本文为sshd被***的自动防御方法的第三版(改进版本),修改脚本,使之能通用,比如ftp的***防御。完整的配置如下:1、配置文件.swatchrc# cat /root/.swatchrc## b
.本文为sshd被***的自动防御方法的第三版(改进版本),修改脚本,使之能通用,比如ftp的***防御。.
..完整的配置如下:..
..1、配置文件.swatchrc..# cat /root/.swatchrc....#
# bad login attempts
watchfor /pam_unix/(sshd:auth/): authentication failure; .+ rhost=([0-9]+/.[0-9]+/.[0-9]+/.[0-9]+)/
#echo magenta
bell 0
exec "/root/swatch-new.sh $1 22"
watchfor /pam_unix/(vsftpd:auth/): authentication failure; .+ rhost=([0-9]+/.[0-9]+/.[0-9]+/.[0-9]+)/
bell 0
exec "/root/swatch-new.sh $1 21"..
..2、处理脚本swatch-new.sh..# cat /root/swatch-new.sh....#!/bin/sh
#***者ip
ip=$1
#***端口
port=$2
#echo $ip >> /root/sshd_blocked_ip_list
sql="/usr/bin/sqlite3 /root/sshd_blocked_ip.db "
blockcmd="/sbin/iptables -I INPUT -s $ip -p tcp --dport $port -j DROP"
unblockcmd=${blockcmd/-I/-D}
blocktime=$($sql "select blocktime from ip where ip='$ip'")
: ${blocktime:=0}
$blockcmd || exit 1
if [ $blocktime -eq 0 ];then
/usr/bin/at "now + 1 hours" <<< "$unblockcmd 2>> /root/at_result.log"
$sql "insert into ip values('$ip',1,1)"
else
((blocktime*=2))
/usr/bin/at "now + $blocktime hours" <<< "$unblockcmd 2>> /root/at_result.log"
$sql "update ip set blocktime=$blocktime,count=count+1 where ip='$ip'"
fi..
..3、启动命令..# /usr/bin/swatch -t /var/log/secure --daemon..
..Note:..至此就完毕了。各个服务共用一个数据库,如果还有其他服务需要做防御,可以再添加相关watchfor配置,但是验证失败的日志需要出现在/var/log/secure中。这是共用一个日志文件的情况,当然了,还可以再启动一个swatch进程。其他用途自己扩展。..
