
How to protect ssh and vsftpd against brute-force cracking with a shell script

2025-01-19 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/03

This article explains how to use a shell script to protect ssh and vsftpd against brute-force password guessing. The method introduced here is simple, fast and practical.

The requirements of the script are as follows: the shell script is run as a crontab scheduled task. Every 6 hours (adjust this interval to your situation), it reads the /var/log/secure log and extracts the IPs that are guessing passwords. If the number of connections from an IP per unit time (a week) is higher than a threshold, for example 100 (this threshold can also be adjusted to your situation), the IP is added to the /etc/hosts.deny blacklist; if it is lower than the threshold, the IP is ignored.

The authentication failure entries in /var/log/secure look like this:

Nov 28 10:18:08 centos2 sshd[7556]: Connection closed by 222.216.30.109
Nov 28 10:18:08 centos2 sshd[7557]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109 user=root
Nov 28 10:18:09 centos2 sshd[7559]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109 user=root
Nov 28 10:18:10 centos2 sshd[7551]: Failed password for root from 222.216.30.109 port 2391 ssh3
Nov 28 10:18:10 centos2 sshd[7552]: Connection closed by 222.216.30.109
Nov 28 10:18:10 centos2 sshd[7553]: Failed password for root from 222.216.30.109 port 2397 ssh3
Nov 28 10:18:10 centos2 sshd[7554]: Connection closed by 222.216.30.109
Nov 28 10:18:11 centos2 sshd[7557]: Failed password for root from 222.216.30.109 port 2401 ssh3
Nov 28 10:18:11 centos2 sshd[7558]: Connection closed by 222.216.30.109
Nov 28 10:18:11 centos2 sshd[7559]: Failed password for root from 222.216.30.109 port 2403 ssh3
Nov 28 10:18:11 centos2 sshd[7560]: Connection closed by 222.216.30.109
Nov 28 10:37:01 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:37:01 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=hello rhost=centos1.cn7788.com
Nov 28 10:37:01 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user hello
Nov 28 10:37:19 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:37:19 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yhc rhost=centos1.cn7788.com
Nov 28 10:37:19 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user yhc
Nov 28 10:37:36 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:37:36 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yuhongchun rhost=centos1.cn7788.com
Nov 28 10:37:36 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user yuhongchun
Nov 28 10:42:44 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:42:44 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yuhongchun rhost=114.112.169.70
Nov 28 10:42:44 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user yuhongchun
Nov 28 10:42:56 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:42:56 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=andrewyu rhost=114.112.169.70
Nov 28 10:42:56 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user andrewyu

Let's take a look at how the /var/log/secure file is rotated:

[root@centos2 log]# ls -lsart secure.*
512 -rw- 1 root root 516379 11-04 01:31 secure.4
60 -rw- 1 root root 668192 11-11 00:05 secure.3
304 -rw- 1 root root 306589 11-17 10:33 secure.2
484 -rw- 1 root root 488620 11-25 02:33 secure.1

Basically, the secure file is rotated weekly. Readers with strict security requirements can also pull the malicious IPs out of the old secure files, on the principle of letting none slip through, so we need a way to capture these malicious IPs efficiently. Following the original version of the shell script, to grab the IP addresses that probe the vsftpd and sshd services in the secure log, we can use the following command:

cat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $2"="$1;}'

Obviously, this command cannot capture the IPs of vsftpd failures, because the failure messages in the sshd log are different from those in the vsftpd log. I wrote several versions mixing sed with awk and tested their efficiency. I feel that the awk script is the fastest; you can also write several versions and test them with the time command. Finally, we simplify the code and complete the entire script. The content of the script is as follows:

The code is as follows:

#!/bin/bash
# Denyhosts For vsftpd and sshd
# 2012-12-28
awk '{for
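The script text on this page breaks off after its first awk line. As an added example (not the author's script), here is one way to meet the requirements stated above: count sshd and vsftpd failures per source across the given secure files and append sources over the threshold to a deny file. The function names, the dotted-name check and the sample log lines are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not the article's script. Constructed sample data only.

# count_failures LOGFILE...  ->  "source=count" lines, sorted.
# The daemon is matched on field 5 and the sshd address is read relative to the
# end of the line, so text inside an sshd user name cannot shift it.
count_failures() {
    awk '
    # Accept dotted addresses/names only: rejects hosts.deny wildcards such as ALL.
    function ok(s) { return s ~ /^[A-Za-z0-9][A-Za-z0-9-]*(\.[A-Za-z0-9-]+)+$/ }
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" &&
      $(NF-4) == "from" && $(NF-2) == "port" { if (ok($(NF-3))) n[$(NF-3)]++ }
    $5 ~ /^vsftpd(\[[0-9]+\])?:$/ && /authentication failure;/ {
        for (i = 7; i <= NF; i++)
            if ($i ~ /^rhost=/) { h = substr($i, 7); if (ok(h)) n[h]++; break }
    }
    END { for (s in n) print s "=" n[s] }' "$@" | sort
}

# block_offenders THRESHOLD DENYFILE LOGFILE...
# Appends "sshd,vsftpd: SOURCE" for each source with more than THRESHOLD
# failures that is not already listed, and prints each source it added.
block_offenders() {
    threshold=$1; deny=$2; shift 2
    count_failures "$@" | while IFS='=' read -r src count; do
        [ "$count" -gt "$threshold" ] || continue
        grep -qxF "sshd,vsftpd: $src" "$deny" 2>/dev/null && continue
        echo "sshd,vsftpd: $src" >> "$deny"
        echo "$src"
    done
}

# Constructed sample log (documentation addresses), same format as the excerpt.
sample_log() {
    for i in 1 2 3; do
        echo "Nov 28 10:18:1$i host1 sshd[100$i]: Failed password for root from 192.0.2.10 port 239$i ssh2"
        echo "Nov 28 10:37:0$i host1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=u$i rhost=client.example.com"
    done
    # A user name that itself contains "from ADDRESS port N":
    echo "Nov 28 10:19:00 host1 sshd[2000]: Failed password for invalid user from 203.0.113.9 port 1 x from 198.51.100.7 port 4000 ssh2"
    # A wildcard where a host name is expected:
    echo "Nov 28 10:20:00 host1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=a rhost=ALL"
}

# Demo: "sh script demo". A cron job would pass /var/log/secure* and /etc/hosts.deny.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d); sample_log > "$tmp/secure"
    block_offenders 2 "$tmp/hosts.deny" "$tmp/secure"; cat "$tmp/hosts.deny"
fi
```

/etc/hosts.deny only affects daemons that use TCP wrappers: vsftpd needs tcp_wrappers=YES, and OpenSSH dropped built-in support in release 6.7. Entries in /etc/hosts.allow take precedence over hosts.deny, so trusted management addresses can be listed there, since names in these log lines are supplied by the remote client.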
