Python武器库：暴力破解密码自动阻断代码问题

代码问题
课程：Python武器库定制
章节：章节4:项目一：暴力破解密码自动阻断

# 原代码
AutoBlock.py
```python
#!/usr/bin/env python3

import re
import subprocess
import time

'''
1.打开安全日志
2，对安全日志进行实时监控
3.解析日志的每一行的内容，找出正在爆破的ip
4.设置一个阈值，超过阈值后直接封禁（把他的ip放入黑名单中）
'''

#安全日志
logFile = '/var/log/secure'
#黑名单
hostDeny = '/etc/hosts.deny'
#封禁阈值
passwd_wrong_num = 5

#获取已经加入黑名单的ip，转换为字典
def getDenies():
    deniedDict = {}
    list = open(hostDeny).readlines()
    for ip in list:
        group = re.search(r'(\d+\.\d+\.\d+\.\d+)',ip)
    return deniedDict

#监控方法
def monitorLog(Logfile):
    #统计密码错误的次数
    tempIp = {}
    #已经拉黑的ip
    deniedDict = getDenies()
    #获取日志
    popen = subprocess.Popen('tail -f'+logFile,stdout=subprocess.PIPE,stderr=subprocess.PIPE,shell=True)
    #开始监控
    while True:
        time.sleep(0.1)
        line = popen.stdout.readline().strip()
        if line:
            group = re.search(r'Invalid user \w+ from (\d+\.\d+\.\d+\.\d+)',str(line))
            #不存在的用户直接封
            if group and not deniedDict.get(group[1]):
                # 这里的单引号是为了确保整个sshd: IP字符串作为一个整体被正确追加到黑名单文件中，
                # 防止IP地址被shell拆分或误解。
                subprocess.getoutput('echo \'sshd:{} >> {}'.format(group[1]),hostDeny)
                deniedDict[group[1]] = '1'
                time_str = time.strftime('%Y-%m-%d %H:%M:%S',time.localtime(time.time()))
                print('{} --- add ip: to hosts.deny for invalid user'.format(time_str,group[1]))
                continue

#用户名合法但是密码错误
            group = re.search(r'Faild password for \w+ from (\d+\.\d+\.\d+\.\d)',str(line))
            if group:
                ip = group[1]
                #统计ip错误次数
                if not tempIp.get(ip):
                    tempIp[ip] = 1
                else:
                    tempIp[ip] = tempIp[ip]+1
                #如果错误次数超过阈值，拉黑ip
                if tempIp[ip] >passwd_wrong_num and not deniedDict.get(ip):
                    del tempIp[ip]
                    subprocess.getoutput('echo \'sshd:{} >> {}'.format(ip.hostDeny))
                    deniedDict[ip] = '1'
                    time_str = time.strftime('%Y-%m-%d %H:%M:%S',time.localtime(time.time()))
                    print('{} --- add ip:{} to hosts.deny for invalid password'.format(time_str,ip))

if __name__ == '__main__':
    monitorLog(logFile)

# grep "Faild password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr
```

# 运行前提
## 靶机操作系统：CentOS
日志文件：/var/log/secure
黑名单文件：/etc/hosts.deny
Python版本：Python 3，安装参考：https://wiki.bafangwy.com/doc/286/
代码运行方式：`python3 AutoBlock.py`

##  攻击机，Kali
命令：
`hydra -L username.txt -P password.txt 192.168.142.66 ssh`

username.txt内容：
```
root
admin
wuya1
test1
```

password.txt内容：
```
123456789
a123456
qq123456789
a123456789
1234567890
woaini1314
woaini520
woaini123
qq123456
abc123456
123456a
caonima
a5201314
wang123456
abcd123
123456789..
woaini1314520
qazwsxedc
qwerty
123456..
zxc123
asdfghjkl
123456789a
147258369
zxcvbnm
987654321
12345678910
abc123
123456789.
password
7708801314520
woaini
5201314520
q123456
123456abc
1233211234567
123123123
123456q
0123456789
asd123456
aa123456
135792468
q123456789
abcd123456
12345678900
zxcvbnm123
1111111111111111
w123456
aini1314
abc123456789
111111
woaini521
qwertyuiop
1314520520
1234567891
qwe123456
asd123
000000
1472583690
123456
1357924680
789456123
123456789abc
z123456
1234567899
aaa123456
abcd1234
www123456
123456789q
123abc
qwe123
w123456789
7894561230
123456qq
zxc123456
123456789qq
1111111111
111111111
0000000000000000
1234567891234567
0000000000
1234554321
123456q
123456aa
9876543210
110120119
qaz123456
qq5201314
123698745
5201314
000000000
as123456
123123
5841314520
z123456789
a123123
123456asd
aa123456789
741852963
a12345678
```

