
    [原]shell脚本防ssh/vsftpd暴力破解

    jsh13417发表于 2014-11-29 21:15:59
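    #!/bin/bash
    # Block addresses with more than LIMIT failed sshd logins in the current hour.
    # Reads /var/log/secure, adds one iptables DROP rule per offender and appends
    # a line to LOGFILE. Needs root for iptables; meant to be run from cron.

    LIMIT=10
    LOGFILE="/var/log/block_ssh.log"
    # Same "Mon dd HH" prefix that syslog writes, so only the current hour is counted.
    TIME=$(date '+%b %e %H')

    # One "<count>:<ip>" per line; $(NF-3) is the address in
    # "Failed password for ... from <ip> port <port> ssh2".
    BLOCK_IP=$(grep "$TIME" /var/log/secure | grep Failed | awk '{print $(NF-3)}' | sort | uniq -c | awk -v limit="$LIMIT" '$1 > limit {print $1":"$2}')

    for i in $BLOCK_IP
    do
         TIMES=${i%%:*}
         IP=${i#*:}

         # The address field is taken from the log, whose content remote clients
         # partly control; only plain address characters may reach iptables.
         if ! [[ $IP =~ ^[0-9A-Fa-f.:]+$ ]]; then
              echo "skipping unexpected token: $IP" >&2
              continue
         fi

         # "iptables -C" exits non-zero when no such rule exists. It replaces the
         # unanchored "grep $IP" on iptables-save output, which also matched longer
         # addresses (10.0.0.1 inside an already blocked 10.0.0.10) and so skipped them.
         if ! iptables -C INPUT -s "$IP" -j DROP 2>/dev/null; then
              iptables -A INPUT -s "$IP" -j DROP
              NOW=$(date '+%Y-%m-%d %H:%M')
              echo "$NOW : $TIMES times $IP" >> "${LOGFILE}"
         fi
    done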

    FreeBSD 系统下，脚本如下：

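    #!/bin/sh
    # FreeBSD variant: block addresses with more than LIMIT failed logins using ipfw.
    # Counts every "Failed" line in /var/log/auth.log (no time window), so a rule is
    # added once an address's total count passes the limit.
    LIMIT=10
    SCANIP=`grep "Failed" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | awk '{print $1"="$2;}'`
    for i in $SCANIP
    do
        NUMBER=`echo "$i" | awk -F= '{print $1}'`
        # Use a separate name for the per-entry address; the original reused
        # SCANIP for it, which is confusing even though "for" expands the list once.
        IP=`echo "$i" | awk -F= '{print $2}'`
        echo "$NUMBER($IP)"
        # The address comes from the log; refuse anything that is not plain
        # address characters before it is placed in an ipfw command.
        case $IP in
            ''|*[!0-9A-Fa-f.:]*) echo "skipping unexpected token: $IP" >&2; continue ;;
        esac
        # Match the rule text around the address, not the bare address, so that
        # 10.0.0.1 is not mistaken for an already blocked 10.0.0.10.
        if [ "$NUMBER" -gt "$LIMIT" ] && ! /sbin/ipfw show | grep -qF -- " from $IP to "
        then
            /sbin/ipfw add 1 deny ip from "$IP" to me 22
            echo "`date` $IP($NUMBER)" >> /var/log/scanip.log
        fi
    done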
    vsftpd 服务可以参考命令：

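    # vsftpd: print addresses with 20 or more failed logins, one per line, ready to be
    # fed to an iptables DROP rule as above. "sort" must come before "uniq -c": uniq only
    # merges adjacent lines, so without it a client seen on non-adjacent lines was split
    # into several small counts and could never reach the threshold. Field 12 is the
    # quoted client address; the quotes are stripped before counting.
    awk '/FAIL LOGIN: Client/ {gsub(/"/, "", $12); print $12}' /var/log/vsftpd.log | sort | uniq -c | sort -k1n | awk '$1 >= 20 {print $2}'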



    下面用C语言实现上面的代码:

    /* Headers restored from the garbled listing (the "<sys/...>" names and the two
     * empty #include lines lost their text): sys/stat.h for stat(), sys/wait.h for
     * WIFEXITED/WEXITSTATUS, stdarg.h for va_list, time.h for localtime_r/strftime. */
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <sys/wait.h>
    #include <stdarg.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <time.h>
    #include <unistd.h>
    
    
    
    /* Log written by ssh_log(); one line per blocked address. */
    #define SSH_LOG_PATH "/var/log/block_ssh.log"
    /* sshd authentication log that is scanned for "Failed" lines. */
    #define SSH_SECURE_FILE "/var/log/secure"
    /* Size (bytes) above which ssh_log() is meant to reopen the log with "w+", i.e. truncate it. */
    #define SSH_MAX_LOG_FILE_SIZE (10*1024*1024)
    /* Failure count within the current hour above which an address is blocked. */
    #define SSH_LIMIT 10
    /* Size of every fixed line/command buffer below. */
    #define SSH_BUF_SIZE 1024
    /* printf-style shell pipeline: %s = time prefix, %s = log file, %d = limit.
     * It prints one "<count>:<ip>" per line. Every value substituted into these
     * templates ends up in a shell command line via popen()/system(), so only
     * constant text or validated fields may be substituted. */
    #define SSH_BLOCK_IP "grep \"%s\" %s | grep \"Failed\" | awk \'{print $(NF-3)}\' | sort | uniq -c | awk \'$1 > %d {print $1\":\"$2}\'"
    /* %s = address; exits 0 when an INPUT DROP rule mentioning it already exists. */
    #define SSH_IPTABLES_SAVE "iptables-save | grep INPUT |grep DROP | grep \"%s\" >/dev/null 2>&1"
    /* %s = address; remove / append the DROP rule for it. */
    #define SSH_IPTABLES_D "iptables -D INPUT -s \"%s\" -j DROP"
    #define SSH_IPTABLES_A "iptables -A INPUT -s \"%s\" -j DROP"
    
    /* Handle on SSH_LOG_PATH. NULL until init_ssh_log() succeeds; ssh_log() does nothing while it is NULL. */
    static FILE * ssh_logHander = NULL;
    
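    /*
     * Open SSH_LOG_PATH for appending and keep the handle in ssh_logHander.
     *
     * Returns 0 on success, -1 if fopen() fails; in that case ssh_logHander
     * stays NULL and ssh_log() silently does nothing. Declared with (void) so
     * the compiler checks calls against a real prototype.
     */
    int init_ssh_log(void)
    {
        ssh_logHander = fopen(SSH_LOG_PATH, "a");
        return ssh_logHander ? 0 : -1;
    }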
    
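    /*
     * Append one timestamped, printf-formatted entry to the block log.
     *
     * p_fmt must be a format string written in the program, never text read
     * from a log file; untrusted values go through a "%s" argument.
     * Does nothing while ssh_logHander is NULL (init_ssh_log() not run or
     * failed) or p_fmt is NULL. After writing, if the log exceeds
     * SSH_MAX_LOG_FILE_SIZE it is reopened with "w+" (truncated); if that
     * reopen fails, logging stops until init_ssh_log() is called again.
     */
    void ssh_log(const char *p_fmt, ...)
    {
        char date[SSH_BUF_SIZE] = {'\0'};
        time_t now;
        struct tm ptm;
        struct stat buf;
        va_list ap;

        if (!ssh_logHander || !p_fmt) {
            return;
        }

        time(&now);

        if (localtime_r(&now, &ptm)) {
            strftime(date, sizeof(date), "%F %T", &ptm);
            fprintf(ssh_logHander, "[ %s ]", date);
            va_start(ap, p_fmt);
            vfprintf(ssh_logHander, p_fmt, ap);
            va_end(ap);
            /* Flush per entry so a crash or a later truncation does not lose it. */
            fflush(ssh_logHander);
        }

        /* The original stat()ed an empty buffer here, so this branch never ran
         * and the log grew without bound; check the real log path. */
        if (stat(SSH_LOG_PATH, &buf) == 0 && buf.st_size > SSH_MAX_LOG_FILE_SIZE) {
            fclose(ssh_logHander);
            ssh_logHander = fopen(SSH_LOG_PATH, "w+");
        }
    }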
    
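    /*
     * Run cmd through system() and collapse the result to a pass/fail code.
     *
     * Returns 0 only when the shell ran and the command exited normally with
     * status 0; -1 for a NULL cmd, a failed system() call, a command killed by
     * a signal, or a non-zero exit status.
     * cmd is handed to /bin/sh verbatim, so it must be built only from constant
     * templates and validated fields, never from raw log content.
     */
    int check_systrm_result(const char *cmd)
    {
        if (!cmd) {
            return -1;
        }

        int result = system(cmd);

        if (result == -1 || !WIFEXITED(result) || WEXITSTATUS(result) != 0) {
            return -1;
        }
        return 0;
    }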
    
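    /*
     * Accept an address read from the log only if it consists of IPv4/IPv6
     * characters (hex digits, '.' and ':'). Anything else is refused before it
     * can be spliced into a shell command.
     */
    static int ssh_is_safe_ip(const char *s)
    {
        static const char allowed[] = "0123456789abcdefABCDEF.:";
        return s[0] != '\0' && s[strspn(s, allowed)] == '\0';
    }

    /*
     * Expand one SSH_IPTABLES_* template with ip into buf, echo it like the
     * original did, and run it. Returns check_systrm_result()'s code, or -1
     * when the expanded command does not fit in buf_size.
     */
    static int ssh_run_cmd(char *buf, size_t buf_size, const char *fmt, const char *ip)
    {
        int n = snprintf(buf, buf_size, fmt, ip);
        if (n < 0 || (size_t)n >= buf_size) {
            return -1;
        }
        printf("block_ipbuf is %s\n", buf);
        return check_systrm_result(buf);
    }

    /*
     * Count failed sshd logins in the current hour per address (SSH_BLOCK_IP
     * pipeline), add an iptables DROP rule for each address above SSH_LIMIT
     * that has none yet, and record it through ssh_log(). Needs root.
     * Returns 0, or 1 when the time prefix or the pipeline cannot be set up.
     */
    int main(void)
    {
        FILE *p_stream;
        time_t now;
        struct tm ptm;
        char time_buf[SSH_BUF_SIZE] = {'\0'};
        char block_ipbuf[SSH_BUF_SIZE] = {'\0'};
        char cmd_line[SSH_BUF_SIZE] = {'\0'};
        char *p_times, *p_ip, *nl;
        int n;

        if (init_ssh_log() != 0) {
            /* Keep going: blocking still works, only the log entries are lost. */
            perror(SSH_LOG_PATH);
        }

        /* Build the "%b %e %H" prefix in-process. popen("date") left the
         * trailing newline in time_buf; inside the grep pattern that newline
         * made an empty second pattern, so every line matched and the
         * current-hour filter was silently void. */
        time(&now);
        if (!localtime_r(&now, &ptm) || strftime(time_buf, sizeof time_buf, "%b %e %H", &ptm) == 0) {
            fprintf(stderr, "cannot format current time\n");
            return 1;
        }
        printf("time_buf is %s\n", time_buf);

        n = snprintf(block_ipbuf, sizeof block_ipbuf, SSH_BLOCK_IP, time_buf, SSH_SECURE_FILE, SSH_LIMIT);
        if (n < 0 || (size_t)n >= sizeof block_ipbuf) {
            fprintf(stderr, "command too long\n");
            return 1;
        }
        printf("block_ipbuf is %s\n", block_ipbuf);

        p_stream = popen(block_ipbuf, "r");
        if (!p_stream) {
            perror("popen");
            return 1;
        }

        while (fgets(cmd_line, sizeof cmd_line, p_stream) != NULL) {
            printf("cmd_line is %s\n", cmd_line);
            /* Each line is "<count>:<ip>\n"; split at the first ':'. */
            p_times = cmd_line;
            p_ip = strchr(p_times, ':');
            if (p_ip == NULL) {
                continue;
            }
            *p_ip++ = '\0';
            /* Strip the newline only if present; the old strlen-1 write
             * underflowed the buffer on a line ending in ':'. */
            nl = strchr(p_ip, '\n');
            if (nl) {
                *nl = '\0';
            }

            printf("p_times :%d,p_ip is %s \n", atoi(p_times), p_ip);

            /* The address field comes from the log file, whose content remote
             * clients partly control; refuse anything that is not plain address
             * characters before it is placed in an iptables command line. */
            if (!ssh_is_safe_ip(p_ip)) {
                fprintf(stderr, "skipping unexpected token: %s\n", p_ip);
                continue;
            }

            /* Non-zero: no DROP rule mentions this address yet. */
            if (ssh_run_cmd(block_ipbuf, sizeof block_ipbuf, SSH_IPTABLES_SAVE, p_ip) != 0) {
                ssh_run_cmd(block_ipbuf, sizeof block_ipbuf, SSH_IPTABLES_D, p_ip);
                ssh_run_cmd(block_ipbuf, sizeof block_ipbuf, SSH_IPTABLES_A, p_ip);
                ssh_log(" : %d times ip %s unauthorized access\n", atoi(p_times), p_ip);
            }
        }
        pclose(p_stream);
        return 0;
    }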
    



    参考资料:

    http://www.92csz.com/11/1094.html





