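无限 found that someone was trying to brute-force accounts on his SSH server. I checked my own server as well and found that I was under the same kind of attack. The relevant sshd log entries look like this:

    May 10 23:20:21 localhost sshd[9075]: Invalid user x from x.x.x.x

Clearly x.x.x.x is guessing account names. So I wrote a Ruby script that monitors sshd log entries of this kind and uses iptables to block any IP that enters a wrong username more than ten times in a row.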
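
    #!/usr/bin/ruby
    #
    # Reads sshd log lines from a FIFO and blocks, via iptables, every source
    # IP that produces more than ten "Invalid user" entries.

    require "ipaddr"

    # Classic double-fork daemonization: detach from the terminal, then yield.
    class Daemon
      def Daemon.start
        exit!(0) if fork
        Process::setsid
        exit!(0) if fork
        Dir::chdir("/")
        File::umask(0)
        STDIN.reopen("/dev/null")
        STDOUT.reopen("/dev/null", "w")
        STDERR.reopen("/dev/null", "w")
        yield if block_given?
      end
    end

    # Append a DROP rule for ip to the block_ip chain.
    def block_ip(ip)
      # The value comes from a log line: accept only a single plain IP address
      # and pass it as an argv element, so no shell ever parses it.
      return if ip.include?("/")
      IPAddr.new(ip)
      system("iptables", "-A", "block_ip", "-s", ip, "-j", "DROP")
    rescue IPAddr::Error
      nil
    end

    # Count "Invalid user" lines per source IP and block an IP once it
    # exceeds block_limit. Each IP is blocked only once.
    def block_invalid(filename)
      block_limit = 10

      log_file = File.new(filename)
      ips = Hash.new(0)
      blocked_ips = Hash.new
      log_file.each do |line|
        field = line.split
        # Syslog layout: month day time host sshd[pid]: Invalid user NAME from IP
        if field[5] == "Invalid"
          ip = field[field.length - 1]
          ips[ip] += 1
          if ips[ip] > block_limit and not blocked_ips.key?(ip)
            blocked_ips[ip] = 1
            block_ip(ip)
          end
        end
      end
    end

    # Flush the block_ip chain if it exists, otherwise create it and hook it
    # into INPUT. Redirect with >/dev/null 2>&1: system() runs the command
    # through /bin/sh, which may not support bash's &> shorthand.
    if system("iptables -nvL block_ip >/dev/null 2>&1")
      system("iptables -F block_ip")
    else
      system("iptables -N block_ip")
      system("iptables -I INPUT -j block_ip")
    end

    Daemon.start do
      block_invalid("/var/lib/myips.fifo")
    end
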
In essence, this is a simple LIPS: a log-based intrusion prevention system.
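
The same log-to-firewall decision as an added example (not the original author's code), going slightly beyond the script above: it takes the source address from the end of the sshd line so that text inside the username cannot choose which address gets blocked, accepts the `port N` suffix that current OpenSSH versions append, and never blocks allowlisted networks. `ALLOWLIST`, `source_ip`, `offenders`, `block_command` and the sample log (in which 192.0.2.44 is allowlisted) are assumptions made for this illustration.

```ruby
require "ipaddr"

BLOCK_LIMIT = 10 # same threshold as the script above
# Hypothetical allowlist (assumption): networks that must never be blocked.
ALLOWLIST = [IPAddr.new("127.0.0.0/8"), IPAddr.new("192.0.2.0/24")].freeze

# Anchored at end of line: the captured address is the one sshd appended,
# never text that a client placed inside the username field.
INVALID_USER = /sshd\[\d+\]: Invalid user .* from (\S+)(?: port \d+)?\s*\z/

# Source address of an "Invalid user" line as an IPAddr, or nil.
def source_ip(line)
  token = line[INVALID_USER, 1]
  return nil if token.nil? || token.include?("/") # no match, or a CIDR mask
  addr = IPAddr.new(token)
  addr.ipv4? ? addr : nil # iptables handles IPv4 only
rescue IPAddr::Error
  nil # hostname or garbage: nothing safe to block
end

# Addresses with more than `limit` failures, each listed once, in the order
# they crossed the limit. Allowlisted sources are never counted.
def offenders(lines, limit: BLOCK_LIMIT, allowlist: ALLOWLIST)
  counts = Hash.new(0)
  blocked = []
  lines.each do |line|
    ip = source_ip(line)
    next if ip.nil? || allowlist.any? { |net| net.include?(ip) }
    counts[ip.to_s] += 1
    blocked << ip.to_s if counts[ip.to_s] == limit + 1
  end
  blocked
end

# argv form for system(*argv): no shell ever parses a value taken from a log.
def block_command(ip)
  ["iptables", "-A", "block_ip", "-s", ip, "-j", "DROP"]
end

# Constructed sample log (documentation address ranges, not real traffic).
PREFIX = "May 10 23:20:21 localhost sshd[9075]: ".freeze
SAMPLE = (
  Array.new(11) { |i| "#{PREFIX}Invalid user u#{i} from 203.0.113.5" } +
  Array.new(11) { "#{PREFIX}Invalid user a from 192.0.2.7 from 198.51.100.9 port 4242" } +
  Array.new(11) { "#{PREFIX}Invalid user root from 192.0.2.44 port 22" } +
  ["#{PREFIX}Accepted password for bob from 203.0.113.77 port 22 ssh2"]
).freeze

# Print the rules that would be added; nothing is executed here.
offenders(SAMPLE).each { |ip| puts block_command(ip).join(" ") }
```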