梦想之鹰的天空

天高任鸟飞......放飞....心情..........放飞.....梦想

日志

关于我

梦想之鹰

非淡泊无以明志非宁静无以致远

文章分类

自动封堵暴力破解ssh账号的入侵者

2011-05-11 16:52:09| 分类：程序设计 | 标签： |举报 |字号大中小订阅

下载LOFTER 我的照片书 |

无限发现他的ssh服务器有人企图暴力破解账号，我也自查了一下，发现我也一样受到了此类攻击，ssh中的相关log如下：

May 10 23:20:21 localhost sshd[9075]: Invalid user x from x.x.x.x

明显x.x.x.x在进行账号猜测。随即写了个ruby脚本，监控sshd的此类日志，并对连续输错用户名十次以上的IP用iptables进行封堵。

#!/usr/bin/ruby
#
class Daemon
def Daemon.start
exit!(0) if fork
Process::setsid
exit!(0) if fork
Dir::chdir("/")
File::umask(0)
STDIN.reopen("/dev/null")
STDOUT.reopen("/dev/null", "w")
STDERR.reopen("/dev/null", "w")
yield if block_given?
end
end
def block_ip(ip)
cmd = "iptables -A block_ip -s #{ip} -j DROP"
system(cmd)
end
def block_invalid(filename)
block_limit = 10
log_file = File.new(filename)
ips = Hash.new
blocked_ips = Hash.new
log_file.each do |line|
field = line.split
if field[5] == "Invalid"
ip = field[field.length - 1]
if ips.key?(ip)
ips[ip] += 1
else
ips[ip] = 1
end
if ips[ip] > block_limit and not blocked_ips.key?(ip)
blocked_ips[ip] = 1
block_ip(ip)
end
end
end
end
if system("iptables -nvL block_ip &>/dev/null")
system("iptables -F block_ip")
else
system("iptables -N block_ip")
system("iptables -I INPUT -j block_ip")
end
Daemon.start do
block_invalid("/var/lib/myips.fifo")
end

本质上，这就是一个简单的LIPS--基于日志的入侵防护系统。

评论这张

转发至微博

阅读(475)| 评论(0)

历史上的今天

this.p={  m:2,
              b:2,
              loftPermalink:'',
              id:'fks_095066081087089066086081085095087086084068085082087069',
              blogTitle:'自动封堵暴力破解ssh账号的入侵者',
              blogAbstract:'  <P\>无限发现他的ssh服务器有人企图暴力破解账号，我也自查了一下，发现我也一样受到了此类攻击，ssh中的相关log如下：  </P\><DIV\><BR\></DIV\>  <DIV\>  <DIV id=\"codeText\"\>  <OL style=\"PADDING-BOTTOM: 5px; MARGIN: 0px 1px 0px 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; PADDING-TOP: 5px;\"\>  <LI\>May 10 23:20:21 localhost sshd[9075]: Invalid user x from x.x.x.x</LI\></OL\></DIV\></DIV\>明显x.x.x.x在进行账号猜测。随即写了个ruby脚本，监控sshd的此类日志，并对连续输错用户名十次以上的IP用iptables进行封堵。  <DIV\><BR\></DIV\>  <DIV\>  <DIV id=\"codeText\"\>  <OL style=\"PADDING-BOTTOM: 5px; MARGIN: 0px 1px 0px 0px; PADDING-LEFT: 0px; PADDING-RIGHT: 0px; PADDING-TOP: 5px;\"\>  <LI\><SPAN style=\"COLOR: rgb(0,0,0);\"\>#</SPAN\></LI\></OL\></DIV\></DIV\>',
              blogTag:'',
              blogUrl:'blog/static/3057141620114114529700',
              isPublished:1,
              istop:false,
              type:0,
              modifyTime:0,
              publishTime:1305103929700,
              permalink:'blog/static/3057141620114114529700',
              commentCount:0,
              mainCommentCount:0,
              recommendCount:0,
              bsrk:-100,
              publisherId:0,
              recomBlogHome:false,
              currentRecomBlog:false,
              attachmentsFileIds:[],
              vote:{},
              groupInfo:{},
              friendstatus:'none',
              followstatus:'unFollow',
              pubSucc:'',
              visitorProvince:'',
              visitorCity:'',
              visitorNewUser:false,
              postAddInfo:{},
              mset:'000',
              mcon:'',
              srk:-100,
              remindgoodnightblog:false,
              isBlackVisitor:false,
              isShowYodaoAd:false,
              hostIntro:'非淡泊无以明志 非宁静无以致远',
              hmcon:'1',
              selfRecomBlogCount:'0',
              lofter_single:'<iframe width="140" height="560" style="overflow:hidden;" src="http://www.lofter.com/mailEntry.do?blogad=1&blog" frameBorder="0"></iframe>'
            }

