1、编写脚本/root/bin/checkip.sh,每5分钟检查一次,如果发现通过ssh登录失败 次数超过10次,自动将此远程IP放入Tcp Wrapper的黑名单中予以禁止防问
- 准备脚本
[root@localhost ~]# cat /root/bin/checkip.sh
#!/bin/bash
ip_deny=/etc/hosts.deny
ip_allow=/etc/hosts.allow
sed -i '/^[^#]/d' $ip_allow
#取出失败登录超过10次的IP列表
ip_list=$(lastb -a | awk '!/^btmp|^$/{ip[$NF]++}END{for(i in ip){if(ip[i]>=10)print i}}')
#循环IP列表,如果IP不存在hosts.deny中才添加新的规则
for i in ${ip_list};do
grep -o "\<$i\>" $ip_deny &> /dev/null
if [ $? -ne 0 ];then
echo "sshd: $i" >> $ip_deny
fi
done
- 创建crontab定时任务
[root@localhost ~]# crontab -l
*/5 * * * * /bin/bash /root/bin/checkip.sh
- 制造失败登录
Dec 28 15:44:21 localhost sshd[18044]: Failed password for invalid user from 10.0.0.1 port 50336 ssh2
Dec 28 15:44:22 localhost sshd[18044]: Failed password for invalid user from 10.0.0.1 port 50336 ssh2
Dec 28 15:44:22 localhost sshd[18044]: Failed password for invalid user from 10.0.0.1 port 50336 ssh2
Dec 28 15:44:23 localhost sshd[18044]: Failed password for invalid user from 10.0.0.1 port 50336 ssh2
Dec 28 15:44:23 localhost sshd[18044]: Failed password for invalid user from 10.0.0.1 port 50336 ssh2
Dec 28 15:47:42 localhost sshd[18086]: Failed password for invalid user from 10.0.0.1 port 50388 ssh2
Dec 28 15:47:42 localhost sshd[18086]: Failed password for invalid user from 10.0.0.1 port 50388 ssh2
Dec 28 15:47:43 localhost sshd[18086]: Failed password for invalid user from 10.0.0.1 port 50388 ssh2
Dec 28 15:47:43 localhost sshd[18086]: Failed password for invalid user from 10.0.0.1 port 50388 ssh2
Dec 28 15:47:44 localhost sshd[18086]: Failed password for invalid user from 10.0.0.1 port 50388 ssh2
Dec 28 16:03:34 localhost sshd[18158]: Failed password for invalid user a from 10.0.0.1 port 50773 ssh2
Dec 28 16:03:34 localhost sshd[18158]: Failed password for invalid user a from 10.0.0.1 port 50773 ssh2
Dec 28 16:03:34 localhost sshd[18158]: Failed password for invalid user a from 10.0.0.1 port 50773 ssh2
Dec 28 16:03:34 localhost sshd[18158]: Failed password for invalid user a from 10.0.0.1 port 50773 ssh2
Dec 28 16:03:34 localhost sshd[18158]: Failed password for invalid user a from 10.0.0.1 port 50773 ssh2
- 5分钟后查看hosts.deny
[root@localhost ~]# cat /etc/hosts.deny
sshd: 10.0.0.1
[root@localhost ~]#
- 再尝试从10.0.0.1 ssh登录
[C:\~]$
Connecting to 10.0.0.17:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Connection closing...Socket close.
Connection closed by foreign host.
Disconnected from remote host(CentOS-7-1) at 16:40:35.
Type `help' to learn how to use Xshell prompt.
2、配置magedu用户的sudo权限,允许magedu用户拥有root权限
- 创建magedu用户
[root@localhost ~]# useradd magedu
[root@localhost ~]#echo "123456" | passwd --stdin magedu
- magedu用户在没有sudo规则下,不允许创建用户zzz
[root@localhost ~]# su - magedu
Last login: Mon Dec 28 17:06:55 CST 2020 on pts/0
[magedu@localhost ~]$
[magedu@localhost ~]$ useradd zzz
useradd: Permission denied.
useradd: cannot lock /etc/passwd; try again later.
[magedu@localhost ~]$
[magedu@localhost ~]$ sudo useradd zzz
magedu is not in the sudoers file. This incident will be reported.
[magedu@localhost ~]$
- 编辑/etc/sudoers或者/etc/sudoers.d/magedu添加sudo规则
magedu ALL=(ALL) ALL
- 验证magedu是否拥有root权限
[root@localhost sudoers.d]# su - magedu
[magedu@localhost ~]$ useradd zzz
useradd: Permission denied.
useradd: cannot lock /etc/passwd; try again later.
[magedu@localhost ~]$
[magedu@localhost ~]$ sudo useradd zzz
[magedu@localhost ~]$ id zzz
uid=1001(zzz) gid=1001(zzz) groups=1001(zzz)
[magedu@localhost ~]$
[magedu@localhost ~]$ passwd zzz
passwd: Only root can specify a user name.
[magedu@localhost ~]$ sudo passwd zzz
Changing password for user zzz.
New password:
架构
1、安装配置zabbix,并实现zabbix监控tomcat,nginx,memcached,redis等,并实现发生报警后发送邮件报警。
