Linux - Ubuntu automatically blacklists IP addresses that fail to log in multiple times through SSH through shell script

1: Introduction to the login-related log files

Ubuntu keeps three login-related log files:
1: /var/run/utmp: records the users currently logged in. By default it is read by who and w to show the current users, and by uptime to show the system start time;

2: /var/log/wtmp: records the history of all user logins and logouts on the system. By default it is read by the last command;

3: /var/log/btmp: records failed login attempts. By default it is read by the lastb command.

To view the failed login records on Ubuntu, you only need:

sudo lastb
# or
sudo lastb -n 30 # show only the latest 30 entries

2: View failed login records

The server I bought has been sitting there useless, idle and unmanaged. Although the port has been changed and root login over ssh has been disabled, as long as someone is not lazy it is easy to scan the port with tools. Sure enough, someone has scanned it and is trying to brute-force the login by running through a dictionary (good grief, they have gone from a to m).

ubuntu@VM-20-6-ubuntu:~$ sudo lastb -n 20
maven    ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
maven    ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
maxiao   ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
maxiao   ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
maundy   ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
max      ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mawenche ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maundy   ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
max      ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
max      ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mawenche ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mawenche ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
max      ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mawenche ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maven    ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mauricio ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)

Looking at the failure records and counting them, it turns out that the most aggressive brute-forcer alone has produced more than 30000 failed login records. Although it has not succeeded, it is as annoying as a fly. So I need to write a script that blacklists IP addresses after multiple failed login attempts.

ubuntu@VM-20-6-ubuntu:~$ sudo lastb |awk '{print $3}'|sort |uniq -c
      1 
      4 119.165.181.251
      4 121.129.214.70
  30573 138.68.86.65
      4 151.50.58.55
      1 151.84.178.182
  30702 159.65.220.140
     54 177.249.47.101
      7 185.245.41.97
  15331 211.246.175.6
      4 24.218.231.49
      4 24.224.178.87
     59 47.102.111.161
      4 82.66.84.2
      4 83.195.190.187
      4 83.228.156.118
    103 83.250.30.182
      4 88.157.49.186
      8 98.40.14.28
      1 Sat
      1 Sun
      1 Wed

3: Script ssh failed login limit IP

With this command you get the IPs that have failed to log in more than 4 times, which is the list that needs to go into the blacklist. (The stray "Sat", "Sun", "Wed" and blank entries in the count above come from the blank line and the "btmp begins ..." footer that lastb prints after the records: their third column is a weekday or empty, and with a count of 1 they fall below the threshold anyway.)

sudo lastb |awk '{print $3}'|sort |uniq -c|awk '{if ($1 > 4) print $2}'

The display is as follows:

ubuntu@VM-20-6-ubuntu:~$ sudo lastb |awk '{print $3}'|sort |uniq -c|awk '{if ($1 > 4) print $2}'
138.68.86.65
159.65.220.140
177.249.47.101
185.245.41.97
211.246.175.6
47.102.111.161
83.250.30.182
98.40.14.28

Now write the script. The blacklist file is /etc/hosts.deny, and on Ubuntu the format is ALL: IP, one entry per line, which denies that address for every service that consults tcp_wrappers. This only takes effect for ssh if sshd is linked against libwrap, which you can check with: ldd /usr/sbin/sshd | grep libwrap

#!/bin/bash
#set -x
# Run as root: the redirections below write to root-owned files.
# Field 3 of lastb output is the source host; keep those seen more than 4 times.
list=$(lastb | awk '{print $3}' | sort | uniq -c | awk '{if ($1 > 4) print $2}')
for ip in ${list}
do
	# Join the blacklist, skipping addresses that are already listed
	grep -qxF "ALL: ${ip}" /etc/hosts.deny || echo "ALL: ${ip}" >> /etc/hosts.deny
done
# Clear the failure record once, after the loop, so the next run does not count the
# same attempts again. btmp is a binary file of fixed-size records: truncate it to
# zero bytes rather than writing a newline into it, which would misalign later records.
: > /var/log/btmp
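As an added example (not the post's own script), the per-address counting from section 3 and the hosts.deny append from the script above, written as functions that take file paths as arguments so they can be exercised on a constructed sample without touching the real /var/log/btmp or /etc/hosts.deny. It goes slightly beyond the post's pipeline: the address is located by pattern instead of by column number, the "btmp begins ..." footer is skipped explicitly, and the append is idempotent. The function names flag_ips, add_to_deny and make_sample, and the sample addresses, are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the post's own script. File paths are passed as arguments so the
# functions can be run on a constructed sample; names and sample data are assumptions.

# Print, sorted, the IPv4 addresses that occur more than $2 (default 4) times in the
# lastb-style output in file $1 ("-" reads stdin). The address is located by pattern
# instead of by column number, and the "btmp begins ..." footer that lastb prints
# (whose third column is a weekday such as "Sat") is skipped explicitly.
flag_ips() {
    local input=$1 threshold=${2:-4}
    awk -v t="$threshold" '
        /^btmp begins/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { n[$i]++; break }
        }
        END { for (ip in n) if (n[ip] > t) print ip }
    ' "$input" | sort
}

# Read addresses from stdin and append "ALL: <ip>" to the deny file $1 for each one
# that is not already present, so repeated runs never duplicate entries.
# Prints the number of entries actually added.
add_to_deny() {
    local deny=$1 ip added=0
    touch "$deny"
    while read -r ip; do
        [ -n "$ip" ] || continue
        if ! grep -qxF "ALL: ${ip}" "$deny"; then
            echo "ALL: ${ip}" >> "$deny"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Write a constructed lastb-style sample (documentation addresses, not real data)
# to file $1: 203.0.113.10 fails 5 times, 192.0.2.44 4 times, 198.51.100.7 once,
# followed by the blank line and footer that lastb appends.
make_sample() {
    cat > "$1" <<'EOF'
maven    ssh:notty    203.0.113.10     Tue Nov 23 12:58 - 12:58  (00:00)
maven    ssh:notty    203.0.113.10     Tue Nov 23 12:58 - 12:58  (00:00)
max      ssh:notty    203.0.113.10     Tue Nov 23 12:57 - 12:57  (00:00)
max      ssh:notty    203.0.113.10     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    203.0.113.10     Tue Nov 23 12:57 - 12:57  (00:00)
root     ssh:notty    192.0.2.44       Tue Nov 23 12:50 - 12:50  (00:00)
root     ssh:notty    192.0.2.44       Tue Nov 23 12:50 - 12:50  (00:00)
admin    ssh:notty    192.0.2.44       Tue Nov 23 12:49 - 12:49  (00:00)
admin    ssh:notty    192.0.2.44       Tue Nov 23 12:49 - 12:49  (00:00)
test     ssh:notty    198.51.100.7     Tue Nov 23 12:40 - 12:40  (00:00)

btmp begins Sat Nov 20 03:12:01 2021
EOF
}

# Demo on the constructed sample, everything under a temporary directory:
#   bash this_script.sh --demo
# Real use (as root): lastb | flag_ips - 4 | add_to_deny /etc/hosts.deny
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample "$work/btmp.txt"
    flag_ips "$work/btmp.txt" | add_to_deny "$work/hosts.deny" > /dev/null
    cat "$work/hosts.deny"          # ALL: 203.0.113.10
    rm -r "$work"
fi
```

With the default threshold only 203.0.113.10 (5 failures) is flagged; 192.0.2.44 sits exactly at 4 and is not, matching the post's "more than 4" rule. Running add_to_deny a second time on the same input adds nothing, which is what makes an hourly cron run safe even if btmp is not cleared in between.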

4: Script scheduled task

sudo crontab -e # edit root's crontab, since the script writes to root-owned files
# Run the script at minute 0 of every hour. Note that "* */1 * * *" would run it
# every minute, because the minute field is "*".
0 * * * * /bin/bash /home/ubuntu/ssh_deny.sh

After that the server takes care of everything itself. To test it, I will change the ssh port back to the default 22 and go fishing, then wait a few hours to see whether the /etc/hosts.deny blacklist has gained any IPs.

Tags: Linux Operation & Maintenance shell ssh Ubuntu

Posted on Tue, 23 Nov 2021 07:29:06 -0500 by jtravis