2. 程式碼如下:
For SSHD
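#!/usr/local/bin/bash
#
# sshd brute-force banner for FreeBSD ipfw.
#
# Pulls today's sshd failure lines out of the auth log, keeps the offending
# source addresses under PROCFOLDER, adds new ones to ipfw tables 3 and 4,
# and later removes ("rescues") addresses that have stayed quiet.  Meant to
# run from cron as root; every /PATH/TO/... value is a site placeholder.
#
# Files under PROCFOLDER:
#   sshdpre-YYYYMMDD.log  every address extracted from the log on that day
#   sshd-YYYYMMDD.log     addresses banned for the first time on that day
#   YYYY/                 archive for files older than MVFilePeriod days
#
# No `set -e` on purpose: ipfw exits non-zero for a duplicate add or a
# missing delete, and grep exits 1 on "no match"; both are routine here and
# must not abort the remaining steps.
LOGFILE="/PATH/TO/auth.log"
PROCFOLDER="/PATH/TO/auth_sshd_banip"
TOTALBANLOGFILE="/PATH/TO/auth_sshd_banip.log"
TOTALBANLOGFILESORTED="/PATH/TO/auth_sshd_banip_sorted.log"
TOTALBANLOGFILEFROMPROCFOLDERSORTED="/PATH/TO/auth_sshd_banip_from_procfolder_sorted.log"
TOTALRESCUELIST="/PATH/TO/auth_sshd_rescue_list.log"
CRONJOBDATE="crontjobdate.log"
# Syslog timestamp prefix for today, e.g. "Mar  5" (%e is space padded).
TODAYLOGFM=$(date +"%b %e")
DefaultCheckPeriod="30"   # days without a new record before an address is rescued
MVFilePeriod="90"         # days after which daily files are archived
TODAY=$(date +"%Y%m%d")
# BSD date(1): -v-Nd subtracts N days.
OLDDAY=$(date -v-"${DefaultCheckPeriod}"d +"%Y%m%d")
OLDYEAR=$(date -v-"${DefaultCheckPeriod}"d +"%Y")
fwcmd="/sbin/ipfw"
PREFILE="$PROCFOLDER/sshdpre-$TODAY.log"
TODAYBANFILE="$PROCFOLDER/sshd-$TODAY.log"
OLDBANFILE="$PROCFOLDER/sshd-$OLDDAY.log"

#######################################
# is_ipv4 ADDR — true when ADDR is a dotted-quad IPv4 literal.
# Every address handed to ipfw comes from a log field the remote peer can
# influence (e.g. the user name in "Invalid user ... from ..."), so anything
# else is refused: a stray token, or an IPv6 literal that the "/32" suffix
# below would turn into a huge prefix, must never reach a firewall table.
#######################################
is_ipv4() {
  local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
  local oct
  [[ $1 =~ $re ]] || return 1
  for oct in "${BASH_REMATCH[@]:1}"; do
    (( 10#$oct <= 255 )) || return 1
  done
  return 0
}

#######################################
# sshd_field PATTERN N — field N of today's sshd log lines that contain the
# fixed string PATTERN, one per line.  The field numbers used below assume
# the stock syslog layout "Mon DD HH:MM:SS host sshd[pid]: message ..." —
# confirm against a current sample line before changing them.
#######################################
sshd_field() {
  grep -F -- "$TODAYLOGFM" "$LOGFILE" | grep -F sshd | grep -F -- "$1" \
    | awk -v n="$2" '{ print $n }'
}

#######################################
# read_ips FILE — print the whitespace-separated tokens of FILE that are
# IPv4 addresses; anything else is reported on stderr and skipped.
#######################################
read_ips() {
  local -a toks
  local tok
  while read -r -a toks || [[ ${#toks[@]} -gt 0 ]]; do
    for tok in "${toks[@]}"; do
      if is_ipv4 "$tok"; then
        printf '%s\n' "$tok"
      else
        printf 'skip %q from %s: not an IPv4 address\n' "$tok" "$1" >&2
      fi
    done
  done < "$1"
}

#######################################
# in_table N ADDR — true when ADDR/32 is an entry of ipfw table N.
# Compares the whole first column of `ipfw table N list` (normally
# "A.B.C.D/32 value"), so 1.2.3.4 no longer matches 11.2.3.45 the way the
# old unanchored `grep $banip` did.
#######################################
in_table() {
  "$fwcmd" table "$1" list \
    | awk -v want="$2/32" '$1 == want { found = 1 } END { exit !found }'
}

#######################################
# ban ADDR — add ADDR/32 to tables 3 and 4 unless it is already there.
#######################################
ban() {
  local addr=$1
  echo "Check $addr"
  if in_table 3 "$addr"; then
    echo "Had ban bad boy($addr)."
  else
    echo "Ban bad boy($addr) now."
    "$fwcmd" table 3 add "$addr/32"
    "$fwcmd" table 4 add "$addr/32"
  fi
}

#######################################
# rescue ADDR — remove ADDR/32 from tables 3 and 4, drop it from the running
# ban list and append it to TOTALRESCUELIST.
#######################################
rescue() {
  local addr=$1 tmp
  echo "Rescue $addr"
  "$fwcmd" table 3 delete "$addr/32"
  "$fwcmd" table 4 delete "$addr/32"
  # Whole-line match: the old `grep -v $addr` dropped every line *containing*
  # the address (10.1.2.3 also removed 110.1.2.34).  mktemp replaces the
  # predictable /tmp/stillbanip-<date> name, a symlink hazard for a script
  # that runs as root.
  tmp=$(mktemp) || return 1
  grep -vFx -- "$addr" "$TOTALBANLOGFILE" > "$tmp"
  cat -- "$tmp" > "$TOTALBANLOGFILE"
  rm -f -- "$tmp"
  printf '%s\n' "$addr" >> "$TOTALRESCUELIST"
  echo "Rescued"
}

echo "Prepare folder and file"
mkdir -p -- "$PROCFOLDER"
touch -- "$TOTALBANLOGFILE" "$TOTALRESCUELIST" "$PROCFOLDER/$CRONJOBDATE" \
  "$TOTALBANLOGFILEFROMPROCFOLDERSORTED"

# One counter per attack signature: number of matching lines today.
SSHDErrorCounter1=$(sshd_field "Invalid user" 10 | wc -l)
SSHDErrorCounter2=$(sshd_field "Did not receive identification string from" 12 | wc -l)
SSHDErrorCounter3=$(sshd_field "not allowed because none of user" 9 | wc -l)

if (( SSHDErrorCounter1 + SSHDErrorCounter2 + SSHDErrorCounter3 > 0 )) || [[ -f $PREFILE ]]; then
  echo "Write pre-process file"
  touch -- "$PREFILE"
  {
    sshd_field "Invalid user" 10
    sshd_field "Did not receive identification string from" 12
    sshd_field "not allowed because none of user" 9
  } >> "$PREFILE"
  # De-duplicate in place; sort(1) may name its own input with -o, which
  # removes the old round trip through a predictable /tmp/sshdpre-<date>.log.
  sort -u -o "$PREFILE" "$PREFILE"

  echo "Collect new ban IP"
  mapfile -t new_ips < <(read_ips "$PREFILE")
  for ip in "${new_ips[@]}"; do
    # Fixed-string, whole-line match against every daily file: the old
    # `grep $ip` treated the dots as wildcards and matched substrings.
    if grep -qFx -- "$ip" "$PROCFOLDER"/sshd-*.log; then
      echo "$ip Old bad boy"
    else
      echo "$ip"
      touch -- "$TODAYBANFILE"
      printf '%s\n' "$ip" >> "$TODAYBANFILE"
      printf '%s\n' "$ip" >> "$TOTALBANLOGFILE"
    fi
  done

  echo "Ban bad boy"
  if [[ -f $TODAYBANFILE ]]; then
    mapfile -t ban_ips < <(read_ips "$TODAYBANFILE")
    for banip in "${ban_ips[@]}"; do
      ban "$banip"
    done
  else
    echo "No bad boy"
  fi

  echo "Rescue good boy"
  if [[ -f $OLDBANFILE ]]; then
    mapfile -t old_ips < <(read_ips "$OLDBANFILE")
    for rescueip in "${old_ips[@]}"; do
      echo "Check $rescueip"
      # Records of this address in daily files whose ctime is older than each
      # period.  `-d 1` is the author's BSD find form, kept as is (presumably
      # depth 1: only files directly in PROCFOLDER, not the year archives).
      # NOTE(review): as written these count records in files *older* than
      # the period, which reads inverted against the messages below — kept
      # as the original had it; confirm the intended window.
      BadBoyDCPCounter=$(find "$PROCFOLDER" -d 1 -ctime +"$DefaultCheckPeriod" -type f -name 'sshd*.log' \
        -exec grep -Fx -- "$rescueip" {} \; | wc -l)
      BadBoyMVFCounter=$(find "$PROCFOLDER" -d 1 -ctime +"$MVFilePeriod" -type f -name 'sshd*.log' \
        -exec grep -Fx -- "$rescueip" {} \; | wc -l)
      if (( BadBoyDCPCounter < 1 )); then
        if (( BadBoyMVFCounter <= 2 )); then
          rescue "$rescueip"
        else
          echo "Not bad boy in ${DefaultCheckPeriod} days, but had bad boy record in ${MVFilePeriod} days."
        fi
      else
        echo "Still bad boy in ${DefaultCheckPeriod} days"
      fi
    done
    #Move to old folder
    echo "Move old file to storage folder"
    mkdir -p -- "$PROCFOLDER/$OLDYEAR"
    mv -- "$PROCFOLDER"/sshd*-"$OLDDAY".log "$PROCFOLDER/$OLDYEAR"
  else
    echo "No candidate file"
  fi
  sort -u "$TOTALBANLOGFILE" > "$TOTALBANLOGFILESORTED"
else
  echo "No bad boy"
fi

### Move old files to backup folder
# The archive folder must exist before the mv: with a missing directory
# target, mv(1) *renames* each file onto "$PROCFOLDER/$OLDYEAR" and only the
# last one survives.  (OLDYEAR is derived from DefaultCheckPeriod, so files
# older than MVFilePeriod may land in the year after their own; kept as is.)
mkdir -p -- "$PROCFOLDER/$OLDYEAR"
find "$PROCFOLDER" -d 1 -ctime +"$MVFilePeriod" -type f -name 'sshd*.log' \
  -exec mv -- {} "$PROCFOLDER/$OLDYEAR" \;
sort -u "$PROCFOLDER"/sshd-*.log > "$TOTALBANLOGFILEFROMPROCFOLDERSORTED"

### Additional rescue goodboy
# Addresses still on the sorted ban list but in no daily file under
# PROCFOLDER; both inputs are `sort -u` output, as comm(1) requires.  The old
# `diff | grep -v a` also picked up the "<" side — addresses present in a
# daily file but already gone from the ban list — and "rescued" them again
# on every run.
mapfile -t extra_ips < <(comm -13 "$TOTALBANLOGFILEFROMPROCFOLDERSORTED" "$TOTALBANLOGFILESORTED" | sort -rn)
for rescueip in "${extra_ips[@]}"; do
  echo "Additional rescure goodboy from diff $TOTALBANLOGFILEFROMPROCFOLDERSORTED and $TOTALBANLOGFILESORTED"
  rescue "$rescueip"
done
sort -u "$TOTALBANLOGFILE" > "$TOTALBANLOGFILESORTED"
printf '%s\n' "$TODAY" > "$PROCFOLDER/$CRONJOBDATE"
### For backup and administration
/PATH/TO/BACKUP_SCRIPT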
For MAIL
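#!/usr/local/bin/bash
#
# Mail brute-force banner (postfix + dovecot) for FreeBSD ipfw.
#
# Extracts today's offending client addresses from the postfix maillog and
# the dovecot error/info logs, records them in
# PROCFOLDER/mail_banipYYYYMMDD.log, adds new ones to ipfw tables 3 and 4,
# and deletes the ones recorded DefaultCheckPeriod days ago.  Runs from cron
# as root; PATH is inherited from cron (the old `PATH=$PATH` was a no-op).
# Every /PATH/TO/... value is a site placeholder.
#
# No `set -e` on purpose: ipfw exits non-zero for a duplicate add or a
# missing delete and grep exits 1 on "no match"; both are routine here.
LOGFILE="/PATH/TO/maillog"
DOVECOTERRORLOGFILE="/PATH/TO/dovecot/error.log"
DOVECOTINFOLOGFILE="/PATH/TO/dovecot/info.log"
PROCFOLDER="/PATH/TO/mail_banip"
DAILYLOG="mail_banip$(date +"%Y%m%d").log"
# Syslog timestamp prefix for today, e.g. "Mar  5" (%e is space padded).
TODAYLOGFM=$(date +"%b %e")
fwcmd="/sbin/ipfw"
DefaultCheckPeriod="30"   # days after which a recorded address is released
MVFilePeriod="30"         # days after which daily files are archived
# BSD date(1): -v-Nd subtracts N days.
OLDDAILYLOG="mail_banip$(date -v-"${DefaultCheckPeriod}"d +"%Y%m%d").log"
OLDYEAR=$(date -v-"${MVFilePeriod}"d +"%Y")
DAILYPATH="$PROCFOLDER/$DAILYLOG"
OLDDAILYPATH="$PROCFOLDER/$OLDDAILYLOG"
MAILErrorString1="NOQUEUE: reject"
MAILErrorString2="auth-worker(default): Error: pam"
MAILErrorString3="pop3-login: Info: Aborted login (auth failed"
# Never-ban list.  Entries are fixed *substrings* of the extracted address,
# exactly as the original grep -v chain treated them ("192.168.8" also
# covers 192.168.80-89.x); tighten to full addresses if that is not intended.
NEVERBAN=("192.168.58" "192.168.68" "192.168.8" "60.248.16.64" "60.248.16.65" "60.248.16.66")

#######################################
# is_ipv4 ADDR — true when ADDR is a dotted-quad IPv4 literal.
# The extracted tokens come from log fields the remote client influences, so
# nothing else may reach ipfw: a stray token, or an IPv6 literal that the
# "/32" suffix would turn into a huge prefix.
#######################################
is_ipv4() {
  local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
  local oct
  [[ $1 =~ $re ]] || return 1
  for oct in "${BASH_REMATCH[@]:1}"; do
    (( 10#$oct <= 255 )) || return 1
  done
  return 0
}

#######################################
# One extractor per log signature; each prints one address per line.  The
# awk field positions encode the log formats in use here — confirm them
# against a current sample line before changing them.
#######################################
postfix_rejects() {
  grep -F -- "$TODAYLOGFM" "$LOGFILE" | grep -F postfix | grep -F -- "$MAILErrorString1" \
    | awk 'BEGIN { FS = "[" } ; { print $3 }' | awk 'BEGIN { FS = "]" } ; { print $1 }'
}
dovecot_pam_errors() {
  grep -F -- "$TODAYLOGFM" "$DOVECOTERRORLOGFILE" | grep -F -- "$MAILErrorString2" \
    | awk 'BEGIN { FS = ": " } ; { print $3 }' | awk 'BEGIN { FS = "," } ; { print $2 }' \
    | sed -Ee 's/)//'
}
dovecot_auth_failures() {
  grep -F -- "$TODAYLOGFM" "$DOVECOTINFOLOGFILE" | grep -F -- "$MAILErrorString3" \
    | awk 'BEGIN { FS = ", " } ; { print $4 }' | awk 'BEGIN { FS = "=" } ; { print $2 }'
}

#######################################
# not_in_neverban — filter stdin, dropping lines that contain any NEVERBAN entry.
#######################################
not_in_neverban() {
  grep -vF -f <(printf '%s\n' "${NEVERBAN[@]}")
}

#######################################
# read_ips FILE — print the whitespace-separated tokens of FILE that are
# IPv4 addresses; anything else is reported on stderr and skipped.
#######################################
read_ips() {
  local -a toks
  local tok
  while read -r -a toks || [[ ${#toks[@]} -gt 0 ]]; do
    for tok in "${toks[@]}"; do
      if is_ipv4 "$tok"; then
        printf '%s\n' "$tok"
      else
        printf 'skip %q from %s: not an IPv4 address\n' "$tok" "$1" >&2
      fi
    done
  done < "$1"
}

#######################################
# in_table N ADDR — true when ADDR/32 is an entry of ipfw table N.  Compares
# the whole first column of `ipfw table N list` (normally "A.B.C.D/32 value"),
# so 1.2.3.4 no longer matches 11.2.3.45 as the old unanchored grep did.
#######################################
in_table() {
  "$fwcmd" table "$1" list \
    | awk -v want="$2/32" '$1 == want { found = 1 } END { exit !found }'
}

#######################################
# ban ADDR — add ADDR/32 to tables 3 and 4 unless it is already there.
#######################################
ban() {
  local addr=$1
  if in_table 3 "$addr"; then
    echo "Had ban bad boy($addr)."
  else
    echo "Ban bad boy($addr) now."
    "$fwcmd" table 3 add "$addr/32"
    "$fwcmd" table 4 add "$addr/32"
  fi
}

mkdir -p -- "$PROCFOLDER"
MAILErrorCounter1=$(postfix_rejects | wc -l)
MAILErrorCounter2=$(dovecot_pam_errors | sort -u | wc -l)
MAILErrorCounter3=$(dovecot_auth_failures | sort -u | wc -l)
if (( MAILErrorCounter1 + MAILErrorCounter2 + MAILErrorCounter3 > 0 )) || [[ -f $DAILYPATH ]]; then
  # Create only when missing: touching an existing file bumps its ctime,
  # which the archive step below uses as the file's age.
  [[ -f $DAILYPATH ]] || touch -- "$DAILYPATH"
  echo "Collect Bad boy"
  # Random name instead of /tmp/mailban-<epoch>: a predictable name in a
  # shared directory is a symlink hazard for a script running as root.
  TMPFILE=$(mktemp /tmp/mailban.XXXXXX) || exit 1
  trap 'rm -f -- "$TMPFILE"' EXIT
  {
    postfix_rejects | sort -u
    dovecot_pam_errors | sort -u
    dovecot_auth_failures | sort -u
  } >> "$DAILYPATH"
  sort -u "$DAILYPATH" | not_in_neverban > "$TMPFILE"
  cat -- "$TMPFILE" > "$DAILYPATH"
  echo "Ban Bad Boy"
  mapfile -t ban_ips < <(read_ips "$DAILYPATH")
  for banip in "${ban_ips[@]}"; do
    ban "$banip"
  done
  rm -f -- "$TMPFILE"
fi
if [[ -f $OLDDAILYPATH ]]; then
  mapfile -t old_ips < <(read_ips "$OLDDAILYPATH")
  for rescueip in "${old_ips[@]}"; do
    echo "Rescue $rescueip"
    "$fwcmd" table 3 delete "$rescueip/32"
    "$fwcmd" table 4 delete "$rescueip/32"
  done
else
  echo "No candidate file"
fi
#Move to old folder
echo "Move old file to storage folder"
mkdir -p -- "$PROCFOLDER/$OLDYEAR"
# `-d 1` is the author's BSD find form, kept as is (presumably depth 1:
# only files directly in PROCFOLDER, not the year archives).
find "$PROCFOLDER" -d 1 -ctime +"$MVFilePeriod" -type f -name 'mail_banip*.log' \
  -exec mv -- {} "$PROCFOLDER/$OLDYEAR" \;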
For HTTPD
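#!/usr/local/bin/bash
#
# httpd scanner banner for FreeBSD ipfw.
#
# Collects today's client addresses that requested xmlrpc.php and got a 404
# from the access log, records them in PROCFOLDER/httpd_banipYYYYMMDD.log,
# adds new ones to ipfw tables 3 and 4, and deletes the ones recorded
# DefaultCheckPeriod days ago.  Runs from cron as root; PATH is inherited
# from cron (the old `PATH=$PATH` was a no-op).  Every /PATH/TO/... value is
# a site placeholder.
#
# No `set -e` on purpose: ipfw exits non-zero for a duplicate add or a
# missing delete and grep exits 1 on "no match"; both are routine here.
LOGFILE="/PATH/TO/httpd-access.log"
PROCFOLDER="/PATH/TO/httpd_banip"
DAILYLOG="httpd_banip$(date +"%Y%m%d").log"
# Common-log-format timestamp for today, e.g. "05/Mar/2024".
TODAYLOGFM=$(date +"%d/%b/%Y")
fwcmd="/sbin/ipfw"
DefaultCheckPeriod="30"   # days after which a recorded address is released
MVFilePeriod="30"         # days after which daily files are archived
# BSD date(1): -v-Nd subtracts N days.
OLDDAILYLOG="httpd_banip$(date -v-"${DefaultCheckPeriod}"d +"%Y%m%d").log"
OLDYEAR=$(date -v-"${MVFilePeriod}"d +"%Y")
DAILYPATH="$PROCFOLDER/$DAILYLOG"
OLDDAILYPATH="$PROCFOLDER/$OLDDAILYLOG"
ErrorString1="xmlrpc.php"
# Never-ban list.  Entries are fixed *substrings* of the client address,
# exactly as the original grep -v chain treated them ("192.168.8" also
# covers 192.168.80-89.x); tighten to full addresses if that is not intended.
NEVERBAN=("192.168.58" "192.168.68" "192.168.8" "60.248.16.64" "60.248.16.65" "60.248.16.66")

#######################################
# is_ipv4 ADDR — true when ADDR is a dotted-quad IPv4 literal.
# The first access-log field is whatever the web server logged; only a real
# IPv4 literal may reach ipfw (an IPv6 literal plus "/32" would ban a huge
# prefix).
#######################################
is_ipv4() {
  local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
  local oct
  [[ $1 =~ $re ]] || return 1
  for oct in "${BASH_REMATCH[@]:1}"; do
    (( 10#$oct <= 255 )) || return 1
  done
  return 0
}

#######################################
# xmlrpc_404_clients — first field (client address) of today's access-log
# lines that contain ErrorString1 and "404".  NOTE(review): "404" is matched
# anywhere on the line, as the original did, so a byte count or URL holding
# 404 also qualifies; test the status field instead if that matters.
#######################################
xmlrpc_404_clients() {
  grep -F -- "$TODAYLOGFM" "$LOGFILE" | grep -F -- "$ErrorString1" | grep -F 404 \
    | awk 'BEGIN { FS = " " } ; { print $1 }'
}

#######################################
# not_in_neverban — filter stdin, dropping lines that contain any NEVERBAN entry.
#######################################
not_in_neverban() {
  grep -vF -f <(printf '%s\n' "${NEVERBAN[@]}")
}

#######################################
# read_ips FILE — print the whitespace-separated tokens of FILE that are
# IPv4 addresses; anything else is reported on stderr and skipped.
#######################################
read_ips() {
  local -a toks
  local tok
  while read -r -a toks || [[ ${#toks[@]} -gt 0 ]]; do
    for tok in "${toks[@]}"; do
      if is_ipv4 "$tok"; then
        printf '%s\n' "$tok"
      else
        printf 'skip %q from %s: not an IPv4 address\n' "$tok" "$1" >&2
      fi
    done
  done < "$1"
}

#######################################
# in_table N ADDR — true when ADDR/32 is an entry of ipfw table N.  Compares
# the whole first column of `ipfw table N list` (normally "A.B.C.D/32 value"),
# so 1.2.3.4 no longer matches 11.2.3.45 as the old unanchored grep did.
#######################################
in_table() {
  "$fwcmd" table "$1" list \
    | awk -v want="$2/32" '$1 == want { found = 1 } END { exit !found }'
}

#######################################
# ban ADDR — add ADDR/32 to tables 3 and 4 unless it is already there.
#######################################
ban() {
  local addr=$1
  if in_table 3 "$addr"; then
    echo "Had ban bad boy($addr)."
  else
    echo "Ban bad boy($addr) now."
    "$fwcmd" table 3 add "$addr/32"
    "$fwcmd" table 4 add "$addr/32"
  fi
}

mkdir -p -- "$PROCFOLDER"
ErrorCounter1=$(xmlrpc_404_clients | not_in_neverban | wc -l)
if (( ErrorCounter1 != 0 )) || [[ -f $DAILYPATH ]]; then
  # Create only when missing: touching an existing file bumps its ctime,
  # which the archive step below uses as the file's age.
  [[ -f $DAILYPATH ]] || touch -- "$DAILYPATH"
  echo "Collect Bad boy"
  # Random name instead of /tmp/httpdban-<epoch>: a predictable name in a
  # shared directory is a symlink hazard for a script running as root.
  TMPFILE=$(mktemp /tmp/httpdban.XXXXXX) || exit 1
  trap 'rm -f -- "$TMPFILE"' EXIT
  xmlrpc_404_clients | sort -u >> "$DAILYPATH"
  sort -u "$DAILYPATH" | not_in_neverban > "$TMPFILE"
  cat -- "$TMPFILE" > "$DAILYPATH"
  echo "Ban Bad Boy"
  mapfile -t ban_ips < <(read_ips "$DAILYPATH")
  for banip in "${ban_ips[@]}"; do
    ban "$banip"
  done
  rm -f -- "$TMPFILE"
fi
if [[ -f $OLDDAILYPATH ]]; then
  mapfile -t old_ips < <(read_ips "$OLDDAILYPATH")
  for rescueip in "${old_ips[@]}"; do
    echo "Rescue $rescueip"
    "$fwcmd" table 3 delete "$rescueip/32"
    "$fwcmd" table 4 delete "$rescueip/32"
  done
else
  echo "No candidate file"
fi
#Move to old folder
echo "Move old file to storage folder"
mkdir -p -- "$PROCFOLDER/$OLDYEAR"
# `-d 1` is the author's BSD find form, kept as is (presumably depth 1:
# only files directly in PROCFOLDER, not the year archives).
find "$PROCFOLDER" -d 1 -ctime +"$MVFilePeriod" -type f -name 'httpd_banip*.log' \
  -exec mv -- {} "$PROCFOLDER/$OLDYEAR" \;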
3. 以上程式碼為自由軟體, 請自行取用. 強烈建議服用前先看清楚再服用, 避免發生意外.