V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
Distributions
Ubuntu
Fedora
CentOS
中文资源站
网易开源镜像站
bronana
V2EX  ›  Linux

[ Linux ]求一 iptables 脚本,遍历 lastb(登录失败),超过 3 次的就封它 IP

  •  
  •   bronana · 2023-01-27 05:36:24 +08:00 · 2924 次点击
    这是一个创建于 426 天前的主题,其中的信息可能已经有所发展或是发生改变。

    请支援我一脚本,fail2ban 不会用啊。 我在纳闷我的服务器总感觉很卡,原来是有暴力登录脚本一直在尝试登录我的服务器。

    ╭─root@VM-16-11-ubuntu ~ 
    ╰─# lastb | less
    ctr      ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
    ctr      ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
    gujiongh ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
    gujiongh ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
    kian     ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
    kian     ssh:notty    185.252.178.107  Fri Jan 27 05:17 - 05:17  (00:00)
    cuilingh ssh:notty    185.252.178.107  Fri Jan 27 05:16 - 05:16  (00:00)
    cuilingh ssh:notty    185.252.178.107  Fri Jan 27 05:16 - 05:16  (00:00)
    gilad    ssh:notty    185.252.178.107  Fri Jan 27 05:16 - 05:16  (00:00)
    gilad    ssh:notty    185.252.178.107  Fri Jan 27 05:16 - 05:16  (00:00)
    fds      ssh:notty    185.252.178.107  Fri Jan 27 05:15 - 05:15  (00:00)
    fds      ssh:notty    185.252.178.107  Fri Jan 27 05:15 - 05:15  (00:00)
    chengyan ssh:notty    185.252.178.107  Fri Jan 27 05:15 - 05:15  (00:00)
    chengyan ssh:notty    185.252.178.107  Fri Jan 27 05:15 - 05:15  (00:00)
    yixuanhu ssh:notty    185.252.178.107  Fri Jan 27 05:14 - 05:14  (00:00)
    yixuanhu ssh:notty    185.252.178.107  Fri Jan 27 05:14 - 05:14  (00:00)
    dsm      ssh:notty    185.252.178.107  Fri Jan 27 05:14 - 05:14  (00:00)
    dsm      ssh:notty    185.252.178.107  Fri Jan 27 05:14 - 05:14  (00:00)
    root     ssh:notty    185.252.178.107  Fri Jan 27 05:13 - 05:13  (00:00)
    wangl    ssh:notty    185.252.178.107  Fri Jan 27 05:13 - 05:13  (00:00)
    wangl    ssh:notty    185.252.178.107  Fri Jan 27 05:13 - 05:13  (00:00)
    root     ssh:notty    185.252.178.107  Fri Jan 27 05:12 - 05:12  (00:00)
    emmanuel ssh:notty    185.252.178.107  Fri Jan 27 05:12 - 05:12  (00:00)
    emmanuel ssh:notty    185.252.178.107  Fri Jan 27 05:12 - 05:12  (00:00)
    mdzhou   ssh:notty    185.252.178.107  Fri Jan 27 05:12 - 05:12  (00:00)
    mdzhou   ssh:notty    185.252.178.107  Fri Jan 27 05:12 - 05:12  (00:00)
    trenz    ssh:notty    185.252.178.107  Fri Jan 27 03:19 - 03:19  (00:00)
    lixi     ssh:notty    185.252.178.107  Fri Jan 27 03:19 - 03:19  (00:00)
    lixi     ssh:notty    185.252.178.107  Fri Jan 27 03:19 - 03:19  (00:00)
    ....
    root     ssh:notty    211.115.91.20    Fri Jan 27 01:04 - 01:04  (00:00)
    es       ssh:notty    211.115.91.20    Thu Jan 26 23:36 - 23:36  (00:00)
    es       ssh:notty    211.115.91.20    Thu Jan 26 23:36 - 23:36  (00:00)
    root     ssh:notty    211.115.91.20    Thu Jan 26 05:25 - 05:25  (00:00)
    ...
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:19 - 23:19  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:18 - 23:18  (00:00)
    root     ssh:notty    220.174.25.172   Tue Jan 24 23:17 - 23:17  (00:00)
    ...
    ---还有很多其它 ip---
    

