将尝试SSH爆破的IP批量添加到hosts.deny

如果有人尝试爆破ssh服务,就会在 /var/log/secure留下错误记录,因此我们可以利用下面的脚本批量添加历史IP到/etc/hosts.deny

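#!/bin/bash
#
# Append the source addresses of repeated "invalid user" SSH login
# failures to /etc/hosts.deny (TCP wrappers) so sshd refuses them.
#
# Usage: script [LOG_FILE] [DENY_FILE]
#   LOG_FILE   auth log to scan            (default: /var/log/secure)
#   DENY_FILE  TCP-wrappers deny file      (default: /etc/hosts.deny)
# Needs root to read the log and to write the deny file.
#
# Fixes over the original one-liner version:
#   * the address was taken from a fixed awk field ($11), which in the
#     "Failed password for invalid user NAME from ADDR port N ssh2" record
#     is the user name, not the address; it is now the token after the
#     last "from" and must look like an IPv4/IPv6 address
#   * the "already listed" check used the unquoted address as a regex,
#     so 10.0.0.1 counted as present whenever 10.0.0.10 was listed
set -euo pipefail

readonly DEFAULT_LOG=/var/log/secure
readonly DEFAULT_DENY=/etc/hosts.deny
readonly MAX_ENTRIES=100   # only the 100 most frequent sources are considered
readonly MIN_FAILURES=5    # a source is banned only after this many failures

#######################################
# Print "COUNT ADDR" for the most frequent sources of
# "Failed password for invalid user" records, most frequent first.
# The address is the token after the LAST "from" on the line, and only
# addresses made of [0-9A-Fa-f:.] are accepted: the user name in these
# records is attacker supplied and may itself contain " from ADDR", so an
# unvalidated first-match extraction could be steered into banning an
# arbitrary address (e.g. the admin's own).
# Arguments: $1 - log file, $2 - maximum number of lines to print
# Outputs:   "count address" per line on stdout
#######################################
collect_offenders() {
  local log=$1 limit=$2
  # '|| true': grep exits 1 when nothing matches and sort may get SIGPIPE
  # once head has its lines; neither is an error for this script.
  grep -F 'Failed password for invalid user' -- "$log" \
    | awk '{
        addr = ""
        for (i = NF; i > 1; i--) if ($i == "from") { addr = $(i + 1); break }
        if (addr ~ /^[0-9A-Fa-f:.]+$/) print addr
      }' \
    | LC_ALL=C sort | uniq -c | sort -nr | head -n "$limit" \
    || true
}

#######################################
# Append "sshd: ADDR" to the deny file unless ADDR is already listed.
# -w -F: fixed-string whole-word match, so 10.0.0.1 is not mistaken for an
# existing 10.0.0.10 (or 110.0.0.1) entry; an existing "ALL: ADDR" line
# also counts as listed.
# Arguments: $1 - address, $2 - deny file (created if missing)
# Returns:   0 if the address was added, 1 if it was already present
#######################################
ban_address() {
  local addr=$1 deny=$2
  if [[ -f "$deny" ]] && grep -qwF -- "$addr" "$deny"; then
    return 1
  fi
  printf 'sshd: %s\n' "$addr" >> "$deny"
}

#######################################
# Entry point: scan the log and ban every source with at least
# MIN_FAILURES failures among the MAX_ENTRIES most frequent ones.
# Arguments: $1 - log file (optional), $2 - deny file (optional)
# Outputs:   a one-line summary on stderr
# Returns:   0; an unreadable log is reported and treated as "nothing to do"
#######################################
main() {
  local log=${1:-$DEFAULT_LOG} deny=${2:-$DEFAULT_DENY}
  local count addr added=0
  if [[ ! -r "$log" ]]; then
    printf 'warning: cannot read %s, nothing to do\n' "$log" >&2
    return 0
  fi
  # Process substitution keeps the loop in this shell so 'added' survives.
  while read -r count addr; do
    (( count >= MIN_FAILURES )) || continue
    if ban_address "$addr" "$deny"; then
      added=$((added + 1))
    fi
  done < <(collect_offenders "$log" "$MAX_ENTRIES")
  printf 'added %d address(es) to %s\n' "$added" "$deny" >&2
}

main "$@"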