¿ù°£ Àα⠰Խù°

°Ô½Ã¹° 111°Ç
   
/var/log/secure ·Î±×¸¦ ÀÌ¿ëÇÑ IP Deny ÀÚµ¿ µî·Ï ½ºÅ©¸³Æ®
±Û¾´ÀÌ : ÃÖ°í°ü¸®ÀÚ ³¯Â¥ : 2009-11-30 (¿ù) 21:09 Á¶È¸ : 5242
±ÛÁÖ¼Ò :
                             

 
 
ÀÌ ½ºÅ©¸³Æ®´Â ¸®´ª½º¿¡¼­ ±âº»ÀûÀ¸·Î Á¦°øÇÏ´Â ·Î±×¸¦ ÀÌ¿ëÇÏ¿© 10ºÐ °£°ÝÀ¸·Î ·Î±×¸¦ ÃßÃâÇÏ°í 20ȸ ÀÌ»ó Fail Password¸¦ ¹ß»ý½ÃŲ ¾ÆÀÌÇǸ¦ Tcp-Wrapper(/etc/hosts.deny)¿¡ µî·Ï½ÃÄÑ ´õÀÌ»ó ÇØÅ· ½Ãµµ¸¦ ¹æÁöÇÑ´Ù.
Caution : 10ºÐÀ̳»¿¡ ¶Õ¸®¸é ¾îÂîÇÒ ¼ö ¾øÀ½... =,.=;
ps. ½ºÅ©¸³Æ®ÀÇ Á¦ÀÛÀÇ Æí¸®¸¦ À§Çؼ­ Áߺ¹ µî·ÏÈ®ÀÎÀº ¾øÀ½... ^^;
 
±âº»È¯°æ : ¸®´ª½º, PHP Shell script
ÀÛ¼º¾ð¾î : PHP
µ¿ÀÛ¿ø¸®
1. /var/log/secure ÆÄÀÏ¿¡¼­ 10ºÐ´ëÀÇ ·Î±×¸¦ ÃßÃâÇÑ´Ù.
  ¿¹ : ÇöÀç½Ã°£ÀÌ 18:25:00 À̶ó¸é ÃßÃâÇÏ´Â ½Ã°£Àº 18:10~19ºÐÀ» ÃßÃâÇÑ´Ù.
2. ¾ÆÀÌÇÇ º°·Î °¹¼ö¸¦ Åë°è³½´Ù.
3. ÇÑ ¾ÆÀÌÇÇ¿¡¼­ 20ȸ ÀÌ»ó sshd·Î ºñ¹Ð¹øÈ£°¡ Ʋ·È´Ù¸é /etc/hosts.deny¿¡ "ALL:¾ÆÀÌÇÇÁÖ¼Ò"ÀÇ ÇüÅ·Πµî·ÏµÈ´Ù.
4. xinetd µ¥¸óÀ» Àç½ÃÀÛÇÑ´Ù.
5. µî·ÏÇÑ ¾ÆÀÌÇÇ ¸ñ·ÏÀ» ÁöÁ¤µÈ ¸ÞÀÏ ÁÖ¼Ò·Î ¹ß¼ÛÇÑ´Ù.

 
 
