Table of contents
- How to quickly add malicious IPs to the firewall blacklist
- Preface
- Requirement
- Lab steps
- Summary
How to quickly add malicious IPs to the firewall blacklist

Preface
Our servers are frequently scanned with Nmap late at night, after which a swarm of IPs starts probing SSH logins against them. How should we respond to this?
Requirement
Analyze the Linux security log /var/log/secure and add every source IP with more than 20 failed (attacker or otherwise malicious) login attempts to the iptables firewall blacklist. The lab below lowers the threshold to 5 so that the small sample log trips it; substitute 20 (or whatever your policy says) in production.
Lab steps
- First, look at the security log. Successful logins show up as "Accepted password" lines; the brute-force attempts are the "Failed password" lines, which the next step isolates.

[root@localhost ~]# cat /var/log/secure | more
Jun 5 10:25:56 localhost sshd[10165]: Accepted password for root from 192.168.10.1 port 58525 ssh2
Jun 5 10:25:56 localhost sshd[10165]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 5 10:25:59 localhost sshd[10184]: Accepted password for root from 192.168.10.1 port 58528 ssh2
Jun 5 10:25:59 localhost sshd[10184]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 5 12:51:19 localhost sshd[10394]: Accepted password for root from 192.168.10.1 port 64063 ssh2
Jun 5 12:51:19 localhost sshd[10394]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 5 13:03:00 localhost sshd[10428]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.1 user=root
Jun 5 13:03:00 localhost sshd[10428]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jun 5 13:03:02 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
Jun 5 13:03:06 localhost sshd[10428]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jun 5 13:03:08 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
Jun 5 13:03:14 localhost sshd[10428]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met
--More--

- Filter out everything else and keep only the failed-login lines

[root@localhost ~]# grep "Failed password" /var/log/secure
Jun 5 13:03:02 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
Jun 5 13:03:08 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
Jun 5 13:03:16 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
Jun 5 13:03:27 localhost sshd[10431]: Failed password for root from 192.168.10.1 port 64438 ssh2
Jun 5 13:15:33 localhost sshd[10442]: Failed password for root from 192.168.10.10 port 49796 ssh2
Jun 5 13:15:38 localhost sshd[10442]: Failed password for root from 192.168.10.10 port 49796 ssh2
Jun 5 13:15:38 localhost sshd[10442]: Failed password for root from 192.168.10.10 port 49796 ssh2
Jun 5 13:15:46 localhost sshd[10444]: Failed password for root from 192.168.10.10 port 49798 ssh2
Jun 5 13:15:50 localhost sshd[10444]: Failed password for root from 192.168.10.10 port 49798 ssh2
Jun 5 13:15:53 localhost sshd[10444]: Failed password for root from 192.168.10.10 port 49798 ssh2
Jun 5 13:15:59 localhost sshd[10446]: Failed password for root from 192.168.10.10 port 49800 ssh2
Jun 5 13:16:00 localhost sshd[10446]: Failed password for root from 192.168.10.10 port 49800 ssh2
Jun 5 13:16:02 localhost sshd[10446]: Failed password for root from 192.168.10.10 port 49800 ssh2
[root@localhost ~]#

- Print only the IPs of the failed logins. Every "Failed password" line ends with "<ip> port <port> ssh2", so the IP is the fourth field from the end, $(NF-3); this holds whether the line says "for root" or "for invalid user admin", which is why counting from the end is more robust than a fixed field number.

[root@localhost ~]# grep "Failed password" /var/log/secure | awk '{print $(NF-3)}'
192.168.10.1
192.168.10.1
192.168.10.1
192.168.10.1
192.168.10.10
192.168.10.10
192.168.10.10
192.168.10.10
192.168.10.10
192.168.10.10
192.168.10.10
192.168.10.10
192.168.10.10
[root@localhost ~]#

- Sort and count occurrences (sort first so that uniq -c groups identical IPs, then sort numerically descending by count)

[root@localhost ~]# grep "Failed password" /var/log/secure | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr
      9 192.168.10.10
      4 192.168.10.1
[root@localhost ~]#

- Match the IPs with 5 or more failed logins. Look at the candidates before blocking them: in this log 192.168.10.1 also has successful root logins, so it is most likely an administrator mistyping a password rather than an attacker, and a low threshold would lock it out.

[root@localhost ~]# grep "Failed password" /var/log/secure | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | awk '{if ($1>=5) print $2}'
192.168.10.10
[root@localhost ~]#

- Loop over the matched IPs and write them into the firewall rules file. The sed expression appends a DROP rule after every line matching "lo", the intended target being the "-A INPUT -i lo -j ACCEPT" rule near the top of the file, so the DROP ends up ahead of the rule that accepts SSH. Two caveats: this only edits the saved rule file, so the block takes effect after "service iptables restart" (or "iptables-restore < /etc/sysconfig/iptables"), and the loop does not check for an existing entry, so each run appends another copy of the rule for an IP that is already blocked.

[root@localhost ~]# for i in $(grep "Failed password" /var/log/secure | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | awk '{if($1>=5) print $2}'); do sed -i "/lo/a -A INPUT -s $i -j DROP" /etc/sysconfig/iptables; done
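The whole procedure above, collected into one script, as an added example that is not code from the original post. It wraps the grep / awk / sort | uniq -c / threshold pipeline in functions, runs them over a constructed sshd log (the log lines, IPs, ports and the threshold values are made up for the demonstration), prints the resulting rules in /etc/sysconfig/iptables syntax, and shows a live variant that inserts the rules with iptables -I and skips IPs that are already blocked. The function names and the sample file are assumptions of this example, not part of the original.

```shell
#!/bin/sh
# Added example, not code from the original post: the grep -> awk ->
# sort | uniq -c -> threshold pipeline as functions, run against a
# constructed sshd log and turned into iptables rules.

# Constructed sample of /var/log/secure: 6 failures from 192.168.10.10,
# 4 from 192.168.10.1, 1 from 10.0.0.7 (an "invalid user" line, whose
# layout differs at the front but not at the end), plus one successful
# login that must not be counted.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun  5 10:25:56 localhost sshd[10165]: Accepted password for root from 192.168.10.1 port 58525 ssh2
Jun  5 13:03:02 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
Jun  5 13:03:08 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
Jun  5 13:03:16 localhost sshd[10428]: Failed password for root from 192.168.10.1 port 64400 ssh2
Jun  5 13:03:27 localhost sshd[10431]: Failed password for root from 192.168.10.1 port 64438 ssh2
Jun  5 13:15:33 localhost sshd[10442]: Failed password for root from 192.168.10.10 port 49796 ssh2
Jun  5 13:15:38 localhost sshd[10442]: Failed password for root from 192.168.10.10 port 49796 ssh2
Jun  5 13:15:46 localhost sshd[10444]: Failed password for root from 192.168.10.10 port 49798 ssh2
Jun  5 13:15:50 localhost sshd[10444]: Failed password for root from 192.168.10.10 port 49798 ssh2
Jun  5 13:15:59 localhost sshd[10446]: Failed password for root from 192.168.10.10 port 49800 ssh2
Jun  5 13:16:02 localhost sshd[10446]: Failed password for root from 192.168.10.10 port 49800 ssh2
Jun  5 13:20:11 localhost sshd[10450]: Failed password for invalid user admin from 10.0.0.7 port 50112 ssh2
EOF

# Print "<count> <ip>" for every source IP with failed password attempts,
# highest count first. The IP is always the 4th field from the end
# ("<ip> port <port> ssh2"), so $(NF-3) works for both "for root" and
# "for invalid user X" lines.
failed_counts() {
    grep 'Failed password' "$1" | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr
}

# Print the IPs whose failure count is at least the threshold in $2.
offenders() {
    failed_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Emit one saved-rule-file line per offender (/etc/sysconfig/iptables
# syntax). Only prints; nothing here touches the live firewall.
drop_rules() {
    offenders "$1" "$2" | while read -r ip; do
        printf '%s\n' "-A INPUT -s $ip -j DROP"
    done
}

# Live variant (needs root; defined but not called here): insert at the
# top of INPUT so the DROP precedes any ACCEPT for ssh, and skip IPs that
# are already blocked so re-running does not pile up duplicate rules.
apply_drop_rules() {
    offenders "$1" "$2" | while read -r ip; do
        iptables -C INPUT -s "$ip" -j DROP 2>/dev/null \
            || iptables -I INPUT -s "$ip" -j DROP
    done
}

# Demo run with the lab's threshold of 5: prints the rule for 192.168.10.10.
drop_rules "$SAMPLE_LOG" 5
```

Run it as a normal user to see the generated rules; point SAMPLE_LOG at the real /var/log/secure and call apply_drop_rules as root to block live. Inserting with iptables -I and checking with iptables -C avoids the two weak points of the sed approach in the post: the rule is active immediately instead of waiting for a restart, and an IP is never added twice. If you also want the block to survive a reboot, save the live table afterwards (service iptables save on the CentOS 6/7 style systems the post targets).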
Summary
Operational security plays an important role in real production environments. When attackers scan and probe relentlessly, we need to block IPs based on what the traffic shows, and doing that quickly requires a solid command of Linux tools, especially awk and sed, which appear constantly in our scripts. Master them.

Please credit the source when reposting. Original link: https://www.uj5u.com/qita/286220.html