# 原代码问题
## tail -f 无法读取日志内容
subprocess.Popen 读取 tail -f 输出时却无法正确获取内容

修改后的代码如下：
`popen = subprocess.Popen(['tail', '-f', '-n', '0', logFile], stdout=subprocess.PIPE, stderr=subprocess.PIPE)`

## echo无法写入黑名单文件
原代码中，使用了以下命令来将 IP 添加到 /etc/hosts.deny：
`subprocess.run(['echo', f'sshd:{ip} >> {hostDeny}'], shell=True)`

1、命令格式错误：`subprocess.run` 的参数是一个列表，代码中将整个命令字符串作为单个元素传递。这会导致 `subprocess.run` 无法正确解析命令。
2、重定向问题：`>>` 是 shell 的重定向操作符，但在 `subprocess.run` 中，直接传递这样的命令字符串可能会导致问题。

# 修改后的完整代码
AutoBlock.py
```python
#!/usr/bin/env python3

import re
import subprocess
import time

# 安全日志
logFile = '/var/log/secure'
# 黑名单
hostDeny = '/etc/hosts.deny'
# 封禁阈值
passwd_wrong_num = 5

# 获取已经加入黑名单的ip，转换为字典
def getDenies():
    deniedDict = {}
    try:
        with open(hostDeny, 'r') as f:
            for line in f:
                group = re.search(r'(\d+\.\d+\.\d+\.\d+)', line)
                if group:
                    deniedDict[group.group(1)] = '1'
    except Exception as e:
        print(f"Error reading {hostDeny}: {e}")
    return deniedDict

# 监控方法
def monitorLog(Logfile):
    # 统计密码错误的次数
    tempIp = {}
    # 已经拉黑的ip
    deniedDict = getDenies()
    # 获取日志
    try:
        popen = subprocess.Popen(['stdbuf', '-oL', 'tail', '-f', '-n', '0', logFile], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        print("已打开日志")
        # 开始监控
        while True:
            time.sleep(0.1)
            line = popen.stdout.readline().strip().decode('utf-8')
            if line:
                # 匹配无效用户尝试登录
                group = re.search(r'Failed password for invalid user \w+ from (\d+\.\d+\.\d+\.\d+)', line)
                if group:
                    ip = group.group(1)
                    if ip not in deniedDict:
                        print("IP加黑名单")
                        # 方法 1：不使用 shell=True
                        subprocess.run(['echo', f'sshd:{ip}'], stdout=open(hostDeny, 'a'))
                        # 方法 2：使用 shell=True
                        # subprocess.run(f'echo "sshd:{ip}" >> {hostDeny}', shell=True)
                        deniedDict[ip] = '1'
                        time_str = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(time.time()))
                        print(f'{time_str} --- add ip: {ip} to hosts.deny for invalid user')
                    else:
                        print("黑名单重复，略过")
                # 匹配密码错误
                group = re.search(r'Failed password for \w+ from (\d+\.\d+\.\d+\.\d+)', line)
                if group:
                    ip = group.group(1)
                    if ip not in tempIp:
                        tempIp[ip] = 1
                    else:
                        tempIp[ip] += 1
                    if tempIp[ip] > passwd_wrong_num and ip not in deniedDict:
                        print(f"错误次数超限")
                        del tempIp[ip]
                        subprocess.run(['echo', f'sshd:{ip}'], stdout=open(hostDeny, 'a'))
                        deniedDict[ip] = '1'
                        time_str = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(time.time()))
                        print(f'{time_str} --- add ip: {ip} to hosts.deny for invalid password')
    except Exception as e:
        print(f"Error monitoring log: {e}")

if __name__ == '__main__':
    monitorLog(logFile)
```