    这个脚本我想可以设置,每 X 分钟执行一次这个脚本吧。 我数了一下,最多的时候一分钟登录我 23 次(虽然它失败了),照这频率,5 分钟也足够它试 100 次了。 如果被别人尝试登录服务器,对服务器也是一种损失啊,敲这 log 记录,都 18M 了。。

    ╭─root@VM-16-11-ubuntu ~ 
    ╰─# ll /var/log/btmp
    Permissions Size User Date Modified Name
    .rw-rw----   18M root 27 Jan 05:17  /var/log/btmp
    

    可以看到上面的最后 Modified 是在 05:17 ,因为我搜了一个 ban ip 的命令,好像确实管用了

    iptables -I INPUT -s 185.252.178.107 -j DROP
    
    19 条回复    2023-01-31 18:26:20 +08:00
    sNullp
        1
    sNullp  
       2023-01-27 05:37:10 +08:00 via iPhone
    最容易的方法是学习 fail2ban
    bronana
        2
    bronana  
    OP
       2023-01-27 05:42:48 +08:00
    @sNullp #1
    ```
    ╭─root@VM-16-11-ubuntu ~
    ╰─# history | grep -i fail2ban
    1439 apt install -y fail2ban
    1440 cd /etc/fail2ban
    1443 cp fail2ban.conf fail2ban.local
    1445 vim fail2ban.local
    1646 fail2ban fail2ban-client status
    1647 which fail2ban
    1648 fail2ban fail2ban-client status
    1649 fail2ban
    1652 apt install fail2ban
    1653 systemctl status fail2ban
    1655 sudo cp /etc/fail2ban/jail.{conf,local}\n
    1656 nano /etc/fail2ban/jail.local
    1657 vim /etc/fail2ban/jail.local
    1658 systemctl status fail2ban
    1659 systemctl stop fail2ban
    1660 systemctl status fail2ban
    1661 systemctl start fail2ban
    1662 systemctl status fail2ban
    1663 systemctl restart fail2ban
    1664 fail2ban-client status sshd\n
    1667 fail2ban-client status sshd\n
    1670 vim /etc/fail2ban/jail.local
    1671 systemctl enable fail2ban
    1672 vim /etc/fail2ban/jail.local
    ```
    学了没学懂
    sNullp
        3
    sNullp  
       2023-01-27 05:55:10 +08:00 via iPhone
    debian 上默认装好就能 ban ssh ,不知道后面那些的目的是啥?
    bronana
        4
    bronana  
    OP
       2023-01-27 05:59:04 +08:00
    @sNullp #3 尝试过配置,不知道哪里没整对,fail2ban 没生效。
    realpg
        5
    realpg  
       2023-01-27 08:07:26 +08:00
    fail2ban 我记得并不需要配置
    难道你用的是 centos……
    feng0vx
        6
    feng0vx  
       2023-01-27 08:46:19 +08:00 via iPhone
    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    在 jail.local 文件中设置自己需要的配置
    对于 Ubuntu/Debian 系统,ssh-iptables 段类似:

    [ssh]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3

    检查 sshd 服务的状态 /ban 的 ip
    sudo fail2ban-client status sshd

    删除已被限制 IP
    sudo fail2ban-client set sshd unbanip 23.34.45.xx
    foam
        7
    foam  
       2023-01-27 10:40:42 +08:00 via Android
    歪个楼。不到 1 qps ,机器怎么会卡 。这个验证几乎不用 cpu ,报文也没多少字节,所以带宽几乎不消耗。是还有其他原因导致你提到的“卡”吧
    MindMindMax
        8
    MindMindMax  
       2023-01-27 14:17:40 +08:00
    #!/bin/bash

    # This script will traverse the lastb log and block IPs that have more than 3 failed login attempts.

    # Flush existing rules
    iptables -F

    # Set default policy to drop all incoming traffic
    iptables -P INPUT DROP

    # Allow established connections
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow loopback traffic
    iptables -A INPUT -i lo -j ACCEPT

