在工作中,我发现只要开放到公网的主机,都会受到各种攻击的威胁,常见的就是ssh暴力破解,以下是一个python脚本,对/var/log/secure登录日志中的ssh记录进行简单分析,并将一周内多次进行破解试探的ip地址,存入到/etc/hosts.deny中拒绝其连接,代码于centos6.5下测试正常工作。如需定期执行,可以配合crond使用。
-
#!/usr/bin/env python
-
# Hackers try to login in servers by ssh too much times, in /var/log/secure you can find it .The script will add hackers's ip to /etc/hosts.deny last a week
-
#by hank 2015-03-27
-
-
import re
-
from datetime import date
-
-
logfile = r'/var/log/secure'
-
denyfile = r'/etc/hosts.deny'
-
months_31 = ['Jan','Mar','May','Jul','Aug','Oct','Dec']
-
months_30 = ['Apr','Jun','Sep','Nov']
-
month_28or29 = 'Feb'
-
months = {
-
'Jan':1,'Feb':2,'Mar':3,'Apr':4,'May':5,'Jun':6,
-
'Jul':7,'Aug':8,'Sep':9,'Oct':10,'Nov':11,'Dec':12
-
}
-
month_days = {}
-
for mon in months_31:
-
month_days[mon] = 31
-
for mon in months_30:
-
month_days[mon] = 30
-
if date.isocalendar(date.today())[0] % 4 == 0:
-
month_days[month_28or29] = 29
-
else:
-
month_days[month_28or29] = 28
-
-
def search_source():
-
t = date.today()
-
month = t.strftime('%b')
-
day = t.strftime('%d')
-
pat = re.compile('.+sshd.+Failed password.+ (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) .+')
-
lines = []
-
f = open(logfile,'r')
-
for line in f:
-
if line.split()[0] == month and (int(day) - int(line.split()[1])) < 7 and (int(day) - int(line.split()[1])) >= 0:
-
if re.search(pat,line):
-
lines.append(line)
-
elif (months[month] - months[line.split()[0]]) == 1 or (months[month] - months[line.split()[0]]) == -11:
-
if (int(day) + month_days[line.split()[0]] - int(line.split()[1])) < 7 and re.search(pat,line):
-
lines.append(line)
-
return lines
-
-
def count_ips(lines):
-
count = {}
-
if len(lines) == 0:
-
print 'No one use ssh and failed.'
-
raise SystemExit
-
pat = re.compile(' (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) ')
-
for line in lines:
-
ip = re.findall(pat,line)[0]
-
if ip in count:
-
count[ip] += 1
-
else:
-
count[ip] = 1
-
return count
-
-
def deny_ips(count):
-
f = open(denyfile,'w')
-
valve = 50
-
for ip in count:
-
if count[ip] >= valve:
-
word = 'ALL: %s #failed %d times in a week.\n' % (ip,count[ip])
-
f.write(word)
-
f.close()
-
-
def main():
-
lines = search_source()
-
count = count_ips(lines)
-
deny_ips(count)
-
-
if __name__ == '__main__
-
main()
如果使用非root账户,那么得对这两个文件具有读(/var/log/secure)写(/etc/hosts.deny)权限方可进行。
使用方法:
-
#cp /etc/hosts.deny /etc/hosts.deny.bak #备份源文件
-
#vim much_failed_ssh_deny.py #添加代码
-
#chmod +x much_failed_ssh_deny.py #授予执行权限
-
#./much_failed_ssh_deny.py #执行脚本
-
#cat /etc/hosts.deny #查看结果
阅读(5338) | 评论(0) | 转发(0) |