½ÇÇà¹æ¹ý
./secure_analysis.sh sshd
 
crontab µî·Ï½Ã
*/10 * * * * /°æ·Î¸í/secure_analysis.sh sshd
 
#!/usr/local/bin/php

#!/usr/local/bin/php
<?
// °³¿ä
// secure log ¸¦ ºÐ¼®Çؼ­ sshd·Î ºÒ¹ýÀûÀÎ Á¢¼ÓÀ» ½ÃµµÇÏ´Â IP¸¦ /etc/hosts.deny¿¡ µî·ÏÇÏ´Â ÀÛ¾÷À» ÇÑ´Ù.
// Log Example : Jun  5 07:49:18 p1 sshd[1110]: Failed password for root from 211.114.190.196 port 52944 ssh2
// ÃßÃâ ¸í·É¾î : grep "Jun  7 09" secure | grep "sshd" | grep "Failed password" | awk -F "from" '{print $2}' | awk '{print $1}'
// ÁöÁ¤µÈ ÀԷ°ªÀ» ÀÔ·ÂÇÏÁö ¾ÊÀ¸¸é ½ÇÇàÇÏÁö ¾Ê´Â´Ù.
if($argc > 1)
{
$RECEIVE_EMAIL = "¼ö½Å ¸ÞÀÏÁÖ¼Ò";
$Hostname = trim(exec("hostname"));
$Date = date("Y-m-d H:i:s");
// 10ºÐÀü ºÐÀ» ±¸ÇÑ´Ù.
$TenAgo = substr(date("i",mktime (date("H"), date("i")-10, 0, date("m"), date("d"), date("Y"))),0,1);
if(!file_exists("/service/log_temp"))
{
  exec("mkdir -p /service/log_temp");
}
  if(!file_exists("/service/log_temp/secure_analysis.log"))
  {
       exec("touch /service/log_temp/secure_analysis.log");
  }
// ³¯Â¥¿¡ µû¶ó¼­ °Ë»ö¾îÀÇ °ø¹é󸮰¡ Ʋ¸° °ü°è·Î ... =,.=;
$DayLength = strlen(date("j"));
if($DayLength == 2)
{
$now = date("M j H:");
}
else
{
$now = date("M  j H:");
}
if($argv[1] == "sshd")
{
exec("grep \"$now$TenAgo\" /var/log/secure | grep \"sshd\" | grep \"Failed password\" | awk -F \"from\" '{print \$2}' | awk '{print \$1}' > /service/log_temp/secure_log_".$argv[1]);
}
$Fail_IP_File = file("/service/log_temp/secure_log_".$argv[1]);
for($i=0; $i < count($Fail_IP_File); $i++)
{
$Fail_IP_File[$i] = trim($Fail_IP_File[$i]);
}
$Fail_Statistics = array_count_values($Fail_IP_File);
exec("echo \"\" > /service/log_temp/DenyIP.list_".$argv[1]);
while (list ($Ip, $Count) = each ($Fail_Statistics))
{
// ¿©±âÀÇ 20À» Á¶Á¤ÇÏ¿© µî·ÏÀ» Á¶ÀýÇÒ ¼ö ÀÖ´Ù.
if($Count > 20)
{
  $Now_Time = date("Y³â m¿ù dÀÏ H½Ã iºÐ sÃÊ");
  exec("echo \"#Regist $Now_Time\" >> /etc/hosts.deny");
  exec("echo \"ALL : $Ip\" >> /etc/hosts.deny");
  $Restart_Xinetd = 1;
  exec("echo \"$Now_Time | $Ip | $Count ȸ\" >> /service/log_temp/DenyIP.list_".$argv[1]);
}
exec("echo \"$Date\t$Ip\t$Count\" >> /service/log_temp/secure_analysis.log");
}
if($Restart_Xinetd)
{
exec("killall -HUP xinetd");
exec("cat \"/service/log_temp/DenyIP.list_".$argv[1]."\" | mail -s \"$Hostname Deny IP List - $Date \" $RECEIVE_EMAIL");
}
}
else
{
echo("Missing Argument... Confirm Execute ...\n");
}
?>

 


À̸§ Æнº¿öµå
ºñ¹Ð±Û (üũÇÏ¸é ±Û¾´À̸¸ ³»¿ëÀ» È®ÀÎÇÒ ¼ö ÀÖ½À´Ï´Ù.)
¿ÞÂÊÀÇ ±ÛÀÚ¸¦ ÀÔ·ÂÇϼ¼¿ä.
   

 



 
»çÀÌÆ®¸í : ¸ðÁö¸®³× | ´ëÇ¥ : ÀÌ°æÇö | °³ÀÎÄ¿¹Â´ÏƼ : ·©Å°´åÄÄ ¿î¿µÃ¼Á¦(OS) | °æ±âµµ ¼º³²½Ã ºÐ´ç±¸ | ÀüÀÚ¿ìÆí : mojily°ñ¹ðÀÌchonnom.com Copyright ¨Ï www.chonnom.com www.kyunghyun.net www.mojily.net. All rights reserved.