Automatically updating a Linux blacklist
I happened to look at my login log and found, once again, that "someone is always out to get me". I have posted before about the server constantly being hit by malicious login attempts; my fix is simple and blunt: block the IP.
Below is the server's failed-login log as shown by the lastb command.
ftpuser ssh:notty 133.130.103.212 Tue Sep 14 01:37 - 01:37 (00:00)
ftpuser ssh:notty 133.130.103.212 Tue Sep 14 01:37 - 01:37 (00:00)
rl ssh:notty 81.182.254.124 Tue Sep 14 01:36 - 01:36 (00:00)
rl ssh:notty 81.182.254.124 Tue Sep 14 01:36 - 01:36 (00:00)
test1 ssh:notty 133.130.103.212 Tue Sep 14 01:36 - 01:36 (00:00)
test1 ssh:notty 133.130.103.212 Tue Sep 14 01:36 - 01:36 (00:00)
catadmin ssh:notty 133.130.103.212 Tue Sep 14 01:34 - 01:34 (00:00)
catadmin ssh:notty 133.130.103.212 Tue Sep 14 01:34 - 01:34 (00:00)
root ssh:notty 81.182.254.124 Tue Sep 14 01:34 - 01:34 (00:00)
mail ssh:notty 133.130.103.212 Tue Sep 14 01:33 - 01:33 (00:00)
santana ssh:notty 81.182.254.124 Tue Sep 14 01:33 - 01:33 (00:00)
santana ssh:notty 81.182.254.124 Tue Sep 14 01:33 - 01:33 (00:00)
gew ssh:notty 133.130.103.212 Tue Sep 14 01:32 - 01:32 (00:00)
gew ssh:notty 133.130.103.212 Tue Sep 14 01:32 - 01:32 (00:00)
root ssh:notty 81.182.254.124 Tue Sep 14 01:31 - 01:31 (00:00)
ubuntu ssh:notty 133.130.103.212 Tue Sep 14 01:31 - 01:31 (00:00)
ubuntu ssh:notty 133.130.103.212 Tue Sep 14 01:31 - 01:31 (00:00)
mysql ssh:notty 81.182.254.124 Tue Sep 14 01:30 - 01:30 (00:00)
mysql ssh:notty 81.182.254.124 Tue Sep 14 01:30 - 01:30 (00:00)
yl ssh:notty 133.130.103.212 Tue Sep 14 01:30 - 01:30 (00:00)
yl ssh:notty 133.130.103.212 Tue Sep 14 01:30 - 01:30 (00:00)
donald ssh:notty 81.182.254.124 Tue Sep 14 01:28 - 01:28 (00:00)
donald ssh:notty 81.182.254.124 Tue Sep 14 01:28 - 01:28 (00:00)
wangqj ssh:notty 133.130.103.212 Tue Sep 14 01:28 - 01:28 (00:00)
wangqj ssh:notty 133.130.103.212 Tue Sep 14 01:28 - 01:28 (00:00)
sp ssh:notty 133.130.103.212 Tue Sep 14 01:27 - 01:27 (00:00)
sp ssh:notty 133.130.103.212 Tue Sep 14 01:27 - 01:27 (00:00)
tom ssh:notty 81.182.254.124 Tue Sep 14 01:27 - 01:27 (00:00)
tom ssh:notty 81.182.254.124 Tue Sep 14 01:27 - 01:27 (00:00)
root ssh:notty 112.5.178.33 Tue Sep 14 01:27 - 01:27 (00:00)
miner ssh:notty 133.130.103.212 Tue Sep 14 01:26 - 01:26 (00:00)
miner ssh:notty 133.130.103.212 Tue Sep 14 01:26 - 01:26 (00:00)
root ssh:notty 81.182.254.124 Tue Sep 14 01:25 - 01:25 (00:00)
admin2 ssh:notty 133.130.103.212 Tue Sep 14 01:25 - 01:25 (00:00)
admin2 ssh:notty 133.130.103.212 Tue Sep 14 01:25 - 01:25 (00:00)
xyh ssh:notty 81.182.254.124 Tue Sep 14 01:24 - 01:24 (00:00)
xyh ssh:notty 81.182.254.124 Tue Sep 14 01:24 - 01:24 (00:00)
jenkins ssh:notty 133.130.103.212 Tue Sep 14 01:24 - 01:24 (00:00)
jenkins ssh:notty 133.130.103.212 Tue Sep 14 01:24 - 01:24 (00:00)
admin ssh:notty 81.182.254.124 Tue Sep 14 01:23 - 01:23 (00:00)
admin ssh:notty 81.182.254.124 Tue Sep 14 01:23 - 01:23 (00:00)
louis ssh:notty 133.130.103.212 Tue Sep 14 01:22 - 01:22 (00:00)
louis ssh:notty 133.130.103.212 Tue Sep 14 01:22 - 01:22 (00:00)
mqu ssh:notty 133.130.103.212 Tue Sep 14 01:21 - 01:21 (00:00)
mqu ssh:notty 133.130.103.212 Tue Sep 14 01:21 - 01:21 (00:00)
grant ssh:notty 81.182.254.124 Tue Sep 14 01:21 - 01:21 (00:00)
grant ssh:notty 81.182.254.124 Tue Sep 14 01:21 - 01:21 (00:00)
imobilis ssh:notty 133.130.103.212 Tue Sep 14 01:20 - 01:20 (00:00)
imobilis ssh:notty 133.130.103.212 Tue Sep 14 01:20 - 01:20 (00:00)
root ssh:notty 81.182.254.124 Tue Sep 14 01:20 - 01:20 (00:00)
pni ssh:notty 133.130.103.212 Tue Sep 14 01:19 - 01:19 (00:00)
pni ssh:notty 133.130.103.212 Tue Sep 14 01:19 - 01:19 (00:00)
mgarcia ssh:notty 81.182.254.124 Tue Sep 14 01:18 - 01:18 (00:00)
mgarcia ssh:notty 81.182.254.124 Tue Sep 14 01:18 - 01:18 (00:00)
root ssh:notty 133.130.103.212 Tue Sep 14 01:18 - 01:18 (00:00)
diane ssh:notty 81.182.254.124 Tue Sep 14 01:17 - 01:17 (00:00)
diane ssh:notty 81.182.254.124 Tue Sep 14 01:17 - 01:17 (00:00)
gk ssh:notty 133.130.103.212 Tue Sep 14 01:16 - 01:16 (00:00)
gk ssh:notty 133.130.103.212 Tue Sep 14 01:16 - 01:16 (00:00)
infinity ssh:notty 81.182.254.124 Tue Sep 14 01:15 - 01:15 (00:00)
infinity ssh:notty 81.182.254.124 Tue Sep 14 01:15 - 01:15 (00:00)
dba ssh:notty 133.130.103.212 Tue Sep 14 01:15 - 01:15 (00:00)
dba ssh:notty 133.130.103.212 Tue Sep 14 01:15 - 01:15 (00:00)
gaojian ssh:notty 81.182.254.124 Tue Sep 14 01:14 - 01:14 (00:00)
gaojian ssh:notty 81.182.254.124 Tue Sep 14 01:14 - 01:14 (00:00)
pdx ssh:notty 133.130.103.212 Tue Sep 14 01:10 - 01:10 (00:00)
pdx ssh:notty 133.130.103.212 Tue Sep 14 01:10 - 01:10 (00:00)
sa ssh:notty 81.182.254.124 Tue Sep 14 01:10 - 01:10 (00:00)
sa ssh:notty 81.182.254.124 Tue Sep 14 01:10 - 01:10 (00:00)
btmp begins Tue Sep 14 01:10:19 2022
As you can see, certain IPs are persistently trying to log in to my server with bad intent. To deal with this, we need to periodically pull these malicious IPs out of the failed-login log and add them to a blacklist. I wrote a simple script that updates the blacklist automatically; its logic is as follows:
- Use the sort command together with uniq to get the number of login attempts for each IP
- Treat any IP whose number of login attempts exceeds 10 as malicious and add it to the blacklist
The same logic can also be applied to an nginx blacklist, which helps reduce the impact of malicious attacks on our server.
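As an added example of that logic (not the author's script, which is not reproduced here), the following POSIX shell functions count failed logins per source IP from lastb output, report the IPs above a threshold, and append them to a blacklist file without ever duplicating an entry or blocking an allowlisted address. The hosts.deny-style "sshd: <ip>" format, the allowlist file path and the sample log lines are assumptions and constructed data.

```shell
#!/bin/sh
# Added example of the blacklist logic described above; not the author's script.
# Assumptions: the blacklist is a hosts.deny-style file with "sshd: <ip>" lines,
# the allowlist is a file with one IP per line, and the sample input is constructed.

# Constructed lastb output (fields: user, tty, host, date...). The trailing
# "btmp begins ..." line and any non-IPv4 host field must be ignored.
SAMPLE_LASTB='root ssh:notty 203.0.113.5 Tue Sep 14 01:10 - 01:10 (00:00)
admin ssh:notty 203.0.113.5 Tue Sep 14 01:11 - 01:11 (00:00)
test ssh:notty 203.0.113.5 Tue Sep 14 01:12 - 01:12 (00:00)
root ssh:notty 198.51.100.7 Tue Sep 14 01:12 - 01:12 (00:00)
root ssh:notty 198.51.100.7 Tue Sep 14 01:13 - 01:13 (00:00)
alice ssh:notty 192.0.2.9 Tue Sep 14 01:14 - 01:14 (00:00)
btmp begins Tue Sep 14 01:10:19 2022'

# extract_bad_ips THRESHOLD: stdin = lastb output, stdout = IPs with more than
# THRESHOLD failed attempts, most active first (sort | uniq -c, as in the post).
extract_bad_ips() {
    awk '$3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $3 }' \
        | sort | uniq -c | sort -rn \
        | awk -v t="${1:-10}" '$1 > t { print $2 }'
}

# update_blacklist DENYFILE ALLOWFILE: stdin = offending IPs, one per line.
# Idempotent: re-running from cron never duplicates entries. Allowlisted IPs are
# never blocked, so a few typos from your own address cannot lock you out.
update_blacklist() {
    denyfile="$1"; allowfile="$2"
    touch "$denyfile"
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        if [ -f "$allowfile" ] && grep -qxF "$ip" "$allowfile"; then
            continue
        fi
        if ! grep -qxF "sshd: $ip" "$denyfile"; then
            echo "sshd: $ip" >> "$denyfile"
        fi
    done
}

# Real use from cron (assumed paths), with the post's threshold of 10:
#   lastb -i | extract_bad_ips 10 | update_blacklist /etc/hosts.deny /etc/ssh_allowlist
# Offline demo on the constructed sample with a low threshold:
demo_deny="$(mktemp)"
printf '%s\n' "$SAMPLE_LASTB" | extract_bad_ips 2 | update_blacklist "$demo_deny" /dev/null
cat "$demo_deny"   # sshd: 203.0.113.5
rm -f "$demo_deny"
```

Reading /var/log/btmp requires root, and `lastb -i` forces the host column to be an IP address rather than a resolved name, so the regex filter above does not silently drop entries.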
In addition, to reduce the risk of the server being brute-forced, consider the following measures:
- Change your ssh port; a five-digit port number is best
- Disable root login and create a separate user instead, so that even if the account is cracked, some unauthorized operations are still blocked
- If your IP address is fixed, set up a whitelist that only allows logins from your own IP and rejects every other IP