步骤
- 安装iptables-persistent用于保存iptables规则
- 配置iptables规则
- 实时更新iptables规则以拦截IP访问
安装iptables-persistent
# iptables-persistent ships the netfilter-persistent helper that the rule script
# below calls ("netfilter-persistent save") so the live ruleset is restored at boot.
sudo aptitude install iptables-persistent
配置iptables规则
# Look up the name of the external interface first and put it in the EXTIF
# variable of the rule script below (it defaults to "ens4"); every ACCEPT rule
# in that script is bound to this interface.
ip addr
# Everything in this directory is executed as root by the steps below, so the
# directory and its files must stay owned by root and writable by root only.
sudo mkdir -p /usr/local/feng/iptables/
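cat << 'EOF' | sudo tee /usr/local/feng/iptables/iptables.rule
#!/bin/bash
# Baseline host firewall: default-deny inbound, allow loopback, established
# traffic, a few ICMP types and the listed TCP services on the external
# interface. Re-running this script flushes every existing rule, including any
# DROP rules added later by secure_iptables.sh; those reappear only when that
# script next finds the address in auth.log.
EXTIF="ens4"   # external interface, see `ip addr`
INIF=""        # internal interface: unused here, exported for iptables.allow
INNET=""       # internal network: unused here, exported for iptables.allow
export EXTIF INIF INNET
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH

# Kernel settings: SYN cookies against SYN floods, ignore broadcast pings.
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Start from an empty table. The INPUT policy is kept at ACCEPT while the rules
# are rebuilt and switched to DROP only at the end, so an SSH session running
# this script is never left behind a DROP policy without its ACCEPT rules if a
# later step fails.
iptables -F ; iptables -X ; iptables -Z
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Optional site-specific allow rules. The file is executed as root, so it must
# be owned by root and writable by root only.
if [ -f /usr/local/feng/iptables/iptables.allow ]; then
  sh /usr/local/feng/iptables/iptables.allow
fi

# ICMP types accepted on the external interface: echo reply (0), destination
# unreachable (3, incl. fragmentation-needed 3/4), source quench (4), time
# exceeded (11), parameter problem (12), timestamp/info/address-mask replies
# (14, 16, 18). Echo request (8) is deliberately absent: inbound ping is dropped.
AICMP=(0 3 3/4 4 11 12 14 16 18)
for tyicmp in "${AICMP[@]}"; do
  iptables -A INPUT -i "$EXTIF" -p icmp --icmp-type "$tyicmp" -j ACCEPT
done

# Inbound TCP services. The source-port filter 1024:65534 rejects clients that
# connect from a privileged source port or from 65535; drop --sport if that
# ever bites a legitimate client.
for port in 22 80 443 2333; do
  iptables -A INPUT -p TCP -i "$EXTIF" --dport "$port" --sport 1024:65534 -j ACCEPT
done

# Only now close the door.
iptables -P INPUT DROP

# ubuntu: this is what survives a reboot (iptables-persistent).
/usr/sbin/netfilter-persistent save
# The save/restore round trip below does not persist anything; it only reloads
# the live ruleset from its saved form, which surfaces any rule that would not
# survive iptables-save/iptables-restore now rather than at boot.
iptables-save > /usr/local/feng/iptables/rule.temp
iptables-restore < /usr/local/feng/iptables/rule.temp
rm -f -- /usr/local/feng/iptables/rule.temp
EOF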
## 执行脚本
# Apply the rules now; the script also saves them (netfilter-persistent) so they
# come back after a reboot. Run it from a console or be sure port 22 is in the
# allowed list, since it flushes the ruleset first.
sudo bash /usr/local/feng/iptables/iptables.rule
实时更新iptables
编写脚本
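cat << 'EOF' | sudo tee /usr/local/feng/iptables/secure_iptables.sh
#!/bin/bash
# Block source addresses with repeated SSH authentication failures.
# Reads the last 10000 lines of auth.log, counts "Failed ..." lines per source
# address and appends an INPUT DROP rule for every address above the threshold
# that is not already dropped, not listed in hosts.deny and not loopback.
# Runs from cron as root (see the crontab entry below).
# Only IPv4 addresses are handled: the rules are written for iptables; an IPv6
# address would need ip6tables and is skipped here.
# There is no allow-list beyond 127.0.0.1: an admin who mistypes a password
# more than DEFINE times gets blocked too.
set -u
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH

LOG=/var/log/auth.log
DENY=/usr/local/feng/iptables/iptables.deny
DEFINE="${DEFINE:-3}"   # max failed attempts per address before it is blocked

# Work file: mktemp instead of a fixed /tmp/black.txt, because the script runs
# as root and a predictable name under /tmp can be pre-created or symlinked by
# any local user.
BLACK=$(mktemp) || exit 1
trap 'rm -f -- "$BLACK"' EXIT

# sshd logs "Failed password for [invalid user] NAME from ADDR port N ssh2";
# the address is the 4th field from the end, so counting from the end is not
# upset by a user name containing spaces. Output lines: ADDR=COUNT, ascending.
tail -n 10000 "$LOG" | awk '/Failed/{print $(NF-3)}' | sort | uniq -c \
  | awk '{print $2"="$1;}' | sort -g -t '=' -k2 > "$BLACK"

while IFS='=' read -r IP NUM; do
  # The log line is partly attacker-controlled. Whatever awk extracted is used
  # only if it is a dotted-quad IPv4 address and the count is numeric; nothing
  # else from the log ever reaches a command line or the deny file.
  [[ "$IP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || continue
  [[ "$IP" == "127.0.0.1" ]] && continue
  [[ "$NUM" =~ ^[0-9]+$ ]] || continue
  (( NUM > DEFINE )) || continue
  # Already listed in hosts.deny: leave it to TCP wrappers.
  grep -qF -- "$IP" /etc/hosts.deny 2>/dev/null && continue
  # Exact rule check instead of grepping iptables-save, where the substring
  # 10.0.0.1 would also match 10.0.0.10.
  iptables -C INPUT -s "$IP" -j DROP 2>/dev/null && continue
  printf 'iptables -A INPUT -s %s -j DROP\n' "$IP" >> "$DENY"
done < "$BLACK"

if [ -f "$DENY" ]; then
  # The deny file is consumed here: applied, then removed. The live ruleset
  # (iptables-save) is the authoritative list of blocked addresses.
  sh "$DENY"
  rm -f -- "$DENY"
  # Persist exactly as iptables.rule does; without this the DROP rules are gone
  # after a reboot. The save/restore round trip only reloads the live ruleset.
  /usr/sbin/netfilter-persistent save
  iptables-save > /usr/local/feng/iptables/rule.temp
  iptables-restore < /usr/local/feng/iptables/rule.temp
  rm -f -- /usr/local/feng/iptables/rule.temp
fi
EOF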
配置crontab
设置每30分钟执行一次。频次不宜过高,容易影响其他服务。
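# The firewall needs root, so the entry goes into the system crontab (which has
# the user field). "*/30" runs every 30 minutes as stated above; "30 * * * *"
# would run once an hour, at minute 30. Guarded so repeating this step does not
# append a duplicate entry.
grep -qF 'secure_iptables.sh' /etc/crontab \
  || echo "*/30 * * * * root bash /usr/local/feng/iptables/secure_iptables.sh" | sudo tee -a /etc/crontab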
查看被拦截IP
# Via iptables: the live ruleset is the authoritative list (look for "-j DROP").
sudo iptables-save
# The iptables.deny file only exists between two cron runs: secure_iptables.sh
# executes it and then removes it, so this usually prints nothing.
sudo cat /usr/local/feng/iptables/iptables.deny
释放被拦截IP
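# Address to release.
IP=112.27.168.236
# Escape the dots so the sed pattern matches this address only; unescaped,
# 10.0.0.1 would also delete lines about 10.0.0.10 or 10.0.0.100.
IP_RE=$(printf '%s' "$IP" | sed 's/\./\\./g')
# Remove it from iptables.deny (the file may not exist between cron runs).
[ -f /usr/local/feng/iptables/iptables.deny ] \
  && sudo sed -i "/\b${IP_RE}\b/d" /usr/local/feng/iptables/iptables.deny
# Delete the matching DROP rule(s) directly instead of re-running iptables.rule,
# which flushes every other blocked address as well. Loop in case the same
# address was added more than once, then persist like the other scripts do.
while sudo iptables -C INPUT -s "$IP" -j DROP 2>/dev/null; do
  sudo iptables -D INPUT -s "$IP" -j DROP
done
sudo /usr/sbin/netfilter-persistent save
# Drop the address's failed-login lines from auth.log so the next cron run does
# not block it again. This edits an audit log: take a copy first if the entries
# may still be needed.
sudo sed -i "/\b${IP_RE}\b/d" /var/log/auth.log
# Check the firewall rules and auth.log; both should print nothing.
sudo iptables-save | grep -F -- "$IP"
awk '/Failed/{print $(NF-3)}' /var/log/auth.log | sort | uniq -c | awk '{print $2"="$1;}' | grep -F -- "${IP}="
# rsyslogd keeps writing to the old inode once sed -i has replaced auth.log, so
# it must be restarted to log into the new file.
sudo systemctl restart rsyslog.service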