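#!/bin/bash
# last modified: fix.05.31.05 (reviewed; see NOTE(review) comments below)
# Purpose: mitigate SSH brute-force attempts against the root account.
# Method:  scan $syslog for "Failed password ... root" lines stamped in the
#          current ten-minute window; for every distinct source IP found,
#          insert an iptables rule into INPUT unless one is already there.
#          Each run writes pass.log / fail.log / common.log under $path and
#          mails common.log to $mailto.  Meant to be run from cron, as root.
#
# NOTE(review): the rule inserted per attacker ($rulespec) is
#   -p icmp --icmp-type 8 -j ACCEPT
# i.e. it ACCEPTS ping from the attacker and blocks nothing (the "pass"
# branch likewise opens OUTPUT for ping).  This reads as test scaffolding
# kept from development; to actually block, use e.g.
#   rulespec=(-p tcp --dport 22 -j DROP)   and   ruleexistchar="dpt:22"
# The option was also rendered with a typographic dash ("–icmp-type"), which
# iptables rejects; it is "--icmp-type" here.
# Window caveat: the window is "Mon dd HH:M" (one ten-minute bucket), so a run
# at HH:x0 sees only the current minute, and an attacker slower than one
# attempt per run is never seen.  Nothing is ever un-blocked.

set -u

syslog=/var/log/secure           # sshd log, syslog format: "Mon dd HH:MM:SS host sshd[pid]: Failed password for root from A.B.C.D port N ssh2" (assumed; verify against the box).
path=/etc/ips/                   # directory for the output files; keep the trailing /.
mailto=cross@mail.chiahui.com    # recipient of the per-run summary.

passlog=pass.log                 # output files written under $path.
faillog=fail.log
commonlog=common.log

checkchar="Failed password.*root"   # grep pattern selecting the failed logins to act on (root only).

# Rule appended after "-s <ip>" for each offending address (see NOTE(review)).
rulespec=(-p icmp --icmp-type 8 -j ACCEPT)
# Pattern identifying that rule in "iptables -L -n" output.  -n renders
# --icmp-type 8 as "icmptype 8" (older releases: "icmp type 8"); the
# non-numeric "icmp echo-request" is NOT used because -L without -n
# reverse-resolves every source address: slow, and the attacker controls
# the PTR record, so the source column would no longer equal the IP and
# the rule would be re-added on every run.
ruleexistchar="icmp *type 8"

# Time window.  syslog pads a single-digit day with a space ("May  8"), so
# the prefix is built with %e, not with awk over `date` output (awk collapses
# the padding, so days 1-9 never matched).  LC_ALL=C keeps %b in English.
nowmonday=$(LC_ALL=C date '+%b %e')
nowhrmin=$(date '+%H:%M')
nowhr=$(date '+%H')
nowmin=$(date '+%M')
nowminfirstchar=${nowmin:0:1}
nowmondayhr="$nowmonday $nowhr"
nowmondayhrmin="$nowmonday $nowhrmin"
nowmondayhrminfirstchar="$nowmonday $nowhr:$nowminfirstchar"   # e.g. "May 28 21:5" = 21:50-21:59

if (( EUID != 0 )); then
  printf '%s: must run as root (iptables)\n' "$0" >&2
  exit 1
fi
mkdir -p -- "$path"

# Failed root logins in the window (lines start with the timestamp, so anchor).
failed=$(grep -- "^$nowmondayhrminfirstchar" "$syslog" | grep -- "$checkchar")
failcount=$(grep -c . <<<"$failed")

# Source addresses.  The greedy ".*from" takes the LAST "from" on the line:
# the username logged before it is attacker-chosen ("invalid user NAME from
# ...") and could itself contain "from x.x.x.x"; it also shifts the field
# positions the original "$11" parse relied on, which then yielded "root"
# instead of an address.  An IPv4-mapped "::ffff:" prefix is stripped and
# anything that is not a dotted quad is discarded rather than handed to
# "iptables -s" (which would try to resolve it as a hostname).
ip=$(printf '%s\n' "$failed" \
  | sed -n 's/.*from \([^ ]*\).*/\1/p' \
  | sed 's/^.*://' \
  | grep -Ex -- '([0-9]{1,3}\.){3}[0-9]{1,3}' \
  | sort -u)

# Rules already present; the source column is $4 of "iptables -L -n".
ruleexist=$(iptables -L INPUT -n | grep -- "$ruleexistchar")
ruleexistip=$(awk '{print $4}' <<<"$ruleexist")

# Write the run summary to $path$commonlog.
# Arguments: $1 - verdict line, "drop" or "pass".
# Globals:   reads the now* variables, failed, ip, failcount, ruleexist.
write_common() {
  {
    printf '%s\n' "$1"
    printf 'nowmonday        . %s\n' "$nowmonday"
    printf 'nowhrmin         . %s\n' "$nowhrmin"
    printf 'nowhr            . %s\n' "$nowhr"
    printf 'nowmin           . %s\n' "$nowmin"
    printf 'nowmondayhr      . %s\n' "$nowmondayhr"
    printf 'nowmondayhrmin   . %s\n' "$nowmondayhrmin"
    printf 'nowmondayhrminfirstchar . %s\n' "$nowmondayhrminfirstchar"
    printf 'failed           . %s\n' "$failed"
    printf 'ip               . %s\n' "$ip"
    printf 'failcount        . %s\n' "$failcount"
    printf 'ruleexist        . %s\n' "$ruleexist"
  } > "$path$commonlog"
}

if (( failcount > 0 )); then
  echo "drop"
  # $ip is one validated dotted quad per line, so word-splitting is safe here.
  for x in $ip; do
    # Per-address membership test.  The original compared $x with the whole
    # multi-line list (only correct while exactly one rule existed) and
    # skipped the loop entirely whenever the two counts happened to match.
    if grep -Fqx -- "$x" <<<"$ruleexistip"; then
      continue
    fi
    iptables -I INPUT -s "$x" "${rulespec[@]}" \
      || printf 'iptables -I INPUT -s %s failed\n' "$x" >&2
  done
  {
    echo "drop"
    echo "failcount . $failcount"
    printf '%s\n' "$failed"
  } > "$path$faillog"
  echo " " > "$path$passlog"
  write_common drop
  mail -s "drop" "$mailto" < "$path$commonlog"
else
  # Test scaffolding: allow this host to send ping.  Kept literal (not tied
  # to $rulespec) and added only once; the original re-inserted it on every
  # quiet run and grew the OUTPUT chain without bound.
  iptables -L OUTPUT -n | grep -q -- 'icmp *type 8' \
    || iptables -I OUTPUT -p icmp --icmp-type 8 -j ACCEPT
  echo "pass"
  echo "pass" > "$path$passlog"
  echo " " > "$path$faillog"
  write_common pass
  mail -s "pass" "$mailto" < "$path$commonlog"
fi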
