全球主机交流论坛 (Global Host Exchange Forum)

Original poster: lazyzhu

PHP script that automatically blocks ssh:22 scanners and sends email notifications

21#
Posted 2012-8-10 10:46:13
Notice: the author has been banned or deleted; the content is hidden automatically
22#
Posted 2012-8-10 10:47:41
lazyzhu wrote on 2012-8-10 10:44
What kind of honeypot works best on Miemie (咩咩)...


http://s.taobao.com/search?q=%B7%E4%C3%DB%D1%F2%C4%CC%D4%ED

Come on, young man, have a piece...
23#
Original poster | Posted 2012-8-10 10:52:05
Kokgog wrote on 2012-8-10 10:47
http://s.taobao.com/search?q=%B7%E4%C3%DB%D1%F2%C4%CC%D4%ED

Come on, young man, have a piece...

Genuine Miemie (咩咩) product?
24#
Original poster | Posted 2012-8-10 10:40:03
Written by the owner of IPXcore; the original text is as follows:
Not sure if it's limited only to us, but we have a problem with having our customers' VPSes sshscanned for weak passwords.

So I have developed a simple PHP script that parses the output of netstat -n | grep :22, counts how many IP addresses the remote IP is attempting to connect to, and adds iptables rules when it determines an attack is happening. It will only add an iptables rule if a DROP rule for the IP does not exist already.

As we only run OpenVZ, it has only been tested on OpenVZ nodes. I am curious for feedback on if it works for Xen or KVM nodes.

It is being released to the community. You can find it here: http://pastebin.com/kfWaJa9q

Install it by writing it anywhere on your node (I have mine in /sbin), editing the variables at the top of the script, then adding a crontab entry for root.
This will run it every 5 minutes:

*/5 * * * *  /usr/bin/php /sbin/sshcheck.php

(update to reflect your php binary, and where you put the script)

You will get reports in your email like this:

Hello, this is sshcheck.php running on sapphire.ipxcore.com

Current time: Thu, 09 Aug 12 19:33:49 -0600

Adding iptables DROP rule. Remove it with:
iptables -D FORWARD -s 218.203.165.153 -j DROP

IP 218.203.165.153 is involved in a brute force attack against the
following IPs:

Count: 13
1.2.3.157:22
1.2.3.136:22
1.2.3.108:22
1.2.3.31:22
1.2.3.201:22
1.2.3.32:22
1.2.3.195:22
1.2.3.11:22
1.2.3.32:22
1.2.3.180:22
1.2.3.103:22
1.2.3.108:22
1.2.3.122:22

Tested with PHP 5.1.6 (CentOS 5), PHP 5.3.3 (CentOS 6), PHP 5.3.3-7+squeeze13 (Debian Squeeze).

Upcoming/to-do/V2.0:
-check that destination IPs are unique
-add method for iptables drop for a specified timeframe only
-proper source code commenting


http://www.lowendtalk.com/discussion/4185/sshcheck.php-blocking-ssh-bruteforce-attempts-against-client-vps-containers
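
The counting logic described in the quoted post, as an added example that is not the sshcheck.php script or any code from the thread: it is written in Python rather than PHP and runs over constructed netstat lines whose destinations mirror the sample report. The threshold value, the function names and the `iptables -I` form of the add command are assumptions; each destination is counted once, the first item on the post's to-do list.

```python
import ipaddress
from collections import defaultdict

THRESHOLD = 10  # assumed: distinct destination IPs before a source is blocked
# Constructed `netstat -n` lines; destinations mirror the sample report above.
HOSTS = [157, 136, 108, 31, 201, 32, 195, 11, 32, 180, 103, 108, 122]
SAMPLE_NETSTAT = "\n".join(
    [f"tcp 0 0 1.2.3.{h}:22 218.203.165.153:{40000 + i} ESTABLISHED"
     for i, h in enumerate(HOSTS)]
    + ["tcp 0 0 1.2.3.31:22 203.0.113.9:51022 ESTABLISHED",    # one ordinary login
       "tcp 0 0 1.2.3.31:2222 203.0.113.9:51023 ESTABLISHED",  # port 2222, not 22
       "tcp 0 0 1.2.3.11:44810 198.51.100.7:22 ESTABLISHED",   # outbound ssh
       "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN"])                 # listener, no peer

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; None if either part is invalid."""
    host, _, port = endpoint.rpartition(":")
    try:
        return str(ipaddress.ip_address(host)), int(port)
    except ValueError:
        return None

def destinations_by_source(netstat_text, port=22):
    """Map each remote IP to the set of local IPs it reaches on `port`."""
    targets = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("tcp"):
            continue
        local, remote = split_endpoint(fields[3]), split_endpoint(fields[4])
        if local and remote and local[1] == port:  # exact port, inbound only
            targets[remote[0]].add(local[0])       # set: repeats count once
    return targets

def dropped_sources(iptables_s_text):
    """Sources with a FORWARD DROP rule, parsed from `iptables -S FORWARD`."""
    dropped = set()
    for f in map(str.split, iptables_s_text.splitlines()):
        if f[:2] == ["-A", "FORWARD"] and "-s" in f and f[-2:] == ["-j", "DROP"]:
            dropped.add(f[f.index("-s") + 1].split("/")[0])
    return dropped

def plan_blocks(netstat_text, iptables_s_text="", threshold=THRESHOLD):
    """Return the rules to add (as strings, not executed); -I is an assumption."""
    have = dropped_sources(iptables_s_text)
    return [f"iptables -I FORWARD -s {src} -j DROP"
            for src, dsts in sorted(destinations_by_source(netstat_text).items())
            if len(dsts) >= threshold and src not in have]
```

A plain `grep :22` also matches `:2222` and a VPS's own outbound SSH sessions, which is why the example compares the local port exactly.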