直接调用IPtables禁用IP地址.
parent
014fb45b11
commit
86d7bf5780
2
Makefile
2
Makefile
@ -1,6 +1,6 @@
|
|||||||
CROSS_COMPILE ?=
|
CROSS_COMPILE ?=
|
||||||
CC := $(CROSS_COMPILE)gcc
|
CC := $(CROSS_COMPILE)gcc
|
||||||
CFLAGS += -g -Wall
|
CFLAGS += -O2 -g -Wall
|
||||||
|
|
||||||
OBG = rhost
|
OBG = rhost
|
||||||
|
|
||||||
|
@ -2,11 +2,13 @@
|
|||||||
ssh防止暴力破解,适用Debian 8、9
|
ssh防止暴力破解,适用Debian 8、9
|
||||||
|
|
||||||
|
|
||||||
|
## Help Information
|
||||||
cd /root
|
cd /root
|
||||||
git clone https://github.com/niuyuling/denyhosts.git
|
git clone https://github.com/niuyuling/denyhosts.git
|
||||||
cd denyhosts
|
cd denyhosts
|
||||||
make clean; make
|
make clean; make
|
||||||
chmod a+x /root/denyhosts/denyhosts.sh
|
chmod a+x /root/denyhosts/denyhosts.sh
|
||||||
|
|
||||||
crontab 定时任务,像这样.
|
crontab 定时任务,像这样.
|
||||||
0 22 * * * /root/denyhosts/denyhosts.sh
|
0 22 * * * /root/denyhosts/denyhosts.sh
|
||||||
|
|
||||||
|
10
denyhosts.sh
10
denyhosts.sh
@ -7,8 +7,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
function init() {
|
function init() {
|
||||||
num=20;
|
send_mail=0;
|
||||||
send_mail=1;
|
|
||||||
pwd_path="/root";
|
pwd_path="/root";
|
||||||
TIME=`date +"%Y%m%d%H%M"`;
|
TIME=`date +"%Y%m%d%H%M"`;
|
||||||
log_file="${pwd_path}/${TIME}.log";
|
log_file="${pwd_path}/${TIME}.log";
|
||||||
@ -31,13 +30,7 @@ function run()
|
|||||||
|
|
||||||
echo "System SSH authorization information:" &>> ${log_file}
|
echo "System SSH authorization information:" &>> ${log_file}
|
||||||
/root/denyhosts/rhost | awk '{a[$1]+=1;} END {for(i in a){print a[i]" "i;}}' &>> ${log_file}
|
/root/denyhosts/rhost | awk '{a[$1]+=1;} END {for(i in a){print a[i]" "i;}}' &>> ${log_file}
|
||||||
ip=$(echo $(/root/denyhosts/rhost | awk -v num=${num} '{a[$1]+=1;} END {for(i in a){if (a[i] >= num) {print i;}}}'))
|
|
||||||
|
|
||||||
|
|
||||||
ip_address=($ip)
|
|
||||||
for i in ${ip_address[@]} ; do
|
|
||||||
/sbin/iptables -I INPUT -s $i -j DROP
|
|
||||||
done
|
|
||||||
/sbin/iptables-save > /root/ipv4tables
|
/sbin/iptables-save > /root/ipv4tables
|
||||||
|
|
||||||
echo "" &>> ${log_file}
|
echo "" &>> ${log_file}
|
||||||
@ -59,5 +52,6 @@ exit 0;
|
|||||||
20190103
|
20190103
|
||||||
20190911
|
20190911
|
||||||
20191008
|
20191008
|
||||||
|
20210614
|
||||||
aixiao@aixiao.me
|
aixiao@aixiao.me
|
||||||
|
|
||||||
|
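Review bot: With the loop removed, the report pipeline `/root/denyhosts/rhost | awk …` in run() is now the call that inserts the DROP rules, and nothing in the script says so. A comment above it such as `# rhost also inserts the iptables DROP rules (threshold TOP_IP in rhost.c), so this call is not read-only` would keep a later edit from dropping or duplicating that call. The threshold that `num=20` used to expose here is now fixed at compile time, which is worth a one-line comment next to `send_mail` in init(). Both functions continue outside the visible hunks.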
72
rhost.c
72
rhost.c
@ -6,30 +6,36 @@
|
|||||||
#include <time.h>
|
#include <time.h>
|
||||||
|
|
||||||
#define BUFFER 270
|
#define BUFFER 270
|
||||||
|
#define LONG_BUFFER 1024*100
|
||||||
|
#define TOP_IP 20
|
||||||
|
#define AWK "| awk -v num=%d '{a[$1]+=1;} END {for(i in a){if (a[i] >= num) {print i;}}}' "
|
||||||
|
#define GE_10 "grep -E \"^$(date \"+%h\").$(date \"+%d\")\" /var/log/auth.log | grep failure | grep rhost"
|
||||||
|
#define LE_10 "grep -E \"^$(date \"+%h\")..$(date | awk '{print $3}')\" /var/log/auth.log | grep failure | grep rhost"
|
||||||
|
#define IPTABLES "/sbin/iptables -I INPUT -s %s -j DROP"
|
||||||
|
|
||||||
int main(int argc, char *argv[])
|
int main(int argc, char *argv[], char **env)
|
||||||
{
|
{
|
||||||
FILE *fp;
|
FILE *fp, *fc;
|
||||||
char *temp;
|
char p[2], splice_command[LONG_BUFFER], command[LONG_BUFFER], *temp, buffer[BUFFER], awk[BUFFER], iptables[BUFFER];
|
||||||
char buffer[BUFFER];
|
|
||||||
time_t timep;
|
|
||||||
struct tm *p;
|
|
||||||
time(&timep);
|
|
||||||
p = localtime(&timep);
|
|
||||||
char p1[2];
|
|
||||||
|
|
||||||
if (p->tm_mday >= 10) {
|
time_t timep;
|
||||||
if ((fp =
|
struct tm *tp;
|
||||||
popen
|
time(&timep);
|
||||||
("grep -E \"^$(date \"+%h\").$(date \"+%d\")\" /var/log/auth.log | grep failure | grep rhost",
|
tp = localtime(&timep);
|
||||||
"r")) == NULL) {
|
memset(splice_command, 0, LONG_BUFFER);
|
||||||
|
memset(command, 0, LONG_BUFFER);
|
||||||
|
memset(buffer, 0, BUFFER);
|
||||||
|
memset(awk, 0, BUFFER);
|
||||||
|
memset(iptables, 0, BUFFER);
|
||||||
|
fp = NULL;
|
||||||
|
fc = NULL;
|
||||||
|
|
||||||
|
if (tp->tm_mday >= 10) {
|
||||||
|
if ((fp = popen(GE_10, "r")) == NULL) {
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if ((fp =
|
if ((fp = popen(LE_10, "r")) == NULL) {
|
||||||
popen
|
|
||||||
("grep -E \"^$(date \"+%h\")..$(date | awk '{print $3}')\" /var/log/auth.log | grep failure | grep rhost",
|
|
||||||
"r")) == NULL) {
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -37,11 +43,37 @@ int main(int argc, char *argv[])
|
|||||||
while (fgets(buffer, BUFFER, fp) != NULL) {
|
while (fgets(buffer, BUFFER, fp) != NULL) {
|
||||||
temp = strstr(buffer, "rhost");
|
temp = strstr(buffer, "rhost");
|
||||||
sscanf(temp, "rhost=%s", temp);
|
sscanf(temp, "rhost=%s", temp);
|
||||||
|
if (atoi(strncpy(p, temp, 1)) > 0) {
|
||||||
|
strcat(splice_command, temp);
|
||||||
|
strcat(splice_command, "\n");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
printf("%s", splice_command); // 测试没问题
|
||||||
|
|
||||||
|
// 拼接命令
|
||||||
|
sprintf(awk, AWK, TOP_IP);
|
||||||
|
strcpy(command, "echo \"");
|
||||||
|
strcat(command, splice_command);
|
||||||
|
strcat(command, "\"");
|
||||||
|
strcat(command, awk);
|
||||||
|
//printf("%s", command); // 测试没问题
|
||||||
|
if ((fp = popen(command, "r")) == NULL) { // 执行命令
|
||||||
|
perror("popen");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
while (fgets(buffer, BUFFER, fp) != NULL) {
|
||||||
|
buffer[strlen(buffer) - 1] = '\0'; // 去除回车
|
||||||
|
sprintf(iptables, IPTABLES, buffer);
|
||||||
|
if ((fc = popen(iptables, "r")) == NULL) {
|
||||||
|
perror("popen");
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
if (atoi(strncpy(p1, temp, 1)) > 0)
|
|
||||||
printf("%s\n", temp);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
pclose(fp);
|
pclose(fp);
|
||||||
|
pclose(fc);
|
||||||
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
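Review bot: The `rhost=` token read from /var/log/auth.log is checked only for a leading non-zero digit before it is pasted into the `echo "…" | awk` string and then into the `IPTABLES` format, and both strings are run through `popen`. Log-derived text therefore reaches a shell unvalidated (presumably as root, going by the README's crontab entry), so every candidate should pass `inet_pton(AF_INET, …)` first, which needs `<arpa/inet.h>`. The same lines also write without bounds: the `strcat` calls into `splice_command` and `command` and `sprintf(iptables, …)` can run past their arrays on a day with many failures, `strncpy(p, temp, 1)` leaves `p` unterminated for `atoi`, and `temp` is used even when `strstr` finds nothing. `fp` is reassigned without closing the first pipe, each `fc` opened in the loop is left open, and the final `pclose(fc)` receives NULL when no address reached `TOP_IP`. The fence below reworks the two loops in `main`, which spans both hunks of this file and makes the trailing `pclose(fc)` unnecessary; `#define LONG_BUFFER 1024*100` would also be safer parenthesised.

```c
    size_t used = 0;
    while (fgets(buffer, BUFFER, fp) != NULL) {
        char host[64];
        struct in_addr addr;

        temp = strstr(buffer, "rhost=");
        if (temp == NULL || sscanf(temp, "rhost=%63s", host) != 1)
            continue;
        if (inet_pton(AF_INET, host, &addr) != 1)
            continue;   /* only a literal IPv4 address may reach the shell */
        size_t len = strlen(host);
        if (used + len + 2 > sizeof(splice_command) - 2 * BUFFER)
            break;      /* leave room for the echo/awk wrapper in command[] */
        memcpy(splice_command + used, host, len);
        splice_command[used + len] = '\n';
        used += len + 1;
    }
    pclose(fp);         /* close the grep pipe before fp is reused */
    // … unchanged: printf of splice_command, command assembly, second popen …
    while (fgets(buffer, BUFFER, fp) != NULL) {
        struct in_addr addr;

        buffer[strcspn(buffer, "\n")] = '\0';
        if (inet_pton(AF_INET, buffer, &addr) != 1)
            continue;   /* re-check: this text came back from a shell pipeline */
        snprintf(iptables, sizeof(iptables), IPTABLES, buffer);
        if ((fc = popen(iptables, "r")) == NULL) {
            perror("popen");
            pclose(fp);
            return 1;
        }
        pclose(fc);     /* reap each iptables child inside the loop */
    }
    pclose(fp);
```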