Could someone help me with a script? fail2ban
I can't figure out how to use it.
I'd been wondering why my server always felt so sluggish; turns out a brute-force login script has been hammering away at it trying to log in.
╭─root@VM-16-11-ubuntu ~
╰─# lastb | less
ctr ssh:notty 185.252.178.107 Fri Jan 27 05:17 - 05:17 (00:00)
ctr ssh:notty 185.252.178.107 Fri Jan 27 05:17 - 05:17 (00:00)
gujiongh ssh:notty 185.252.178.107 Fri Jan 27 05:17 - 05:17 (00:00)
gujiongh ssh:notty 185.252.178.107 Fri Jan 27 05:17 - 05:17 (00:00)
kian ssh:notty 185.252.178.107 Fri Jan 27 05:17 - 05:17 (00:00)
kian ssh:notty 185.252.178.107 Fri Jan 27 05:17 - 05:17 (00:00)
cuilingh ssh:notty 185.252.178.107 Fri Jan 27 05:16 - 05:16 (00:00)
cuilingh ssh:notty 185.252.178.107 Fri Jan 27 05:16 - 05:16 (00:00)
gilad ssh:notty 185.252.178.107 Fri Jan 27 05:16 - 05:16 (00:00)
gilad ssh:notty 185.252.178.107 Fri Jan 27 05:16 - 05:16 (00:00)
fds ssh:notty 185.252.178.107 Fri Jan 27 05:15 - 05:15 (00:00)
fds ssh:notty 185.252.178.107 Fri Jan 27 05:15 - 05:15 (00:00)
chengyan ssh:notty 185.252.178.107 Fri Jan 27 05:15 - 05:15 (00:00)
chengyan ssh:notty 185.252.178.107 Fri Jan 27 05:15 - 05:15 (00:00)
yixuanhu ssh:notty 185.252.178.107 Fri Jan 27 05:14 - 05:14 (00:00)
yixuanhu ssh:notty 185.252.178.107 Fri Jan 27 05:14 - 05:14 (00:00)
dsm ssh:notty 185.252.178.107 Fri Jan 27 05:14 - 05:14 (00:00)
dsm ssh:notty 185.252.178.107 Fri Jan 27 05:14 - 05:14 (00:00)
root ssh:notty 185.252.178.107 Fri Jan 27 05:13 - 05:13 (00:00)
wangl ssh:notty 185.252.178.107 Fri Jan 27 05:13 - 05:13 (00:00)
wangl ssh:notty 185.252.178.107 Fri Jan 27 05:13 - 05:13 (00:00)
root ssh:notty 185.252.178.107 Fri Jan 27 05:12 - 05:12 (00:00)
emmanuel ssh:notty 185.252.178.107 Fri Jan 27 05:12 - 05:12 (00:00)
emmanuel ssh:notty 185.252.178.107 Fri Jan 27 05:12 - 05:12 (00:00)
mdzhou ssh:notty 185.252.178.107 Fri Jan 27 05:12 - 05:12 (00:00)
mdzhou ssh:notty 185.252.178.107 Fri Jan 27 05:12 - 05:12 (00:00)
trenz ssh:notty 185.252.178.107 Fri Jan 27 03:19 - 03:19 (00:00)
lixi ssh:notty 185.252.178.107 Fri Jan 27 03:19 - 03:19 (00:00)
lixi ssh:notty 185.252.178.107 Fri Jan 27 03:19 - 03:19 (00:00)
....
root ssh:notty 211.115.91.20 Fri Jan 27 01:04 - 01:04 (00:00)
es ssh:notty 211.115.91.20 Thu Jan 26 23:36 - 23:36 (00:00)
es ssh:notty 211.115.91.20 Thu Jan 26 23:36 - 23:36 (00:00)
root ssh:notty 211.115.91.20 Thu Jan 26 05:25 - 05:25 (00:00)
...
root ssh:notty 220.174.25.172 Tue Jan 24 23:19 - 23:19 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00)
root ssh:notty 220.174.25.172 Tue Jan 24 23:17 - 23:17 (00:00)
...
--- and many other IPs ---
I figure this script could be set up to run every X minutes. I counted: at its peak it tried to log in 23 times in one minute (even though it failed), and at that rate 5 minutes is plenty for 100 attempts. Having someone hammer the server with login attempts is a cost to the server too; this log alone is already 18M..
╭─root@VM-16-11-ubuntu ~
╰─# ll /var/log/btmp
Permissions Size User Date Modified Name
.rw-rw---- 18M root 27 Jan 05:17 /var/log/btmp
You can see the last Modified time above is 05:17, because I looked up a command to ban the IP and it seems to have actually worked:
iptables -I INPUT -s 185.252.178.107 -j DROP
1
sNullp 2023-01-27 05:37:10 +08:00 via iPhone
The easiest way is to learn fail2ban.
2
bronana OP @sNullp #1
```
╭─root@VM-16-11-ubuntu ~
╰─# history | grep -i fail2ban
 1439  apt install -y fail2ban
 1440  cd /etc/fail2ban
 1443  cp fail2ban.conf fail2ban.local
 1445  vim fail2ban.local
 1646  fail2ban fail2ban-client status
 1647  which fail2ban
 1648  fail2ban fail2ban-client status
 1649  fail2ban
 1652  apt install fail2ban
 1653  systemctl status fail2ban
 1655  sudo cp /etc/fail2ban/jail.{conf,local}
 1656  nano /etc/fail2ban/jail.local
 1657  vim /etc/fail2ban/jail.local
 1658  systemctl status fail2ban
 1659  systemctl stop fail2ban
 1660  systemctl status fail2ban
 1661  systemctl start fail2ban
 1662  systemctl status fail2ban
 1663  systemctl restart fail2ban
 1664  fail2ban-client status sshd
 1667  fail2ban-client status sshd
 1670  vim /etc/fail2ban/jail.local
 1671  systemctl enable fail2ban
 1672  vim /etc/fail2ban/jail.local
```
Studied it, didn't get it.
3
sNullp 2023-01-27 05:55:10 +08:00 via iPhone
On Debian it bans ssh out of the box right after install; I'm not sure what all those later steps were for?
5
realpg 2023-01-27 08:07:26 +08:00
As I recall fail2ban doesn't need any configuration at all
Don't tell me you're on CentOS……
6
feng0vx 2023-01-27 08:46:19 +08:00 via iPhone
```
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```
Put the settings you need in jail.local. On Ubuntu/Debian the ssh-iptables section looks like this:
```
# jail name is sshd in fail2ban 0.9+, matching "fail2ban-client status sshd" below
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
```
Check the status of the sshd jail / the banned IPs:
```
sudo fail2ban-client status sshd
```
Remove an IP that has been banned:
```
sudo fail2ban-client set sshd unbanip 23.34.45.xx
```
7
foam 2023-01-27 10:40:42 +08:00 via Android
Slightly off topic. At less than 1 qps, how could the machine possibly feel sluggish? This authentication check uses almost no CPU, and the packets are only a handful of bytes, so it barely uses any bandwidth either. There must be some other cause for the "sluggishness" you mentioned.
8
MindMindMax 2023-01-27 14:17:40 +08:00
```
#!/bin/bash
# This script will traverse the lastb log and block IPs that have more than 3 failed login attempts.

# Flush existing rules
iptables -F
# Set default policy to drop all incoming traffic
iptables -P INPUT DROP
# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Traverse the lastb log and block IPs with more than 3 failed login attempts
# (editor's fixes: -i prints addresses instead of hostnames, the ssh:notty/IPv4
# checks skip the "btmp begins ..." footer, and the DROP rules must come before
# the SSH ACCEPT below, otherwise they are never reached)
lastb -i | awk '$2 == "ssh:notty" {print $3}' | grep -E '^[0-9.]+$' | sort | uniq -c \
  | awk '$1 > 3 {print $2}' | while read -r ip; do iptables -A INPUT -s "$ip" -j DROP; done
# Allow new SSH connections (port 22 assumed); without this the DROP policy
# above locks you out as soon as the current session ends (editor's fix)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```
9
westoy 2023-01-27 14:39:56 +08:00
Brute-forcing SSH can't possibly make the box feel sluggish; try turning off sshd's reverse DNS lookups and see.
Actually, move SSH to a port somewhere in the twenty-to-thirty-thousand range and basically nobody will brute-force it, and there'll be nothing to bother blocking.....
10
julyclyde 2023-01-28 09:02:46 +08:00
The simple option is to just ignore it.
Adding iptables rules increases the load on the kernel. I did this over a decade ago; at three thousand-odd rules the box was so bogged down the web service stopped working.
14
sanduo 2023-01-28 10:22:04 +08:00
I'm on Ubuntu and manage the firewall with the built-in UFW. I added an sshd config file, /etc/fail2ban/jail.d/sshd.local, with the following contents, for reference:
```
[sshd]
enabled = true
filter = sshd
banaction = ufw
maxretry = 5
findtime = 600
bantime = 2w
ignoreip = 127.0.0.1/8
```
15
iceecream 2023-01-28 14:01:47 +08:00
#6's method works,
#9's method is worth a try too.
16
yuepu 2023-01-28 17:31:03 +08:00
/etc/hosts.deny might also help
17
datocp 2023-01-28 22:51:41 +08:00
```
ipset destroy banned_hosts
ipset -N banned_hosts hash:net timeout 180
iptables -I INPUT 3 -i $UDEV -m set --match-set banned_hosts src -j DROP
iptables -I INPUT 4 -i $UDEV -p udp -m multiport --dports 80,161,1863,5060 -j SET --add-set banned_hosts src
iptables -I INPUT 5 -i $UDEV -p tcp -m multiport --dports 20,23,25,110,135,137:139,161,445,1080,2323,3128,3306,3389 -j SET --add-set banned_hosts src
#iptables -I INPUT 3 -i $UDEV -m recent --update --name hack --rsource -j DROP
#iptables -I INPUT 4 -i $UDEV -p udp -m multiport --dports 80,161,1863,5060 -m conntrack --ctstate NEW -m recent --set --name hack --rsource -j DROP
#iptables -I INPUT 5 -i $UDEV -p tcp -m multiport --dports 20,23,25,53,110,135,137:139,161,445,1080,2323,3128,3306,3389 -m conntrack --ctstate NEW -m recent --set --name hack --rsource -j DROP
```
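Combining #8's lastb-based ban list with #17's ipset approach, as an added example that is not code from any post in this thread: instead of appending one iptables rule per address (the rule-count problem #10 ran into), the offending IPs go into a single `hash:ip` set with an expiry, and one `-m set --match-set` rule covers all of them. The `lastb -i` sample output, the set name `ssh_bruteforce`, the one-day timeout and the function names are assumptions made for the demo; the `offenders` function also validates that the third column is an IPv4 address, so the `btmp begins ...` footer that `lastb` prints last never ends up in a firewall command.

```shell
#!/bin/sh
# Added example, not code from any post in this thread: derive the ban list
# the way #8's script does (from lastb), but load it into one ipset with an
# expiry, as in #17, instead of one iptables rule per IP (#10's problem).
# Set name, timeout and the sample output below are assumptions for the demo.

# Constructed `lastb -i` output (not real data). -i prints IP addresses, never
# reverse-resolved hostnames, so column 3 is always an address on ssh rows.
SAMPLE_LASTB='root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:17 - 23:17  (00:00)
es       ssh:notty    211.115.91.20    Thu Jan 26 23:36 - 23:36  (00:00)
es       ssh:notty    211.115.91.20    Thu Jan 26 23:36 - 23:36  (00:00)
admin    ssh:notty    10.0.0.5         Thu Jan 26 10:00 - 10:00  (00:00)
admin    ssh:notty    10.0.0.5         Thu Jan 26 10:01 - 10:01  (00:00)
admin    ssh:notty    10.0.0.5         Thu Jan 26 10:02 - 10:02  (00:00)
admin    ssh:notty    10.0.0.5         Thu Jan 26 10:03 - 10:03  (00:00)

btmp begins Tue Jan 24 23:17:00 2023'

# offenders MAXRETRY [IGNORE_PREFIX] < lastb-output
# Prints IPs with more than MAXRETRY failed ssh logins, one per line, sorted.
# Only rows whose 3rd column looks like IPv4 are counted, so the trailing
# "btmp begins ..." footer (3rd column "begins") and blank lines never reach
# the firewall; IGNORE_PREFIX plays the role of fail2ban's ignoreip.
offenders() {
  awk -v maxretry="$1" -v ignore="${2:-10.0.0.}" '
    $2 == "ssh:notty" && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && index($3, ignore) != 1 { c[$3]++ }
    END { for (ip in c) if (c[ip] > maxretry) print ip }' | sort
}

# ipset_commands SETNAME TIMEOUT_SECONDS < ip-list
# Emits the ipset commands to run (pipe them to `sh` as root). "-exist" makes
# re-runs idempotent; the per-entry timeout lets bans expire on their own.
ipset_commands() {
  set_name=$1; timeout=$2
  printf 'ipset create %s hash:ip timeout %s -exist\n' "$set_name" "$timeout"
  while read -r ip; do
    if [ -n "$ip" ]; then
      printf 'ipset add %s %s timeout %s -exist\n' "$set_name" "$ip" "$timeout"
    fi
  done
}

# Demo on the constructed sample. For real use (root, ipset and iptables installed):
#   lastb -i | offenders 3 | ipset_commands ssh_bruteforce 86400 | sh
#   iptables -C INPUT -m set --match-set ssh_bruteforce src -j DROP 2>/dev/null ||
#     iptables -I INPUT -m set --match-set ssh_bruteforce src -j DROP
# That one match-set rule then covers every entry, however large the set grows.
printf '%s\n' "$SAMPLE_LASTB" | offenders 3 | ipset_commands ssh_bruteforce 86400
```

Because entries time out on their own and `ipset add ... -exist` is harmless for an address already present, the demo line can run from cron every few minutes, which is what the OP asked for, without the rule table ever growing beyond that single DROP rule.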
19
lovelylain 2023-01-31 18:26:20 +08:00 via Android
@sNullp With frp tunneling through to an internal host, fail2ban doesn't really fit, does it? Is there a good way to keep weak passwords from being brute-forced?