防火墙shell脚本

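#!/bin/bash
# Block source addresses that repeatedly fail SSH password authentication.
#
# Reads "Failed password" lines from the journal for the last LOOKBACK
# period, counts failures per source IP and adds a permanent firewalld
# rich rule (FIREWALL_ACTION) for every IP whose count is strictly
# greater than THRESHOLD, then reloads firewalld so the rules take effect.
#
# Requires: journalctl, firewall-cmd, and sudo rights to run firewall-cmd.

set -u

# Rich-rule action applied to offending sources.
readonly FIREWALL_ACTION="drop"

# An IP is blocked only when its failure count is strictly greater than
# this value (with 1, two or more failures in the window trigger a block).
readonly THRESHOLD=1

# Journal window to inspect.
readonly LOOKBACK="20 minutes ago"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Extract the source IP of every "Failed password" line read on stdin.
# The address is the token after the LAST "from" on the line: sshd logs
# "... from <ip> port <port> ssh2", and the user name (which an attacker
# chooses and which may itself contain the word "from") precedes it.
# Note: field 3 of a journalctl line is the timestamp, not the address.
# Arguments: none (log lines on stdin)
# Outputs:   one IP per matching line, sorted, to stdout
#######################################
extract_failed_ips() {
  grep "Failed password" \
    | awk '{ k = 0; for (i = 1; i < NF; i++) if ($i == "from") k = i; if (k) print $(k + 1) }' \
    | sort
}

#######################################
# Check that a string is a dotted-quad IPv4 address with octets 0-255.
# Arguments: $1 - candidate string
# Returns:   0 if it is an IPv4 address, 1 otherwise
#######################################
is_ipv4() {
  local candidate=$1 octet
  [[ "$candidate" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal; a leading zero would otherwise be read as octal.
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Add a permanent firewalld rich rule for one source address.
# Globals:   FIREWALL_ACTION (read)
# Arguments: $1 - IPv4 address to block (already validated by caller)
# Outputs:   success message to stdout, error message to stderr
# Returns:   0 if the rule was added, 1 otherwise
#######################################
block_ip() {
  local ip=$1
  if sudo firewall-cmd --permanent \
      --add-rich-rule="rule family=ipv4 source address='$ip' $FIREWALL_ACTION"; then
    echo "IP $ip 已被添加到防火墙规则"
    return 0
  fi
  echo "添加规则时出现错误" >&2
  return 1
}

#######################################
# Entry point: count failures per IP, block the offenders, reload firewalld.
# Globals:   THRESHOLD, LOOKBACK (read)
# Returns:   0 on success; exits 1 if a required tool is missing or the
#            reload fails
#######################################
main() {
  local tool count ip added=0

  for tool in journalctl firewall-cmd; do
    command -v "$tool" >/dev/null || die "required tool not found: $tool"
  done

  # Process substitution keeps the loop in the current shell so `added`
  # survives; `read -r` keeps backslashes literal.
  while read -r count ip; do
    # `uniq -c` on empty input yields a count line with no IP.
    [[ -n "$ip" ]] || continue
    (( count > THRESHOLD )) || continue
    # The token comes from an attacker-influenced log line and is
    # interpolated into the rule string, so only a well-formed IPv4
    # address (the only family the rule covers) is handed to firewall-cmd.
    if ! is_ipv4 "$ip"; then
      printf 'skipping unexpected source token: %s\n' "$ip" >&2
      continue
    fi
    if block_ip "$ip"; then
      added=$((added + 1))
    fi
  done < <(journalctl --since="$LOOKBACK" | extract_failed_ips | uniq -c)

  # Permanent rules only take effect after a reload; skip it when nothing
  # was added, since a reload also discards runtime-only rules.
  if (( added > 0 )); then
    sudo firewall-cmd --reload || die "firewall-cmd --reload failed"
    echo "防火墙规则已更新"
  else
    printf 'no address exceeded the threshold of %d failures\n' "$THRESHOLD"
  fi
}

main "$@"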