每天登录服务器查看日志发现有很多猜测SSH登录的IP,有没有什么办法来防止这种无休止的猜测攻击.下面介绍通过pf防火墙来封堵恶意猜测登陆ssh的IP的方法
第一步:在pf防火墙的配文件:/etc/pf.conf中加入以下内容:
table persist
table persist
block quick from
block quick from
pass quick inet proto tcp from any to any port 22 keep state (max-src-conn 3, max-src-conn-rate 2/1,overload flush global)
pass quick inet proto tcp from any to any port ftp keep state (max-src-conn 11, max-src-conn-rate 20/10,overload flush global)
首先是添加了pf防火墙的两个表:SSHbruteforce,FTPbruteforce,默认是禁止两个表中的IP,最后是付合条件的IP,分别加入到两个表中。
第二步:对于阻擋一日後,即清除IP紀錄,先裝套件/usr/ports/security/expiretable
# /usr/local/sbin/expiretable -v -d -t 24h SSHbruteforce
# /usr/local/sbin/expiretable -v -d -t 24h FTPbruteforce,
把以上内容加入到/etc/rc.local,freebsd6.2中,没有rc.local这个文件,可以自己创建。
第三步:我们记录一下这些被封堵的IP地址:
#!/bin/sh
log_file="/var/log/bad_guy.log"
date >> $log_file
echo " SSH:" >> $log_file
/sbin/pfctl -t SSHbruteforce -T show >> $log_file
echo " FTP:" >> $log_file
/sbin/pfctl -t FTPbruteforce -T show >> $log_file
下边写些自己的扩展:
1。先提取auth.log中的invalid user ip,并且记录下来:
date >/log/ip.txt
echo "############################" >>/log/ip.txt
echo "Login authentication failed IP:" >>/log/ip.txt
echo "############################" >>/log/ip.txt
cat /var/log/auth.log | grep Invalid >/log/auth.log
awk ‘{print $10}‘ /log/auth.log >/log/ipadd.txt
sort /log/ipadd.txt |uniq >>/log/ip.txt
sort /log/ipadd.txt |uniq >>/log/ipadd.txt
rm /log/auth.log
#rm /log/ipadd.txt
echo "############################" >>/log/ip.txt
echo "" >>/log/ip.txt
echo "all of IP address:" >>/log/ip.txt
cat /log/ip.txt|grep ^\[0-9]|wc -l >>/log/ip.txt
把脚本加入到crontab中,每五分钟统计一次,把IP写入记录中。
2。通过以下这个简单的shell,把统计整理的IP,加入到pf防火墙的SSHbruteforce表中,
sort /log/ipadd.txt |uniq >>/log/iplog.txt
cat /log/iplog.txt|while read aa
do
/sbin/pfctl -t SSHbruteforce -T add $aa
done
把以上脚本也加入到crontab中,每五分钟执行一次,把统计到的IP加入到pf防火墙中并禁用。
或者把1.2中两个脚本合到一起写如下:
date >/log/ip.txt
echo "############################" >>/log/ip.txt
echo "Login authentication failed IP:" >>/log/ip.txt
echo "############################" >>/log/ip.txt
cat /var/log/auth.log | grep Invalid >/log/auth.log
awk ‘{print $10}‘ /log/auth.log | sort | uniq >>/log/ip.txt
#sort /log/ipadd.txt |uniq >>/log/ipadd.txt
#rm /log/auth.log
rm /log/ipadd.txt
echo "############################" >>/log/ip.txt
echo "" >>/log/ip.txt
echo "all of IP address:" >>/log/ip.txt
cat /log/ip.txt|grep ^\[0-9]|wc -l >>/log/ip.txt
#add ip to pf
awk ‘{print $10}‘ /log/auth.log | sort | uniq >/log/iplog.txt
cat /log/iplog.txt|while read aa
do
/sbin/pfctl -t SSHbruteforce -T add $aa
done
这样就基本上实现了。这些被封的IP,通过安装的套件expiretable,来定时清除。我们在日志中也就可以看到,我们正确的用户,终使密码输入错误也不会被封了IP,而那些错误的用户IP,就被禁用了。默认我的机器禁止root用户登陆。