TShopping
[Tutorial] A script that automatically blocks brute-force attacks on dovecot pop3

Posted on 2012-4-17 22:46:04

This post was last edited by woff5678 on 2012-5-2 11:08

Lately my server keeps getting brute-forced by people trying Dovecot.

The goal is to get a resource for mass-mailing spam.

Looking at the file
vi /var/log/secure

I found a pile of messages from people trying the server:
Apr 17 05:48:41 dns dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
Apr 17 05:48:44 dns dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Apr 17 05:48:44 dns dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:82.8.46.254
Apr 17 05:48:44 dns dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
Apr 17 05:48:47 dns dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Apr 17 05:48:47 dns dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:82.8.46.254
Apr 17 05:48:47 dns dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
Apr 17 05:48:49 dns dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Apr 17 05:48:49 dns dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:82.8.46.254
Apr 17 05:48:49 dns dovecot-auth: pam_succeed_if(dovecot:auth): error retrieving information about user admin
Apr 17 05:49:30 dns dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Apr 17 05:49:30 dns dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:82.8.46.254
Blocking them by hand is far too tiring,
so I wrote a script
that writes the blacklist into /etc/hosts.deny automatically.

Create the file: vi /root/dovecotdeny.sh
#! /bin/bash
# Pull the source address (the rhost= field) out of every Dovecot PAM
# authentication failure, count failures per address, write "ip=count".
# The field is located by its rhost= prefix rather than by position:
# pam_unix appends " user=NAME" when the account exists, so the position
# of rhost= in the line varies.
awk '/dovecot-auth.*authentication failure/ { for (i = 1; i <= NF; i++) if ($i ~ /^rhost=/) print substr($i, 7) }' /var/log/secure \
  | sed 's/^::ffff://' | sort | uniq -c | awk '{print $2"="$1;}' > /root/blackdovecot.txt
# Keep only lines that begin with an IPv4 address. Absolute path: cron does not run from /root.
grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+=' /root/blackdovecot.txt > /root/blackdovecot1.txt
DEFINE="30"
for i in `cat /root/blackdovecot1.txt`
do
IP=`echo $i |awk -F= '{print $1}'`
NUM=`echo $i|awk -F= '{print $2}'`
if [ "$NUM" -gt "$DEFINE" ];
then
# -F: dots are literal; -w: whole-word match, so 1.2.3.4 does not match an existing 1.2.3.45
grep -qwF "$IP" /etc/hosts.deny
if [ $? -gt 0 ];
then
echo "dovecot:$IP" >> /etc/hosts.deny
echo "vsftpd:$IP" >> /etc/hosts.deny
fi
fi
done
DEFINE="30" means the remote IP is blocked once it has failed 30 tries.
Next, add it to the schedule:
crontab -e
50 * * * * /root/dovecotdeny.sh   # run at minute 50 of every hour
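The same detection logic, written as an added example for this thread (it is not the original poster's script): it parses Dovecot pam_unix failure lines, counts failures per source address, and appends a TCP-wrappers entry for every address above a threshold. The log lines, the 192.0.2.0/24 and 198.51.100.0/24 addresses, and the threshold of 3 are constructed for the example; the log and hosts.deny paths are parameters so it runs without touching /var/log/secure or /etc/hosts.deny. It differs from the posted script in two ways a practitioner will want: the rhost= field is found by its prefix, not by position (pam_unix appends " user=NAME" when the account exists, which shifts the fields), and the hosts.deny lookup is a whole-word literal match so 10.0.0.1 is not mistaken for an existing 10.0.0.10.

```shell
#!/bin/bash
# Added example: Dovecot PAM brute-force counter with hosts.deny output.
# Paths and threshold are parameters; nothing here touches system files.

# Constructed sample log (not a real capture), modelled on the pam_unix
# lines in the post. The last line carries a trailing "user=" field, so
# rhost= is not always the second-to-last field.
SAMPLE_LOG='Apr 17 05:48:44 dns dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:192.0.2.10
Apr 17 05:48:47 dns dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:192.0.2.10
Apr 17 05:48:49 dns dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:192.0.2.10
Apr 17 05:49:30 dns dovecot-auth: pam_unix(dovecot:auth): check pass; user unknown
Apr 17 05:50:01 dns dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=198.51.100.7
Apr 17 05:50:05 dns dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=::ffff:192.0.2.10 user=admin'

# count_failures LOGFILE
# Prints "count ip" for every source seen in a Dovecot authentication
# failure. The rhost= field is located by prefix; the ::ffff: prefix of
# IPv4-mapped IPv6 addresses is stripped so counts merge per IPv4 host.
count_failures() {
    awk '/dovecot-auth.*authentication failure/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^rhost=/) {
                     ip = substr($i, 7)
                     sub(/^::ffff:/, "", ip)
                     if (ip != "") cnt[ip]++
                 }
         }
         END { for (ip in cnt) print cnt[ip], ip }' "$1"
}

# offenders LOGFILE THRESHOLD
# Prints, sorted, the addresses whose failure count exceeds THRESHOLD
# (same ">" semantics as the posted script's "-gt").
offenders() {
    count_failures "$1" | awk -v t="$2" '$1 > t { print $2 }' | sort
}

# block_offenders LOGFILE THRESHOLD DENYFILE
# Appends "dovecot: IP" for each new offender, skipping addresses already
# present. -F makes the dots literal; -w requires a whole-word match so
# 10.0.0.1 is not shadowed by an existing 10.0.0.10. Idempotent across runs.
block_offenders() {
    local log="$1" thr="$2" deny="$3" ip
    touch "$deny"
    offenders "$log" "$thr" | while read -r ip; do
        if ! grep -qwF "$ip" "$deny"; then
            echo "dovecot: $ip" >> "$deny"
        fi
    done
}

# Stand-alone demo on the constructed sample with a threshold of 3
# (for real use: block_offenders /var/log/secure 30 /etc/hosts.deny, as root).
demo_log=$(mktemp)
demo_deny=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
block_offenders "$demo_log" 3 "$demo_deny"
cat "$demo_deny"    # prints: dovecot: 192.0.2.10
rm -f "$demo_log" "$demo_deny"
```

Two caveats before relying on this in production: a hosts.deny entry only bites if Dovecot actually consults TCP wrappers (Dovecot 2.x needs the tcpwrap service enabled via login_access_sockets, and a build without libwrap ignores the file entirely), and because the count runs over the whole log it never expires, so a legitimate user with a mistyped saved password will eventually be blocked along with the attackers.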
Posted on 2013-11-10 00:57:28
Not bad, thanks OP.

Posted on 2013-11-10 00:57:28
Thanks OP.

Posted on 2013-11-10 00:57:28
Here to show some support.