例题:自动化禁止恶意IP访问
应用场景:防止恶意IP尝试ssh登录。---暴力破解密码
脚本说明:将密码输入错误超过4次的IP地址通过iptables防火墙阻止访问。
目录
【1】首先ssh登录之后,产生的日志文件是哪个,模拟暴力破解密码会有什么提示,我们约定输错密码超过4次算暴力破解
【3】在生产环境中我们经常使用iptables,所以我们使用iptables封堵IP
3.多次执行脚本之后,通过查看iptables列表,发现V1版本有bug:相同的IP和端口多次封堵
[【1】从iptables -L -n 命令行入手](#【1】从iptables -L -n 命令行入手)
【2】从防火墙保存文件/etc/sysconfig/iptables入手
1.脚本分析:
【1】首先ssh登录之后,产生的日志文件是哪个,模拟暴力破解密码会有什么提示,我们约定输错密码超过4次算暴力破解
bash
[root@node11 ~]# mkdir -p /server/scripts
[root@node11 scripts]# tail /var/log/secure
Nov 12 02:12:10 node11 sshd[1504]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Nov 12 02:12:12 node11 sshd[1504]: Failed password for root from 192.168.111.13 port 38136 ssh2
Nov 12 02:12:13 node11 sshd[1499]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Nov 12 02:12:14 node11 sshd[1499]: Failed password for root from 192.168.111.12 port 52866 ssh2
由代码可知,产生日志的文件是/var/log/secure,提示为Failed password
【2】我们如何容日志中取出暴力破解密码的客户端IP
bash
1.这是我们取出登录过这台服务器的客户端IP
[root@node11 scripts]# awk '/Failed password/ {IP[$(NF-3)]++} END {for (k in IP) print IP[k],k }' /var/log/secure
5 192.168.111.21
6 192.168.111.12
6 192.168.111.13
1 192.168.111.50
2.这是我们取出输错密码超过4次的客户端IP
[root@node11 scripts]# awk '/Failed password/ {IP[$(NF-3)]++} END {for (k in IP) if (IP[k]>4) print k }' /var/log/secure
192.168.111.21
192.168.111.12
192.168.111.13
【3】在生产环境中我们经常使用iptables,所以我们使用iptables封堵IP
准备:
bash
[root@node11 scripts]# yum whatprovides iptables # 查看iptables命令是由哪个软件包提供
[root@node11 scripts]# yum install -y iptables-services
[root@node11 scripts]# systemctl start iptables.service # 启动之后,会出现默认规则
[root@node11 scripts]# iptables -L -n # 列出当前iptables防火墙规则中的所有规则
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-
...
[root@node11 scripts]# iptables -F # 清除iptables防火墙规则中的所有规则
[root@node11 scripts]# iptables -L -n # 再次进行查看
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
iptables封堵IP:
bash
[root@node11 scripts]# iptables -I INPUT -s 192.168.111.13 -p tcp --dport 22 -j DROP
[root@node11 scripts]# service iptables save # 保存规则
[root@node11 scripts]# iptables -L -n # 再次查看,看看是否保存
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 192.168.111.13 0.0.0.0/0 tcp dpt:22
......
[root@node11 scripts]# more /etc/sysconfig/iptables # 也可以查看文件
# Generated by iptables-save v1.4.21 on Sun Nov 12 02:55:39 2023
*filter
:INPUT ACCEPT [266:16148]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [156:12788]
-A INPUT -s 192.168.111.13/32 -p tcp -m tcp --dport 22 -j DROP
COMMIT
# Completed on Sun Nov 12 02:55:39 2023
因为要不断的测试脚本,所以我们每操作完一项,就可以清除iptables防火墙规则中的所有规则,方便我们下次进行测试。
2.脚本:
bash
[root@node11 scripts]# vim deny_ip_v1.sh
#!/bin/bash
awk '/Failed password/ {IP[$(NF-3)]++} END {for (k in IP) if (IP[k]>4) print k }' /var/log/secure > deny_ip
while read line
do
iptables -I INPUT -s $line -p tcp --dport 22 -j DROP
done < deny_ip
service iptables save
rm -rf deny_ip
进行测试:
bash
[root@node11 scripts]# sh deny_ip_v1.sh
[root@node11 scripts]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 192.168.111.13 0.0.0.0/0 tcp dpt:22
DROP tcp -- 192.168.111.12 0.0.0.0/0 tcp dpt:22
DROP tcp -- 192.168.111.21 0.0.0.0/0 tcp dpt:22
......
