1: Introduction to the login record files
Ubuntu keeps three login log files:
1: /var/run/utmp: records the currently logged-in users. By default, who and w read it to show who is logged in, and uptime reads the system start time from it;
2: /var/log/wtmp: records the login history of the system, both current and past sessions. It is viewed with the last command by default;
3: /var/log/btmp: records failed login attempts. It is viewed with the lastb command by default.
To view the failed login records on Ubuntu, you only need:
sudo lastb
sudo lastb -n 30    # or: show only the latest 30 entries
2: View failed login records
The server I bought has been sitting idle and unmanaged. Although I changed the ssh port and disabled ssh login for root, anyone who is not lazy can find the port with a scanner in no time. Sure enough, someone has scanned it and is trying to brute-force the login by running through a dictionary (they have already worked their way from a to m).
ubuntu@VM-20-6-ubuntu:~$ sudo lastb -n 20
maven    ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
maven    ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
maxiao   ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
maxiao   ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
maundy   ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
max      ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mawenche ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maundy   ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
max      ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
max      ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mawenche ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mawenche ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
max      ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mawenche ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maven    ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mauricio ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
Looking at the failure records and counting them per address, the most aggressive source has racked up more than 30000 failed logins. It has not succeeded, but it is as annoying as a fly, so I want a script that blacklists any IP address that fails to log in too many times.
ubuntu@VM-20-6-ubuntu:~$ sudo lastb |awk '{print $3}'|sort |uniq -c
      1
      4 119.165.181.251
      4 121.129.214.70
  30573 138.68.86.65
      4 151.50.58.55
      1 151.84.178.182
  30702 159.65.220.140
     54 177.249.47.101
      7 185.245.41.97
  15331 211.246.175.6
      4 24.218.231.49
      4 24.224.178.87
     59 47.102.111.161
      4 82.66.84.2
      4 83.195.190.187
      4 83.228.156.118
    103 83.250.30.182
      4 88.157.49.186
      8 98.40.14.28
      1 Sat
      1 Sun
      1 Wed
3: Script to block IPs with failed ssh logins
With the following command you get the IPs that have failed to log in more than 4 times, which is the list to add to the blacklist. (The empty entry and the day names Sat, Sun and Wed in the counts above are not hosts: they come from the blank line and the "btmp begins ..." footer that lastb prints, and the threshold filters them out.)
sudo lastb |awk '{print $3}'|sort |uniq -c|awk '{if ($1 > 4) print $2}'
The output is as follows:
ubuntu@VM-20-6-ubuntu:~$ sudo lastb |awk '{print $3}'|sort |uniq -c|awk '{if ($1 > 4) print $2}'
138.68.86.65
159.65.220.140
177.249.47.101
185.245.41.97
211.246.175.6
47.102.111.161
83.250.30.182
98.40.14.28
Now write the script. The blacklist file is /etc/hosts.deny, and on Ubuntu each entry has the form ALL: IP
#!/bin/bash
# Run as root: /etc/hosts.deny and /var/log/btmp are root-owned, so the
# redirections below need root even though lastb itself could run via sudo.
#set -x
list=$(lastb | awk '{print $3}' | sort | uniq -c | awk '{if ($1 > 4) print $2}')
for ip in ${list}
do
    # Skip fields that are not an IPv4 address (e.g. the day name from the "btmp begins" footer)
    [[ ${ip} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || continue
    # Do not add an address that is already in the blacklist
    grep -qxF "ALL: ${ip}" /etc/hosts.deny 2>/dev/null && continue
    echo "ALL: ${ip}" >> /etc/hosts.deny   # Join the blacklist
done
# Clear the failure record once, after the loop, so the next run does not count the same attempts again;
# ':' truncates the file without writing a newline into the binary btmp records
: > /var/log/btmp
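The counting and blacklisting logic of the script above, as an added example that is not part of the original post: the pipeline is wrapped in the assumed functions count_failures, offenders and new_deny_lines and run against a constructed lastb sample (SAMPLE_LASTB, built from addresses that appear in the counts above), so the threshold and the hosts.deny de-duplication can be checked without touching /var/log/btmp.

```shell
#!/bin/bash
# Added example, not from the original post: the post's counting pipeline as
# functions, run against a constructed lastb sample so the threshold and the
# hosts.deny de-duplication can be checked without touching /var/log/btmp.

# Constructed lastb output: 5 failures from 138.68.86.65, 5 from 47.102.111.161,
# 4 from 24.218.231.49, then the blank line and "btmp begins" footer lastb prints.
SAMPLE_LASTB='max      ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maven    ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
maverick ssh:notty    138.68.86.65     Tue Nov 23 12:57 - 12:57  (00:00)
mawenche ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
maxiao   ssh:notty    138.68.86.65     Tue Nov 23 12:58 - 12:58  (00:00)
root     ssh:notty    47.102.111.161   Tue Nov 23 10:11 - 10:11  (00:00)
root     ssh:notty    47.102.111.161   Tue Nov 23 10:11 - 10:11  (00:00)
admin    ssh:notty    47.102.111.161   Tue Nov 23 10:12 - 10:12  (00:00)
admin    ssh:notty    47.102.111.161   Tue Nov 23 10:12 - 10:12  (00:00)
oracle   ssh:notty    47.102.111.161   Tue Nov 23 10:13 - 10:13  (00:00)
ubuntu   ssh:notty    24.218.231.49    Tue Nov 23 09:40 - 09:40  (00:00)
ubuntu   ssh:notty    24.218.231.49    Tue Nov 23 09:40 - 09:40  (00:00)
ubuntu   ssh:notty    24.218.231.49    Tue Nov 23 09:41 - 09:41  (00:00)
ubuntu   ssh:notty    24.218.231.49    Tue Nov 23 09:41 - 09:41  (00:00)

btmp begins Sat Nov 20 03:14:07 2021'

# "count ip" per IPv4 source in lastb output on stdin. Only fields that look like
# an IPv4 address are counted, so the footer line (where $3 is "Sat") is ignored.
count_failures() {
    awk '$3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $3 }' | sort | uniq -c
}

# Addresses whose failure count exceeds the threshold (default 4, as in the post).
offenders() {
    count_failures | awk -v t="${1:-4}" '$1 > t { print $2 }' | sort
}

# hosts.deny lines for the addresses on stdin that are not already in file $1,
# so an hourly run never appends the same "ALL: ip" twice.
new_deny_lines() {
    local ip
    while read -r ip; do
        grep -qxF "ALL: ${ip}" "$1" 2>/dev/null || printf 'ALL: %s\n' "$ip"
    done
}

# Demo: 47.102.111.161 is already denied, so only 138.68.86.65 is new.
DENY_FILE=$(mktemp) && printf 'ALL: 47.102.111.161\n' > "$DENY_FILE"
printf '%s\n' "$SAMPLE_LASTB" | offenders 4 | new_deny_lines "$DENY_FILE"
rm -f "$DENY_FILE"
```

Entries in /etc/hosts.deny only take effect for an sshd built with TCP wrappers (libwrap) support; check with `ldd "$(command -v sshd)" | grep libwrap` before relying on this blacklist.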
4: Scheduled task for the script
sudo crontab -e    # edit root's crontab, because the script writes /etc/hosts.deny and clears /var/log/btmp
0 * * * * /bin/bash /home/ubuntu/ssh_deny.sh    # run the script once every hour (minute 0; "* */1 * * *" would run it every minute)
From then on the server takes care of it by itself. To test it, I switch the ssh port back to the default 22, leave it alone, and check after a few hours whether new IPs have been added to the /etc/hosts.deny blacklist.