實現方法:
對/var/log/secure日誌文件解析,統計每十分鐘登錄超過10次的ip地址,並使用iptables對該IP地址進行攔截,並記錄到日誌。實現腳本如下:
file:/usr/local/bin/blacklist.sh
#!/usr/bin/bash
source ~/.bash_profile
source /etc/profile #引入環境變量,否則crontab執行結果會不正確
list=$(cat /var/log/secure | grep failure | awk ‘{print $14}’ | cut -d = -f 2 | grep -v ssh | sort -r | uniq -c | sort -k 1 -nr | awk ‘{if($1>10) print $2}’)
a=0
for i in (iptables -L -n -v | grep b" ];then
a=1;
iptables -I INPUT -s (date)add ip: $i into blacklist">>/var/log/blacklist.log;
fi
done;
if [ (date) not anyint attack source!">>/var/log/blacklist.log;
fi
配置定時器:
crontab -e
*/10 * * * * bash /usr/local/bin/blacklist.sh