如果有人尝试爆破ssh服务,就会在 /var/log/secure留下错误记录,因此我们可以利用下面的脚本批量添加历史IP到/etc/hosts.deny
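#!/usr/bin/env bash
# Append repeat SSH brute-force sources to /etc/hosts.deny.
#
# Scans the sshd "Failed password for invalid user" lines in the auth log,
# counts attempts per source address, and adds every address that reached
# THRESHOLD attempts (looking only at the TOP_N busiest sources) to the deny
# file as an "sshd: <addr>" entry, skipping addresses that are already listed.
#
# Run as root: the auth log is normally root-readable only and the deny file
# is root-writable only. NOTE(review): hosts.deny is only honoured by an sshd
# built with TCP-wrappers (libwrap) support — confirm that for the target host.
#
# Environment (all optional):
#   LOG_FILE   auth log to scan                       (default /var/log/secure)
#   DENY_FILE  TCP-wrappers deny file to append to    (default /etc/hosts.deny)
#   THRESHOLD  minimum failed attempts before banning (default 5)
#   TOP_N      only consider the N most active sources (default 100)
set -euo pipefail

readonly LOG_FILE=${LOG_FILE:-/var/log/secure}
readonly DENY_FILE=${DENY_FILE:-/etc/hosts.deny}
readonly THRESHOLD=${THRESHOLD:-5}
readonly TOP_N=${TOP_N:-100}

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Count failed attempts per source address.
# Reads sshd log lines on stdin and writes "<count> <addr>" lines to stdout,
# most active source first.
# The address is the token after the LAST "from" on the line instead of a
# fixed field index ($11/$13 in the original): the user name that precedes it
# is chosen by the remote party and may contain spaces or the word "from",
# which would shift a fixed index onto attacker-controlled text.
# Assumes the sshd line ends "... from <addr> port <n> ..." — confirm against
# LOG_FILE on the target host.
#######################################
count_sources() {
  awk '{ for (i = NF; i > 1; i--) if ($i == "from") { print $(i + 1); break } }' \
    | sort \
    | uniq -c \
    | sort -nr
}

#######################################
# Return 0 if $1 looks like an IPv4 or IPv6 literal, 1 otherwise.
# Anything that does not pass is refused so that log content never ends up
# in the deny file verbatim.
# Arguments: $1 - candidate address
#######################################
looks_like_address() {
  local -r ipv4='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  local -r ipv6='^[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*$'   # at least one ':'; allows ::ffff:a.b.c.d
  [[ "$1" =~ $ipv4 || "$1" =~ $ipv6 ]]
}

#######################################
# Append "sshd: <addr>" to DENY_FILE unless the address is already listed.
# The existence check is a fixed-string, whole-word match: the original
# 'grep $b' treated '.' as a regex wildcard and matched substrings, so an
# existing 1.2.3.45 entry would have suppressed a ban of 1.2.3.4.
# Globals:   DENY_FILE (appended)
# Arguments: $1 - address to ban
#######################################
ban_address() {
  local -r addr=$1
  if ! grep -qwF -- "$addr" "$DENY_FILE" 2>/dev/null; then   # missing file => not listed
    printf 'sshd: %s\n' "$addr" >> "$DENY_FILE"
  fi
}

#######################################
# Entry point: validate settings and ban the qualifying sources.
# Globals:   LOG_FILE, DENY_FILE, THRESHOLD, TOP_N (read)
# Returns:   0 on success; exits 1 on unreadable log or bad settings
#######################################
main() {
  [[ "$THRESHOLD" =~ ^[0-9]+$ ]] || die "THRESHOLD must be a non-negative integer: $THRESHOLD"
  [[ "$TOP_N" =~ ^[0-9]+$ ]] || die "TOP_N must be a non-negative integer: $TOP_N"
  [[ -r "$LOG_FILE" ]] || die "cannot read $LOG_FILE (run as root?)"
  if [[ -e "$DENY_FILE" ]]; then
    [[ -w "$DENY_FILE" ]] || die "cannot write $DENY_FILE (run as root?)"
  else
    [[ -w "$(dirname -- "$DENY_FILE")" ]] || die "cannot create $DENY_FILE (run as root?)"
  fi

  local count addr
  # Process substitution keeps the loop in this shell; a grep with no matches
  # simply yields an empty list rather than aborting under set -e.
  while read -r count addr; do
    # Counts are sorted descending, so the first one below the threshold ends
    # the work.
    (( count >= THRESHOLD )) || break
    looks_like_address "$addr" || continue
    ban_address "$addr"
  done < <(grep -- 'Failed password for invalid user' "$LOG_FILE" \
             | count_sources \
             | head -n "$TOP_N")
}

main "$@"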