[ Linux ] Looking for an iptables script that walks through lastb (failed logins) and bans any IP with more than 3 attempts - V2EX

bronana  2023-01-27 05:36:24 +08:00  3772 clicks

Please help me out with a script, I can't figure out fail2ban. I was wondering why my server always felt sluggish, and it turns out a brute-force login script has been trying to log into my server nonstop.

```
─root@VM-16-11-ubuntu ~
─# lastb | less
ctr      ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
ctr      ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
gujiongh ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
gujiongh ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
kian     ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
kian     ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
cuilingh ssh:notty    185.252.178.107  Fri Jan 27 05:16 - 05:16  (00:00)
cuilingh ssh:notty    185.252.178.107  Fri Jan 27 05:16 - 05:16  (00:00)
gilad    ssh:notty    185.252.178.107  Fri Jan 27 05:16 - 05:16  (00:00)
gilad    ssh:notty    185.252.178.107  Fri Jan 27 05:16 - 05:16  (00:00)
fds      ssh:notty    185.252.178.107  Fri Jan 27 05:15 - 05:15  (00:00)
fds      ssh:notty    185.252.178.107  Fri Jan 27 05:15 - 05:15  (00:00)
chengyan ssh:notty    185.252.178.107  Fri Jan 27 05:15 - 05:15  (00:00)
chengyan ssh:notty    185.252.178.107  Fri Jan 27 05:15 - 05:15  (00:00)
yixuanhu ssh:notty    185.252.178.107  Fri Jan 27 05:14 - 05:14  (00:00)
yixuanhu ssh:notty    185.252.178.107  Fri Jan 27 05:14 - 05:14  (00:00)
dsm      ssh:notty    185.252.178.107  Fri Jan 27 05:14 - 05:14  (00:00)
dsm      ssh:notty    185.252.178.107  Fri Jan 27 05:14 - 05:14  (00:00)
root     ssh:notty    185.252.178.107  Fri Jan 27 05:13 - 05:13  (00:00)
wangl    ssh:notty    185.252.178.107  Fri Jan 27 05:13 - 05:13  (00:00)
wangl    ssh:notty    185.252.178.107  Fri Jan 27 05:13 - 05:13  (00:00)
root     ssh:notty    185.252.178.107  Fri Jan 27 05:12 - 05:12  (00:00)
emmanuel ssh:notty    185.252.178.107  Fri Jan 27 05:12 - 05:12  (00:00)
emmanuel ssh:notty    185.252.178.107  Fri Jan 27 05:12 - 05:12  (00:00)
mdzhou   ssh:notty    185.252.178.107  Fri Jan 27 05:12 - 05:12  (00:00)
mdzhou   ssh:notty    185.252.178.107  Fri Jan 27 05:12 - 05:12  (00:00)
trenz    ssh:notty    185.252.178.107  Fri Jan 27 03:19 - 03:19  (00:00)
lixi     ssh:notty    185.252.178.107  Fri Jan 27 03:19 - 03:19  (00:00)
lixi     ssh:notty    185.252.178.107  Fri Jan 27 03:19 - 03:19  (00:00)
....
root     ssh:notty    211.115.91.20    Fri Jan 27 01:04 - 01:04  (00:00)
es       ssh:notty    211.115.91.20    Thu Jan 26 23:36 - 23:36  (00:00)
es       ssh:notty    211.115.91.20    Thu Jan 26 23:36 - 23:36  (00:00)
root     ssh:notty    211.115.91.20    Thu Jan 26 05:25 - 05:25  (00:00)
...
root     ssh:notty    220.174.25.172   Tue Jan 24 23:19 - 23:19  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:17 - 23:17  (00:00)
...
--- and many other IPs ---
```

I figure the script could be set up to run every X minutes. I counted: at its peak it tried to log into my server 23 times in one minute (even though it failed); at that rate, 5 minutes is plenty for it to try 100 times. Having someone hammer the server with login attempts is a cost to the server too; just look at this log, it's already 18M..

```
─root@VM-16-11-ubuntu ~
─# ll /var/log/btmp
Permissions Size User Date Modified Name
.rw-rw----  18M  root 27 Jan 05:17  /var/log/btmp
```

You can see the last Modified time above is 05:17, because I searched for a command to ban an IP, and it seems to have actually worked:

```
iptables -I INPUT -s 185.252.178.107 -j DROP
```

19 replies    2023-01-31 18:26:20 +08:00

#1  sNullp  2023-01-27 05:37:10 +08:00 via iPhone
The easiest approach is to learn fail2ban.

#2  bronana (OP)  2023-01-27 05:42:48 +08:00
@sNullp #1
    ```
    ─root@VM-16-11-ubuntu ~
    ─# history | grep -i fail2ban
    1439 apt install -y fail2ban
    1440 cd /etc/fail2ban
    1443 cp fail2ban.conf fail2ban.local
    1445 vim fail2ban.local
    1646 fail2ban fail2ban-client satus
    1647 which fail2ban
    1648 fail2ban fail2ban-client status
    1649 fail2ban
    1652 apt install fail2ban
    1653 systemctl status fail2ban
1655 sudo cp /etc/fail2ban/jail.{conf,local}
    1656 nano /etc/fail2ban/jail.local
    1657 vim /etc/fail2ban/jail.local
    1658 systemctl status fail2ban
    1659 systemctl stop fail2ban
    1660 systemctl status fail2ban
    1661 systemctl start fail2ban
    1662 systemctl status fail2ban
    1663 systemctl restart fail2ban
1664 fail2ban-client status sshd
1667 fail2ban-client status sshd
    1670 vim /etc/fail2ban/jail.local
    1671 systemctl enable fail2ban
    1672 vim /etc/fail2ban/jail.local
    ```
I tried to learn it, but didn't get it.

#3  sNullp  2023-01-27 05:55:10 +08:00 via iPhone
On Debian it bans SSH right after the default install; I don't know what all those later steps were for?

#4  bronana (OP)  2023-01-27 05:59:04 +08:00
@sNullp #3 I tried configuring it, not sure what I got wrong, but fail2ban didn't take effect.

#5  realpg (PRO)  2023-01-27 08:07:26 +08:00
As I recall, fail2ban doesn't need any configuration at all.
Don't tell me you're on CentOS...

#6  feng0vx  2023-01-27 08:46:19 +08:00 via iPhone
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Put the settings you need in jail.local.
On Ubuntu/Debian the ssh-iptables section looks roughly like this:

```
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
```

Check the status of the sshd jail / the banned IPs:
sudo fail2ban-client status sshd

Remove an IP that has been banned:
sudo fail2ban-client set sshd unbanip 23.34.45.xx

#7  foam  2023-01-27 10:40:42 +08:00 via Android
Going slightly off-topic. At under 1 qps, how could the machine be sluggish? This authentication barely touches the CPU, and the packets are only a handful of bytes, so bandwidth is practically untouched. There must be some other cause for the "sluggishness" you mention.

#8  MindMindMax  2023-01-27 14:17:40 +08:00
```
#!/bin/bash

# This script will traverse the lastb log and block IPs that have more than 3 failed login attempts.

# Flush existing rules
iptables -F

# Set default policy to drop all incoming traffic
iptables -P INPUT DROP

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Traverse the lastb log and block IPs with more than 3 failed login attempts.
# Only fields that look like an IPv4 address are counted: lastb ends with a
# "btmp begins ..." trailer (and may print hostnames), which would otherwise be
# handed to iptables as a source address and make the command fail.
lastb -i | awk '$3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $3}' | sort | uniq -c \
  | awk '$1 > 3 {print $2}' | while read -r ip; do
    iptables -A INPUT -s "$ip" -j DROP
done

# Allow new SSH connections from everyone not dropped above. With the default
# policy set to DROP this rule is required; without it no new SSH session can
# be opened at all (only the already-established one survives).
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```

#9  westoy  2023-01-27 14:39:56 +08:00
SSH brute-forcing can't possibly make the box feel sluggish; try turning off sshd's reverse DNS lookups.

Honestly, move SSH to a port somewhere in the twenty or thirty thousands and basically nobody will brute-force it, and you won't have to fiddle with any blocking at all.....

#10  julyclyde  2023-01-28 09:02:46 +08:00
The simplest thing is to just leave it alone.
Adding iptables rules puts extra load on the kernel.

I did this a dozen-odd years ago; at three-thousand-plus rules it got so slow the web service couldn't work anymore.

#11  Damn  2023-01-28 10:17:41 +08:00
@julyclyde isn't ipset good enough?

#12  sanduo  2023-01-28 10:19:11 +08:00
@bronana what does your fail2ban config file look like?

#13  julyclyde  2023-01-28 10:21:11 +08:00
@Damn back in those days there was no ipset, was there?
In 2008 the Linux kernel was still only 2.4

#14  sanduo  2023-01-28 10:22:04 +08:00
I'm on Ubuntu, using the built-in UFW for firewall management, and added a config file for sshd: /etc/fail2ban/jail.d/sshd.local, with the following contents, for reference:
```
[sshd]
enabled = true
filter = sshd
banaction = ufw
maxretry = 5
findtime = 600
bantime = 2w
ignoreip = 127.0.0.1/8
```

#15  iceecream  2023-01-28 14:01:47 +08:00
The method in #6 works,
the one in #9 is also worth a try.

#16  yuepu  2023-01-28 17:31:03 +08:00
/etc/hosts.deny might be of use

#17  datocp  2023-01-28 22:51:41 +08:00
```
ipset destroy banned_hosts
ipset -N banned_hosts hash:net timeout 180
iptables -I INPUT 3 -i $UDEV -m set --match-set banned_hosts src -j DROP
iptables -I INPUT 4 -i $UDEV -p udp -m multiport --dports 80,161,1863,5060 -j SET --add-set banned_hosts src
iptables -I INPUT 5 -i $UDEV -p tcp -m multiport --dports 20,23,25,110,135,137:139,161,445,1080,2323,3128,3306,3389 -j SET --add-set banned_hosts src
#iptables -I INPUT 3 -i $UDEV -m recent --update --name hack --rsource -j DROP
#iptables -I INPUT 4 -i $UDEV -p udp -m multiport --dports 80,161,1863,5060 -m conntrack --ctstate NEW -m recent --set --name hack --rsource -j DROP
#iptables -I INPUT 5 -i $UDEV -p tcp -m multiport --dports 20,23,25,53,110,135,137:139,161,445,1080,2323,3128,3306,3389 -m conntrack --ctstate NEW -m recent --set --name hack --rsource -j DROP
```
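Added example (not posted by anyone in this thread): it combines the lastb-counting idea from #8 with the ipset approach from #17, so that a cron job can ban offenders without piling up one iptables rule per address, and it applies an ignore list the way fail2ban's ignoreip in #14 does. The set name banned_hosts, the threshold, the allowlist and the sample lastb text are assumptions; the script prints the ipset/iptables commands instead of executing them.

```bash
#!/bin/sh
# Added example (not from the thread): count failed SSH logins per source address
# from lastb output and emit ipset commands for the offenders. Commands are
# printed, not run, so they can be reviewed or piped into sh on a real host.
# The set name, thresholds, allowlist and sample data below are assumptions.
THRESHOLD=3          # ban after more than this many failures
BAN_SECONDS=3600     # ipset timeout: entries expire by themselves, no rule pile-up
ALLOWLIST="127.0.0.1 192.0.2.250"   # never ban these (like fail2ban's ignoreip)

# offenders LASTB_TEXT: prints one IP per line with more than THRESHOLD failures.
# Only ssh:* lines whose host field is a dotted IPv4 address are counted, so the
# "btmp begins ..." trailer and hostname entries never reach ipset/iptables.
offenders() {
  printf '%s\n' "$1" | awk -v thr="$THRESHOLD" -v allow="$ALLOWLIST" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    $2 ~ /^ssh:/ && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($3 in skip) { c[$3]++ }
    END { for (ip in c) if (c[ip] > thr) print ip }' | sort
}

# ban_commands LASTB_TEXT: one ipset command per offender; -exist makes repeated
# cron runs idempotent (an existing entry gets its timeout refreshed, no error).
ban_commands() {
  offenders "$1" | while read -r ip; do
    echo "ipset -exist add banned_hosts $ip timeout $BAN_SECONDS"
  done
}

# One-time setup, as in datocp's reply: a single iptables rule consults the set,
# however many addresses it holds.
setup_commands() {
  echo "ipset -exist create banned_hosts hash:ip timeout $BAN_SECONDS"
  echo "iptables -I INPUT -m set --match-set banned_hosts src -j DROP"
}

# Constructed sample in lastb's format (not real log data): 4 failures from
# 192.0.2.10, 2 from 198.51.100.7 and 4 from the allow-listed 192.0.2.250.
SAMPLE='root     ssh:notty    192.0.2.10       Fri Jan 27 05:13 - 05:13  (00:00)
admin    ssh:notty    192.0.2.10       Fri Jan 27 05:13 - 05:13  (00:00)
admin    ssh:notty    198.51.100.7     Fri Jan 27 05:12 - 05:12  (00:00)
root     ssh:notty    192.0.2.10       Fri Jan 27 05:12 - 05:12  (00:00)
test     ssh:notty    198.51.100.7     Fri Jan 27 05:11 - 05:11  (00:00)
root     ssh:notty    192.0.2.10       Fri Jan 27 05:10 - 05:10  (00:00)
me       ssh:notty    192.0.2.250      Fri Jan 27 05:09 - 05:09  (00:00)
me       ssh:notty    192.0.2.250      Fri Jan 27 05:09 - 05:09  (00:00)
me       ssh:notty    192.0.2.250      Fri Jan 27 05:08 - 05:08  (00:00)
me       ssh:notty    192.0.2.250      Fri Jan 27 05:07 - 05:07  (00:00)

btmp begins Tue Jan 24 23:17:00 2023'

setup_commands
ban_commands "$SAMPLE"   # on a real host: ban_commands "$(lastb -i -s -10min)"
```

Because the set has a timeout, a ban expires on its own, and re-running the script every few minutes only refreshes the timeout of addresses that keep failing.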

#18  julyclyde  2023-01-29 09:01:13 +08:00
@yuepu Under normal circumstances hosts.deny shouldn't do anything. Hardly any programs support tcpwrappers anymore.

#19  lovelylain  2023-01-31 18:26:20 +08:00 via Android
@sNullp With frp tunnelling into an internal network, fail2ban isn't really suitable, is it? Is there a good way to keep weak passwords from being brute-forced?