{list a as x}
    {if !!x}
    <div class="iblock nbw-fce nbw-f40">
      <a class="fc03 noul" target="_blank" hidefocus="true" href="http://blog.163.com/${x.visitorName}/">
      {if x.visitorName==visitor.userName}
      <img alt="${x.visitorNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.visitorName)}&r=${visitor.imageUpdateTime}"/>
      {else}
      <img alt="${x.visitorNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.visitorName)}"/>
      {/if}
      </a>
      <div class="cwd vname thide">
        {if x.moveFrom=='wap'}
          <a class="noul pnt" target="_blank" href="http://blog.163.com/services/wapblog.html?frompersonalbloghome"><span title="来自网易手机博客" class="iblock wapIcon"> </span></a>
        {elseif x.moveFrom=='iphone'}
          <a class="noul pnt" target="_blank"><span title="来自iPhone客户端" class="iblock iphoneIcon"> </span></a>
        {elseif x.moveFrom=='android'}
          <a class="noul pnt" target="_blank"><span title="来自Android客户端" class="iblock androidIcon"> </span></a>
        {elseif x.moveFrom=='mobile'}
          <a class="noul pnt" target="_blank" href="http://blog.163.com/services/emsblog.html?frompersonalbloghome"><span title="来自网易短信写博" class="iblock wapIcon"> </span></a>
        {/if}
        <a class="fc03 m2a"  target="_blank" hidefocus="true" href="http://blog.163.com/${x.visitorName}/">
          ${fn(x.visitorNickname,8)|escape}
        </a>
      </div>
    </div>
    {/if}
    {/list}

<#--最新日志，群博日志--> <#--推荐日志-->

<p class="fc06">推荐过这篇日志的人：</p>
    <div>
      {list a as x}
      {if !!x}
      <div class="iblock nbw-fce nbw-f40">
        <a class="fc03 noul" target="_blank" hidefocus="true" href="http://blog.163.com/${x.recommenderName}/">
        <img alt="${x.recommenderNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.recommenderName)}"/>
        </a>
        <div class="cwd thide">
          <a class="fc03 m2a" target="_blank" hidefocus="true" href="http://blog.163.com/${x.recommenderName}/">
            ${fn(x.recommenderNickname,6)|escape}
          </a>
        </div>
      </div>
      {/if}
      {/list}
    </div>
    {if !!b&&b.length>0}
    <p  class="fc06">他们还推荐了：</p>
    <ul>
    {list b as y}
      {if !!y}
        <li class="rrb"><span class="iblock">·</span><a class="fc03 m2a" target="_blank" href="http://blog.163.com/${y.recommendBlogPermalink}/?from=blog/static/3057141620114114529700">${y.recommendBlogTitle|escape}</a></li>
      {/if}
    {/list}
    </ul>
    {/if}

<#--引用记录--> <#--博主推荐--> <#--随机阅读--> <#--首页推荐--> <#--历史上的今天--> <#--被推荐日志--> <#--上一篇，下一篇--> <#-- 热度 -->

{list a as x}
    {if !!x}
    <div class="hotItem iblock nbw-fce nbw-f40">
      <a class="fc03 noul" target="_blank" hidefocus="true" href="http://blog.163.com/${x.publisherUsername}/">
      {if x.publisherUsername==visitor.userName}
      <img alt="${x.publisherNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.publisherUsername)}&r=${visitor.imageUpdateTime}"/>
      {else}
      <img alt="${x.publisherNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.publisherUsername)}"/>
      {/if}
      </a>
      <div class="cwd vname thide">
        <a class="fc03 m2a"  target="_blank" hidefocus="true" href="http://blog.163.com/${x.publisherUsername}/">
          ${fn(x.publisherNickname,8)|escape}
        </a>
      </div>
      <a class="f-myLikeIcons hottype {if x.type==1} js-liketype{elseif x.type==2} js-reblogtype{elseif x.type==3} js-sharetype{else}{/if}" target="_blank" hidefocus="true" href="http://blog.163.com/${x.publisherUsername}/"> </a>
    </div>
    {/if}
    {/list}

<#-- 网易新闻广告 --> <#--右边模块结构--> <#--评论模块结构--> <#--引用模块结构--> <#--博主发起的投票-->

页脚

我的照片书 - 手机博客 - 下载LOFTER APP - 订阅此博客

梦想之鹰的天空

导航

日志

自动封堵暴力破解ssh账号的入侵者

历史上的今天

最近读者

热度

评论

页脚