    # Traverse the lastb log and block IPs with more than 3 failed login attempts
    lastb | awk '{print $3}' | sort | uniq -c | awk '$1 > 3 {print $2}' | while read ip; do iptables -A INPUT -s $ip -j DROP; done
    westoy
        9
    westoy  
       2023-01-27 14:39:56 +08:00
    爆破 SSH 不可能让你觉得卡的, 关掉 sshd 的 dns 反查看看

    其实把 SSH 换到个两三万的端口,基本就不会有人爆破了, 也不会折腾什么屏蔽了.....
    julyclyde
        10
    julyclyde  
       2023-01-28 09:02:46 +08:00
    简单点就别管它
    增加 iptables 规则会导致内核负担加重的

    十几年前我这么干过,三千多条规则的时候卡的 web 服务都没法工作了
    Damn
        11
    Damn  
       2023-01-28 10:17:41 +08:00
    @julyclyde ipset 它不香么?
    sanduo
        12
    sanduo  
       2023-01-28 10:19:11 +08:00
    @bronana 你的 fail2ban 配置文件是什么?
    julyclyde
        13
    julyclyde  
       2023-01-28 10:21:11 +08:00
    @Damn 古代没有 ipset 功能吧
    2008 年 linux 内核才 2.4
    sanduo
        14
    sanduo  
       2023-01-28 10:22:04 +08:00
    我这里是 ubuntu ,使用自带的 UFW 进行防火墙管理,新增了一个 sshd 的配置文件:/etc/fail2ban/jail.d/sshd.local ,配置内容如下,供参考:
    [sshd]
    enabled = true
    filter = sshd
    banaction = ufw
    maxretry = 5
    findtime = 600
    bantime = 2w
    ignoreip = 127.0.0.1/8
    iceecream
        15
    iceecream  
       2023-01-28 14:01:47 +08:00
    6 楼方法好使,
    9 楼方法也可以试试。
    yuepu
        16
    yuepu  
       2023-01-28 17:31:03 +08:00
    /etc/hosts.deny 也许有用
    datocp
        17
    datocp  
       2023-01-28 22:51:41 +08:00
    ipset destroy banned_hosts
    ipset -N banned_hosts hash:net timeout 180
    iptables -I INPUT 3 -i $UDEV -m set --match-set banned_hosts src -j DROP
    iptables -I INPUT 4 -i $UDEV -p udp -m multiport --dports 80,161,1863,5060 -j SET --add-set banned_hosts src
    iptables -I INPUT 5 -i $UDEV -p tcp -m multiport --dports 20,23,25,110,135,137:139,161,445,1080,2323,3128,3306,3389 -j SET --add-set banned_hosts src
    #iptables -I INPUT 3 -i $UDEV -m recent --update --name hack --rsource -j DROP
    #iptables -I INPUT 4 -i $UDEV -p udp -m multiport --dports 80,161,1863,5060 -m conntrack --ctstate NEW -m recent --set --name hack --rsource -j DROP
    #iptables -I INPUT 5 -i $UDEV -p tcp -m multiport --dports 20,23,25,53,110,135,137:139,161,445,1080,2323,3128,3306,3389 -m conntrack --ctstate NEW -m recent --set --name hack --rsource -j DROP
    julyclyde
        18
    julyclyde  
       2023-01-29 09:01:13 +08:00
    @yuepu 正常情况下 hosts.deny 应该是没用的。现在没几个程序支持 tcpwrapper 功能了
    lovelylain
        19
    lovelylain  
       2023-01-31 18:26:20 +08:00 via Android
    @sNullp frp 内网穿透的,fail2ban 就不适合了吧?有什么好方案避免弱密码被爆破吗
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   我们的愿景   ·   实用小工具   ·   1199 人在线   最高记录 6543   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 27ms · UTC 18:13 · PVG 02:13 · LAX 11:13 · JFK 14:13
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.