python脚本分析/var/log/secure登录日志进行ssh防暴力破解

hyadijxp

在工作中，我发现只要开放到公网的主机，都会受到各种攻击的威胁，常见的就是ssh暴力破解，以下是一个python脚本，对/var/log/secure登录日志中的ssh记录进行简单分析，并将一周内多次进行破解试探的ip地址，存入到/etc/hosts.deny中拒绝其连接，代码于centos6.5下测试正常工作。如需定期执行，可以配合crond使用。

• #!/usr/bin/env python
  
  
• # Hackers try to login in servers by ssh too much times, in /var/log/secure you can find it .The script will add hackers's ip to /etc/hosts.deny last  a week
  
  
• #by hank 2015-03-27
  
• 
  
• import re
  
• from datetime import date
  
• 
  
• logfile = r'/var/log/secure'
  
  
• denyfile = r'/etc/hosts.deny'
  
  
• months_31 = ['Jan','Mar','May','Jul','Aug','Oct','Dec']
  
  
• months_30 = ['Apr','Jun','Sep','Nov']
  
  
• month_28or29 = 'Feb'
  
  
• months = {
  
•           'Jan':1,'Feb':2,'Mar':3,'Apr':4,'May':5,'Jun':6,
  
  
•           'Jul':7,'Aug':8,'Sep':9,'Oct':10,'Nov':11,'Dec':12
  
  
•          }
  
• month_days = {}
  
• for mon in months_31:
  
•     month_days[mon] = 31
  
• for mon in months_30:
  
•     month_days[mon] = 30
  
• if date.isocalendar(date.today())[0] % 4 == 0:
  
•     month_days[month_28or29] = 29
  
• else:
  
•     month_days[month_28or29] = 28
  
• 
  
• def search_source():
  
•     t = date.today()
  
•     month = t.strftime('%b')
  
  
•     day = t.strftime('%d')
  
  
•     pat = re.compile('.+sshd.+Failed password.+ (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) .+')
  
  
•     lines = []
  
•     f = open(logfile,'r')
  
  
•     for line in f:
  
•         if line.split()[0] == month and (int(day) - int(line.split()[1])) < 7 and (int(day) - int(line.split()[1])) >= 0:
  
•             if re.search(pat,line):
  
•                  lines.append(line)
  
•         elif (months[month] - months[line.split()[0]]) == 1 or (months[month] - months[line.split()[0]]) == -11:
  
•             if (int(day) + month_days[line.split()[0]] - int(line.split()[1])) < 7 and  re.search(pat,line):
  
•                 lines.append(line)
  
•     return lines
  
• 
  
• def count_ips(lines):
  
•     count = {}
  
•     if len(lines) == 0:
  
•         print 'No one use ssh and failed.'
  
  
•         raise SystemExit
  
•     pat = re.compile(' (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) ')
  
  
•     for line in lines:
  
•         ip = re.findall(pat,line)[0]
  
•         if ip in count:
  
•             count[ip] += 1
  
•         else:
  
•             count[ip] = 1
  
•     return count
  
• 
  
• def deny_ips(count):
  
•     f = open(denyfile,'w')
  
  
•     valve = 50
  
•     for ip in count:
  
•         if count[ip] >= valve:
  
•             word = 'ALL: %s #failed %d times in a week.\n' % (ip,count[ip])
  
  
•             f.write(word)
  
•     f.close()
  
• 
  
• def main():
  
•     lines = search_source()
  
•     count = count_ips(lines)
  
•     deny_ips(count)
  
• 
  
• if __name__ == '__main__
  
•     main()
  

如果使用非root账户，那么得对这两个文件具有读（/var/log/secure）写（/etc/hosts.deny）权限方可进行。
使用方法：

• #cp /etc/hosts.deny /etc/hosts.deny.bak #备份源文件
  
• #vim much_failed_ssh_deny.py  #添加代码
  
• #chmod +x much_failed_ssh_deny.py #授予执行权限
  
• #./much_failed_ssh_deny.py #执行脚本
  
• #cat /etc/hosts.deny  #查看结果