
Linux-----Ubuntu: automatically blacklisting IPs with repeated SSH login failures using a shell script

Date: 2021-05-29 23:41:16


Part 1: Login-related files

The three login log files on Ubuntu:

1: /var/run/utmp: records the users currently logged in to the system; by default who and w read the currently logged-in users from it, and uptime reads the system boot time from it;

2: /var/log/wtmp: records current and historical logins to the system; viewed by default with the last command;

3: /var/log/btmp: records failed login attempts; viewed by default with the lastb command.

To view the failed login records on Ubuntu, all you need is

sudo lastb
# or, to show only the latest 30 entries:
sudo lastb -n 30

Part 2: Viewing the failed login records

I bought this server and never really used it; it has been sitting idle and unmanaged. Although I changed the SSH port and disabled root login over SSH, anyone who is not lazy can find the port easily with a port scanner. Sure enough, someone found it, and they are now trying to brute-force the login by running through a dictionary (they have already worked their way from a to m).

ubuntu@VM-20-6-ubuntu:~$ sudo lastb -n 20
maven    ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
maven    ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
maxiao   ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
maxiao   ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
maundy   ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
max      ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mawenche ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maundy   ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
max      ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
max      ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mawenche ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mawenche ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
max      ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mawenche ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maven    ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mauricio ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)

Listing the failed records and counting them per source IP shows that the worst offender has already made more than 30,000 brute-force login attempts. None of them succeeded, but it is as annoying as a fly, so I want a script that adds IPs with repeated failed login attempts to a blacklist.

ubuntu@VM-20-6-ubuntu:~$ sudo lastb |awk '{print $3}'|sort |uniq -c
      1 
      4 119.165.181.251
      4 121.129.214.70
  30573 138.68.86.65
      4 151.50.58.55
      1 151.84.178.182
  30702 159.65.220.140
     54 177.249.47.101
      7 185.245.41.97
  15331 211.246.175.6
      4 24.218.231.49
      4 24.224.178.87
     59 47.102.111.161
      4 82.66.84.2
      4 83.195.190.187
      4 83.228.156.118
    103 83.250.30.182
      4 88.157.49.186
      8 98.40.14.28
      1 Sat
      1 Sun
      1 Wed

Part 3: Writing the script that blocks IPs with failed SSH logins

This command returns the IPs with more than 4 failed logins, i.e. the list of IPs that need to go on the blacklist.

sudo lastb |awk '{print $3}'|sort |uniq -c|awk '{if ($1 > 4) print $2}'

The output looks like this:

ubuntu@VM-20-6-ubuntu:~$ sudo lastb |awk '{print $3}'|sort |uniq -c|awk '{if ($1 > 4) print $2}'
138.68.86.65
159.65.220.140
177.249.47.101
185.245.41.97
211.246.175.6
47.102.111.161
83.250.30.182
98.40.14.28

Now for the script. The blacklist file is /etc/hosts.deny; on Ubuntu an entry only takes effect when it is added in the form ALL: IP.

#!/bin/bash
#set -x
# IPs with more than 4 failed logins recorded in /var/log/btmp
list=$(sudo lastb | awk '{print $3}' | sort | uniq -c | awk '{if ($1 > 4) print $2}')
for ip in ${list}
do
    # field 3 is only an address for remote logins; skip weekday names and the like
    [[ ${ip} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || continue
    # add to the blacklist, unless it is already listed
    grep -qxF "ALL: ${ip}" /etc/hosts.deny || echo "ALL: ${ip}" >> /etc/hosts.deny
done
# clear the failure records so the next run does not count the same IPs again;
# btmp is a binary file, so truncate it instead of echoing a newline into it
: > /var/log/btmp
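The detection logic of the script above, as an added example that is mine and not the post's script: the same lastb field-3 count with a greater-than-4 threshold, written as shell functions over constructed lastb-style text and a temporary deny file, so it can be exercised without touching /var/log/btmp or /etc/hosts.deny. It also covers two cases the one-line pipeline does not: field 3 is only counted when it is an IPv4 address (the weekday names in the uniq -c output above come from local tty entries and the "btmp begins" line), and an IP already present in the deny file is not appended again. SAMPLE_LASTB, offenders, blacklist and demo are names I chose; the IPs and user names in the sample are made up.

```shell
# Added example (not the original post's script): the post's "count failed SSH
# logins per IP, blacklist the noisy ones" logic as testable shell functions.
# Constructed lastb output: 192.0.2.77 fails 5 times, 203.0.113.10 5 times,
# 198.51.100.7 only 4; the tty1 line and "btmp begins" line have no IP in $3.
SAMPLE_LASTB='maven    ssh:notty    192.0.2.77       Tue Nov 23 12:58 - 12:58  (00:00)
maven    ssh:notty    192.0.2.77       Tue Nov 23 12:58 - 12:58  (00:00)
maxiao   ssh:notty    192.0.2.77       Tue Nov 23 12:58 - 12:58  (00:00)
max      ssh:notty    192.0.2.77       Tue Nov 23 12:57 - 12:57  (00:00)
max      ssh:notty    192.0.2.77       Tue Nov 23 12:57 - 12:57  (00:00)
pi       ssh:notty    203.0.113.10     Tue Nov 23 12:50 - 12:50  (00:00)
pi       ssh:notty    203.0.113.10     Tue Nov 23 12:50 - 12:50  (00:00)
admin    ssh:notty    203.0.113.10     Tue Nov 23 12:49 - 12:49  (00:00)
admin    ssh:notty    203.0.113.10     Tue Nov 23 12:49 - 12:49  (00:00)
test     ssh:notty    203.0.113.10     Tue Nov 23 12:49 - 12:49  (00:00)
ubuntu   ssh:notty    198.51.100.7     Tue Nov 23 11:02 - 11:02  (00:00)
ubuntu   ssh:notty    198.51.100.7     Tue Nov 23 11:02 - 11:02  (00:00)
ubuntu   ssh:notty    198.51.100.7     Tue Nov 23 11:01 - 11:01  (00:00)
ubuntu   ssh:notty    198.51.100.7     Tue Nov 23 11:01 - 11:01  (00:00)
root     tty1                          Sat Nov 20 09:01 - 09:01  (00:00)

btmp begins Mon Nov  1 00:00:00 2021'

# Read lastb text on stdin and print "count ip" for sources with more than $1
# failures. Only a field 3 that looks like IPv4 is counted, which drops the
# weekday names that local tty failures and the "btmp begins" line put there.
offenders() {
    awk -v t="$1" '
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n[$3]++ }
        END { for (ip in n) if (n[ip] > t) print n[ip], ip }' | sort -k2,2
}

# Append "ALL: <ip>" to the hosts.deny-style file $1 for each IP on stdin,
# skipping IPs already listed so repeated cron runs stay idempotent.
blacklist() {
    while read -r ip; do
        grep -qxF "ALL: $ip" "$1" || echo "ALL: $ip" >> "$1"
    done
}

# Run the pipeline on the sample against a temporary deny file that already
# lists 192.0.2.77, then print the resulting file.
demo() {
    deny=$(mktemp)
    echo 'ALL: 192.0.2.77' > "$deny"
    printf '%s\n' "$SAMPLE_LASTB" | offenders 4 | awk '{print $2}' | blacklist "$deny"
    cat "$deny"
    rm -f "$deny"
}
```

To use it against a live system, replace the sample with `sudo lastb` and the temporary file with /etc/hosts.deny, as in the post's script.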

Part 4: Scheduling the script with cron

crontab -e
# run the script once every hour
0 * * * * sudo bash /home/ubuntu/ssh_deny.sh

Done. There is nothing much on this server anyway, so as a test I changed the SSH port back to the default 22 and went "fishing"; in a few hours I will check whether the /etc/hosts.deny blacklist has gained any IPs.

Update the next day:

After a night of fishing, the results are good.

ubuntu@VM-20-6-ubuntu:~$ cat /etc/hosts.deny
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: some.host.name, .some.domain
#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
ALL: 138.68.86.65
ALL: 159.65.220.140
ALL: 177.249.47.101
ALL: 185.245.41.97
ALL: 211.246.175.6
ALL: 47.102.111.161
ALL: 83.250.30.182
ALL: 98.40.14.28
ALL: 220.129.62.150
ALL: 24.245.227.211
ubuntu@VM-20-6-ubuntu:~$

And only a handful of failed login records remain.

ubuntu@VM-20-6-ubuntu:~$ sudo lastb
pi       ssh:notty    122.199.7.19     Wed Nov 24 05:39 - 05:39  (00:00)
pi       ssh:notty    122.199.7.19     Wed Nov 24 05:39 - 05:39  (00:00)
pi       ssh:notty    122.199.7.19     Wed Nov 24 05:39 - 05:39  (00:00)
pi       ssh:notty    122.199.7.19     Wed Nov 24 05:39 - 05:39  (00:00)

btmp begins Thu Jul 26 22:17:36 1917
ubuntu@VM-20-6-ubuntu:~$
