4 77.76.109.119
      4 209.165.131.61
      3 208.254.58.144
      3 109.75.21.195
      2 93.189.94.179
      2 116.58.221.96
      2 109.75.21.200
      1 64.185.226.120
      1 138.100.78.80

secure日志记录 61.155.178.242 这个ip尝试使用的账户 test/admin 等等

/bin/awk '/Failed/' /var/log/secure | tail -n 35

Oct 9 08:58:04 gw-new sshd[18864]: Failed password for root from 61.155.178.242 port 35336 ssh2
Oct 9 08:58:06 gw-new sshd[18866]: Failed password for root from 61.155.178.242 port 36064 ssh2
Oct 9 08:58:08 gw-new sshd[18868]: Failed password for root from 61.155.178.242 port 36365 ssh2
Oct 9 08:58:10 gw-new sshd[18870]: Failed password for root from 61.155.178.242 port 36643 ssh2
Oct 9 08:58:13 gw-new sshd[18872]: Failed password for root from 61.155.178.242 port 37517 ssh2
Oct 9 08:58:15 gw-new sshd[18874]: Failed password for root from 61.155.178.242 port 37852 ssh2
Oct 9 08:58:17 gw-new sshd[18876]: Failed password for root from 61.155.178.242 port 38683 ssh2
Oct 9 08:58:20 gw-new sshd[18878]: Failed password for root from 61.155.178.242 port 39059 ssh2
Oct 9 08:58:22 gw-new sshd[18880]: Failed password for root from 61.155.178.242 port 39919 ssh2
Oct 9 08:58:24 gw-new sshd[18882]: Failed password for root from 61.155.178.242 port 40181 ssh2
Oct 9 08:58:27 gw-new sshd[18884]: Failed password for root from 61.155.178.242 port 41065 ssh2
Oct 9 08:58:29 gw-new sshd[18886]: Failed password for root from 61.155.178.242 port 41404 ssh2
Oct 9 08:58:32 gw-new sshd[18888]: Failed password for root from 61.155.178.242 port 42254 ssh2
Oct 9 08:58:33 gw-new sshd[18890]: Failed password for invalid user oracle from 61.155.178.242 port 42614 ssh2
Oct 9 08:58:35 gw-new sshd[18892]: Failed password for invalid user test from 61.155.178.242 port 42997 ssh2
Oct 9 08:58:38 gw-new sshd[18894]: Failed password for invalid user admin from 61.155.178.242 port 43646 ssh2
Oct 9 08:58:40 gw-new sshd[18896]: Failed password for invalid user admin from 61.155.178.242 port 44022 ssh2
Oct 9 08:58:43 gw-new sshd[18898]: Failed password for invalid user test from 61.155.178.242 port 44820 ssh2
Oct 9 08:58:45 gw-new sshd[18900]: Failed password for invalid user admin from 61.155.178.242 port 45177 ssh2
Oct 9 08:58:47 gw-new sshd[18902]: Failed password for invalid user admin from 61.155.178.242 port 45979 ssh2
Oct 9 08:58:50 gw-new sshd[18904]: Failed password for root from 61.155.178.242 port 46233 ssh2
Oct 9 08:58:53 gw-new sshd[18906]: Failed password for root from 61.155.178.242 port 47140 ssh2
Oct 9 08:58:55 gw-new sshd[18908]: Failed password for root from 61.155.178.242 port 47430 ssh2
Oct 9 08:58:57 gw-new sshd[18910]: Failed password for root from 61.155.178.242 port 48241 ssh2
Oct 9 08:58:59 gw-new sshd[18912]: Failed password for root from 61.155.178.242 port 48526 ssh2
Oct 9 08:59:02 gw-new sshd[18914]: Failed password for root from 61.155.178.242 port 49295 ssh2
Oct 9 08:59:05 gw-new sshd[18916]: Failed password for root from 61.155.178.242 port 49739 ssh2
Oct 9 08:59:07 gw-new sshd[18918]: Failed password for root from 61.155.178.242 port 50554 ssh2
Oct 9 08:59:09 gw-new sshd[18920]: Failed password for root from 61.155.178.242 port 50838 ssh2
Oct 9 08:59:11 gw-new sshd[18922]: Failed password for root from 61.155.178.242 port 51625 ssh2
Oct 9 08:59:14 gw-new sshd[18924]: Failed password for root from 61.155.178.242 port 51876 ssh2
Oct 9 08:59:16 gw-new sshd[18926]: Failed password for root from 61.155.178.242 port 52718 ssh2
Oct 9 08:59:18 gw-new sshd[18928]: Failed password for root from 61.155.178.242 port 52969 ssh2
Oct 9 08:59:21 gw-new sshd[18930]: Failed password for root from 61.155.178.242 port 53268 ssh2
Oct 9 08:59:22 gw-new sshd[18932]: Failed password for root from 61.155.178.242 port 54034 ssh2

