awk入门-保护SSHD-白红宇

awk入门例子-保护SSHD

一台Linux 服务器(不能用iptables )每天都有ssh 暴力连接，统计下最多竟然达到5650次

1 secure 日志

/bin/awk '/Failed/{print $(NF-3)}' /var/log/secure | /bin/sort | /usr/bin/uniq -c | sort -rn

5650 123.29.68.70

893 219.232.104.2

139 87.110.156.171

139 41.212.83.191

75 111.74.82.33

35 61.155.178.242

32 201.236.80.4

24 218.91.253.123

15 122.194.200.3

8 221.230.133.67

7 190.146.233.184

4 94.76.229.11

4 77.76.109.119

4 209.165.131.61

3 208.254.58.144

3 109.75.21.195

2 93.189.94.179

2 116.58.221.96

2 109.75.21.200

1 64.185.226.120

1 138.100.78.80

secure日志记录 61.155.178.242 这个ip尝试使用的账户 test/admin 等等

/bin/awk '/Failed/' /var/log/secure | tail -n 35

Oct 9 08:58:04 gw-new sshd[18864]: Failed password for root from 61.155.178.242 port 35336 ssh2

Oct 9 08:58:06 gw-new sshd[18866]: Failed password for root from 61.155.178.242 port 36064 ssh2

Oct 9 08:58:08 gw-new sshd[18868]: Failed password for root from 61.155.178.242 port 36365 ssh2

Oct 9 08:58:10 gw-new sshd[18870]: Failed password for root from 61.155.178.242 port 36643 ssh2

Oct 9 08:58:13 gw-new sshd[18872]: Failed password for root from 61.155.178.242 port 37517 ssh2

Oct 9 08:58:15 gw-new sshd[18874]: Failed password for root from 61.155.178.242 port 37852 ssh2

Oct 9 08:58:17 gw-new sshd[18876]: Failed password for root from 61.155.178.242 port 38683 ssh2

Oct 9 08:58:20 gw-new sshd[18878]: Failed password for root from 61.155.178.242 port 39059 ssh2

Oct 9 08:58:22 gw-new sshd[18880]: Failed password for root from 61.155.178.242 port 39919 ssh2

Oct 9 08:58:24 gw-new sshd[18882]: Failed password for root from 61.155.178.242 port 40181 ssh2

Oct 9 08:58:27 gw-new sshd[18884]: Failed password for root from 61.155.178.242 port 41065 ssh2

Oct 9 08:58:29 gw-new sshd[18886]: Failed password for root from 61.155.178.242 port 41404 ssh2

Oct 9 08:58:32 gw-new sshd[18888]: Failed password for root from 61.155.178.242 port 42254 ssh2

Oct 9 08:58:33 gw-new sshd[18890]: Failed password for invalid user oracle from 61.155.178.242 port 42614 ssh2

Oct 9 08:58:35 gw-new sshd[18892]: Failed password for invalid user test from 61.155.178.242 port 42997 ssh2

Oct 9 08:58:38 gw-new sshd[18894]: Failed password for invalid user admin from 61.155.178.242 port 43646 ssh2

Oct 9 08:58:40 gw-new sshd[18896]: Failed password for invalid user admin from 61.155.178.242 port 44022 ssh2

Oct 9 08:58:43 gw-new sshd[18898]: Failed password for invalid user test from 61.155.178.242 port 44820 ssh2

Oct 9 08:58:45 gw-new sshd[18900]: Failed password for invalid user admin from 61.155.178.242 port 45177 ssh2

Oct 9 08:58:47 gw-new sshd[18902]: Failed password for invalid user admin from 61.155.178.242 port 45979 ssh2

Oct 9 08:58:50 gw-new sshd[18904]: Failed password for root from 61.155.178.242 port 46233 ssh2

Oct 9 08:58:53 gw-new sshd[18906]: Failed password for root from 61.155.178.242 port 47140 ssh2

Oct 9 08:58:55 gw-new sshd[18908]: Failed password for root from 61.155.178.242 port 47430 ssh2

Oct 9 08:58:57 gw-new sshd[18910]: Failed password for root from 61.155.178.242 port 48241 ssh2

Oct 9 08:58:59 gw-new sshd[18912]: Failed password for root from 61.155.178.242 port 48526 ssh2

