centos7.x SSH防守策略

1.修改登陸失敗驗證次數爲3
vi /etc/ssh/sshd_config
將#MaxAuthTries 6 改成
MaxAuthTries 3

2.將#Port 22 改成
Port 22
Port 12345(你想改的端口號)
測試經過後將Port 22刪掉

3.重啓SSH服務
systemctl restart sshd.service

4.先把始終容許的IP填入 /etc/hosts.allow ,重點! 例如:
vi /etc/hosts.allow
sshd:123.123.123.123:allow
sshd:8.8.8.8:allow

5.三次後直接封IP腳本
[root@localhost ~]# vi /usr/local/bin/secure_ssh.sh

#!/bin/bash
cat /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c |awk '{print $2"="$1}' > /tmp/blacklist

MAXCOUNT="3"

for i in `cat /tmp/blacklist`
do
    IP=`echo $i | awk -F= '{print $1}'`
    NUM=`echo $i | awk -F= '{print $2}'`

if [ $NUM -gt $MAXCOUNT ];then

   grep $IP /etc/hosts.deny > /dev/null
   if [ $? -gt 0 ];then
    echo "sshd:$IP" >> /etc/hosts.deny
   fi
fi 
done

6.將secure_ssh.sh腳本放入cron計劃任務，天天5:20執行一次。
[root@localhost ~]# crontab -e
20 05 * sh /usr/local/bin/secure_ssh.sh

查看IP黑名單
cat /etc/hosts.deny
head -50 /etc/hosts.deny

直接執行腳本
sh /usr/local/bin/secure_ssh.sh