Checking the fail2ban log instead of lastb for failed login records
2015-10-11 17:00
Earlier I used a shell script to pull the IPs with more than a given number of failed logins out of lastb and add them to iptables, so those IPs could no longer log in to the host and malicious attempts were blocked. Later, to give the host more complete protection, I also installed fail2ban. This morning I received an alert email from fail2ban telling me it had banned an IP from logging in: 219.235.4.22. I logged in to the host and ran the last command; the result looked like this:
For more Linux material, visit: http://www.aminglinux.com/bbs/?fromuid=4297
root ssh:notty host-219-235-4-2 Thu Apr 23 19:32 - 19:32 (00:00)
root ssh:notty host-219-235-4-2 Thu Apr 23 19:32 - 19:32 (00:00)
root ssh:notty host-219-235-4-2 Thu Apr 23 19:32 - 19:32 (00:00)
root ssh:notty host-219-235-4-2 Thu Apr 23 19:32 - 19:32 (00:00)
root ssh:notty host-219-235-4-2 Thu Apr 23 19:32 - 19:32 (00:00)
root ssh:notty 61.160.247.150 Thu Apr 23 02:18 - 02:18 (00:00)
root ssh:notty 61.160.247.150 Thu Apr 23 02:18 - 02:18 (00:00)
root ssh:notty 61.160.247.150 Thu Apr 23 02:18 - 02:18 (00:00)

The host field has a "host-" prefix, the IP octets are separated by "-", and the last octet is cut off. This is the reverse DNS name of the client, truncated because last/lastb limit the host column to 16 characters by default (lastb -w prints the full name, and lastb -i prints the stored IP address instead of the name). I immediately thought of checking the log that fail2ban works from: on CentOS that is /var/log/secure, the system authentication log written by sshd and PAM (fail2ban's own messages go to /var/log/fail2ban.log; on Debian-family systems the auth log is /var/log/auth.log instead). I ran:
grep 'Failed password for root from' /var/log/secure|grep '219.235.4.22'

The output was:
Apr 23 19:32:27 localhost sshd[17856]: Failed password for root from 219.235.4.22 port 4993 ssh2
Apr 23 19:32:30 localhost sshd[17856]: Failed password for root from 219.235.4.22 port 4993 ssh2
Apr 23 19:32:31 localhost sshd[17856]: Failed password for root from 219.235.4.22 port 4993 ssh2
Apr 23 19:32:34 localhost sshd[17856]: Failed password for root from 219.235.4.22 port 4993 ssh2
Apr 23 19:32:36 localhost sshd[17856]: Failed password for root from 219.235.4.22 port 4993 ssh2

Now both the full IP address and the remote port are visible, much more detail than lastb gives. So I modified my earlier script to read /var/log/secure directly:
#!/bin/bash
# Count "Failed password for root" lines in /var/log/secure per source IP and
# day, and keep every IP with more than 4 failures on a single day. In the line
# "... Failed password for root from <IP> port <N> ssh2", $11 is the IP and
# $1 $2 are the month and day. sort -u drops an IP listed for several days.
bad_ip=`grep 'Failed password for root from' /var/log/secure|awk '{print $11,$1,$2}'|sort|uniq -c|awk '$1>4 {print $2}'|sort -u|xargs`
for ip in $bad_ip; do
    # -F -w: match the literal address as a whole word, so 1.2.3.4 is not
    # mistaken for an existing rule against 1.2.3.45 (plain grep would match,
    # and an unescaped "." in the pattern matches any character).
    in_iptables=`iptables -nvL|grep -Fw "$ip"|wc -l`
    if [ $in_iptables -eq 0 ]; then
        iptables -I INPUT -s $ip -j REJECT
        service iptables save
    fi
done

I ran it, and it worked!
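The same idea, written as an added example that is not the post's own script: the log lines and the iptables listing below are constructed sample data in the /var/log/secure and `iptables -nvL` formats, the threshold of 4 is an assumption carried over from the post, and the example also counts "invalid user" failures (which the post's `for root from` pattern skips). Instead of calling iptables directly it prints the commands it would run, so it is safe to execute anywhere.

```shell
#!/bin/sh
# Added example (not the original post's script). Parses sshd "Failed password"
# lines, counts failures per source IP, and emits iptables commands for IPs
# over a threshold that do not already have a rule.

# Constructed sample of /var/log/secure lines (not real traffic): 219.235.4.22
# and 10.0.0.9 have 5 failures each, 61.160.247.150 has 3; the last line is a
# successful key login and must be ignored.
SAMPLE_LOG='Apr 23 19:32:27 localhost sshd[17856]: Failed password for root from 219.235.4.22 port 4993 ssh2
Apr 23 19:32:30 localhost sshd[17856]: Failed password for root from 219.235.4.22 port 4993 ssh2
Apr 23 19:32:31 localhost sshd[17856]: Failed password for root from 219.235.4.22 port 4993 ssh2
Apr 23 19:32:34 localhost sshd[17856]: Failed password for root from 219.235.4.22 port 4993 ssh2
Apr 23 19:32:36 localhost sshd[17856]: Failed password for root from 219.235.4.22 port 4993 ssh2
Apr 23 02:18:01 localhost sshd[17201]: Failed password for root from 61.160.247.150 port 51022 ssh2
Apr 23 02:18:03 localhost sshd[17201]: Failed password for root from 61.160.247.150 port 51022 ssh2
Apr 23 02:18:05 localhost sshd[17201]: Failed password for root from 61.160.247.150 port 51022 ssh2
Apr 23 03:10:12 localhost sshd[17300]: Failed password for invalid user admin from 10.0.0.9 port 40000 ssh2
Apr 23 03:10:15 localhost sshd[17300]: Failed password for invalid user admin from 10.0.0.9 port 40000 ssh2
Apr 23 03:10:18 localhost sshd[17300]: Failed password for invalid user admin from 10.0.0.9 port 40000 ssh2
Apr 23 03:10:20 localhost sshd[17300]: Failed password for invalid user admin from 10.0.0.9 port 40000 ssh2
Apr 23 03:10:22 localhost sshd[17300]: Failed password for invalid user admin from 10.0.0.9 port 40000 ssh2
Apr 23 03:11:00 localhost sshd[17301]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2'

# Constructed `iptables -nvL` output with one existing rule for 219.235.4.22.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       219.235.4.22         0.0.0.0/0            reject-with icmp-port-unreachable'

# bad_ips THRESHOLD < logfile
# Prints, sorted, every source IP with more than THRESHOLD failed password
# attempts. The IP is always the field after the last "from", which handles
# both "for root from <IP>" and "for invalid user <name> from <IP>".
bad_ips() {
    awk -v t="$1" '
        /Failed password for .* from / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > t) print ip }
    ' | sort
}

# is_blocked IP < iptables-listing
# Succeeds if IP already appears in the listing. -F treats dots literally and
# -w requires a whole-word match, so 219.235.4.2 is not reported as blocked
# just because a rule for 219.235.4.22 exists.
is_blocked() {
    grep -Fqw -- "$1"
}

# new_block_rules THRESHOLD LOGFILE RULEFILE
# Prints the iptables commands needed for offenders not yet in RULEFILE
# (a saved copy of `iptables -nvL`). Pipe the output into sh to apply it.
new_block_rules() {
    bad_ips "$1" < "$2" | while read -r ip; do
        if ! is_blocked "$ip" < "$3"; then
            echo "iptables -I INPUT -s $ip -j REJECT"
        fi
    done
}
```

Against a live host the call would be `iptables -nvL > /tmp/rules.txt; new_block_rules 4 /var/log/secure /tmp/rules.txt | sh`, followed by `service iptables save` as in the post. Unlike the post's script this version counts over the whole file rather than per day, so the window is bounded by log rotation rather than by the calendar date.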