直接调用IPtables禁用IP地址.

This commit is contained in:
aixiao 2021-07-11 10:10:55 +08:00
parent 014fb45b11
commit 86d7bf5780
6 changed files with 60 additions and 32 deletions

View File

@ -1,6 +1,6 @@
CROSS_COMPILE ?= CROSS_COMPILE ?=
CC := $(CROSS_COMPILE)gcc CC := $(CROSS_COMPILE)gcc
CFLAGS += -g -Wall CFLAGS += -O2 -g -Wall
OBG = rhost OBG = rhost

View File

@ -2,11 +2,13 @@
ssh防止暴力破解,适用Debian 8、9 ssh防止暴力破解,适用Debian 8、9
## Help Information
cd /root cd /root
git clone https://github.com/niuyuling/denyhosts.git git clone https://github.com/niuyuling/denyhosts.git
cd denyhosts cd denyhosts
make clean; make make clean; make
chmod a+x /root/denyhosts/denyhosts.sh chmod a+x /root/denyhosts/denyhosts.sh
crontab 定时任务,像这样. crontab 定时任务,像这样.
0 22 * * * /root/denyhosts/denyhosts.sh 0 22 * * * /root/denyhosts/denyhosts.sh

View File

@ -7,8 +7,7 @@
# #
function init() { function init() {
num=20; send_mail=0;
send_mail=1;
pwd_path="/root"; pwd_path="/root";
TIME=`date +"%Y%m%d%H%M"`; TIME=`date +"%Y%m%d%H%M"`;
log_file="${pwd_path}/${TIME}.log"; log_file="${pwd_path}/${TIME}.log";
@ -31,13 +30,7 @@ function run()
echo "System SSH authorization information:" &>> ${log_file} echo "System SSH authorization information:" &>> ${log_file}
/root/denyhosts/rhost | awk '{a[$1]+=1;} END {for(i in a){print a[i]" "i;}}' &>> ${log_file} /root/denyhosts/rhost | awk '{a[$1]+=1;} END {for(i in a){print a[i]" "i;}}' &>> ${log_file}
ip=$(echo $(/root/denyhosts/rhost | awk -v num=${num} '{a[$1]+=1;} END {for(i in a){if (a[i] >= num) {print i;}}}'))
ip_address=($ip)
for i in ${ip_address[@]} ; do
/sbin/iptables -I INPUT -s $i -j DROP
done
/sbin/iptables-save > /root/ipv4tables /sbin/iptables-save > /root/ipv4tables
echo "" &>> ${log_file} echo "" &>> ${log_file}
@ -59,5 +52,6 @@ exit 0;
20190103 20190103
20190911 20190911
20191008 20191008
20210614
aixiao@aixiao.me aixiao@aixiao.me

BIN
rhost

Binary file not shown.

76
rhost.c
View File

@ -6,42 +6,74 @@
#include <time.h> #include <time.h>
#define BUFFER 270 #define BUFFER 270
#define LONG_BUFFER 1024*100
#define TOP_IP 20
#define AWK "| awk -v num=%d '{a[$1]+=1;} END {for(i in a){if (a[i] >= num) {print i;}}}' "
#define GE_10 "grep -E \"^$(date \"+%h\").$(date \"+%d\")\" /var/log/auth.log | grep failure | grep rhost"
#define LE_10 "grep -E \"^$(date \"+%h\")..$(date | awk '{print $3}')\" /var/log/auth.log | grep failure | grep rhost"
#define IPTABLES "/sbin/iptables -I INPUT -s %s -j DROP"
int main(int argc, char *argv[]) int main(int argc, char *argv[], char **env)
{ {
FILE *fp; FILE *fp, *fc;
char *temp; char p[2], splice_command[LONG_BUFFER], command[LONG_BUFFER], *temp, buffer[BUFFER], awk[BUFFER], iptables[BUFFER];
char buffer[BUFFER];
time_t timep;
struct tm *p;
time(&timep);
p = localtime(&timep);
char p1[2];
if (p->tm_mday >= 10) { time_t timep;
if ((fp = struct tm *tp;
popen time(&timep);
("grep -E \"^$(date \"+%h\").$(date \"+%d\")\" /var/log/auth.log | grep failure | grep rhost", tp = localtime(&timep);
"r")) == NULL) { memset(splice_command, 0, LONG_BUFFER);
memset(command, 0, LONG_BUFFER);
memset(buffer, 0, BUFFER);
memset(awk, 0, BUFFER);
memset(iptables, 0, BUFFER);
fp = NULL;
fc = NULL;
if (tp->tm_mday >= 10) {
if ((fp = popen(GE_10, "r")) == NULL) {
return 1; return 1;
} }
} else { } else {
if ((fp = if ((fp = popen(LE_10, "r")) == NULL) {
popen
("grep -E \"^$(date \"+%h\")..$(date | awk '{print $3}')\" /var/log/auth.log | grep failure | grep rhost",
"r")) == NULL) {
return 1; return 1;
} }
} }
while (fgets(buffer, BUFFER, fp) != NULL) { while (fgets(buffer, BUFFER, fp) != NULL) {
temp = strstr(buffer, "rhost"); temp = strstr(buffer, "rhost");
sscanf(temp, "rhost=%s", temp); sscanf(temp, "rhost=%s", temp);
if (atoi(strncpy(p, temp, 1)) > 0) {
if (atoi(strncpy(p1, temp, 1)) > 0) strcat(splice_command, temp);
printf("%s\n", temp); strcat(splice_command, "\n");
}
}
printf("%s", splice_command); // 测试没问题
// 拼接命令
sprintf(awk, AWK, TOP_IP);
strcpy(command, "echo \"");
strcat(command, splice_command);
strcat(command, "\"");
strcat(command, awk);
//printf("%s", command); // 测试没问题
if ((fp = popen(command, "r")) == NULL) { // 执行命令
perror("popen");
return 1;
}
while (fgets(buffer, BUFFER, fp) != NULL) {
buffer[strlen(buffer) - 1] = '\0'; // 去除回车
sprintf(iptables, IPTABLES, buffer);
if ((fc = popen(iptables, "r")) == NULL) {
perror("popen");
return 1;
}
} }
pclose(fp); pclose(fp);
pclose(fc);
return 0; return 0;
} }

BIN
rhost.o

Binary file not shown.