2 编写shell 脚本

思路:使用crontab 每3分钟执行一次defend_ssh.sh脚本, defend_ssh.sh调用 defend_ssh.awk 程序，awk 程序分析/var/log/secure日志，并输出超过20次的Failed ip地址，由shell脚本输出到 /etc/hosts.deny 文件，以达到拒绝某IP的目的，由于secure日志将保留7天，所以此IP 将被拒绝7天。

crontab -l

*/3 * * * * /root/sh/defend_ssh.sh >> /root/sh/cron_log 2>&1

cat defend_ssh.sh
#!/bin/bash
#Defend sshd
#Deny More than 20 black ip to "/etc/hosts.deny"
#/var/log/secure* log rotate every 7 days
#20120928 by dongnan
#variables
allow_num=20
#main
/bin/awk -v allow=$allow_num -f /root/sh/defend_ssh.awk /var/log/secure > /etc/hosts.deny

cat defend_ssh.awk
/Failed/ { ++S[$(NF-3)]}
END {
for (a in S) {
if(S[a] > allow) print "sshd:"a
}
}

awk 程序入门

-v 选项用于使用外部变量，这里在shell 中定义变量allow_num=20

-f 选项用于调用awk 程序

/Failed/ 为模式部分，具体是使用/正则表达式/ 匹配含有 Failed 行

{ ++S[$(NF-3)]} 为动作部分，使用数组每匹配一个Failed 则 ip([$(NF-3)]) 加1

END是特殊的动作，用于所有输入数据已经被处理完成之后，它多半用于产生摘要报告，这里则是使用循环for 读取数组S 元素，并使用if 语句判断是否大于20次，条件真则使用print 语句输出。

3 测试-超过20次拒绝连接

awk '/refused/' /var/log/secure

Oct 8 22:55:01 gw-new sshd[10324]: refused connect from ::ffff:218.91.253.123 (::ffff:218.91.253.123)
Oct 9 06:25:03 gw-new sshd[18367]: refused connect from ::ffff:201.236.80.4 (::ffff:201.236.80.4)
Oct 9 15:47:11 gw-new sshd[20491]: refused connect from ::ffff:61.155.178.242 (::ffff:61.155.178.242)
Oct 9 16:31:38 gw-new sshd[20742]: refused connect from ::ffff:61.155.178.242 (::ffff:61.155.178.242)
Oct 9 21:39:45 gw-new sshd[21892]: refused connect from ::ffff:61.155.178.242 (::ffff:61.155.178.242)
Oct 10 07:05:03 gw-new sshd[30559]: refused connect from ::ffff:211.113.151.201 (::ffff:211.113.151.201)
Oct 10 07:36:47 gw-new sshd[30668]: refused connect from ::ffff:61.155.178.242 (::ffff:61.155.178.242)

参考
用SHELL脚本来防SSH和vsftpd暴力破解
http://andrewyu.blog.51cto.com/1604432/662500

结束
更多请：
linux 相关 37275208
vmware 虚拟化相关 166682360

本文转自 dongnan 51CTO博客，原文链接：http://blog.51cto.com/dngood/1068094

awk入门-保护SSHD相关推荐

20分钟 Awk 入门
20分钟 Awk 入门什么是Awk Awk是一种小巧的编程语言及命令行工具.(其名称得自于它的创始人Alfred Aho.Peter Weinberger 和 Brian Kernighan姓氏的首 ...
shell脚本编程之awk入门
awk是一个基于列的文本处理工具,另外还有一个基于行模式的sed,本文简要介绍awk的基本使用示例 awk按行读取文本并视为一条记录,每条记录以字段分割成若干字段,然后输出各字段的值.分割方式默认是 ...
linux awk入门,awk入门应用
awk概述 awk是一种编程语言,用于在linux/unix下对文本和数据进行处理.数据可以来自标准输入.一个或多个文件,或其它命令的输出.它支持用户自定义函数和动态正则表达式等先进功能,是linux ...
awk入门（三）--getline用法
文章目录本文示例文本对输入内容的判断 getline数据处理顺序问题无参数的getline 一个参数的getline 从指定的文件读取数据从shell命令中读取数据本文示例文本 ~]$ ca ...
awk文本处理总结（入门，中级，高级）
1.什么是awk是一种程序设计语言, 主要用来处理数据和产生报表,它对输入数据(文件.标准输入或命令的输出)逐行进行扫描,匹配指定的模式,并执行指定的操作. 2.awk语法格式 awk ' ...
Shell脚本入门基础
Shell脚本 DKing~共享 1.1 脚本概念将多个命令先放入到一个文件中,方便一次性执行的一个程序文件统一脚本存放目录:/server/scripts 推荐使用vim编辑脚本查看脚本执行过 ...
Linux文本三剑客之一——awk详解(1)——awk看这两篇就够啦~PS：文末有练习，来练练手吧
shell编程三剑客 grep --> egrep --> 文本过滤查询 awk 文本截取 sed 文本的替换和修改目录 awk awk也可以做小数运算 awk命令简要处理流程 aw ...
shell 文本处理利器awk命令
11.1 awk入门 awk是一种非常强大的数据处理工具,其本身可以称为是一种程序设计语言,因而具有其他程序设计语言所共同拥有的一些特征,例如变量.函数以及表达式等.通过awk,用户可以编写一些非常 ...
shell脚本编程神器之awk语法案例详解
AWK入门指南文章目录 shell脚本编程神器之awk语法案例详解安装AWK AWK 起步示例 AWK程序的结构执行 awk 程序 awk 的错误提示简单输出打印每一行打印特定行 NF,字 ...

awk入门-保护SSHD

awk入门-保护SSHD相关推荐

最新文章

热门文章