https://www.andowson.com/posts/list/16.page JForum - http://www.jforum.net [quote]Jan 21 05:32:32 www sshd[24782]: Invalid user office from ::ffff:210.202.33.129
Jan 20 21:32:32 www sshd[24783]: input_userauth_request: invalid user office
Jan 21 05:32:35 www sshd[24782]: Failed password for invalid user office from ::ffff:210.202.33.129 port 61321 ssh2[/quote]

可是系統上並沒有office這個使用者，而且這個210.202.33.129還出現在其他連續的多筆記錄上，可以知道這是個嘗試入侵的行為，我們可以寫支 shell script 程式來自動擋掉這些討厭的傢伙。

將底下的程式碼複製存檔為 /root/admin/banip.sh
[code]#!/bin/bash
# Name: banip.sh
# Author: Andowson Chang (andowson [at] gmail [dot] com)
# Version: 0.1
# Last Modified: 2007-01-21

# 修改這邊的參數
EXTERNAL_INTERFACE="ppp0" # you must edit this
BANNEDHOSTFILE="/tmp/bannedhosts.txt" #edit this as required
HISTORYHOSTSFILE="/tmp/history.txt" #edit this as required
IPTABLES="/sbin/iptables"
GREP_PARAM="^[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*"

# 找出攻擊的主機IP
grep "Failed password for invalid user" /var/log/secure | cut -d" " -f13 | sort | uniq | cut -d":" -f4 > /tmp/attack.log
grep "Failed password for invalid user" /var/log/secure | cut -d" " -f14 | sort | uniq | cut -d":" -f4 >> /tmp/attack.log
# 刪除一些不是IP的字，目前發現的有from和port，也可以包含測試用的來源IP
sed -e '/from/d' -e '/port/d' -e '/192.168.1/d' /tmp/attack.log > /tmp/attack.txt

# 加入新增的主機
touch $HISTORYHOSTSFILE
sort /tmp/attack.txt | uniq > /tmp/ip1
sort $HISTORYHOSTSFILE | uniq > /tmp/ip2
comm -23 /tmp/ip[1-2] > $BANNEDHOSTFILE # 新增站台資料
rm -rf /tmp/ip[1-2]
rm -rf /tmp/attack.*

# 將攻擊的主機IP加到iptables擋掉
for i in $( grep $GREP_PARAM $BANNEDHOSTFILE )
do
echo "Deny access to host: $i"
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $i -j DROP
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -d $i -j DROP
done

# 將處理過的IP清單加到歷史檔去
cat $BANNEDHOSTFILE >> $HISTORYHOSTSFILE
sort $HISTORYHOSTSFILE | uniq > /tmp/history.tmp
mv -f /tmp/history.tmp $HISTORYHOSTSFILE
rm -rf $BANNEDHOSTFILE[/code]

然後chmod 755 /root/admin/banip.sh
接著掛到/etc/crontab讓它每五分鐘執行一次
[code]# ban intruder's ip (2007.01.21)
*/5 * * * * root /root/admin/banip.sh > /var/log/banip.log[/code]

察看目前被擋掉的IP：iptables -L -n
如果有誤加的IP，可以利用類似底下的指令來刪除設定
[code]iptables -D INPUT -i ppp0 -s 192.168.1.5 -j DROP
iptables -D OUTPUT -o ppp0 -d 192.168.1.5 -j DROP[/code]

:!:為避免重複加入iptables，已在$HISTORYHOSTSFILE裡面的ip，會被自動過濾掉。可是重開機之後iptables的設定會回到預設值，只剩下開放的服務port的設定，沒有擋掉任何主機的設定。如此一來，重開機後將不會再擋掉先前已在歷史檔內的主機。解決的方法是每次重開機後將歷史檔更名，如改為history.txt-yyyymmdd

vi /etc/rc.local
[code]
mv /tmp/history.txt /tmp/history.txt-`date +%Y%m%d`
[/code]
參考資料：[url=http://phi.sinica.edu.tw/aspac/reports/96/96005/]SED 手冊[/url]]]> https://www.andowson.com/posts/preList/33/37.page https://www.andowson.com/posts/preList/33/37.page GMT [code]
grep failure messages | awk '{print $13}' | uniq | grep -v tty | cut -d"=" -f2 | sort | grep "\." | uniq | grep -v "192.168.1" >> /tmp/attack.log
[/code]]]> https://www.andowson.com/posts/preList/33/258.page https://www.andowson.com/posts/preList/33/258.page GMT 想請問一下，我使用了這程式
在擋FTP那段，想請問一下如何判斷嘗試超過多少次才擋下IP呢
因為不這樣的話，會連本身使用者的IP都會擋掉。
這是FTP訊息
[code]vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=88.208.230.36
[/code]
]]> https://www.andowson.com/posts/preList/33/432.page https://www.andowson.com/posts/preList/33/432.page GMT https://www.andowson.com/posts/preList/33/433.page https://www.andowson.com/posts/preList/33/433.page GMT
[code=bash]
#!/bin/bash
# Name: banip.sh
# Author: Andowson Chang (andowson [at] gmail [dot] com)
# Version: 0.3
# Since: 2007-01-21
# Last Modified: 2010-10-24

