[ Linux ]求一 iptables 脚本，遍历 lastb(登录失败)，超过 3 次的就封它 IP

Distributions

中文资源站

This topic created in 1202 days ago, the information mentioned may be changed or developed.

请支援我一脚本，fail2ban 不会用啊。我在纳闷我的服务器总感觉很卡，原来是有暴力登录脚本一直在尝试登录我的服务器。

─root@VM-16-11-ubuntu ~ ─# lastb | less ctr ssh:notty 185.252.178.107 Fri Jan 27 05:17 - 05:17 (00:00) ctr ssh:notty 185.252.178.107 Fri Jan 27 05:17 - 05:17 (00:00) gujiongh ssh:notty 185.252.178.107 Fri Jan 27 05:17 - 05:17 (00:00) gujiongh ssh:notty 185.252.178.107 Fri Jan 27 05:17 - 05:17 (00:00) kian ssh:notty 185.252.178.107 Fri Jan 27 05:17 - 05:17 (00:00) kian ssh:notty 185.252.178.107 Fri Jan 27 05:17 - 05:17 (00:00) cuilingh ssh:notty 185.252.178.107 Fri Jan 27 05:16 - 05:16 (00:00) cuilingh ssh:notty 185.252.178.107 Fri Jan 27 05:16 - 05:16 (00:00) gilad ssh:notty 185.252.178.107 Fri Jan 27 05:16 - 05:16 (00:00) gilad ssh:notty 185.252.178.107 Fri Jan 27 05:16 - 05:16 (00:00) fds ssh:notty 185.252.178.107 Fri Jan 27 05:15 - 05:15 (00:00) fds ssh:notty 185.252.178.107 Fri Jan 27 05:15 - 05:15 (00:00) chengyan ssh:notty 185.252.178.107 Fri Jan 27 05:15 - 05:15 (00:00) chengyan ssh:notty 185.252.178.107 Fri Jan 27 05:15 - 05:15 (00:00) yixuanhu ssh:notty 185.252.178.107 Fri Jan 27 05:14 - 05:14 (00:00) yixuanhu ssh:notty 185.252.178.107 Fri Jan 27 05:14 - 05:14 (00:00) dsm ssh:notty 185.252.178.107 Fri Jan 27 05:14 - 05:14 (00:00) dsm ssh:notty 185.252.178.107 Fri Jan 27 05:14 - 05:14 (00:00) root ssh:notty 185.252.178.107 Fri Jan 27 05:13 - 05:13 (00:00) wangl ssh:notty 185.252.178.107 Fri Jan 27 05:13 - 05:13 (00:00) wangl ssh:notty 185.252.178.107 Fri Jan 27 05:13 - 05:13 (00:00) root ssh:notty 185.252.178.107 Fri Jan 27 05:12 - 05:12 (00:00) emmanuel ssh:notty 185.252.178.107 Fri Jan 27 05:12 - 05:12 (00:00) emmanuel ssh:notty 185.252.178.107 Fri Jan 27 05:12 - 05:12 (00:00) mdzhou ssh:notty 185.252.178.107 Fri Jan 27 05:12 - 05:12 (00:00) mdzhou ssh:notty 185.252.178.107 Fri Jan 27 05:12 - 05:12 (00:00) trenz ssh:notty 185.252.178.107 Fri Jan 27 03:19 - 03:19 (00:00) lixi ssh:notty 185.252.178.107 Fri Jan 27 03:19 - 03:19 (00:00) lixi ssh:notty 185.252.178.107 Fri Jan 27 03:19 - 03:19 (00:00) .... root ssh:notty 211.115.91.20 Fri Jan 27 01:04 - 01:04 (00:00) es ssh:notty 211.115.91.20 Thu Jan 26 23:36 - 23:36 (00:00) es ssh:notty 211.115.91.20 Thu Jan 26 23:36 - 23:36 (00:00) root ssh:notty 211.115.91.20 Thu Jan 26 05:25 - 05:25 (00:00) ... root ssh:notty 220.174.25.172 Tue Jan 24 23:19 - 23:19 (00:00) root ssh:notty 220.174.25.17 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:18 - 23:18 (00:00) root ssh:notty 220.174.25.172 Tue Jan 24 23:17 - 23:17 (00:00) ... ---还有很多其它 ip---

这个脚本我想可以设置，每 X 分钟执行一次这个脚本吧。我数了一下，最多的时候一分钟登录我 23 次(虽然它失败了)，照这频率，5 分钟也足够它试 100 次了。如果被别人尝试登录服务器，对服务器也是一种损失啊，敲这 log 记录，都 18M 了。。

─root@VM-16-11-ubuntu ~ ─# ll /var/log/btmp Permissions Size User Date Modified Name .rw-rw---- 18M root 27 Jan 05:17 /var/log/btmp

