zoukankan      html  css  js  c++  java

  • openwrt中防暴力破解shell的脚本

    原文:http://www.right.com.cn/forum/thread-124429-1-1.html

    原理:1. snort做入侵检测是很好,但是太大太复杂,我们需要轻量化的操作。当对方进行SSH 端口的穷举攻击的时候,dropbear会在系统log中记录下特定信息如:


    Login attempt for nonexistent user
    Bad password attempt for

    通过后台crontab当特定时间段内检测到一定频率的攻击,则将此IP所有数据包全部DROP忽略。

    2. 安装:
    1)复制脚本DropBrute.sh 到任意目录如 /etc/ 下,授予执行权限如0755. 在crontab(LUCI WEB -->system - scheduled task)中加入一行,每隔一段时间执行:
    */10 * * * * /etc/DropBrute.sh 2>&1 >> /tmp/DropBrute.log
    关于如何配置定期任务cron: http://en.wikipedia.org/wiki/Cron

    本例是10分钟执行一次扫描log

    3. 脚本配置:
    见脚本中说明,如看不懂英文请补习英语。

    20170321更新:
    a)好久以来一直以为这个代码能好好的干活,不过最近调试其它脚本时发现iptables里并没有DropBrute该有的Drop IP,这很不科学,所以仔细看了代码,发现当中有几个需要修改的地方:
    1、today=`date -'%a %b %d`
    2、日志中记录登陆失败的表达首字母为大写,如LoginBad
    b)还有一点要注意的:要把下面三行添加到/etc/firewall.user里面去
    iptables -N DropBrute
    iptables -I input_rule -i br-wan -p tcp --dport 22 -j DropBrute
    iptables -I input_rule -i br-wan -p tcp --dport 22 -m state --state NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT

    (下面主修改后的正确代码,修改的地方就不说明了)

    #!/bin/sh
    #
    # DropBrute.sh @20130516
    #
    # minimalist OpenWRT/dropbear ssh brute force attack banning script
    #
    # Installation steps:
    #
    # 1) Optionally edit the variables in the header of this script to customise
    #    for your environment
    #
    # 2) Insert a reference for this rule in your firewall script before you
    #    accept ssh, something like:
    #
    #    iptables -N DropBrute
    #    iptables -I input_rule -i br-wan -p tcp --dport 22 -j DropBrute
    #    iptables -I input_rule -i br-wan -p tcp --dport 22 -m state --state NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
    #
    # 3) Run the script periodically out of cron:
    #
    #    echo '*/10 * * * * /usr/sbin/DropBrute.sh 2>&1 >> /tmp/DropBrute.log' >> /etc/crontabs/root
    #
    # 4) If cron is not enabled, you'll also need to run the following:
    #
    #    /etc/init.d/cron enable && /etc/init.d/cron start
    #
    #
    # To whitelist hosts or networks, simply add a manual entry to the lease
    # file with a leasetime of -1.  This can be done with the following syntax:
    #
    #    echo -1 192.168.1.0/24 >> /tmp/DropBrute.leases
    #
    # A static, or non-expiring blacklist of a host or network can also be
    # added, just use a lease time of 0.  This can be done with the following syntax:
    #
    #    echo 0 1.2.3.0/24 >> /tmp/DropBrute.leases

    # How many bad attempts before banning. Only the log entries from the
    # current day are checked.
    allowedAttempts=5

    # How long IPs are banned for after the current day ends.
    # default is 1 days
    secondsToBan=$((7*60*60*24))

    # the "lease" file - defaults to /tmp which does not persist across reboots
    leaseFile=/tmp/DropBrute.leases

    # This is the iptables chain that drop commands will go into.
    # you will need to put a reference in your firewall rules for this
    iptChain=DropBrute

    # the IP Tables drop rule
    iptDropRule='-j DROP'

    # the IP Tables whitelist rule
    iptWhiteRule='-j RETURN'

    # You can put default leasefile entries in the following space.
    # Syntax is simply "leasetime _space_ IP_or_network".  A leasetime of -1 is a
    # whitelist entry, and a leastime of 0 is a permanent blacklist entry.
    [ -f $leaseFile ] || cat <<__EOF__>>$leaseFile
    -1 192.168.0.0/24
    -1 192.168.1.0/24
    __EOF__

    # End of user customizable variables (unless you know better )

    ipt='/usr/sbin/iptables'

    [ `date +'%s'` -lt 1320000000 ] && echo System date not set, aborting. && exit -1
    $ipt -N $iptChain >&/dev/null

    today=`date +'%a %b %d'`
    now=`date +'%s'`
    nowPlus=$((now + secondsToBan))

    echo Running DropBrute on `date` ($now)

    # find new badIPs
    for badIP in `logread|egrep "^$today"|fgrep dropbear|egrep 'Login attempt for nonexistent user'|'Bad password attempt for'|sed 's/^.*from //'|sed 's/:.*$//'|sort -u` ; do
      found=`logread|egrep "^$today"|fgrep dropbear|egrep 'Login attempt for nonexistent user'|'Bad password attempt for'|sed 's/^.*from //'|sed 's/:.*$//'|fgrep $badIP|wc -l`
      if [ $found -gt $allowedAttempts ] ; then
        if [ `egrep $badIP$ $leaseFile|wc -l` -gt 0 ] ; then
           [ `egrep $badIP$ $leaseFile|cut -f1 -d ` -gt 0 ] && sed -i 's/^.* '$badIP$/$nowPlus $badIP/ $leaseFile
        else
           echo $nowPlus $badIP >> $leaseFile
        fi
      fi
    done

    # now parse the leaseFile
    while read lease ; do
      leaseTime=`echo $lease|cut -f1 -d `
      leaseIP=`echo $lease|cut -f2 -d `
      if [ $leaseTime -lt 0 ] ; then
        if [ `$ipt -S $leaseChain|egrep $leaseIP/32 | $leaseIP |fgrep -- "$iptWhiteRule"| wc -l` -lt 1 ] ; then
          echo Adding new whitelist rule for $leaseIP
          $ipt -I $iptChain -s $leaseIP $iptWhiteRule
        fi
      elif [ $leaseTime -ge 1 -a $now -gt $leaseTime ] ; then
        echo Expiring lease for $leaseIP
        $ipt -D $iptChain -s $leaseIP $iptDropRule
        sed -i /$leaseIP/d $leaseFile
      elif [ $leaseTime -ge 0 -a `$ipt -S $leaseChain|egrep $leaseIP/32 | $leaseIP |wc -l` -lt 1 ] ; then
        echo Adding new rule for $leaseIP
        $ipt -A $iptChain -s $leaseIP $iptDropRule
      fi
    done < $leaseFile
  • 相关阅读:
    doraemon的python 从计算机基础到面向对象的笔记(加面试题)
    doraemon的python 单例模式和日志操作(我的笔记整合起来就是一份完成的python学习资料)
    Mybatis系列教材 (十七)- 相关概念
    Mybatis系列教材 (十六)- 注解
    Mybatis系列教材 (十五)- 注解
    Mybatis系列教材 (十四)- 注解
    Mybatis系列教材 (十三)- 注解
    Mybatis系列教材 (十二)- 注解
    Mybatis系列教材 (十一)- 动态SQL
    Mybatis系列教材 (十)- 动态SQL
  • 原文地址:https://www.cnblogs.com/d9394/p/10611694.html
Copyright © 2011-2022 走看看