# 修改這邊的參數
EXTERNAL_INTERFACE="eth0" # value can be "eth0" or "ppp0"
BANNED_HOST_FILE="/tmp/bannedhosts.txt"
HISTORY_HOSTS_FILE="/tmp/history.txt"
IPTABLES="/sbin/iptables"
GREP_PARAM="^[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*"
TODAY=`date +%Y-%m-%d`
SECURE_LOG="/tmp/secure.$TODAY"
FAILURE_LOG="/tmp/failure.$TODAY"
FAILED_LOG="/tmp/failed.$TODAY"

# 將資料資料範圍縮小到今天
grep $TODAY /var/log/secure > $SECURE_LOG
grep "authentication failure" $SECURE_LOG | awk '{print $12}' | cut -d"=" -f2 > $FAILURE_LOG
# 因rhost可能是domain name方式，為避免重複計算次數，另存到一個檔案去
grep "Failed password for invalid user" $SECURE_LOG | awk '{print $11}' > $FAILED_LOG
grep "Failed password" $SECURE_LOG | grep -v "invalid user" | awk '{print $9}' >> $FAILED_LOG

# 找出攻擊的主機IP
cat $FAILURE_LOG $FAILED_LOG > /tmp/attacker.log

# 加入新增的主機
touch $HISTORY_HOSTS_FILE
sort /tmp/attacker.log | uniq > /tmp/attacker_ip1
sort $HISTORY_HOSTS_FILE | uniq > /tmp/attacker_ip2
comm -23 /tmp/attacker_ip[1-2] > $BANNED_HOST_FILE # 新增主機資料
rm -rf /tmp/attacker*

# 將攻擊的主機IP加到iptables擋掉
for ip in $( grep $GREP_PARAM $BANNED_HOST_FILE )
do
#計算失敗次數
failcount=`grep $ip $FAILURE_LOG | wc -l`
failcount2=`grep $ip $FAILED_LOG | wc -l`
#超過三次失敗者加入阻擋名單
if [ $failcount > 3 ] || [ $failcount2 > 3 ]; then
echo "Deny access to host: $ip"
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $ip -j DROP
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -d $ip -j DROP
# 將處理過的IP清單加到歷史檔去
echo $ip >> $HISTORY_HOSTS_FILE
fi
done

rm -rf $BANNED_HOST_FILE
rm -rf $SECURE_LOG
rm -rf $FAILURE_LOG
rm -rf $FAILED_LOG
[/code]]]> https://www.andowson.com/posts/preList/33/913.page https://www.andowson.com/posts/preList/33/913.page GMT
[code=bash]
#!/bin/bash
# Name: banip.sh
# Author: Andowson Chang (andowson [at] gmail [dot] com)
# Version: 0.6
# Since: 2007-01-21
# Last Modified: 2013-06-09

# 修改這邊的參數
EXTERNAL_INTERFACE="eth0" # value can be "eth0" or "ppp0"
BANNED_HOSTS="/tmp/bannedhosts.txt"
BANNED_HOSTS_HISTORY="/tmp/history.txt"
IPTABLES="/sbin/iptables"
GREP_PARAM="^[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*"
export LANG=en_US
TODAY=`date +%Y-%m-%d`
RANGE=`date "+%b %e"`
SECURE_LOG="/tmp/secure.${TODAY}"
SUSPECTED="/tmp/failed.${TODAY}"

# 將資料資料範圍縮小到今天
grep "$RANGE" /var/log/secure > $SECURE_LOG
grep "Failed password for invalid user" $SECURE_LOG | awk '{print $13}' > $SUSPECTED
grep "Failed password" $SECURE_LOG | grep -v "invalid user" | awk '{print $11}' >> $SUSPECTED

# 找出攻擊的主機IP
cat $SUSPECTED | sort | uniq > /tmp/attacker_ip1

# 找出已被封鎖的主機IP
$IPTABLES -L OUTPUT -n | grep DROP | awk '{print $5}' | sort | uniq > /tmp/attacker_ip2

# 比對差異，找出新增的IP
comm -23 /tmp/attacker_ip[1-2] > $BANNED_HOSTS # 新增主機資料
rm -rf /tmp/attacker*

# 將攻擊的主機IP加到iptables擋掉
for ip in $( grep $GREP_PARAM $BANNED_HOSTS )
do
echo "Check $ip"
#計算失敗次數
failcount=`grep $ip $SUSPECTED | wc -l`
#超過三次失敗者加入阻擋名單
if [ $failcount > 3 ]; then
echo "Deny access from host: $ip"
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s $ip -j DROP
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -d $ip -j DROP
# 將處理過的IP清單加到歷史檔去
echo $ip >> $BANNED_HOSTS_HISTORY
fi
done

rm -rf $BANNED_HOSTS
rm -rf $SECURE_LOG
rm -rf $SUSPECTED
[/code]]]> https://www.andowson.com/posts/preList/33/1293.page https://www.andowson.com/posts/preList/33/1293.page GMT