登陆服务器失败 IP 统计和处理方法

1、登陆ssh失败次数统计

1）错误的打开方式

awk '/Failed password/ {print $(NF-3)}' secure |sort -n |uniq -c|sort -n |tail /var/log/secure

2）拷贝文件，再查看失败

cp /var/log/secure .

awk '/Failed password/ {print $(NF-3)}' secure |sort -n |uniq -c|sort -n |tail

3）直接查看失败

$ awk '/Failed password/ {print $(NF-3)}' /var/log/secure |sort -n |uniq -c|sort -n

4）查看最近失败的时间

less /var/log/secure

按G

2、对于防破解问题的处理

1）禁止密码登陆方式

2）禁止失败的IP登陆的方式
#

hosts.deny This file contains access rules which are used to

deny connections to network services that either use

the tcp_wrappers library or that have been

started through a tcp_wrappers-enabled xinetd.

#

The rules in this file can also be set up in

/etc/hosts.allow with a 'deny' option instead.

#

See 'man 5 hosts_options' and 'man 5 hosts_access'

for information on rule syntax.

See 'man tcpd' for information on tcp_wrappers

#
sshd:192.168.2.41:deny

/etc/hosts.deny
/etc/hosts.deny
在/etc/hosts.deny文件下面

添加 sshd:192.168.2.41:deny

重启sshd

3、实现python自动化写入文件

1）获取到失败IP的文件

awk '/Failed password/ {print $(NF-3)}' /var/log/secure |sort -n |uniq -c|sort -n > ip_fail.txt

2）查看原有的被限制IP的文件

3）执行python脚本文件
def ip_index():
#读取文件获取到已经有被限制的IP
ip_list = set()
with open('hosts.deny',mode='r',encoding='utf-8') as f_log:
for line in f_log:
line = line.split('\n')[0].split(' ')[0]
if len(line) !=0 and not line[0].startswith("#"):
line = line.split(":")
ip_list.add(line[1])
return ip_list

def write():

写入失败的IP到配置文件中

with open('ip_fail.txt',mode='r',encoding='utf-8') as f:
    for line in f:
        line = line.split('\n')[0].split(' ')
        if int(line[6]) > 2:
            print('登陆失败次数大于2的IP',line[7])
            with open('hosts.deny',mode='a',encoding='utf-8') as f:
                if line[7] not in ip_list:
                    f.write('sshd:%s:deny\n'%line[7])

if name == 'main':
ip_list = ip_index()
write()

ip_add=>hosts.deny
参考该文章:https://www.cnblogs.com/linu/p/10076647.html