Oct 9 08:59:02 gw-new sshd[18914]: Failed password for root from 61.155.178.242 port 49295 ssh2

Oct 9 08:59:05 gw-new sshd[18916]: Failed password for root from 61.155.178.242 port 49739 ssh2

Oct 9 08:59:07 gw-new sshd[18918]: Failed password for root from 61.155.178.242 port 50554 ssh2

Oct 9 08:59:09 gw-new sshd[18920]: Failed password for root from 61.155.178.242 port 50838 ssh2

Oct 9 08:59:11 gw-new sshd[18922]: Failed password for root from 61.155.178.242 port 51625 ssh2

Oct 9 08:59:14 gw-new sshd[18924]: Failed password for root from 61.155.178.242 port 51876 ssh2

Oct 9 08:59:16 gw-new sshd[18926]: Failed password for root from 61.155.178.242 port 52718 ssh2

Oct 9 08:59:18 gw-new sshd[18928]: Failed password for root from 61.155.178.242 port 52969 ssh2

Oct 9 08:59:21 gw-new sshd[18930]: Failed password for root from 61.155.178.242 port 53268 ssh2

Oct 9 08:59:22 gw-new sshd[18932]: Failed password for root from 61.155.178.242 port 54034 ssh2

2 编写shell 脚本

思路:使用crontab 每3分钟执行一次defend_ssh.sh脚本, defend_ssh.sh调用 defend_ssh.awk 程序，awk 程序分析/var/log/secure日志，并输出超过20次的Failed ip地址，由shell脚本输出到 /etc/hosts.deny 文件，以达到拒绝某IP的目的，由于secure日志将保留7天，所以此IP 将被拒绝7天。

crontab -l

*/3 * * * * /root/sh/defend_ssh.sh >> /root/sh/cron_log 2>&1

cat defend_ssh.sh

#!/bin/bash

#Defend sshd

#Deny More than 20 black ip to "/etc/hosts.deny"

#/var/log/secure* log rotate every 7 days

#20120928 by dongnan

#variables

allow_num=20

#main

/bin/awk -v allow=$allow_num -f /root/sh/defend_ssh.awk /var/log/secure > /etc/hosts.deny

cat defend_ssh.awk

/Failed/ { ++S[$(NF-3)]}

END {

for (a in S) {

if(S[a] > allow) print "sshd:"a

}

}

awk 程序入门

-v 选项用于使用外部变量，这里在shell 中定义变量allow_num=20

-f 选项用于调用awk 程序

/Failed/ 为模式部分，具体是使用/正则表达式/ 匹配含有 Failed 行

{ ++S[$(NF-3)]} 为动作部分，使用数组每匹配一个Failed 则 ip([$(NF-3)]) 加1

END是特殊的动作，用于所有输入数据已经被处理完成之后，它多半用于产生摘要报告，这里则是使用循环for 读取数组S 元素，并使用if 语句判断是否大于20次，条件真则使用print 语句输出。

3 测试-超过20次拒绝连接

awk '/refused/' /var/log/secure

Oct 8 22:55:01 gw-new sshd[10324]: refused connect from ::ffff:218.91.253.123 (::ffff:218.91.253.123)

Oct 9 06:25:03 gw-new sshd[18367]: refused connect from ::ffff:201.236.80.4 (::ffff:201.236.80.4)

Oct 9 15:47:11 gw-new sshd[20491]: refused connect from ::ffff:61.155.178.242 (::ffff:61.155.178.242)

Oct 9 16:31:38 gw-new sshd[20742]: refused connect from ::ffff:61.155.178.242 (::ffff:61.155.178.242)

Oct 9 21:39:45 gw-new sshd[21892]: refused connect from ::ffff:61.155.178.242 (::ffff:61.155.178.242)

Oct 10 07:05:03 gw-new sshd[30559]: refused connect from ::ffff:211.113.151.201 (::ffff:211.113.151.201)

Oct 10 07:36:47 gw-new sshd[30668]: refused connect from ::ffff:61.155.178.242 (::ffff:61.155.178.242)

参考

用SHELL脚本来防SSH和vsftpd暴力破解

http://andrewyu.blog.51cto.com/1604432/662500

结束

更多请：

linux 相关 37275208

vmware 虚拟化相关 166682360

本文转自 dongnan 51CTO博客，原文链接：http://blog.51cto.com/dngood/1068094