michihide's blog

Technical notes and miscellaneous thoughts

ssh attackers list

A lot of people keep poking at my server over ssh, so I wrote a script to smoke them out.

Source data:
# tail /var/log/secure
Jan  6 10:44:55 gaia sshd[4452]: Received disconnect from 211.96.27.152: 11: Bye Bye
Jan  6 10:44:56 gaia sshd[4453]: Invalid user format from 211.96.27.152
Jan  6 10:44:56 gaia sshd[4454]: input_userauth_request: invalid user format
Jan  6 10:44:57 gaia sshd[4454]: Received disconnect from 211.96.27.152: 11: Bye Bye
Jan  6 10:44:58 gaia sshd[4455]: Invalid user forrest from 211.96.27.152
Jan  6 10:44:58 gaia sshd[4456]: input_userauth_request: invalid user forrest
Jan  6 10:44:58 gaia sshd[4456]: Received disconnect from 211.96.27.152: 11: Bye Bye
Jan  6 10:44:59 gaia sshd[4457]: Invalid user forsythe from 211.96.27.152
Jan  6 10:44:59 gaia sshd[4458]: input_userauth_request: invalid user forsythe
Jan  6 10:44:59 gaia sshd[4458]: Received disconnect from 211.96.27.152: 11: Bye Bye

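The script I wrote:
# cat ssh_attack.sh
#!/bin/bash
# List the unique source addresses of sshd "Received disconnect ... 11: Bye Bye" lines.
SECURE=/var/log/secure
AWK=/usr/bin/awk
GREP=/bin/grep
SED=/bin/sed
SORT=/bin/sort
UNIQ=/usr/bin/uniq
# Field 9 is the address followed by a colon ("211.96.27.152:"); sed strips the colon.
"$GREP" '11: Bye Bye$' "$SECURE" | "$AWK" '{print $9}' | "$SED" 's/:$//' | "$SORT" | "$UNIQ"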

# ./ssh_attack.sh

But what am I supposed to do about these guys...?
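
An added example (not the blog author's script): the disconnect lines matched by the script above do not say what the client tried, so this sketch counts the "Invalid user ... from IP" lines per source address instead and lists the addresses at or above a threshold. The function names, the threshold and the sample log lines (RFC 5737 documentation addresses) are assumptions made for the example.

```bash
#!/bin/bash
# Added example, not the blog author's script.
# Usage: invalid_user_report THRESHOLD [FILE...]   (reads stdin if no FILE)
# Prints "IP attempts distinct_usernames" for every source address with at
# least THRESHOLD "Invalid user ... from IP" lines, busiest first.
invalid_user_report() {
    local threshold="${1:-3}"
    [ "$#" -gt 0 ] && shift
    awk -v min="$threshold" '
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Invalid" && $7 == "user" {
            # Take the LAST "from": the user name is chosen by the client and
            # may be empty or contain spaces; newer sshd also appends "port N".
            pos = 0
            for (i = NF - 1; i >= 8; i--) if ($i == "from") { pos = i; break }
            if (!pos) next
            ip = $(pos + 1)
            if (ip !~ /^[0-9A-Fa-f:.]+$/) next      # not an address, skip
            name = ""
            for (i = 8; i < pos; i++) name = name " " $i
            attempts[ip]++
            if (!((ip, name) in seen)) { seen[ip, name] = 1; users[ip]++ }
        }
        END {
            for (ip in attempts)
                if (attempts[ip] >= min) print ip, attempts[ip], users[ip]
        }
    ' "$@" | sort -k2,2nr -k1,1
}

# Constructed sample in the same format as the log excerpt above
# (addresses are from the RFC 5737 documentation ranges).
sample_log() {
    cat <<'EOF'
Jan  6 10:44:56 gaia sshd[4453]: Invalid user format from 192.0.2.10
Jan  6 10:44:57 gaia sshd[4454]: Received disconnect from 192.0.2.10: 11: Bye Bye
Jan  6 10:44:58 gaia sshd[4455]: Invalid user forrest from 192.0.2.10
Jan  6 10:44:59 gaia sshd[4457]: Invalid user forrest from 192.0.2.10
Jan  6 10:45:03 gaia sshd[4460]: Invalid user  from 198.51.100.7
Jan  6 10:45:04 gaia sshd[4461]: Invalid user a from b from 198.51.100.7 port 4022
Jan  6 10:45:09 gaia sshd[4470]: Invalid user test from 203.0.113.5
Jan  6 10:45:10 gaia sshd[4471]: Accepted password for alice from 203.0.113.9 port 50022 ssh2
EOF
}

sample_log | invalid_user_report 2
```

Against the real log it would be called as `invalid_user_report 5 /var/log/secure`; the three columns are the address, the number of invalid-user attempts and the number of distinct user names tried.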