shell脚本防ssh/vsftpd暴力破解

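#!/bin/bash
# Block every source address with more than LIMIT failed SSH logins
# in the current hour (matched on the "Mon dd HH" prefix of /var/log/secure).
LIMIT=10
LOGFILE="/var/log/block_ssh.log"
TIME=$(date '+%b %e %H')
# One "<count>:<ip>" entry per address over the limit.
BLOCK_IP=$(grep "$TIME" /var/log/secure | grep Failed | awk '{print $(NF-3)}' | sort | uniq -c | awk -v limit="$LIMIT" '$1 > limit {print $1":"$2}')
for i in $BLOCK_IP
do
    IP=$(echo "$i" | awk -F: '{print $2}')
    TIMES=$(echo "$i" | awk -F: '{print $1}')
    # The address token comes from a log line that remote clients influence and
    # is passed to iptables on a command line: accept only IPv4/IPv6 literal characters.
    case "$IP" in
        *[!0-9a-fA-F.:]*|"") echo "skipping unexpected address: $IP" >&2; continue ;;
    esac
    # -F -w: literal whole-word match, so 1.2.3.4 does not also match 11.2.3.45
    if ! iptables-save | grep INPUT | grep DROP | grep -Fw "$IP" >/dev/null; then
        # Remove a possible stale copy before appending, so the rule is never duplicated.
        iptables -D INPUT -s "$IP" -j DROP 2>/dev/null
        iptables -A INPUT -s "$IP" -j DROP
        NOW=$(date '+%Y-%m-%d %H:%M')
        echo -e "$NOW : $TIMES times $IP" >> "${LOGFILE}"
    fi
done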

FreeBSD 系统下，脚本如下：

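#!/bin/sh
# Block every source address with more than 10 failed logins in
# /var/log/auth.log using an ipfw deny rule on port 22.
SCANIP=$(grep "Failed" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | awk '{print $1"="$2;}')
for i in $SCANIP
do
    NUMBER=$(echo "$i" | awk -F= '{print $1}')
    # Use a separate name for the per-entry address; SCANIP is the list being iterated.
    IP=$(echo "$i" | awk -F= '{print $2}')
    echo "$NUMBER($IP)"
    # The address token comes from a log line that remote clients influence and
    # is passed to ipfw on a command line: accept only IPv4/IPv6 literal characters.
    case "$IP" in
        *[!0-9a-fA-F.:]*|"") echo "skipping unexpected address: $IP" >&2; continue ;;
    esac
    # -F -w: literal whole-word match, so 1.2.3.4 does not also match 11.2.3.45
    if [ "$NUMBER" -gt 10 ] && [ -z "$(/sbin/ipfw show | grep -Fw "$IP")" ]
    then
        /sbin/ipfw add 1 deny ip from "$IP" to me 22
        echo "$(date) $IP($NUMBER)" >> /var/log/scanip.log
    fi
done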
Vsftpd服务可以参考命令:

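# List addresses with at least 20 "FAIL LOGIN" entries in the vsftpd log.
# uniq -c only merges adjacent duplicates, so the addresses must be sorted first;
# without that sort, one address spread over the log is counted several times.
awk '/FAIL LOGIN: Client/ {print $12}' /var/log/vsftpd.log | sort | uniq -c | sort -k1n | awk -F'["]' '{print $1$2}' | awk '{if ($1 >= 20) print $2}'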



下面用C语言实现上面的代码:

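/* Feature-test macro so popen(), localtime_r() and friends are declared
 * even when the file is compiled in a strict -std=c11 mode. */
#define _POSIX_C_SOURCE 200809L

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <stdarg.h>
#include <ctype.h>

#define SSH_LOG_PATH "/var/log/block_ssh.log"
#define SSH_SECURE_FILE "/var/log/secure"
#define SSH_MAX_LOG_FILE_SIZE (10*1024*1024)
#define SSH_LIMIT 10
#define SSH_BUF_SIZE 1024
/* Pipeline that counts failed logins per source address for the given
 * "Mon dd HH" prefix. Every output line is "<count>:<ip>". */
#define SSH_BLOCK_IP "grep \"%s\" %s | grep \"Failed\" | awk '{print $(NF-3)}' | sort | uniq -c | awk '$1 > %d {print $1\":\"$2}'"
/* -F -w: literal whole-word match, so 1.2.3.4 does not also match 11.2.3.45. */
#define SSH_IPTABLES_SAVE "iptables-save | grep INPUT | grep DROP | grep -F -w \"%s\" >/dev/null 2>&1"
#define SSH_IPTABLES_D "iptables -D INPUT -s \"%s\" -j DROP"
#define SSH_IPTABLES_A "iptables -A INPUT -s \"%s\" -j DROP"

/* Block log stream; NULL until init_ssh_log() succeeds. */
static FILE *ssh_logHander = NULL;

/* Open the block log for appending.
 * Returns 0 on success, -1 when the file cannot be opened (logging is then disabled). */
int init_ssh_log(void)
{
    ssh_logHander = fopen(SSH_LOG_PATH, "a");
    return ssh_logHander ? 0 : -1;
}

/* Append one timestamped, printf-style record to the block log.
 * No-op when the log is not open or p_fmt is NULL. When the log file grows
 * past SSH_MAX_LOG_FILE_SIZE it is truncated and reopened in place. */
void ssh_log(const char *p_fmt, ...)
{
    char date[SSH_BUF_SIZE] = {'\0'};
    time_t now;
    struct tm ptm;
    struct stat st;
    va_list ap;

    if (!ssh_logHander || !p_fmt) {
        return;
    }
    time(&now);
    if (localtime_r(&now, &ptm)) {
        strftime(date, sizeof date, "%F %T", &ptm);
        fprintf(ssh_logHander, "[ %s ]", date);
        va_start(ap, p_fmt);
        vfprintf(ssh_logHander, p_fmt, ap);
        va_end(ap);
        fflush(ssh_logHander);
    }
    /* Size check must look at the real log path; the original stat()'ed an
     * empty string, so the rotation below never triggered. */
    if (stat(SSH_LOG_PATH, &st) == 0 && st.st_size > SSH_MAX_LOG_FILE_SIZE) {
        fclose(ssh_logHander);
        /* A failed reopen leaves the handle NULL, which silently disables logging. */
        ssh_logHander = fopen(SSH_LOG_PATH, "w+");
    }
}

/* Run cmd through system() and report whether it exited with status 0.
 * Returns 0 on a clean exit, -1 when cmd is NULL, system() fails, the child
 * was killed by a signal, or it exited non-zero. */
int check_systrm_result(const char *cmd)
{
    int status;

    if (!cmd) {
        return -1;
    }
    status = system(cmd);
    if (status != -1 && WIFEXITED(status) && WEXITSTATUS(status) == 0) {
        return 0;
    }
    return -1;
}

/* Accept only characters an IPv4/IPv6 literal can contain (hex digits, '.', ':').
 * The address token is extracted from a log line that remote clients influence
 * and is interpolated into a shell command, so any other byte is refused.
 * Returns 1 when s is non-empty and clean, 0 otherwise (including NULL). */
static int ssh_is_address(const char *s)
{
    if (!s || !*s) {
        return 0;
    }
    for (; *s; s++) {
        if (!isxdigit((unsigned char)*s) && *s != '.' && *s != ':') {
            return 0;
        }
    }
    return 1;
}

/* Find addresses over SSH_LIMIT failed logins in the current hour and add an
 * iptables DROP rule for each one that is not already blocked.
 * Returns 0 on success, 1 when the time prefix or the counting pipeline
 * cannot be produced. */
int main(void)
{
    FILE *p_stream;
    char time_buf[SSH_BUF_SIZE] = {'\0'};
    char block_ipbuf[SSH_BUF_SIZE] = {'\0'};
    char cmd_line[SSH_BUF_SIZE] = {'\0'};
    time_t now;
    struct tm ptm;

    if (init_ssh_log() != 0) {
        /* Keep going: blocking still works, only the audit record is lost. */
        fprintf(stderr, "cannot open %s for logging\n", SSH_LOG_PATH);
    }

    /* Format the "Mon dd HH" prefix in-process. Reading it from popen("date")
     * left a trailing newline inside the grep pattern, which made grep match
     * every line and defeated the per-hour filter. */
    time(&now);
    if (!localtime_r(&now, &ptm) || strftime(time_buf, sizeof time_buf, "%b %e %H", &ptm) == 0) {
        fprintf(stderr, "cannot format current time\n");
        return 1;
    }
    printf("time_buf is %s\n", time_buf);

    snprintf(block_ipbuf, sizeof block_ipbuf, SSH_BLOCK_IP, time_buf, SSH_SECURE_FILE, SSH_LIMIT);
    printf("block_ipbuf is %s\n", block_ipbuf);
    p_stream = popen(block_ipbuf, "r");
    if (!p_stream) {
        perror("popen");
        return 1;
    }
    while (fgets(cmd_line, sizeof cmd_line, p_stream) != NULL) {
        char *p_times = cmd_line;
        char *p_ip;

        printf("cmd_line is %s\n", cmd_line);
        /* Strip the line terminator without indexing before the buffer on an empty line. */
        cmd_line[strcspn(cmd_line, "\r\n")] = '\0';
        p_ip = strchr(p_times, ':');
        if (p_ip == NULL) {
            continue;
        }
        *p_ip++ = '\0';
        if (!ssh_is_address(p_ip)) {
            fprintf(stderr, "skipping unexpected address token: %s\n", p_ip);
            continue;
        }
        printf("p_times :%d,p_ip is %s \n", atoi(p_times), p_ip);

        snprintf(block_ipbuf, sizeof block_ipbuf, SSH_IPTABLES_SAVE, p_ip);
        printf("block_ipbuf is %s\n", block_ipbuf);
        if (check_systrm_result(block_ipbuf) != 0) {
            /* No DROP rule for this address yet: remove a possible stale copy,
             * then append, so the rule is never duplicated. */
            snprintf(block_ipbuf, sizeof block_ipbuf, SSH_IPTABLES_D, p_ip);
            printf("block_ipbuf is %s\n", block_ipbuf);
            check_systrm_result(block_ipbuf);
            snprintf(block_ipbuf, sizeof block_ipbuf, SSH_IPTABLES_A, p_ip);
            printf("block_ipbuf is %s\n", block_ipbuf);
            if (check_systrm_result(block_ipbuf) != 0) {
                fprintf(stderr, "iptables failed to block %s\n", p_ip);
                continue;
            }
            ssh_log(" : %d times ip %s unauthorized access\n", atoi(p_times), p_ip);
        }
    }
    pclose(p_stream);
    if (ssh_logHander) {
        fclose(ssh_logHander);
    }
    return 0;
}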



参考资料:

http://www.92csz.com/11/1094.html



