Shulou (Shulou.com), SLTechnology News&Howtos > Development, 06/03 report; updated 2025-01-19
This article explains how to use a shell script to stop sshd and vsftpd from being brute-forced. Interested readers may want to have a look: the method is simple, fast and practical.
The requirements for the script are as follows. The shell script runs as a crontab scheduled task. Every 6 hours (set this interval according to your actual situation) it reads /var/log/secure and extracts the IP addresses that are making malicious password guesses. If an IP's number of failed connections per unit time (one week) is higher than a threshold, for example 100 (this threshold can also be set according to your actual situation), the IP is added to the /etc/hosts.deny blacklist; if it is below the threshold, the IP is ignored.
The authentication failure entries in /var/log/secure look like this:
Nov 28 10:18:08 centos2 sshd[7556]: Connection closed by 222.216.30.109
Nov 28 10:18:08 centos2 sshd[7557]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109 user=root
Nov 28 10:18:09 centos2 sshd[7559]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109 user=root
Nov 28 10:18:10 centos2 sshd[7551]: Failed password for root from 222.216.30.109 port 2391 ssh3
Nov 28 10:18:10 centos2 sshd[7552]: Connection closed by 222.216.30.109
Nov 28 10:18:10 centos2 sshd[7553]: Failed password for root from 222.216.30.109 port 2397 ssh3
Nov 28 10:18:10 centos2 sshd[7554]: Connection closed by 222.216.30.109
Nov 28 10:18:11 centos2 sshd[7557]: Failed password for root from 222.216.30.109 port 2401 ssh3
Nov 28 10:18:11 centos2 sshd[7558]: Connection closed by 222.216.30.109
Nov 28 10:18:11 centos2 sshd[7559]: Failed password for root from 222.216.30.109 port 2403 ssh3
Nov 28 10:18:11 centos2 sshd[7560]: Connection closed by 222.216.30.109
Nov 28 10:37:01 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:37:01 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=hello rhost=centos1.cn7788.com
Nov 28 10:37:01 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user hello
Nov 28 10:37:19 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:37:19 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yhc rhost=centos1.cn7788.com
Nov 28 10:37:19 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user yhc
Nov 28 10:37:36 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:37:36 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yuhongchun rhost=centos1.cn7788.com
Nov 28 10:37:36 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user yuhongchun
Nov 28 10:42:44 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:42:44 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yuhongchun rhost=114.112.169.70
Nov 28 10:42:44 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user yuhongchun
Nov 28 10:42:56 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:42:56 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=andrewyu rhost=114.112.169.70
Nov 28 10:42:56 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user andrewyu
Now let's look at how the /var/log/secure file is rotated:
[root@centos2 log]# ls -lsart secure.*
512 -rw------- 1 root root 516379 11-04 01:31 secure.4
 60 -rw------- 1 root root 668192 11-11 00:05 secure.3
304 -rw------- 1 root root 306589 11-17 10:33 secure.2
484 -rw------- 1 root root 488620 11-25 02:33 secure.1
Basically, the secure file is rotated on a weekly cycle. Readers with strict security requirements who want to catch every malicious IP, in the spirit of "let none slip through", can also scan the older rotated secure files, and for that we need an efficient way to pull those IPs out. Following the original version of the shell script, the command below extracts from the secure log the IP addresses that probed the vsftpd and sshd services:
cat /var/log/secure | awk '/Failed/ {print $(NF-3)}' | sort | uniq -c | awk '{print $2 "=" $1;}'
Obviously this cannot pick up the IPs behind vsftpd failures: the sshd failure entries ("Failed password for ... from IP") are formatted differently from the vsftpd ones ("authentication failure; ... rhost=IP"), and the vsftpd lines contain no "Failed" keyword at all. I wrote several variants mixing sed with awk and compared their speed, and a pure awk script turned out fastest; you can also write a few of your own and compare them with the time command. Finally, after simplifying the code, the complete script is as follows:
#!/bin/bash
# Denyhosts For vsftpd and sshd
# 2012-12-28
awk '{for
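The article's own script is cut off above, so here is an added example (written for this page, not the author's script) that implements the requirements as described: one awk pass that understands both the sshd "Failed password for ... from HOST" entries and the vsftpd "pam_unix(vsftpd:auth): authentication failure; ... rhost=HOST" entries, a per-host count against a threshold (100 by default, as in the article), and an idempotent append to a hosts.deny file so a cron run every 6 hours does not add duplicate lines. The log lines it builds for the demo are constructed, using documentation IP ranges; the "sshd,vsftpd:" daemon list in the deny entries and the script name in the comments are this example's choices.

```shell
#!/bin/sh
# Added example (not the article's own script): count authentication
# failures per source host in a /var/log/secure-style log, covering both
# the sshd and the vsftpd entry formats, and append hosts that reach a
# threshold to a hosts.deny file. The sample log lines are constructed.

THRESHOLD="${THRESHOLD:-100}"   # failed attempts per host, as in the article

# extract_failed_hosts LOGFILE
# Prints one source host per failed attempt. sshd lines look like
#   "sshd[PID]: Failed password for USER from HOST port N ssh2"
# and vsftpd lines (logged through PAM) like
#   "vsftpd: pam_unix(vsftpd:auth): authentication failure; ... rhost=HOST"
extract_failed_hosts() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { print $(i + 1); break }
        }
        /vsftpd: pam_unix\(vsftpd:auth\): authentication failure/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^rhost=./) { sub(/^rhost=/, "", $i); print $i; break }
        }
    ' "$1"
}

# count_offenders LOGFILE THRESHOLD
# Prints "HOST COUNT" for each host with at least THRESHOLD failures, busiest first.
count_offenders() {
    extract_failed_hosts "$1" | sort | uniq -c |
        awk -v t="$2" '$1 >= t { print $2, $1 }' | sort -k2,2nr -k1,1
}

# update_hosts_deny LOGFILE THRESHOLD DENYFILE
# Appends a "sshd,vsftpd: HOST" entry for each offender not already present,
# so repeated cron runs never duplicate entries.
update_hosts_deny() {
    touch "$3"
    count_offenders "$1" "$2" | while read -r host count; do
        entry="sshd,vsftpd: $host"
        grep -qxF "$entry" "$3" || printf '%s\n' "$entry" >> "$3"
    done
}

# make_sample_log: writes a constructed log to a temp file and prints its path.
# 5 sshd failures from 198.51.100.7, 3 vsftpd failures from 203.0.113.9,
# 1 vsftpd failure whose rhost is a hostname, plus non-failure noise lines.
make_sample_log() {
    f=$(mktemp)
    i=0
    while [ "$i" -lt 5 ]; do
        printf 'Nov 28 10:18:1%s centos2 sshd[755%s]: Failed password for root from 198.51.100.7 port 239%s ssh2\n' "$i" "$i" "$i" >> "$f"
        printf 'Nov 28 10:18:1%s centos2 sshd[755%s]: Connection closed by 198.51.100.7\n' "$i" "$i" >> "$f"
        i=$((i + 1))
    done
    j=0
    while [ "$j" -lt 3 ]; do
        printf 'Nov 28 10:42:4%s centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown\n' "$j" >> "$f"
        printf 'Nov 28 10:42:4%s centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=203.0.113.9\n' "$j" >> "$f"
        j=$((j + 1))
    done
    printf 'Nov 28 10:37:01 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=hello rhost=ftpclient.example.net\n' >> "$f"
    printf '%s\n' "$f"
}

main() {
    log=$(make_sample_log); deny=$(mktemp)
    echo "hosts with >= $THRESHOLD failures:"
    count_offenders "$log" "$THRESHOLD"
    update_hosts_deny "$log" "$THRESHOLD" "$deny"
    echo "entries in $deny:"; cat "$deny"
    rm -f "$log" "$deny"
}

# Demo on the constructed log:   THRESHOLD=3 sh ./deny_bruteforce.sh demo
# Real use from cron every 6 hours (as the article proposes), e.g.
#   0 */6 * * * THRESHOLD=100 sh /path/to/deny_bruteforce.sh update
case "${1-}" in
    demo)   main ;;
    update) update_hosts_deny /var/log/secure "$THRESHOLD" /etc/hosts.deny ;;
esac
```

Two caveats worth keeping in mind when turning this into a cron job. First, as the article's own vsftpd lines show, rhost may be a hostname (centos1.cn7788.com) rather than an IP; hosts.deny accepts hostnames, but matching them depends on reverse DNS, so IP entries are the reliable ones. Second, vsftpd only honours hosts.deny when it was built with tcp_wrappers support and tcp_wrappers=YES is set in vsftpd.conf; sshd on CentOS of that era is linked against libwrap and checks it directly.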