我们在使用ssh登录服务器的时候,经常会弹出类似于以下的提示:Last failed login: Fri May 1 23:31:22 CST 2021 from 87.251.74.56 on ssh:notty There were 187 failed login attempts since the last successful login.
后面一句意思是从上次登录成功之后,有187次失败的登录。也就是说有人在尝试登录我们的服务器,但是登录失败了,距离上次成功登录到本次登录之前产生了187的失败记录,不可质疑,有人在猜测服务器的登录用户名和密码.
我们来查看一下服务器失败登录记录,用以下命令查看:
# 查看失败登录记录
lastb
# 结果展示,跟上参数-xx,表示显示多少记录
root ssh:notty 110.188.85.88 Tue Oct 5 10:46 - 10:46 (00:00)
pi ssh:notty 121.180.246.194 Mon Oct 4 10:53 - 10:53 (00:00)
pi ssh:notty 121.180.246.194 Mon Oct 4 10:53 - 10:53 (00:00)
pi ssh:notty 121.180.246.194 Mon Oct 4 10:53 - 10:53 (00:00)
pi ssh:notty 121.180.246.194 Mon Oct 4 10:53 - 10:53 (00:00)
root ssh:notty 110.188.84.142 Mon Oct 4 10:09 - 10:09 (00:00)
root ssh:notty 110.188.84.142 Mon Oct 4 10:09 - 10:09 (00:00)
root ssh:notty 125.70.165.6 Sun Oct 3 09:39 - 09:39 (00:00)
db2inst1 ssh:notty 152.136.245.102 Sun Oct 3 09:00 - 09:00 (00:00)
db2inst1 ssh:notty 152.136.245.102 Sun Oct 3 09:00 - 09:00 (00:00)
db2inst1 ssh:notty 152.136.245.102 Sun Oct 3 08:57 - 08:57 (00:00)
db2inst1 ssh:notty 152.136.245.102 Sun Oct 3 08:57 - 08:57 (00:00)
db2inst1 ssh:notty 152.136.245.102 Sun Oct 3 08:55 - 08:55 (00:00)
db2inst1 ssh:notty 152.136.245.102 Sun Oct 3 08:55 - 08:55 (00:00)
rx ssh:notty 152.136.245.102 Sun Oct 3 08:53 - 08:53 (00:00)
rx ssh:notty 152.136.245.102 Sun Oct 3 08:53 - 08:53 (00:00)
rx ssh:notty 152.136.245.102 Sun Oct 3 08:50 - 08:50 (00:00)
rx ssh:notty 152.136.245.102 Sun Oct 3 08:50 - 08:50 (00:00)
rx ssh:notty 152.136.245.102 Sun Oct 3 08:48 - 08:48 (00:00)
rx ssh:notty 152.136.245.102 Sun Oct 3 08:48 - 08:48 (00:00)
从结果可以看出,第一列为登录时所用的用户名,第二列为登录方式(了解,具体含义可以参考以下摘要),第三列为登录客户端IP地址,最后一列为登录时间。
“ Notty”一词仅表示“ no tty”,大致翻译为“ no terminal”。 当您本地登录到任何Linux计算机时,终端将始终在进程列表中显示为“ tty”。 如果通过SFTP建立了连接,或者您正在使用SCP复制文件,那么它将显示为tty(notty)。
Who or what is root@notty?
If you’re looking through WHM’s process manager and you see root@notty mentioned as one of the processes, don’t be alarmed. It’s perfectly normal and it’s definitely not some hacker called ‘Notty’ who has suddenly got root permissions. Be honest, you’re here because you thought that ????
You may also have seen sshd: root@notty in the output of ps aux too.
Why notty?
The term ‘notty’ just represents ‘no tty’ which roughly translates as meaning ‘no terminal’. When you login locally to any Linux machine the terminal will always appear in the process list as ‘tty’. If a connection is made via SFTP or you are copying files with SCP (as I did here on a test server prior to bringing up the screenshot above) then it will show as no tty (notty).
Where does TTY come from?
Many years ago, user terminals that were connected to computers were clunky and noisy Electro-mechanical Teleprinters also known as Teletypewriters. They took the latter phrase and chopped some characters out to get the TTY abbreviation:
TeleTYpewriter = TTY
Since then, TTY has been used as the shortened name for a text-only console.
从上面看到这些IP在一段时间内使用不同的用户名和密码在尝试登录服务器,要是通过shell脚本的方式,统计出失败登录IP的次数,如果大于我们的设定值,我们就把该IP放入黑名单中。
#!/bin/bash
#Denyhosts SHELL SCRIPT
# 分析登录日志文件,筛选失败登录并统计次数存入文件备用
cat /var/log/secure | awk '/Failed/{print $(NF-3)}'|sort|uniq -c|awk '{print $2"=" $1;}' >/root/Denyhosts.txt
# 定义允许失败登录的次数
DEFINE="10"
# 读取文件,并把条件范围内的IP写到hosts.deny中,实现黑名单效果
for i in `cat /root/Denyhosts.txt`
do
IP=`echo $i|awk -F= '{print $1}'`
NUM=`echo $i|awk -F= '{print $2}'`
if [ $NUM -gt $DEFINE ]
then
ipExists=`grep $IP /etc/hosts.deny |grep -v grep |wc -l`
if [ $ipExists -lt 1 ]
then
echo "sshd:$IP" >> /etc/hosts.deny
fi
fi
done
最后把文件保存并添加执行权限和定时任务,就可以自动的分析IP并加黑名单了。让这些顽固分子知道我们管理员也是有做事的!
