我的解决办法是使用swatch和iptables结合.
到网上找一找swatch有很多相关文章.
注意,安装swatch时需要很多类如
Time::HiRes
Date::Calc
Date::Format
File::Tail
Date::Parse
之类的东东,
这些都是Perl的可选模块,请用以下方法安装(有些模块在yum里面找不到)
perl -MCPAN -e "shell"
install Some::Module
这些必要的模块安装好了以后再到
rpm.phone.net上找与你的OS对应的swatch安装程序(RPM格式)
安装时加-nodeps参数,
安装好以后再进行设置,设置中发现有人恶意登陆还可以给自己发邮件呢.
我现在的设置是当用户通过ssh登陆一次不成功就立即添加到防火墙,所以以后自己登陆时要小心.!
以下是我的设置:
代码:
# Global swatch filter file
# To ignore a IP-range
# ignore /216\.239\.37\./
# Invalid SSH Login Attempts
watchfor /(: [iI]nvalid [uU]ser )(.*)( from ::ffff:)(.*)$/
throttle threshold=3,delay=0:1:0,key=$4
mail addresses=xxx\@vip.sina.com,subject="SSH:\ Invalid\ User\ Rule1\ $4"
exec "/sbin/iptables -A swatch_rejects -s $4 -j DROP"
# Failed SSH Login Attempts
watchfor /(: [fF]ailed password for )(.*)( from ::ffff:)(.*)( port )(.*)$/
throttle threshold=3,delay=0:1:0,key=$4
mail addresses=xxxx\@vip.sina.com,subject="SSH:\ Invalid\ User\ Rule2\ $4"
exec "/sbin/iptables -A swatch_rejects -s $4 -j DROP"
# Invalid SSH Login Attempts. Another one - just formed differently
# watchfor /([aA]uthentication [fF]ailure; logname)(.*)(rhost=)(\d+\.\d+\.\d+\.\d+)(.*)$/
# throttle threshold=3,delay=0:1:0,key=$4
# mail addresses=xxxx\@vip.sina.com,subject="SSH:\ Invalid\ User\ Rule3\ $4"
# exec "/sbin/iptables -A swatch_rejects -s $4 -j DROP"
然后在/etc/rc.d/rc.sysinit中添加
# /usr/bin/swatch --tail-file=/var/log/messages
--tail-args='--follow=name --lines=1'
--config-file=/etc/swatch/ssh-swatch.conf
--pid-file=/var/run/swatch.pid --daemon
或者使用下面的服务启动:
代码:
#!/bin/bash
#
# swatch This shell script enables the automatic use of YUM
#
# Author: Seth Vidal
#
# chkconfig: 2345 11 91
#
# description: Enable daily run of yum, a program updater.
# processname: swatch
# config: /etc/swatch/ssh-swatch.conf
pid=`/bin/ps -e -o cmd,pid | /bin/grep ^swatch | /bin/awk '{print $2}'`
case "$1" in
'start')
# start the swatch process
if [ "$pid" != "" ];
then
echo 'Swatch System is already initialized.'
exit 0
fi
if [ -f /usr/bin/swatch -a -f /etc/swatch/ssh-swatch.conf ];
then /usr/bin/swatch --config-file=/etc/swatch/ssh-swatch.conf --tail-file=/var/log/messages --tail-args='--follow=name --lines=1' --pid-file=/var/run/swatch.pid --daemon &
exit
fi
echo 'Swatch System startup complete.' ;;
'stop')
#stop all swatch processes
if [ "$pid" != "" ];
then kill -TERM $pid
##/usr/bin/killall tail
echo 'Swatch System shutdown complete.'
else
echo 'No Swatch System initialized.'
fi ;;
*)
echo "Usage: /etc/init.d/swatch { start | stop }" ;;
esac
你就大功告成啦............................
参考网址:
另外,还可以给自己发邮件的还有一个地方
/etc/log.d/logwatch.conf中的Mailto:
改成自己的外网邮箱,就可以每天收到系统日志,不用登陆服务器也可以掌握服务器的运行情况啦.
我的机器还运行了jboss,在$JBOSS_HOME/server/all/conf/log4j.xml中更改以下参数
当JBOSS有错误时也会给自己发邮件啦.
另外在这里发个广告:
我的服务器提供虚拟主机服务,想要服务器空间的请联系,服务器情况如下:
位置:北京
操作系统CentOS4.3
运行apache+jboss4.0.3+ejb3+jsf+mysql4
不考虑运行其他任何框架及技术,合作者的应用必需是成熟的,无错的.
合作的前一个月如果出现10次错误则中止使用.
可能有不合理之处,有意者请与我联系:
阅读(1114) | 评论(0) | 转发(0) |
