Mar 20 06:57:42 test sshd(pam_unix)[16030]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=mail.ccps.tp.edu.tw
Mar 20 06:59:57 test sshd(pam_unix)[16565]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=mail.ccps.tp.edu.tw user=root
The lines you listed above should be from /var/log/messages; my script checks /var/log/secure, so please double-check the location of your log file.
You can run the following command to see whether anything comes out:
cat /var/log/secure | grep sshd.*Failed
If I want to see whether it worked, do I check iptables -L -n for blocked IPs?
Yes, and root will also receive a mail telling you which IP was blocked.
For the script you wrote, I only removed the # parts (except for the first line), because the Chinese all turned into garbage characters.
The only other changes: 1*60*60 changed to 1*60, and the count changed to 3. Nothing else was changed.
So it should also be reading /var/log/secure, right?
Because /var/log/secure only shows the IP and not the domain name, I used the /var/log/messages output so everyone could more easily see who is trying.
Then I ran your cat /var/log/secure | grep sshd.*Failed command and a long list of stuff came out, like:
Mar 22 00:57:43 test sshd[6236]: Failed password for root from ::ffff:155.230.181.110 port 1696 ssh2
But no matter how I look with /sbin/iptables -L, I never see any blocked IP appear.
I don't know where the mistake is.
# vi /usr/bin/block_ssh.pl
(the numbers at the start are line numbers)
1 #!/usr/bin/perl
2 $log_file = "/var/log/secure";
3 $time_range = 1 * 60 * 60;
4 $drop_count = 10;
5 $mail = 'root@localhost';
6 $sendmail = "/usr/sbin/sendmail";
7 use Time::Local;
8
9 $ip = $ARGV[0]; $ip =~ s/^::ffff://; # drop the IPv4-mapped prefix so grep and iptables see a plain IPv4 address
10 $daemon = $ARGV[1];
11 $count = 0;
12
13 %month = (
14 Jan => 0,
15 Feb => 1,
16 Mar => 2,
17 Apr => 3,
18 May => 4,
19 Jun => 5,
20 Jul => 6,
21 Aug => 7,
22 Sep => 8,
23 Oct => 9,
24 Nov => 10,
25 Dec => 11
26 );
27
28 $time = time();
29 ($second,$minute,$hour,$day,$month,$year) = localtime($time);
30
31 @list = `cat $log_file | grep -E "sshd.*Failed password.* from (::ffff:)?$ip "`; # sshd may log the peer as ::ffff:a.b.c.d
32 for(my $i = $#list; $i >= 0; $i--){
33 my($log_month,$log_day,$log_time) = split(/ +/,$list[$i]);
34 my($log_hour,$log_minute,$log_second) = split(/:/,$log_time);
35 if($month{$log_month} > $month){ # compare month numbers, not the month name
36 $log_year = $year - 1;
37 }else{
38 $log_year = $year;
39 }
40 $log_time = timelocal($log_second,$log_minute,$log_hour,$log_day ,$month{$log_month},$log_year);
41 if($time < $log_time + $time_range ){
42 $count++;
43 }else{
44 last;
45 }
46 }
47
48 if($count > $drop_count){
49 `iptables -I INPUT -p tcp -s $ip --dport 22 -j DROP`; # -I puts the rule before the jump to RH-Firewall-1-INPUT (which accepts new ssh); a rule appended with -A would never be reached
50 if($mail){
51 $hostname = `hostname`;
52 $month++;
53 $year += 1900;
54 chomp($hostname);
55 open(MAIL, "| $sendmail -t") || die "Can't open $sendmail !\n";
56 print MAIL qq|To: $mail\n|;
57 print MAIL qq|Subject: [$hostname].. $ip\n|;
58 print MAIL qq|Content-Transfer-Encoding: 8bit\n|;
59 print MAIL qq|Content-type: text/plain\; charset=Big5\n\n|;
60 print MAIL "\n..: $year-$month-$day $hour:$minute:$second\n----\n... \"$ip\" ... SSH ......... $count .......... IP.\n\n";
61 print MAIL @list;
62 close(MAIL);
63 }
64 }
65
66 exit;
# ls -al /usr/bin/block_ssh.pl
-rwxr-xr-x 1 root root 1529 Mar 22 01:05 /usr/bin/block_ssh.pl
# vi /etc/hosts.allow
7 sshd : ALL : spawn (/usr/bin/block_ssh.pl %c %d)
# vi /var/log/secure
I still see 211.219.11.22 hammering away for more than half an hour, 243 times in total:
333 Mar 22 12:05:32 test sshd[10163]: Did not receive identification string from ::ffff:211.219.11.22
575 Mar 22 12:42:09 test sshd[11530]: Failed password for invalid user fotograf from ::ffff:211.219.11.22 port 3672 ssh2
# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Checking with iptables again, it still isn't blocked?
I wonder what hasn't been set up properly.
Could it be related to mail not being configured?
I tried things at random; does a .pl file need something installed before it works properly?
Or should it work out of the box by default?
# sh /usr/bin/block_ssh.pl
/usr/bin/block_ssh.pl: line 2: =: command not found
/usr/bin/block_ssh.pl: line 3: =: command not found
/usr/bin/block_ssh.pl: line 4: =: command not found
/usr/bin/block_ssh.pl: line 5: =: command not found
/usr/bin/block_ssh.pl: line 6: =: command not found
/usr/bin/block_ssh.pl: line 7: use: command not found
/usr/bin/block_ssh.pl: line 9: =: command not found
/usr/bin/block_ssh.pl: line 10: =: command not found
/usr/bin/block_ssh.pl: line 11: =: command not found
/usr/bin/block_ssh.pl: line 13: syntax error near unexpected token `('
/usr/bin/block_ssh.pl: line 13: `%month = ('
Thanks!
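As an added example that is not part of this thread or of the Perl script posted above, the same count-failures-then-decide logic in Python: it parses the sshd "Failed password" lines, compares addresses with the ::ffff: IPv4-mapped prefix (which the log lines on this page carry) stripped, assigns a year to the year-less syslog timestamp, and applies the thread's time window and count threshold. The sample log lines, the addresses in them and the reference time NOW are constructed.

```python
import re
from datetime import datetime

# Constructed sample lines in the /var/log/secure format quoted in the thread
# (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Mar 22 00:57:43 test sshd[6236]: Failed password for root from ::ffff:198.51.100.7 port 1696 ssh2
Mar 22 00:58:01 test sshd[6240]: Failed password for invalid user fotograf from ::ffff:198.51.100.7 port 3672 ssh2
Mar 22 00:58:30 test sshd[6244]: Did not receive identification string from ::ffff:198.51.100.7
Mar 22 00:59:12 test sshd[6250]: Failed password for root from 203.0.113.9 port 4001 ssh2
Mar 22 00:59:40 test sshd[6252]: Failed password for root from ::ffff:198.51.100.7 port 1700 ssh2
"""
# Assumed "current time" for the demonstration (syslog lines carry no year).
NOW = datetime(2005, 3, 22, 0, 59, 50)

FAILED_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ '
    r'sshd\[\d+\]: Failed password for .* from (?P<ip>\S+) port \d+')

def normalize_ip(ip):
    """Compare on the bare IPv4 address: sshd logs IPv4-mapped peers as
    ::ffff:a.b.c.d, while the address handed to the script may be a.b.c.d."""
    return ip[len('::ffff:'):] if ip.startswith('::ffff:') else ip

def parse_ts(mon, day, hms, now):
    """Syslog timestamps have no year: use the current year, or the previous
    one when the log month is later than the current month (New Year rollover)."""
    ts = datetime.strptime(f'{mon} {day} {hms} {now.year}', '%b %d %H:%M:%S %Y')
    return ts.replace(year=now.year - 1) if ts.month > now.month else ts

def count_recent_failures(log_text, ip, now, time_range):
    """Count 'Failed password' lines for ip whose timestamp lies less than
    time_range seconds before now; other sshd messages are ignored."""
    target = normalize_ip(ip)
    count = 0
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m is None or normalize_ip(m.group('ip')) != target:
            continue
        age = (now - parse_ts(m.group('mon'), m.group('day'), m.group('time'), now)).total_seconds()
        if age < time_range:
            count += 1
    return count

def should_block(log_text, ip, now, time_range=60, drop_count=3):
    """Same rule as the Perl script with the thread's values: block only when
    the count exceeds drop_count (so drop_count=3 needs a fourth failure)."""
    return count_recent_failures(log_text, ip, now, time_range) > drop_count
```

Running should_block on a real /var/log/secure with the window of 60 seconds and drop_count of 3 used in the thread shows why a handful of slow attempts never trips the rule: only failures inside the window are counted, and the count must exceed, not reach, the threshold.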