  • [Shell script] Extract malicious IPs from the log and block them from remote login on port 22: auto_deny_ip.sh

    [root@rhel8 shell]# cat auto_deny_ip.sh 
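    #!/bin/bash
    # auto drop ssh failed IP address
    # by author tanbaobao 2020/06/10
    
    # Define variables
    SEC_FILE=/var/log/secure
    IPTABLE_CONF=/etc/sysconfig/iptables
    
    # Extract from the secure log the IPs with failed remote logins on port 22; any IP with
    # 4 or more failures is written to the firewall and can no longer log in to port 22 on this server.
    # grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" matches an IP: [0-9] is any single digit,
    # {1,3} repeats it 1 to 3 times, and \. is a literal dot.
    IP_ADDR=$(tail -n 1000 "$SEC_FILE" | grep "Failed password" | grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort -nr | uniq -c | awk '$1>=4 {print $2}')
    
    echo
    cat << EOF
    ++++++++++++++++++++++++++++++ welcome to use ssh login drop failed ip ++++++++++++++++++++++++++++++
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    ++++++++++++++++++++++++++++++-----------------------------------------++++++++++++++++++++++++++++++
    EOF
    
    # The rules need to be saved first, otherwise the restart fails. Save before editing the file:
    # saving after the loop would overwrite the DROP rules that the loop adds.
    iptables-save > "$IPTABLE_CONF"
    
    for i in $IP_ADDR
    do
        # Check whether the iptables configuration file already contains the extracted IP
        # (-w and -F match the whole address literally, so 1.2.3.4 does not match 1.2.3.40)
        if ! grep -qwF -- "$i" "$IPTABLE_CONF"; then
            # The IP is not yet rejected in the configuration file, so add it.
            # sed "a" appends the new rule after the matching line (the loopback ACCEPT rule).
            sed -i "/-A INPUT -i lo /a -A INPUT -s $i -p tcp -m state --state NEW -m tcp --dport 22 -j DROP" "$IPTABLE_CONF"
        else
            # Already present: print a notice
            echo "This is $i is exist in iptables,Please exit ..."
        fi
    done
    
    # Restart the firewall so the configuration takes effect
    # systemctl restart firewalld
    # /etc/init.d/iptables restart
    systemctl restart iptables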
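
An added example, not part of the original script: the IP pattern above matches a dotted quad anywhere in a `Failed password` line, including the user-name field, which is text supplied by the connecting client. This version counts only the address that sshd writes in the `from ADDR port N ssh2` tail and validates each octet; the sample log lines and the function names are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): per-source failure counts taken
# only from the "from ADDR port N ssh2" tail that sshd writes itself.

# Constructed sample lines in sshd's log format; addresses are documentation ranges.
sample_log() {
cat <<'EOF'
Jun 10 10:00:01 rhel8 sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jun 10 10:00:03 rhel8 sshd[1002]: Failed password for root from 203.0.113.7 port 40002 ssh2
Jun 10 10:00:05 rhel8 sshd[1003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Jun 10 10:00:07 rhel8 sshd[1004]: Failed password for root from 203.0.113.7 port 40004 ssh2
Jun 10 10:01:00 rhel8 sshd[1010]: Failed password for invalid user admin from 198.51.100.20 port 51000 ssh2
Jun 10 10:01:02 rhel8 sshd[1011]: Failed password for invalid user admin from 198.51.100.20 port 51001 ssh2
Jun 10 10:01:04 rhel8 sshd[1012]: Failed password for invalid user 192.0.2.99 from 198.51.100.20 port 51002 ssh2
Jun 10 10:02:00 rhel8 sshd[1020]: Accepted password for root from 203.0.113.7 port 40005 ssh2
EOF
}

# Print every source address with at least $1 failures (default 4), sorted.
failed_ssh_sources() {
    awk -v min="${1:-4}" '
        function valid_ipv4(a,    n, p, i) {
            n = split(a, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || length(p[i]) > 3 || p[i] + 0 > 255) return 0
            return 1
        }
        # Anchor on the line tail: the user-name field is client-supplied text.
        / sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" && valid_ipv4($(NF-3)) {
            count[$(NF-3)]++
        }
        END { for (a in count) if (count[a] >= min) print a }
    ' | sort
}

# Stand-alone run: lists 203.0.113.7 only (198.51.100.20 has 3 failures).
sample_log | failed_ssh_sources 4
```

In the script above, the output of `tail -n 1000 "$SEC_FILE" | failed_ssh_sources 4` could be assigned to `IP_ADDR` in place of the grep pipeline.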
  • Original article: https://www.cnblogs.com/HeiDi-BoKe/p/13084379.html