实现方法:
对/var/log/secure日志文件解析,统计每十分钟登录超过10次的ip地址,并使用iptables对该IP地址进行拦截,并记录到日志。实现脚本如下:
file:/usr/local/bin/blacklist.sh
#!/usr/bin/bash
source ~/.bash_profile
source /etc/profile #引入环境变量,否则crontab执行结果会不正确
list=$(cat /var/log/secure | grep failure | awk ‘{print $14}’ | cut -d = -f 2 | grep -v ssh | sort -r | uniq -c | sort -k 1 -nr | awk ‘{if($1>10) print $2}’)
a=0
for i in (iptables -L -n -v | grep b" ];then
a=1;
iptables -I INPUT -s (date)add ip: $i into blacklist">>/var/log/blacklist.log;
fi
done;
if [ (date) not anyint attack source!">>/var/log/blacklist.log;
fi
配置定时器:
crontab -e
*/10 * * * * bash /usr/local/bin/blacklist.sh