可以看到上面的最后 Modified 是在 05:17 ，因为我搜了一个 ban ip 的命令，好像确实管用了

iptables -I INPUT -s 185.252.178.107 -j DROP

19 replies 2023-01-31 18:26:20 +08:00

sNullp

Jan 27, 2023 via iPhone

最容易的方法是学习 fail2ban

bronana

Jan 27, 2023

@sNullp #1
```
─root@VM-16-11-ubuntu ~
─# history | grep -i fail2ban
1439 apt install -y fail2ban
1440 cd /etc/fail2ban
1443 cp fail2ban.conf fail2ban.local
1445 vim fail2ban.local
1646 fail2ban fail2ban-client status
1647 which fail2ban
1648 fail2ban fail2ban-client status
1649 fail2ban
1652 apt install fail2ban
1653 systemctl status fail2ban
1655 sudo cp /etc/fail2ban/jail.{conf,local}\n
1656 nano /etc/fail2ban/jail.local
1657 vim /etc/fail2ban/jail.local
1658 systemctl status fail2ban
1659 systemctl stop fail2ban
1660 systemctl status fail2ban
1661 systemctl start fail2ban
1662 systemctl status fail2ban
1663 systemctl restart fail2ban
1664 fail2ban-client status sshd\n
1667 fail2ban-client status sshd\n
1670 vim /etc/fail2ban/jail.local
1671 systemctl enable fail2ban
1672 vim /etc/fail2ban/jail.local
```
学了没学懂

sNullp

Jan 27, 2023 via iPhone

debian 上默认装好就能 ban ssh ，不知道后面那些的目的是啥？

bronana

Jan 27, 2023

@sNullp #3 尝试过配置，不知道哪里没整对，fail2ban 没生效。

realpg

PRO

Jan 27, 2023

fail2ban 我记得并不需要配置
难道你用的是 centos……

feng0vx

Jan 27, 2023 via iPhone

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
在 jail.local 文件中设置自己需要的配置
对于 Ubuntu/Debian 系统，ssh-iptables 段类似：

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

检查 sshd 服务的状态 /ban 的 ip
sudo fail2ban-client status sshd

删除已被限制 IP
sudo fail2ban-client set sshd unbanip 23.34.45.xx

foam

Jan 27, 2023 via Android

歪个楼。不到 1 qps ，机器怎么会卡。这个验证几乎不用 cpu ，报文也没多少字节，所以带宽几乎不消耗。是还有其他原因导致你提到的“卡”吧

MindMindMax

Jan 27, 2023

#!/bin/bash

# This script will traverse the lastb log and block IPs that have more than 3 failed login attempts.

# Flush existing rules
iptables -F

# Set default policy to drop all incoming traffic
iptables -P INPUT DROP

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Traverse the lastb log and block IPs with more than 3 failed login attempts
lastb | awk '{print $3}' | sort | uniq -c | awk '$1 > 3 {print $2}' | while read ip; do iptables -A INPUT -s $ip -j DROP; done

westoy

Jan 27, 2023

爆破 SSH 不可能让你觉得卡的，关掉 sshd 的 dns 反查看看

其实把 SSH 换到个两三万的端口，基本就不会有人爆破了，也不会折腾什么屏蔽了.....

julyclyde

Jan 28, 2023

简单点就别管它
增加 iptables 规则会导致内核负担加重的

十几年前我这么干过，三千多条规则的时候卡的 web 服务都没法工作了

Damn

Jan 28, 2023

@julyclyde ipset 它不香么？

sanduo

Jan 28, 2023

@bronana 你的 fail2ban 配置文件是什么？

julyclyde

Jan 28, 2023

@Damn 古代没有 ipset 功能吧
2008 年 linux 内核才 2.4

sanduo

Jan 28, 2023

我这里是 ubuntu ，使用自带的 UFW 进行防火墙管理，新增了一个 sshd 的配置文件：/etc/fail2ban/jail.d/sshd.local ，配置内容如下，供参考：
[sshd]
enabled = true
filter = sshd
banaction = ufw
maxretry = 5
findtime = 600
bantime = 2w
ignoreip = 127.0.0.1/8

iceecream

Jan 28, 2023

6 楼方法好使，
9 楼方法也可以试试。

yuepu

Jan 28, 2023

/etc/hosts.deny 也许有用

datocp

Jan 28, 2023

ipset destroy banned_hosts
ipset -N banned_hosts hash:net timeout 180
iptables -I INPUT 3 -i $UDEV -m set --match-set banned_hosts src -j DROP
iptables -I INPUT 4 -i $UDEV -p udp -m multiport --dports 80,161,1863,5060 -j SET --add-set banned_hosts src
iptables -I INPUT 5 -i $UDEV -p tcp -m multiport --dports 20,23,25,110,135,137:139,161,445,1080,2323,3128,3306,3389 -j SET --add-set banned_hosts src
#iptables -I INPUT 3 -i $UDEV -m recent --update --name hack --rsource -j DROP
#iptables -I INPUT 4 -i $UDEV -p udp -m multiport --dports 80,161,1863,5060 -m conntrack --ctstate NEW -m recent --set --name hack --rsource -j DROP
#iptables -I INPUT 5 -i $UDEV -p tcp -m multiport --dports 20,23,25,53,110,135,137:139,161,445,1080,2323,3128,3306,3389 -m conntrack --ctstate NEW -m recent --set --name hack --rsource -j DROP

julyclyde

Jan 29, 2023

@yuepu 正常情况下 hosts.deny 应该是没用的。现在没几个程序支持 tcpwrapper 功能了

lovelylain

Jan 31, 2023 via Android

@sNullp frp 内网穿透的，fail2ban 就不适合了吧？有什么好方案避免弱密码被爆破吗