[root@node11 scripts]# sh deny_ip_v1.sh # 再次执行脚本
[root@node11 scripts]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 192.168.111.13 0.0.0.0/0 tcp dpt:22
DROP tcp -- 192.168.111.12 0.0.0.0/0 tcp dpt:22
DROP tcp -- 192.168.111.21 0.0.0.0/0 tcp dpt:22
DROP tcp -- 192.168.111.13 0.0.0.0/0 tcp dpt:22
DROP tcp -- 192.168.111.12 0.0.0.0/0 tcp dpt:22
DROP tcp -- 192.168.111.21 0.0.0.0/0 tcp dpt:22
......
3.多次执行脚本之后,通过查看iptables列表,发现V1版本有bug:相同的IP和端口多次封堵
解决思路:让封堵的IP和端口不再封堵
4..如何获取已经封堵IP
【1】从iptables -L -n 命令行入手
bash
[root@node11 scripts]# iptables -L -n | tr -s " " | awk -F"[ :]" '$1=="DROP" && $NF=22 {print $4}'
192.168.111.13
192.168.111.12
192.168.111.21
192.168.111.13
192.168.111.12
192.168.111.21
【2】从防火墙保存文件/etc/sysconfig/iptables入手
bash
[root@node11 scripts]# awk -F"[ /]" '$11=22 && $NF=="DROP" {print $4}' /etc/sysconfig/iptables
192.168.111.13
192.168.111.12
192.168.111.21
192.168.111.13
192.168.111.12
192.168.111.21
5.改进脚本
【1】利用临时文件解决bug
bash
[root@node11 scripts]# vim deny_ip_v2.sh
#!/bin/bash
awk '/Failed password/ {IP[$(NF-3)]++} END {for (k in IP) if (IP[k]>4) print k }' /var/log/secure > deny_ip
iptables -L -n | tr -s " " | awk -F"[ :]" '$1=="DROP" && $NF=22 {print $4}' > block_ip
while read line
do
if ! grep -qw $line block_ip
then
iptables -I INPUT -s $line -p tcp --dport 22 -j DROP
fi
done < deny_ip
service iptables save
rm -rf deny_ip block_ip
【2】使用临时变量来解决bug
bash
[root@node11 scripts]# vim deny_ip_v3.sh
#!/bin/bash
awk '/Failed password/ {IP[$(NF-3)]++} END {for (k in IP) if (IP[k]>4) print k }' /var/log/secure > deny_ip
block_ip=$(iptables -L -n | tr -s " " | awk -F"[ :]" '$1=="DROP" && $NF=22 {print $4}')
while read line
do
if ! echo $block_ip | grep -qw $line
then
iptables -I INPUT -s $line -p tcp --dport 22 -j DROP
fi
done < deny_ip
service iptables save
rm -rf deny_ip
unset block_ip
【3】使用临时数组来解决bug
bash
[root@node11 scripts]# vim deny_ip_v4.sh
#!/bin/bash
awk '/Failed password/ {IP[$(NF-3)]++} END {for (k in IP) if (IP[k]>4) print k }' /var/log/secure > deny_ip
block_ip=($(iptables -L -n | tr -s " " | awk -F"[ :]" '$1=="DROP" && $NF=22 {print $4}'))
while read line
do
if ! echo ${block_ip[@]} | grep -qw $line
then
iptables -I INPUT -s $line -p tcp --dport 22 -j DROP
fi
done < deny_ip
service iptables save
rm -rf deny_ip
unset block_ip
6.测试结果:
bash
[root@node11 scripts]# sh deny_ip_v2.sh
[root@node11 scripts]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 192.168.111.13 0.0.0.0/0 tcp dpt:22
DROP tcp -- 192.168.111.12 0.0.0.0/0 tcp dpt:22
DROP tcp -- 192.168.111.21 0.0.0.0/0 tcp dpt:22
......
[root@node11 scripts]# sh deny_ip_v2.sh # 再次执行
[root@node11 scripts]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 192.168.111.13 0.0.0.0/0 tcp dpt:22
DROP tcp -- 192.168.111.12 0.0.0.0/0 tcp dpt:22
DROP tcp -- 192.168.111.21 0.0.0.0/0 tcp dpt:22
......
生产环境中会结合计划任务进行