SSH access control, blocking the IP when logging in repeatedly to prevent brute force cracking

One 、 System ：CentOS 6.3 64 position

Two 、 Method ： Read /var/log/secure, Find keywords Failed, for example （ notes ： In this paper, the IP The address has been deleted ）：

Sep 17 09:08:09 localhost sshd[29087]: Failed password for root from 13.7.3.6 port 44367 ssh2 Sep 17 09:08:20 localhost sshd[29087]: Failed password for root from 13.7.3.6 port 44367 ssh2 Sep 17 09:10:02 localhost sshd[29223]: Failed password for root from 13.7.3.6 port 56482 ssh2 Sep 17 09:10:14 localhost sshd[29223]: Failed password for root from 13.7.3.6 port 56482 ssh2

Extract from these lines IP Address , If the number reaches 5 Second, the IP writes /etc/hosts.deny in .

3、 ... and 、 step ：

1、 First, always allow IP fill /etc/hosts.allow , It's important ！ such as ： sshd:19.16.18.1:allow sshd:19.16.18.2:allow

2、 Script /root/secure_ssh.sh

#! /bin/bash cat /var/log/secure|awk '/Failed/{print $(NF-3)}'|sort|uniq -c|awk '{print $2"="$1;}' > /root/black.txt DEFINE="5" for i in `cat  /root/black.txt` do 　　IP=`echo $i |awk -F= '{print $1}'` 　　NUM=`echo $i|awk -F= '{print $2}'` 　　if [ $NUM -gt $DEFINE ];then   　　grep $IP /etc/hosts.deny > /dev/null       if [ $? -gt 0 ];then           echo "sshd:$IP:deny" >> /etc/hosts.deny       fi     fi done

3、 take secure_ssh.sh Script put in cron Planning tasks , Every time 1 Once per minute . # crontab -e */1 * * * *  sh /root/secure_ssh.sh

Four 、 test ：

1、 Open two terminal windows , One ssh Even on The server , The other connects with the wrong password The server A few times .

Soon , The server It has been recorded in the blacklist file ： [[email protected] ~]# $ cat /root/black.txt 13.26.21.27=3

I want to see others The server Upper hosts.deny [[email protected] ~]# cat /etc/hosts.deny sshd:13.7.3.6:deny sshd:92.4.0.4:deny sshd:94.10.4.2:deny sshd:94.4.1.6:deny sshd:11.64.11.5:deny

2、 Continue from another terminal window “ violence ” Connect The server .

Look at the blacklist file on the server ： [[email protected] ~]# cat black.txt 13.26.21.27=6

Look at the server hosts.deny [[email protected] ~]# cat /etc/hosts.deny sshd:13.7.3.6:deny sshd:92.4.0.4:deny sshd:94.10.4.2:deny sshd:94.4.1.6:deny sshd:11.64.11.5:deny sshd:13.26.21.27:deny

IP Has been added to the server hosts.deny, Connect to the server with the correct password , Be rejected ： $ ssh [email protected] -p 2333 ssh_exchange_identification: Connection closed by remote host

notes ： 1. Scripts are written for colleagues .

2. The server sshd Port changed to 2333, The fact proved that , After changing the port , violence Crack Of ssh The number of connections decreased sharply .