直接调用IPtables禁用IP地址.
parent
014fb45b11
commit
86d7bf5780
2
Makefile
2
Makefile
@ -1,6 +1,6 @@
|
||||
CROSS_COMPILE ?=
|
||||
CC := $(CROSS_COMPILE)gcc
|
||||
CFLAGS += -g -Wall
|
||||
CFLAGS += -O2 -g -Wall
|
||||
|
||||
OBG = rhost
|
||||
|
||||
|
@ -2,11 +2,13 @@
|
||||
ssh防止暴力破解,适用Debian 8、9
|
||||
|
||||
|
||||
## Help Information
|
||||
cd /root
|
||||
git clone https://github.com/niuyuling/denyhosts.git
|
||||
cd denyhosts
|
||||
make clean; make
|
||||
chmod a+x /root/denyhosts/denyhosts.sh
|
||||
|
||||
crontab 定时任务,像这样.
|
||||
0 22 * * * /root/denyhosts/denyhosts.sh
|
||||
|
||||
|
12
denyhosts.sh
12
denyhosts.sh
@ -7,8 +7,7 @@
|
||||
#
|
||||
|
||||
function init() {
|
||||
num=20;
|
||||
send_mail=1;
|
||||
send_mail=0;
|
||||
pwd_path="/root";
|
||||
TIME=`date +"%Y%m%d%H%M"`;
|
||||
log_file="${pwd_path}/${TIME}.log";
|
||||
@ -31,13 +30,7 @@ function run()
|
||||
|
||||
echo "System SSH authorization information:" &>> ${log_file}
|
||||
/root/denyhosts/rhost | awk '{a[$1]+=1;} END {for(i in a){print a[i]" "i;}}' &>> ${log_file}
|
||||
ip=$(echo $(/root/denyhosts/rhost | awk -v num=${num} '{a[$1]+=1;} END {for(i in a){if (a[i] >= num) {print i;}}}'))
|
||||
|
||||
|
||||
ip_address=($ip)
|
||||
for i in ${ip_address[@]} ; do
|
||||
/sbin/iptables -I INPUT -s $i -j DROP
|
||||
done
|
||||
|
||||
/sbin/iptables-save > /root/ipv4tables
|
||||
|
||||
echo "" &>> ${log_file}
|
||||
@ -59,5 +52,6 @@ exit 0;
|
||||
20190103
|
||||
20190911
|
||||
20191008
|
||||
20210614
|
||||
aixiao@aixiao.me
|
||||
|
||||
|
76
rhost.c
76
rhost.c
@ -6,42 +6,74 @@
|
||||
#include <time.h>
|
||||
|
||||
#define BUFFER 270
|
||||
#define LONG_BUFFER 1024*100
|
||||
#define TOP_IP 20
|
||||
#define AWK "| awk -v num=%d '{a[$1]+=1;} END {for(i in a){if (a[i] >= num) {print i;}}}' "
|
||||
#define GE_10 "grep -E \"^$(date \"+%h\").$(date \"+%d\")\" /var/log/auth.log | grep failure | grep rhost"
|
||||
#define LE_10 "grep -E \"^$(date \"+%h\")..$(date | awk '{print $3}')\" /var/log/auth.log | grep failure | grep rhost"
|
||||
#define IPTABLES "/sbin/iptables -I INPUT -s %s -j DROP"
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
int main(int argc, char *argv[], char **env)
|
||||
{
|
||||
FILE *fp;
|
||||
char *temp;
|
||||
char buffer[BUFFER];
|
||||
time_t timep;
|
||||
struct tm *p;
|
||||
time(&timep);
|
||||
p = localtime(&timep);
|
||||
char p1[2];
|
||||
FILE *fp, *fc;
|
||||
char p[2], splice_command[LONG_BUFFER], command[LONG_BUFFER], *temp, buffer[BUFFER], awk[BUFFER], iptables[BUFFER];
|
||||
|
||||
if (p->tm_mday >= 10) {
|
||||
if ((fp =
|
||||
popen
|
||||
("grep -E \"^$(date \"+%h\").$(date \"+%d\")\" /var/log/auth.log | grep failure | grep rhost",
|
||||
"r")) == NULL) {
|
||||
time_t timep;
|
||||
struct tm *tp;
|
||||
time(&timep);
|
||||
tp = localtime(&timep);
|
||||
memset(splice_command, 0, LONG_BUFFER);
|
||||
memset(command, 0, LONG_BUFFER);
|
||||
memset(buffer, 0, BUFFER);
|
||||
memset(awk, 0, BUFFER);
|
||||
memset(iptables, 0, BUFFER);
|
||||
fp = NULL;
|
||||
fc = NULL;
|
||||
|
||||
if (tp->tm_mday >= 10) {
|
||||
if ((fp = popen(GE_10, "r")) == NULL) {
|
||||
return 1;
|
||||
}
|
||||
} else {
|
||||
if ((fp =
|
||||
popen
|
||||
("grep -E \"^$(date \"+%h\")..$(date | awk '{print $3}')\" /var/log/auth.log | grep failure | grep rhost",
|
||||
"r")) == NULL) {
|
||||
if ((fp = popen(LE_10, "r")) == NULL) {
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
while (fgets(buffer, BUFFER, fp) != NULL) {
|
||||
temp = strstr(buffer, "rhost");
|
||||
sscanf(temp, "rhost=%s", temp);
|
||||
|
||||
if (atoi(strncpy(p1, temp, 1)) > 0)
|
||||
printf("%s\n", temp);
|
||||
if (atoi(strncpy(p, temp, 1)) > 0) {
|
||||
strcat(splice_command, temp);
|
||||
strcat(splice_command, "\n");
|
||||
}
|
||||
}
|
||||
printf("%s", splice_command); // 测试没问题
|
||||
|
||||
// 拼接命令
|
||||
sprintf(awk, AWK, TOP_IP);
|
||||
strcpy(command, "echo \"");
|
||||
strcat(command, splice_command);
|
||||
strcat(command, "\"");
|
||||
strcat(command, awk);
|
||||
//printf("%s", command); // 测试没问题
|
||||
if ((fp = popen(command, "r")) == NULL) { // 执行命令
|
||||
perror("popen");
|
||||
return 1;
|
||||
}
|
||||
while (fgets(buffer, BUFFER, fp) != NULL) {
|
||||
buffer[strlen(buffer) - 1] = '\0'; // 去除回车
|
||||
sprintf(iptables, IPTABLES, buffer);
|
||||
if ((fc = popen(iptables, "r")) == NULL) {
|
||||
perror("popen");
|
||||
return 1;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
pclose(fp);
|
||||
pclose(fc);
|
||||
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
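Review bot: The `rhost=` token read from /var/log/auth.log is pasted into two shell command lines after a check that only its first character is a digit 1–9, so log content reaches `popen()` as shell text. The two places are the `echo "…" | awk` string built in `splice_command`/`command` and the `IPTABLES` string built with `sprintf`; that log content is presumably influenced by the connecting host. The same loop also has memory-safety problems: `strcat(splice_command, temp)` and `sprintf(iptables, IPTABLES, buffer)` are unbounded, `p` is not NUL-terminated before `atoi`, `sscanf(temp, "rhost=%s", temp)` reads and writes the same buffer, and `strstr` can return NULL when `fgets` splits a long line. I would copy the token into a separate bounded buffer and append it only if `inet_pton(AF_INET, …)` accepts it, as sketched below; this needs `<arpa/inet.h>`, and the include list starts above the hunk. Separately, the first `fp` is overwritten without `pclose`, `fc` is closed only once after the loop, and `pclose(fc)` is reached with `fc == NULL` when no address crosses the threshold.

```c
    while (fgets(buffer, BUFFER, fp) != NULL) {
        char host[BUFFER];
        struct in_addr addr;

        temp = strstr(buffer, "rhost=");
        if (temp == NULL || sscanf(temp, "rhost=%269s", host) != 1)    // 269 == BUFFER - 1
            continue;
        // Only a literal dotted-quad IPv4 address may reach the shell commands built below.
        if (inet_pton(AF_INET, host, &addr) != 1)
            continue;
        // Leave room for the echo/awk wrapper that is later added around splice_command.
        if (strlen(splice_command) + strlen(host) + 2 > sizeof(splice_command) - 2 * BUFFER)
            break;
        strcat(splice_command, host);
        strcat(splice_command, "\n");
    }
    pclose(fp);
    // … unchanged: awk command assembly, second popen and the iptables loop …
```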