diff --git a/Makefile b/Makefile
index b28e241..4f1f793 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 CROSS_COMPILE ?=
 CC := $(CROSS_COMPILE)gcc
-CFLAGS += -g -Wall
+CFLAGS += -O2 -g -Wall
 OBG = rhost
diff --git a/README.md b/README.md
index 6314e30..60d4639 100644
--- a/README.md
+++ b/README.md
@@ -2,11 +2,13 @@ ssh防止暴力破解,适用Debian 8、9
+## Help Information
 cd /root
 git clone https://github.com/niuyuling/denyhosts.git
 cd denyhosts
 make clean; make
 chmod a+x /root/denyhosts/denyhosts.sh
+ crontab 定时任务,像这样.
 0 22 * * * /root/denyhosts/denyhosts.sh
diff --git a/denyhosts.sh b/denyhosts.sh
index 057a344..35b66a2 100644
--- a/denyhosts.sh
+++ b/denyhosts.sh
@@ -7,8 +7,7 @@
 #
 function init()
 {
- num=20;
- send_mail=1;
+ send_mail=0;
 pwd_path="/root";
 TIME=`date +"%Y%m%d%H%M"`;
 log_file="${pwd_path}/${TIME}.log";
@@ -31,13 +30,7 @@ function run()
 echo "System SSH authorization information:" &>> ${log_file}
 /root/denyhosts/rhost | awk '{a[$1]+=1;} END {for(i in a){print a[i]" "i;}}' &>> ${log_file}
- ip=$(echo $(/root/denyhosts/rhost | awk -v num=${num} '{a[$1]+=1;} END {for(i in a){if (a[i] >= num) {print i;}}}'))
-
-
- ip_address=($ip)
- for i in ${ip_address[@]} ; do
- /sbin/iptables -I INPUT -s $i -j DROP
- done
+ /sbin/iptables-save > /root/ipv4tables
 echo "" &>> ${log_file}
@@ -59,5 +52,6 @@ exit 0;
 20190103
 20190911
 20191008
+20210614
 aixiao@aixiao.me
diff --git a/rhost b/rhost
index 7c397cd..0d124a5 100644
Binary files a/rhost and b/rhost differ
diff --git a/rhost.c b/rhost.c
index 85ecd1d..e845422 100644
--- a/rhost.c
+++ b/rhost.c
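Review bot: In denyhosts.sh, the report line `/root/denyhosts/rhost | awk ...` that stays in `run()` is no longer read-only, because the rhost.c part of this commit makes the binary insert the DROP rules itself; writing the log now also changes the firewall, and the threshold that `num` used to set in `init()` is fixed at compile time as `TOP_IP`. The exit status of `/sbin/iptables-save > /root/ipv4tables` is not checked, and nothing in the visible lines loads that file again. I would write `/sbin/iptables-save > /root/ipv4tables || echo "iptables-save failed" &>> ${log_file}` and add a comment naming the step that restores the file at boot. `run()` continues outside the hunk.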
@@ -6,42 +6,74 @@
 #include
 #define BUFFER 270
+#define LONG_BUFFER 1024*100
+#define TOP_IP 20
+#define AWK "| awk -v num=%d '{a[$1]+=1;} END {for(i in a){if (a[i] >= num) {print i;}}}' "
+#define GE_10 "grep -E \"^$(date \"+%h\").$(date \"+%d\")\" /var/log/auth.log | grep failure | grep rhost"
+#define LE_10 "grep -E \"^$(date \"+%h\")..$(date | awk '{print $3}')\" /var/log/auth.log | grep failure | grep rhost"
+#define IPTABLES "/sbin/iptables -I INPUT -s %s -j DROP"
-int main(int argc, char *argv[])
+int main(int argc, char *argv[], char **env)
 {
- FILE *fp;
- char *temp;
- char buffer[BUFFER];
- time_t timep;
- struct tm *p;
- time(&timep);
- p = localtime(&timep);
- char p1[2];
+ FILE *fp, *fc;
+ char p[2], splice_command[LONG_BUFFER], command[LONG_BUFFER], *temp, buffer[BUFFER], awk[BUFFER], iptables[BUFFER];
- if (p->tm_mday >= 10) {
- if ((fp =
- popen
- ("grep -E \"^$(date \"+%h\").$(date \"+%d\")\" /var/log/auth.log | grep failure | grep rhost",
- "r")) == NULL) {
+ time_t timep;
+ struct tm *tp;
+ time(&timep);
+ tp = localtime(&timep);
+ memset(splice_command, 0, LONG_BUFFER);
+ memset(command, 0, LONG_BUFFER);
+ memset(buffer, 0, BUFFER);
+ memset(awk, 0, BUFFER);
+ memset(iptables, 0, BUFFER);
+ fp = NULL;
+ fc = NULL;
+
+ if (tp->tm_mday >= 10) {
+ if ((fp = popen(GE_10, "r")) == NULL) {
 return 1;
 }
 } else {
- if ((fp =
- popen
- ("grep -E \"^$(date \"+%h\")..$(date | awk '{print $3}')\" /var/log/auth.log | grep failure | grep rhost",
- "r")) == NULL) {
+ if ((fp = popen(LE_10, "r")) == NULL) {
 return 1;
 }
 }
-
+
 while (fgets(buffer, BUFFER, fp) != NULL) {
 temp = strstr(buffer, "rhost");
 sscanf(temp, "rhost=%s", temp);
-
- if (atoi(strncpy(p1, temp, 1)) > 0)
- printf("%s\n", temp);
+ if (atoi(strncpy(p, temp, 1)) > 0) {
+ strcat(splice_command, temp);
+ strcat(splice_command, "\n");
+ }
+ }
+ printf("%s", splice_command); // 测试没问题
+
+ // 拼接命令
+ sprintf(awk, AWK, TOP_IP);
+ strcpy(command, "echo \"");
+ strcat(command, splice_command);
+ strcat(command, "\"");
+ strcat(command, awk);
+ //printf("%s", command); // 测试没问题
+ if ((fp = popen(command, "r")) == NULL) { // 执行命令
+ perror("popen");
+ return 1;
+ }
+ while (fgets(buffer, BUFFER, fp) != NULL) {
+ buffer[strlen(buffer) - 1] = '\0'; // 去除回车
+ sprintf(iptables, IPTABLES, buffer);
+ if ((fc = popen(iptables, "r")) == NULL) {
+ perror("popen");
+ return 1;
+ }
+ }
 pclose(fp);
+ pclose(fc);
+
+ return 0;
 }
diff --git a/rhost.o b/rhost.o
index 76e9a4d..652b2dc 100644
Binary files a/rhost.o and b/rhost.o differ
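Review bot: The `rhost=` strings read from /var/log/auth.log reach two `popen()` calls, the `echo "..." | awk` command and the `IPTABLES` format, after only a leading-digit check, so log content that this program does not control is interpreted by a shell running with the program's privileges. The copies are also unbounded: `strcat` into `splice_command`, `command` (the same size as `splice_command` but also holding the echo/awk wrapper), and `sprintf(iptables, IPTABLES, buffer)` where source and destination are both `BUFFER` bytes. In addition, the grep pipe is never closed before `fp` is reused, every `fc` but the last is leaked, and the final `pclose(fc)` receives NULL when no address reached `TOP_IP`. The sketch below accepts only values that `inet_pton(AF_INET, ...)` parses, bounds the append, and runs iptables through `fork`/`execl` instead of a shell. It needs `<arpa/inet.h>`, `<unistd.h>` and `<sys/wait.h>`.

```c
    while (fgets(buffer, BUFFER, fp) != NULL) {
        // … unchanged: strstr()/sscanf() extraction of the rhost value into temp …
        struct in_addr addr;
        size_t used = strlen(splice_command);
        // keep only literal IPv4 addresses; leave room for the echo/awk wrapper in command[]
        if (inet_pton(AF_INET, temp, &addr) != 1 ||
            used + strlen(temp) + 2 > sizeof(splice_command) - BUFFER - 8)
            continue;
        // … unchanged: the two strcat() appends to splice_command …
    }
    pclose(fp);     // close the grep pipe before fp is reused

    // … unchanged: build command and popen() it into fp …
    while (fgets(buffer, BUFFER, fp) != NULL) {
        struct in_addr addr;
        buffer[strcspn(buffer, "\n")] = '\0';
        if (inet_pton(AF_INET, buffer, &addr) != 1)
            continue;
        pid_t pid = fork();     // no shell: the address is passed as one argv entry
        if (pid == 0) {
            execl("/sbin/iptables", "iptables", "-I", "INPUT", "-s", buffer, "-j", "DROP", (char *)NULL);
            _exit(127);
        }
        if (pid > 0)
            waitpid(pid, NULL, 0);
    }
    pclose(fp);
```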