[ Linux ]求一 iptables 脚本,遍历 lastb(登录失败),超过 3 次的就封它 IP

2023-01-27 05:36:24 +08:00
 bronana

请支援我一脚本,fail2ban 不会用啊。 我在纳闷我的服务器总感觉很卡,原来是有暴力登录脚本一直在尝试登录我的服务器。

╭─root@VM-16-11-ubuntu ~ 
╰─# lastb | less
ctr      ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
ctr      ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
gujiongh ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
gujiongh ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
kian     ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
kian     ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
cuilingh ssh:notty    185.252.178.107  Fri Jan 27 05:16 - 05:16  (00:00)
cuilingh ssh:notty    185.252.178.107  Fri Jan 27 05:16 - 05:16  (00:00)
gilad    ssh:notty    185.252.178.107  Fri Jan 27 05:16 - 05:16  (00:00)
gilad    ssh:notty    185.252.178.107  Fri Jan 27 05:16 - 05:16  (00:00)
fds      ssh:notty    185.252.178.107  Fri Jan 27 05:15 - 05:15  (00:00)
fds      ssh:notty    185.252.178.107  Fri Jan 27 05:15 - 05:15  (00:00)
chengyan ssh:notty    185.252.178.107  Fri Jan 27 05:15 - 05:15  (00:00)
chengyan ssh:notty    185.252.178.107  Fri Jan 27 05:15 - 05:15  (00:00)
yixuanhu ssh:notty    185.252.178.107  Fri Jan 27 05:14 - 05:14  (00:00)
yixuanhu ssh:notty    185.252.178.107  Fri Jan 27 05:14 - 05:14  (00:00)
dsm      ssh:notty    185.252.178.107  Fri Jan 27 05:14 - 05:14  (00:00)
dsm      ssh:notty    185.252.178.107  Fri Jan 27 05:14 - 05:14  (00:00)
root     ssh:notty    185.252.178.107  Fri Jan 27 05:13 - 05:13  (00:00)
wangl    ssh:notty    185.252.178.107  Fri Jan 27 05:13 - 05:13  (00:00)
wangl    ssh:notty    185.252.178.107  Fri Jan 27 05:13 - 05:13  (00:00)
root     ssh:notty    185.252.178.107  Fri Jan 27 05:12 - 05:12  (00:00)
emmanuel ssh:notty    185.252.178.107  Fri Jan 27 05:12 - 05:12  (00:00)
emmanuel ssh:notty    185.252.178.107  Fri Jan 27 05:12 - 05:12  (00:00)
mdzhou   ssh:notty    185.252.178.107  Fri Jan 27 05:12 - 05:12  (00:00)
mdzhou   ssh:notty    185.252.178.107  Fri Jan 27 05:12 - 05:12  (00:00)
trenz    ssh:notty    185.252.178.107  Fri Jan 27 03:19 - 03:19  (00:00)
lixi     ssh:notty    185.252.178.107  Fri Jan 27 03:19 - 03:19  (00:00)
lixi     ssh:notty    185.252.178.107  Fri Jan 27 03:19 - 03:19  (00:00)
....
root     ssh:notty    211.115.91.20    Fri Jan 27 01:04 - 01:04  (00:00)
es       ssh:notty    211.115.91.20    Thu Jan 26 23:36 - 23:36  (00:00)
es       ssh:notty    211.115.91.20    Thu Jan 26 23:36 - 23:36  (00:00)
root     ssh:notty    211.115.91.20    Thu Jan 26 05:25 - 05:25  (00:00)
...
root     ssh:notty    220.174.25.172   Tue Jan 24 23:19 - 23:19  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
root     ssh:notty    220.174.25.172   Tue Jan 24 23:17 - 23:17  (00:00)
...
---还有很多其它 ip---

这个脚本我想可以设置,每 X 分钟执行一次这个脚本吧。 我数了一下,最多的时候一分钟登录我 23 次(虽然它失败了),照这频率,5 分钟也足够它试 100 次了。 如果被别人尝试登录服务器,对服务器也是一种损失啊,敲这 log 记录,都 18M 了。。

╭─root@VM-16-11-ubuntu ~ 
╰─# ll /var/log/btmp
Permissions Size User Date Modified Name
.rw-rw----   18M root 27 Jan 05:17  /var/log/btmp

