TShopping

標題: 自動封鎖暴力破解dovecot pop3 的腳本 [打印本頁]

---

作者: woff5678    時間: 2012-4-17 22:46
標題: 自動封鎖暴力破解dovecot pop3 的腳本


最近SERVER老是被人暴力破解TRY DOVECOT

目的是為了獲得亂發EMAIL的資源

檢視
vi /var/log/secure 檔案

發現一堆TRY SERVER的訊息

1. Apr 17 05:48:41 dns dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
   
2. Apr 17 05:48:44 dns dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
   
3. Apr 17 05:48:44 dns dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:82.8.46.254
   
4. Apr 17 05:48:44 dns dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
   
5. Apr 17 05:48:47 dns dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
   
6. Apr 17 05:48:47 dns dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:82.8.46.254
   
7. Apr 17 05:48:47 dns dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
   
8. Apr 17 05:48:49 dns dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
   
9. Apr 17 05:48:49 dns dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:82.8.46.254
   
10. Apr 17 05:48:49 dns dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
    
11. Apr 17 05:49:30 dns dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
    
12. Apr 17 05:49:30 dns dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:82.8.46.254
    

複製代碼

手動封鎖實在太累
所以寫了各SCRIPT腳本
讓黑名單自動寫入 /etc/hosts.deny

建檔名 vi /root/dovecotdeny.sh

1. #! /bin/bash
   
2. cat /var/log/secure|awk '/authentication failure/{print $(NF-1)}'|sort|uniq -c|sed 's/rhost=/ /g'|sed 's/::ffff://g'|awk '{print $2"="$1;}' > /root/blackdovecot.txt
   
3. cat blackdovecot.txt |egrep ^[0-9].[0-9]* > /root/blackdovecot1.txt
   
4. DEFINE="30"
   
5. for i in `cat /root/blackdovecot1.txt`
   
6. do
   
7. IP=`echo $i |awk -F= '{print $1}'`
   
8. NUM=`echo $i|awk -F= '{print $2}'`
   
9. if [ $NUM -gt $DEFINE ];
   
10. then
    
11. grep $IP /etc/hosts.deny > /dev/null
    
12. if [ $? -gt 0 ];
    
13. then
    
14. echo "dovecot:$IP" >> /etc/hosts.deny
    
15. echo "vsftpd:$IP" >> /etc/hosts.deny
    
16. fi
    
17. fi
    
18. done

複製代碼

DEFINE="30"是對方IP TRY 30次錯誤就封鎖
再來就是加入排程
crontab -e

1. 50 * * * * /root/dovecotdeny.sh

複製代碼

---

作者: 伊伊    時間: 2013-11-10 00:57
不錯，感謝版主

---

作者: rxft2080    時間: 2013-11-10 00:57
感謝版主  

---

作者: 0973002    時間: 2013-11-10 00:57
支持一下吧  

---

歡迎光臨 TShopping (http://www.tshopping.com.tw/)

Powered by Discuz! X3.2