Linux系统ssh暴力破解密码自动阻断器
当Linux系统遭遇ssh暴力破解时,我们需要封禁进行暴力破解的非法IP。下面提供一个脚本,只需在遭遇ssh暴力破解行为的Linux系统上运行该脚本,它便会自动封禁进行ssh远程登录暴力破解行为的IP,脚本的详细内容如下:
python
#!/usr/bin/env python3
import re
import subprocess
import time
# Security log that sshd writes to (RHEL-family path; other distributions
# keep it in a different file — adjust for the host).
logFile = '/var/log/secure'
# Deny list that banned addresses are appended to.
# NOTE(review): /etc/hosts.deny is honoured only by sshd builds linked
# against TCP wrappers (libwrap); recent OpenSSH releases dropped that
# support, so verify on the host that an entry here really blocks a
# connection (a firewall rule is the alternative if it does not).
hostDeny = '/etc/hosts.deny'
# Failed-password count above which an address is banned
# (the ban is applied on the failure after this many).
password_wrong_num = 5
#获取已经加入黑名单的IP,转换为字典
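def getDenies(path=None):
    """Return the addresses already listed in the deny file as a dict.

    Every IPv4-looking token (``d.d.d.d``) found on any line of the file
    becomes a key mapped to the string ``'1'``, so callers can test
    membership with ``dict.get``.  Lines without such a token (comments,
    blank lines) are ignored.

    Args:
        path: deny file to read; defaults to the module-level ``hostDeny``.

    Returns:
        dict mapping each address string found in the file to ``'1'``.

    Raises:
        FileNotFoundError: if the deny file does not exist.  Left to
            propagate on purpose: a host without it is unlikely to be
            consulting the file, and a ban written there would do nothing.
    """
    target = hostDeny if path is None else path
    denied = {}
    # ``with`` so the handle is closed even when a line fails to decode;
    # errors='replace' keeps a stray non-UTF-8 byte from aborting start-up.
    with open(target, encoding='utf-8', errors='replace') as fh:
        for entry in fh:
            found = re.search(r'(\d+\.\d+\.\d+\.\d+)', entry)
            if found:
                denied[found[1]] = '1'
    return denied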
#监控方法
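# IPv4 address as it appears in sshd log lines.
_IP_RE = r'(\d{1,3}(?:\.\d{1,3}){3})'
# The user name in both messages is supplied by the remote client, so the
# address is taken from the LAST "from <ip>" on the line (greedy ".*")
# rather than the first; that keeps a crafted user name from steering
# which address gets banned.  NOTE(review): confirm against the log format
# of the sshd version in use.  The original patterns also had "d+" instead
# of "\d+" in the third octet, which never matched a real address.
_INVALID_USER_RE = re.compile(r'Invalid user .* from ' + _IP_RE)
_FAILED_PASSWORD_RE = re.compile(r'Failed password for .* from ' + _IP_RE)


def _appendDeny(ip):
    """Append a ``sshd:<ip>`` entry to ``hostDeny``.

    Plain file I/O replaces the shell ``echo`` so that the address taken
    from the log is never interpreted by a shell (the original command also
    had an unbalanced quote and would not have run).
    """
    with open(hostDeny, 'a', encoding='utf-8') as fh:
        fh.write('sshd:{}\n'.format(ip))


def _banIp(ip, deniedDict, reason):
    """Write *ip* to the deny file, remember it in *deniedDict*, log it."""
    _appendDeny(ip)
    deniedDict[ip] = '1'
    time_str = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(time.time()))
    print('{} --- add ip:{} to hosts.deny for {}'.format(time_str, ip, reason))


def monitorLog(Logfile):
    """Follow *Logfile* and ban addresses that brute-force sshd.

    Two sshd messages are handled:
      * ``Invalid user ... from <ip>`` bans the address at once;
      * ``Failed password for ... from <ip>`` is counted per address and
        bans once the count exceeds ``password_wrong_num``.
    Addresses already present in ``hostDeny`` (read once at start-up) are
    skipped.  Runs until ``tail`` exits or the process is interrupted.

    Args:
        Logfile: path of the sshd log to follow.  ``tail -F`` is used so
            the file is re-opened after log rotation.
    """
    # Failed-password count per address that is not yet banned.
    failures = {}
    deniedDict = getDenies()
    # Argument list, not a shell string: the original concatenation lacked
    # the space after -f.  stderr is discarded so tail can never block on a
    # pipe nobody reads.
    popen = subprocess.Popen(['tail', '-F', Logfile],
                             stdout=subprocess.PIPE,
                             stderr=subprocess.DEVNULL)
    try:
        while True:
            raw = popen.stdout.readline()
            if not raw:
                # EOF means tail has gone away; stop instead of spinning.
                break
            line = raw.decode('utf-8', errors='replace').strip()
            if not line:
                continue
            found = _INVALID_USER_RE.search(line)
            if found:
                if not deniedDict.get(found[1]):
                    _banIp(found[1], deniedDict, 'invalid usr')
                continue
            found = _FAILED_PASSWORD_RE.search(line)
            if not found:
                continue
            ip = found[1]
            # dict.get with a default fixes the original's "tempIp[1] = 1",
            # which never stored the count under the address.
            failures[ip] = failures.get(ip, 0) + 1
            if failures[ip] > password_wrong_num and not deniedDict.get(ip):
                del failures[ip]
                _banIp(ip, deniedDict, 'invalid password')
    finally:
        # Do not leave an orphaned tail behind on exit or interrupt.
        popen.kill()
        popen.wait()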
if __name__ == '__main__':
    # Script entry point: follow the security log until interrupted.
    monitorLog(Logfile=logFile)