可以看到上面的最后 Modified 是在 05:17 ,因为我搜了一个 ban ip 的命令,好像确实管用了

iptables -I INPUT -s 185.252.178.107 -j DROP
3211 次点击
所在节点    Linux
19 条回复
sNullp
2023-01-27 05:37:10 +08:00
最容易的方法是学习 fail2ban
bronana
2023-01-27 05:42:48 +08:00
@sNullp #1
```
╭─root@VM-16-11-ubuntu ~
╰─# history | grep -i fail2ban
1439 apt install -y fail2ban
1440 cd /etc/fail2ban
1443 cp fail2ban.conf fail2ban.local
1445 vim fail2ban.local
1646 fail2ban fail2ban-client status
1647 which fail2ban
1648 fail2ban fail2ban-client status
1649 fail2ban
1652 apt install fail2ban
1653 systemctl status fail2ban
1655 sudo cp /etc/fail2ban/jail.{conf,local}\n
1656 nano /etc/fail2ban/jail.local
1657 vim /etc/fail2ban/jail.local
1658 systemctl status fail2ban
1659 systemctl stop fail2ban
1660 systemctl status fail2ban
1661 systemctl start fail2ban
1662 systemctl status fail2ban
1663 systemctl restart fail2ban
1664 fail2ban-client status sshd\n
1667 fail2ban-client status sshd\n
1670 vim /etc/fail2ban/jail.local
1671 systemctl enable fail2ban
1672 vim /etc/fail2ban/jail.local
```
学了没学懂
sNullp
2023-01-27 05:55:10 +08:00
debian 上默认装好就能 ban ssh ,不知道后面那些的目的是啥?
bronana
2023-01-27 05:59:04 +08:00
@sNullp #3 尝试过配置,不知道哪里没整对,fail2ban 没生效。
realpg
2023-01-27 08:07:26 +08:00
fail2ban 我记得并不需要配置
难道你用的是 centos……
feng0vx
2023-01-27 08:46:19 +08:00
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
在 jail.local 文件中设置自己需要的配置
对于 Ubuntu/Debian 系统,ssh-iptables 段类似:

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

检查 sshd 服务的状态 /ban 的 ip
sudo fail2ban-client status sshd

删除已被限制 IP
sudo fail2ban-client set sshd unbanip 23.34.45.xx
foam
2023-01-27 10:40:42 +08:00
歪个楼。不到 1 qps ,机器怎么会卡 。这个验证几乎不用 cpu ,报文也没多少字节,所以带宽几乎不消耗。是还有其他原因导致你提到的“卡”吧
MindMindMax
2023-01-27 14:17:40 +08:00
#!/bin/bash

# This script will traverse the lastb log and block IPs that have more than 3 failed login attempts.

# Flush existing rules
iptables -F

# Set default policy to drop all incoming traffic
iptables -P INPUT DROP

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Traverse the lastb log and block IPs with more than 3 failed login attempts
lastb | awk '{print $3}' | sort | uniq -c | awk '$1 > 3 {print $2}' | while read ip; do iptables -A INPUT -s $ip -j DROP; done
westoy
2023-01-27 14:39:56 +08:00
爆破 SSH 不可能让你觉得卡的, 关掉 sshd 的 dns 反查看看

其实把 SSH 换到个两三万的端口,基本就不会有人爆破了, 也不会折腾什么屏蔽了.....
julyclyde
2023-01-28 09:02:46 +08:00
简单点就别管它
增加 iptables 规则会导致内核负担加重的

十几年前我这么干过,三千多条规则的时候卡的 web 服务都没法工作了
Damn
2023-01-28 10:17:41 +08:00
@julyclyde ipset 它不香么?
sanduo
2023-01-28 10:19:11 +08:00
@bronana 你的 fail2ban 配置文件是什么?
julyclyde
2023-01-28 10:21:11 +08:00
@Damn 古代没有 ipset 功能吧
2008 年 linux 内核才 2.4
sanduo
2023-01-28 10:22:04 +08:00
我这里是 ubuntu ,使用自带的 UFW 进行防火墙管理,新增了一个 sshd 的配置文件:/etc/fail2ban/jail.d/sshd.local ,配置内容如下,供参考:
[sshd]
enabled = true
filter = sshd
banaction = ufw
maxretry = 5
findtime = 600
bantime = 2w
ignoreip = 127.0.0.1/8
iceecream
2023-01-28 14:01:47 +08:00
6 楼方法好使,
9 楼方法也可以试试。
yuepu
2023-01-28 17:31:03 +08:00
/etc/hosts.deny 也许有用
datocp
2023-01-28 22:51:41 +08:00
ipset destroy banned_hosts
ipset -N banned_hosts hash:net timeout 180
iptables -I INPUT 3 -i $UDEV -m set --match-set banned_hosts src -j DROP
iptables -I INPUT 4 -i $UDEV -p udp -m multiport --dports 80,161,1863,5060 -j SET --add-set banned_hosts src
iptables -I INPUT 5 -i $UDEV -p tcp -m multiport --dports 20,23,25,110,135,137:139,161,445,1080,2323,3128,3306,3389 -j SET --add-set banned_hosts src
#iptables -I INPUT 3 -i $UDEV -m recent --update --name hack --rsource -j DROP
#iptables -I INPUT 4 -i $UDEV -p udp -m multiport --dports 80,161,1863,5060 -m conntrack --ctstate NEW -m recent --set --name hack --rsource -j DROP
#iptables -I INPUT 5 -i $UDEV -p tcp -m multiport --dports 20,23,25,53,110,135,137:139,161,445,1080,2323,3128,3306,3389 -m conntrack --ctstate NEW -m recent --set --name hack --rsource -j DROP
julyclyde
2023-01-29 09:01:13 +08:00
@yuepu 正常情况下 hosts.deny 应该是没用的。现在没几个程序支持 tcpwrapper 功能了
lovelylain
2023-01-31 18:26:20 +08:00
@sNullp frp 内网穿透的,fail2ban 就不适合了吧?有什么好方案避免弱密码被爆破吗

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/910797

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX