Ubuntu通过iptables防止ssh暴力破解

步骤

  • 安装iptables-persistent用于保存iptables规则
  • 配置iptables规则
  • 实时更新iptables规则以拦截IP访问

安装iptables-persistent

# Installs iptables-persistent, which pulls in the netfilter-persistent tool
# that the rule script below uses to keep the rule set across reboots.
sudo aptitude install iptables-persistent

配置iptables规则

# Look up the name of the external network interface first and put it in the
# EXTIF variable of the rule script below (the script defaults to "ens4").
ip addr

# Directory that holds the rule script, the allow/deny lists and temp files.
sudo mkdir -p /usr/local/feng/iptables/

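cat << 'EOF' | sudo tee /usr/local/feng/iptables/iptables.rule
#!/bin/bash
# Base firewall policy: drop everything inbound except loopback, replies to
# established connections, a few ICMP types and the listed TCP service ports.
# Must run as root; it rebuilds the whole rule set and then persists it.
#
# No "set -e" on purpose: an abort between "iptables -P INPUT DROP" and the
# ACCEPT rules below would cut off the SSH session that runs this script.

# External interface; check "ip addr" and adjust. INIF/INNET are exported,
# presumably for the optional iptables.allow script — confirm before relying on it.
EXTIF="ens4"
INIF=""
INNET=""
export EXTIF INIF INNET

PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH

# Kernel network settings: SYN cookies on, do not answer broadcast pings.
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Flush everything, set default policies, open loopback and return traffic.
iptables -F ; iptables -X ; iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Extra site-specific firewall script, if present.
if [ -f /usr/local/feng/iptables/iptables.allow ]; then
    sh /usr/local/feng/iptables/iptables.allow
fi

# ICMP types accepted on the external interface.
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP; do
    iptables -A INPUT -i "$EXTIF" -p icmp --icmp-type "$tyicmp" -j ACCEPT
done

# TCP services reachable from outside: 22 (ssh), 80/443 (web) and 2333
# (as configured originally; adjust to your services). Clients connect from
# ephemeral source ports, so the whole unprivileged range 1024-65535 is
# accepted; an upper bound of 65534 would drop SYNs from source port 65535.
for port in 22 80 443 2333; do
    iptables -A INPUT -p TCP -i "$EXTIF" --dport "$port" --sport 1024:65535 -j ACCEPT
done

# Re-apply the DROP rules collected by secure_iptables.sh, if the file exists,
# so that a rerun of this script does not silently lift existing bans.
if [ -f /usr/local/feng/iptables/iptables.deny ]; then
    sh /usr/local/feng/iptables/iptables.deny
fi

# Ubuntu: persist the rule set via iptables-persistent so it survives reboot.
# (An iptables-save to a temp file followed by iptables-restore only reloads
# the live rules and persists nothing.)
/usr/sbin/netfilter-persistent save
EOF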

## Run the rule script once now (it needs root because it changes the firewall).
sudo bash /usr/local/feng/iptables/iptables.rule

实时更新iptables

编写脚本

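cat << 'EOF' | sudo tee /usr/local/feng/iptables/secure_iptables.sh
#!/bin/bash
# Ban source IPs with too many failed logins in auth.log.
# Run as root from cron. Counts "Failed" lines in the last 10000 lines of
# /var/log/auth.log per source IP; every IP above DEFINE that is not in
# /etc/hosts.deny and not already DROPped gets a DROP rule that is applied,
# appended to iptables.deny and persisted.

DEFINE="3"   # max failed logins tolerated per IP
DENY_FILE=/usr/local/feng/iptables/iptables.deny
ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'

# New rules go to a private temp file. A fixed name such as /tmp/black.txt
# could be pre-created by any local user and would then be read by this
# root script.
NEW_RULES=$(mktemp) || exit 1
trap 'rm -f -- "$NEW_RULES"' EXIT

# Input lines are "IP=count", sorted by count ascending.
while IFS='=' read -r IP NUM; do
    # The value is taken from log text that a remote peer can influence and
    # is later executed by sh, so accept only a dotted-quad IPv4 address.
    [[ "$IP" =~ $ipv4_re ]] || continue
    [ "$NUM" -gt "$DEFINE" ] || continue
    [ "$IP" = "127.0.0.1" ] && continue
    # Skip IPs already in hosts.deny or already dropped. -F keeps the dots
    # literal and -w stops 10.0.0.1 from matching 10.0.0.10.
    grep -qwF -- "$IP" /etc/hosts.deny 2>/dev/null && continue
    iptables-save | grep -- "-j DROP" | grep -qwF -- "$IP" && continue
    echo "iptables -A INPUT -s $IP -j DROP" >> "$NEW_RULES"
done < <(tail -n 10000 /var/log/auth.log | awk '/Failed/{print $(NF-3)}' \
         | sort | uniq -c | awk '{print $2"="$1;}' | sort -g -t '=' -k2)

if [ -s "$NEW_RULES" ]; then
    sh "$NEW_RULES"
    # Keep the rules in iptables.deny so they can be reviewed, re-applied by
    # iptables.rule, and released by deleting the IP's line there.
    cat "$NEW_RULES" >> "$DENY_FILE"
    # Persist across reboots (iptables-persistent). A save/restore round trip
    # through a temp file only reloads the live rules and persists nothing.
    /usr/sbin/netfilter-persistent save
fi
EOF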

配置crontab

设置每30分钟执行一次。频次不宜过高,容易影响其他服务。

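# The job changes the firewall, so it runs as root. "*/30" runs it every 30
# minutes as intended; "30 * * * *" would only run once an hour at :30.
# The grep guard keeps a repeated run of this step from adding the entry twice.
grep -qF 'secure_iptables.sh' /etc/crontab \
  || echo "*/30 * * * * root bash /usr/local/feng/iptables/secure_iptables.sh" | sudo tee -a /etc/crontab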

查看被拦截IP

# Via iptables: banned addresses show up as rules with "-s <ip>" and "-j DROP".
sudo iptables-save

# Via the iptables.deny file (only present if secure_iptables.sh has left it
# in place after applying it).
sudo cat /usr/local/feng/iptables/iptables.deny

释放被拦截IP

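# The IP to release
IP=112.27.168.236
# Regex form for sed: dots escaped and anchored at word boundaries, so that
# 10.0.0.1 does not also delete the lines of 10.0.0.10 or 110.0.0.1
IP_RE="\\b${IP//./\\.}\\b"

# Remove the IP from iptables.deny (if the file is present)
sudo sed -i "/${IP_RE}/d" /usr/local/feng/iptables/iptables.deny

# Remove its failed-login lines from auth.log, otherwise the cron job
# bans it again on its next run
sudo sed -i "/${IP_RE}/d" /var/log/auth.log

# Rebuild the firewall rules
sudo bash /usr/local/feng/iptables/iptables.rule

# Verify: nothing should match in the live rules or in the auth.log counts
sudo iptables-save | grep -wF -- "$IP"
awk '/Failed/{print $(NF-3)}' /var/log/auth.log | sort | uniq -c | awk '{print $2"="$1;}' | grep -wF -- "$IP"

# sed -i replaced auth.log with a new file, so rsyslogd keeps writing to the
# old one and stops logging here until it is restarted
sudo systemctl restart rsyslog.service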
原文地址:https://www.cnblogs.com/testopsfeng/p/13224549.html