Analysing /var/log/secure login logs with a Python script and acting on them

Author: 一如既往而已 | Published 2020-04-24 09:36

I have a server of my own and recently noticed a large number of authentication failures in /var/log/secure, so I found a script and ran it. Here it is:

#!/usr/bin/env python
# Attackers try to log in over ssh far too many times; /var/log/secure records every
# failure. This script counts "Failed password" lines from the last seven days and writes
# the offending IPs to /etc/hosts.deny. The deny file is rewritten on every run, so an
# address drops out again once it has been quiet for a week.
# Runs under Python 2.7 and Python 3.

import calendar
import re
from datetime import date

logfile = r'/var/log/secure'
#denyfile = r'/tmp/hosts.deny'
denyfile = r'/etc/hosts.deny'
months_31 = ['Jan','Mar','May','Jul','Aug','Oct','Dec']
months_30 = ['Apr','Jun','Sep','Nov']
month_28or29 = 'Feb'
months = {
          'Jan':1,'Feb':2,'Mar':3,'Apr':4,'May':5,'Jun':6,
          'Jul':7,'Aug':8,'Sep':9,'Oct':10,'Nov':11,'Dec':12
         }
# Days per month, needed when the seven-day window straddles a month boundary.
month_days = {}
for mon in months_31:
    month_days[mon] = 31
for mon in months_30:
    month_days[mon] = 30
# calendar.isleap applies the full Gregorian rule (100/400 years). The earlier test
# "isocalendar()[0] % 4 == 0" used the ISO week-based year and ignored the century rule.
if calendar.isleap(date.today().year):
    month_days[month_28or29] = 29
else:
    month_days[month_28or29] = 28

# Classic syslog line:
#   "Apr 24 09:36:01 host sshd[1234]: Failed password for [invalid user] NAME from IP port N ssh2"
# The source address is taken only from the "from ... port" slot: NAME is chosen by the
# attacker and may itself look like an IP address, so grabbing the first dotted quad on
# the line could get an innocent address banned. The greedy ".+" makes the last
# "from IP port" win even if NAME contains that text.
pat = re.compile(r'sshd\[\d+\]: Failed password for .+ from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) port \d+')

def search_source():
    """Return the 'Failed password' lines from the last seven days (today and six days back)."""
    t = date.today()
    month = t.strftime('%b')
    day = int(t.strftime('%d'))
    lines = []
    with open(logfile, 'r') as f:
        for line in f:
            # Skip blank or truncated lines (the 2020-10-29 fix noted below).
            if len(line) < 10:
                continue
            fields = line.split()
            if len(fields) < 2:
                continue
            log_month, log_day = fields[0], fields[1]
            if log_month not in months or not log_day.isdigit():
                continue   # not the "Mon dd hh:mm:ss host ..." timestamp this parser expects
            log_day = int(log_day)
            if log_month == month and 0 <= day - log_day < 7:
                if pat.search(line):
                    lines.append(line)
            elif months[month] - months[log_month] in (1, -11):
                # Previous month (Dec -> Jan gives -11): add that month's length first.
                if day + month_days[log_month] - log_day < 7 and pat.search(line):
                    lines.append(line)
    return lines

def count_ips(lines):
    """Count failures per source address."""
    count = {}
    if len(lines) == 0:
        print('No one use ssh and failed.')
        raise SystemExit
    for line in lines:
        ip = pat.search(line).group(1)   # every line returned by search_source matched pat
        count[ip] = count.get(ip, 0) + 1
    return count

def deny_ips(count):
    """Rewrite hosts.deny with every address at or above the threshold.

    The file is overwritten, so anything else kept in /etc/hosts.deny is lost; keep
    hand-maintained rules elsewhere if you run this as-is.
    """
    threshold = 50
    with open(denyfile, 'w') as f:
        for ip in sorted(count):
            if count[ip] >= threshold:
                # hosts_access(5) documents only whole-line comments, so the note goes
                # on its own line instead of after the entry.
                f.write('# failed %d times in a week.\n' % count[ip])
                f.write('ALL: %s\n' % ip)

def main():
    lines = search_source()
    count = count_ips(lines)
    deny_ips(count)

if __name__ == '__main__':
    main()

Once the file is created, give the script execute permission and run it. By default any IP whose failed-login count reaches 50 or more within the last seven days is written to /etc/hosts.deny and further connections from it are refused. Three points worth keeping in mind: the script rewrites /etc/hosts.deny from scratch on every run, so anything else kept there is lost (this is also how an address expires once it has been quiet for a week); an `ALL:` entry blocks the address for every tcp_wrappers-aware service, not only sshd; and hosts.deny is only honoured by an sshd built with libwrap, which is the case on CentOS 7 but not on RHEL/CentOS 8, where tcp_wrappers was removed and a firewall rule (or fail2ban) has to do the blocking instead.
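The same detection as a small testable module, written here as an added example rather than the script from this post: it resolves the year-less syslog timestamp to a real date (so December lines read in January and Feb 29 are handled), takes the address only from the `from ... port` slot so that a user name that looks like an IP cannot get a third party banned, and owns only a marked block inside /etc/hosts.deny so hand-maintained rules survive each run. The marker text, the `run()` helper and the sample log lines are my own constructions; the addresses come from the documentation ranges.

```python
"""Windowed SSH brute-force detector for /var/log/secure style lines (added example)."""
import re
from datetime import date, timedelta

MONTHS = {m: i for i, m in enumerate(
    ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
     'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'], 1)}

# "Mon dd hh:mm:ss host sshd[pid]: Failed password for [invalid user] NAME from IP port N ssh2"
# NAME is attacker supplied; the greedy ".+" binds the address to the last "from IP port".
FAILED_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: '
    r'Failed password for .+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+')

# Hypothetical marker lines delimiting the block this script owns in hosts.deny.
BEGIN = '# BEGIN ssh-bruteforce (managed, do not edit)\n'
END = '# END ssh-bruteforce\n'


def line_date(mon, day, today):
    """Resolve a year-less syslog timestamp to the most recent matching date <= today."""
    if mon not in MONTHS:
        return None
    for year in (today.year, today.year - 1):   # a December line read in January is last year's
        try:
            d = date(year, MONTHS[mon], int(day))
        except ValueError:                       # e.g. Feb 29 in a non-leap year
            continue
        if d <= today:
            return d
    return None


def count_failures(lines, today, window_days=7):
    """Count 'Failed password' events per source IP for today and the previous window_days-1 days."""
    cutoff = today - timedelta(days=window_days - 1)
    counts = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                             # blank lines, accepted logins, other services
        d = line_date(m.group('mon'), m.group('day'), today)
        if d is None or d < cutoff:
            continue
        counts[m.group('ip')] = counts.get(m.group('ip'), 0) + 1
    return counts


def render_hosts_deny(existing, counts, threshold=50):
    """Return new hosts.deny text: everything outside the managed block is kept verbatim."""
    block = [BEGIN]
    for ip, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if n >= threshold:
            block.append('# %d failed ssh logins in the last week\n' % n)
            block.append('ALL: %s\n' % ip)       # hosts_access(5) documents only whole-line comments
    block.append(END)
    if BEGIN in existing and END in existing:    # drop the previous run's block
        head, _, rest = existing.partition(BEGIN)
        existing = head + rest.partition(END)[2]
    if existing and not existing.endswith('\n'):
        existing += '\n'
    return existing + ''.join(block)


def run(logfile='/var/log/secure', denyfile='/etc/hosts.deny', today=None):
    """Apply the detector to the real files (needs root); returns the per-IP counts."""
    today = today or date.today()
    with open(logfile) as f:
        counts = count_failures(f, today)
    try:
        with open(denyfile) as f:
            existing = f.read()
    except IOError:
        existing = ''
    with open(denyfile, 'w') as f:
        f.write(render_hosts_deny(existing, counts))
    return counts


# Constructed sample input (not from a real server); "today" is pinned so the run is repeatable.
TODAY = date(2020, 11, 2)
SAMPLE_LOG = (
    "Oct 30 02:11:07 vm sshd[9981]: Failed password for root from 203.0.113.7 port 50123 ssh2\n" * 30
    + "Nov  1 03:15:21 vm sshd[9999]: Failed password for invalid user admin from 203.0.113.7 port 50321 ssh2\n" * 25
    + "Oct 20 01:00:00 vm sshd[7001]: Failed password for root from 198.51.100.9 port 40000 ssh2\n" * 80
    + "Nov  2 04:00:00 vm sshd[8001]: Failed password for invalid user 8.8.8.8 from 192.0.2.44 port 41000 ssh2\n" * 3
    + "\n"
    + "Nov  2 04:01:00 vm sshd[8002]: Accepted publickey for ops from 192.0.2.10 port 42000 ssh2\n"
)

if __name__ == '__main__':
    sample_counts = count_failures(SAMPLE_LOG.splitlines(True), TODAY)
    print(render_hosts_deny("# hand-maintained rule\nALL: 10.0.0.0/8\n", sample_counts))
```

With the sample above, 203.0.113.7 is counted 55 times across the October/November boundary and lands in the managed block, 198.51.100.9 is ignored as too old despite its 80 failures, and the "8.8.8.8" user name never appears in the output. Replace the `__main__` body with `run()` (or call `run()` from cron) to process the real files.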

######## 2020-10-29: the script above was updated to handle the error raised when the log contains blank lines.

It is best to add the script as a crontab job so it runs automatically every 10 minutes (the path must be wherever the script was saved and it needs execute permission; cron already runs each job in the background, so no trailing `&` is needed):

[root@VM-0-9-centos ~]# crontab -e
*/10 * * * * /root/check_ssh.sh > /dev/null 2>&1

Article link: https://www.haomeiwen.com/subject/idrxwhtx.html