linux自动屏蔽IP工具

另存为 firewall.sh，并给予执行权限。

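#!/bin/sh
# this program is used to check tcp/ip connections
# and block those ip with excessive connections
#
# On every wakeup the script counts ESTABLISHED tcp connections per remote
# address on each port in $portlist and inserts a firewall rule for every
# address at or above $max_active_conn. Once $rule_timeout seconds have
# passed with at least one block in place, the firewall init script is
# restarted so those rules are dropped again. The variables below are the
# only tunables; $firewall may also be preset in the environment to skip
# autodetection.

# my version
myver="1.0RC1"

# wake up every 120s if last check found abuse client
wakeup_time_min=120

# wake up every 300s if last check found no abuse client
wakeup_time_max=300

# rule timeout 3600s
rule_timeout=3600

# check port list (space separated tcp ports)
portlist="80"

# max established connection per ip
max_active_conn=8

# iptables chain name; must match the chain used in /etc/sysconfig/iptables
iptables_chain_name="RH-Lokkit-0-50-INPUT"

# log facility
log_facility="local0"

# Block policy
ipchains_block_policy="DENY"
iptables_block_policy="REJECT"

# myself: script name used as the syslog tag. Quoted so that a path with
# spaces is not split before basename sees it.
myself=$(basename -- "$0")
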
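#######################################
# Send an informational message to syslog.
# Globals:   log_facility, myself (read)
# Arguments: message words, passed through unchanged ("$@" keeps each
#            argument intact instead of re-splitting and globbing it)
# Outputs:   nothing on stdout; logger errors are discarded
#######################################
mylogger_info()
{
  logger -p "$log_facility.info" -t "$myself" "$@" 2>/dev/null
}
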
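#######################################
# Send a debug-level message to syslog.
# Globals:   log_facility, myself (read)
# Arguments: message words, passed through unchanged ("$@" keeps each
#            argument intact instead of re-splitting and globbing it)
# Outputs:   nothing on stdout; logger errors are discarded
#######################################
mylogger_debug()
{
  logger -p "$log_facility.debug" -t "$myself" "$@" 2>/dev/null
}
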
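#######################################
# Send a notice-level message to syslog (used for blocks and failures).
# Globals:   log_facility, myself (read)
# Arguments: message words, passed through unchanged ("$@" keeps each
#            argument intact instead of re-splitting and globbing it)
# Outputs:   nothing on stdout; logger errors are discarded
#######################################
mylogger_notice()
{
  logger -p "$log_facility.notice" -t "$myself" "$@" 2>/dev/null
}
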
#######################################
# Reset the firewall to its initial rule set by restarting its init script,
# which drops every rule this script inserted since the last reset.
# Globals:   firewall (read) - "ipchains" or "iptables"
# Arguments: none
# Outputs:   nothing on stdout; progress goes to syslog
#######################################
dotimeout()
{
  mylogger_info "reset firewall when timeout arrives"
  case "$firewall" in
    ipchains|iptables)
      # Both flavours are handled the same way: /etc/init.d/<flavour> restart.
      if /etc/init.d/"$firewall" restart >/dev/null 2>&1; then
        mylogger_info "$firewall restarted"
      else
        mylogger_notice "$firewall restart failed"
      fi
      ;;
    *)
      mylogger_notice "neither ipchains nor iptables"
      ;;
  esac
}

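#######################################
# Insert a firewall rule that blocks source address $1 from tcp port $2,
# unless the current rule listing already shows such a rule.
# Globals:   firewall, ipchains_block_policy, iptables_block_policy,
#            iptables_chain_name (read); new_block, ever_block (set to 1
#            when a rule was inserted)
# Arguments: $1 - client IP address (taken from parsed netstat output)
#            $2 - destination tcp port
# Returns:   status of the last command run; callers do not check it
#######################################
blockclient()
{
  local ip port ip_re found cmd
  if [ -z "$1" ] || [ -z "$2" ]; then
    mylogger_notice "blockclient() missing client or port to block"
    return
  fi
  ip=$1
  port=$2

  # Both values end up on a firewall command line; accept only digits and
  # dots for the address and digits for the port.
  case "$ip" in
    *[!0-9.]*)
      mylogger_notice "blockclient() refusing malformed address $ip"
      return
      ;;
  esac
  case "$port" in
    *[!0-9]*)
      mylogger_notice "blockclient() refusing malformed port $port"
      return
      ;;
  esac
  # Escape the dots for grep -E, so that "1.2.3.4" cannot match a listed
  # rule for "122.3.4" and be reported as already blocked.
  ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')

  case "$firewall" in
    ipchains)
      mylogger_notice "blocking $ip to $port via ipchains"
      found=$(ipchains -nL | grep -E "^$ipchains_block_policy.*[[:space:]]+$ip_re[[:space:]]+.*[[:space:]]+->[[:space:]]+$port")
      if [ -n "$found" ]; then
        mylogger_info "$ip already blocked to $port"
        return
      fi
      cmd="ipchains -I input 1 -p tcp -s $ip -d 0/0 $port -j $ipchains_block_policy"
      mylogger_debug "cmd: $cmd"
      # Run the command directly; the original wrapped it in backticks, which
      # only worked because the command prints nothing.
      if ! ipchains -I input 1 -p tcp -s "$ip" -d 0/0 "$port" -j "$ipchains_block_policy" >/dev/null 2>&1; then
        mylogger_notice "$cmd call failed"
        return
      fi
      new_block=1
      ever_block=1
      ;;
    iptables)
      mylogger_notice "blocking $ip to $port via iptables"
      found=$(iptables -nL | grep -E "^$iptables_block_policy.*[[:space:]]+$ip_re[[:space:]]+.*[[:space:]]+dpt:$port[[:space:]]+")
      if [ -n "$found" ]; then
        mylogger_info "$ip already blocked to $port"
        return
      fi
      cmd="iptables -I $iptables_chain_name 1 -p tcp -m tcp -s $ip --dport $port -j $iptables_block_policy"
      mylogger_debug "cmd: $cmd"
      if ! iptables -I "$iptables_chain_name" 1 -p tcp -m tcp -s "$ip" --dport "$port" -j "$iptables_block_policy" >/dev/null 2>&1; then
        mylogger_notice "$cmd call failed"
        return
      fi
      new_block=1
      ever_block=1
      ;;
    *)
      mylogger_notice "neither ipchains nor iptables"
      ;;
  esac
}
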
#######################################
# Restart the init script of the service that listens on port $1, so that
# connections from a freshly blocked client are torn down.
# Globals:   none
# Arguments: $1 - tcp port whose service should be restarted
# Outputs:   nothing on stdout; result goes to syslog
# Returns:   0 for ports without a known service
#######################################
restartservice()
{
  local service
  if [ -z "$1" ]; then
    mylogger_notice "no port given to see which service to be restart"
    return
  fi

  # Port -> init script name.
  case "$1" in
    80)   service="httpd" ;;
    25)   service="postfix" ;;
    110)  service="courier-pop3d" ;;
    21)   service="muddleftpd" ;;
    53)   service="named" ;;
    3306) service="mysqld" ;;
  esac
  if [ -z "$service" ]; then
    # Ports without a mapping are left alone.
    return 0
  fi
  if /etc/init.d/"$service" restart >/dev/null 2>&1; then
    mylogger_notice "$service restarted"
  else
    mylogger_notice "$service restart failed"
  fi
}

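#######################################
# Log the connection count of one remote address and block it when the
# count reaches max_active_conn.
# Globals:   max_active_conn (read)
# Arguments: $1 - remote address, $2 - its connection count, $3 - local port
#######################################
_docheck_report()
{
  mylogger_debug "$1 $2 connections"
  if [ "$2" -ge "$max_active_conn" ]; then
    mylogger_notice "client $1 connection $2 >= $max_active_conn"
    blockclient "$1" "$3"
  fi
}

#######################################
# Count ESTABLISHED tcp connections to local port $1 per remote address and
# hand every address at or above max_active_conn to blockclient. When at
# least one new rule was inserted, the service behind the port is restarted.
# Globals:   max_active_conn (read); new_block (reset to 0 here, set to 1 by
#            blockclient)
# Arguments: $1 - local tcp port to inspect
# Outputs:   nothing on stdout; counts go to syslog
#######################################
docheckport()
{
  mylogger_info "do check port $1"
  local port raw clientlist last_client count client total_count

  if [ -z "$1" ]; then
    mylogger_notice "docheckport() port not given"
    return
  fi
  port=$1

  # Capture netstat on its own so that its exit status is the one checked;
  # in a pipeline only the last stage's status would be visible.
  if ! raw=$(netstat -an --tcp); then
    mylogger_notice "netstat call failed"
    return
  fi
  # Column 4 is the local address, column 5 the remote one. The port is
  # passed to awk with -v and compared as a ":port" suffix, so ":80" no
  # longer matches a local ":8080" and nothing is interpolated into the
  # awk program text.
  clientlist=$(printf '%s\n' "$raw" | grep ESTABLISHED \
    | awk -v p=":$port" 'substr($4, length($4) - length(p) + 1) == p { print $5 }' \
    | awk -F ':' '{ print $1 }' | sort)

  # reset new_block
  new_block=0
  count=0
  total_count=0
  last_client=""
  # The list is sorted, so equal addresses are adjacent.
  for client in $clientlist; do
    total_count=$((total_count + 1))
    if [ "$client" = "$last_client" ]; then
      count=$((count + 1))
      continue
    fi
    # A new address starts: report the previous one first.
    if [ -n "$last_client" ]; then
      _docheck_report "$last_client" "$count" "$port"
    fi
    last_client=$client
    count=1
  done
  # The loop only reports an address once the next one starts, so the final
  # address is still pending. The original code incremented count and
  # total_count once more here, over-counting the last client by one.
  if [ -n "$last_client" ]; then
    _docheck_report "$last_client" "$count" "$port"
  fi
  mylogger_info "total connections on port $port: $total_count"

  if [ "$new_block" = 1 ]; then
    restartservice "$port"
  fi
}
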
#######################################
# Run docheckport for every port in $portlist and pick the next sleep
# interval: the short one when any port produced a new block, else the long one.
# Globals:   portlist, wakeup_time_min, wakeup_time_max, new_block (read);
#            wakeup_time (written); port (loop variable, left global as before)
# Arguments: none
#######################################
docheckall()
{
  # Start from the long interval; a hit on any port shortens it.
  wakeup_time=$wakeup_time_max
  for port in $portlist; do
    docheckport "$port"
    if [ "$new_block" = 1 ]; then
      wakeup_time=$wakeup_time_min
    fi
  done
}

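# Pick the firewall flavour from the sysconfig file that exists, unless
# $firewall was already set in the environment.
if [ -z "$firewall" ] && [ -f /etc/sysconfig/ipchains ]; then
  firewall="ipchains"
fi

if [ -z "$firewall" ] && [ -f /etc/sysconfig/iptables ]; then
  firewall="iptables"
fi

if [ -z "$firewall" ]; then
  # Diagnostics go to stderr; the original printed this on stdout.
  printf '%s\n' "Error: This machine does not have ipchains or iptables firewall support" >&2
  exit 1
fi

mylogger_info "firewall.sh v$myver ValueOf.com starting"
mylogger_info "Firewall is:       $firewall"
mylogger_info "Port protected:     $portlist"
mylogger_info "Max connection per ip: $max_active_conn"
mylogger_info "Min time to check:   $wakeup_time_min""s"
mylogger_info "Max time to check:   $wakeup_time_max""s"
mylogger_info "Timeout circle:     $rule_timeout""s"
mylogger_info "Output is logged to:   $log_facility"

# if new ip blocked at this check run?
new_block=0
# if new ip blocked at this timeout run?
ever_block=0
# reset wakeup_time
wakeup_time=$wakeup_time_max

lasttime=$(date +%s)

# Main loop: reset the firewall once per rule_timeout if anything was blocked
# in that window, then check all ports and sleep for the interval docheckall
# chose.
while :; do
  curtime=$(date +%s)
  timediff=$((curtime - lasttime))
  # Only restart the firewall when a rule was actually inserted since the
  # last reset; otherwise there is nothing to drop.
  if [ "$timediff" -ge "$rule_timeout" ] && [ "$ever_block" = 1 ]; then
    lasttime=$curtime
    ever_block=0
    dotimeout
  fi
  docheckall
  mylogger_info "sleep for $wakeup_time""s"
  sleep "$wakeup_time"
done
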
1. 说明
firewall.sh是一个shell脚本程序,每隔一段时间检查tcp连接的统计信息,如果来自某个ip对某个端口的活动连接超过规定的最大数量,
则自动将该IP对该端口的访问屏蔽,并重新启动相应的服务。再每隔一段时间,会重设防火墙到初始状态。
该程序可以同时保护多个端口。
+pJ~<ug]  
2. 安装
tar zxf firewall-1.0b.tar.gz
cd firewall-1.0b
install -m 700 firewall.sh /usr/prima/sbin/firewall.sh
DYaOlT(rE  
3. 配置
主要配置项目如下:
# 最小检查周期,缺省为120秒
wakeup_time_min=120

# 最大检查周期,缺省为300秒
wakeup_time_max=600

# 重设防火墙状态的时间,缺省为3600秒
rule_timeout=3600

# 保护的端口列表,缺省为80和25,支持的其他端口包括21(ftp), 110(pop3), 53(named), 3306(mysql)
# 一般的网络攻击都是针对80和25,又以80居多
portlist="80 25"

# 每个ip可占用的最大活动(Established)连接数
max_active_conn=8

# iptables防火墙规则链名称,必须和/etc/sysconfig/iptables中一致
# 如果用的是ipchains,可以忽略此项
iptables_chain_name="RH-Lokkit-0-50-INPUT"

# 日志输出目标
log_facility="local0"
5B,HJax  
**** 关于检查周期 ****
程序定义了两个检查周期,如果上次检查中屏蔽了某个IP,则程序会更频繁地检查连接情况,反之则等待更长时间。通过检查周期
的动态调整,可以有效调度在遭受攻击和正常状态下程序的运行次数。
7<p? E7  
**** ipchains vs iptables ****
目前该程序支持ipchains和iptables两种软件防火墙,使用何种是由程序启动时自动检测的。如果/etc/sysconfig/ipchains和
/etc/sysconfig/iptables都没有检测到,则报错退出。
5*31nMP\  
**** 日志输出 ****
程序的输出信息记录在系统日志中,目标是local0。如果没有特殊配置,可以在/var/log/messages中看到。建议在/etc/syslog.conf
中加入一条:
local0.*                 /var/log/firewall.log
然后重新启动syslog:
/etc/init.d/syslog restart
这样,可以将firewall.sh输出的日志单独记到文件/var/log/firewall.log里。
4;hgi[  
4. 运行
/usr/prima/sbin/firewall.sh &

范例输出:
*** firewall.sh v1.0b ValueOf.com***
Firewall is:       ipchains
Port protected:     80 25
Max connection per ip: 8
Min time to check:   120s
Max time to check:   300s
Timeout circle:     3600s
Output is logged to:   local0
) /kf  
察看/var/log/firewall.log,可以看到:
Oct 16 14:08:55 server firewall.sh: do check port 80                   // 检查80端口
Oct 16 14:08:55 server firewall.sh: 192.168.0.60 2 connections             // 有两个来自192.168.0.60的连接
Oct 16 14:08:55 server firewall.sh: total connections on port 80: 2         // 80端口总共2个连接
Oct 16 14:08:55 server firewall.sh: do check port 25                   // 检查25端口
Oct 16 14:08:55 server firewall.sh: total connections on port 25: 0         // 25端口没有连接
Oct 16 14:08:55 server firewall.sh: sleep for 300s                     // 等待300秒
\Kp!G1?_AY  
5. 停止
先用ps命令察看firewall.sh进程的进程号,然后用kill命令将其终止,如:
# ps auxww|grep firewall.sh
root   27932 0.0 0.5 2312 1060 pts/2   S   12:38   0:00 /bin/sh /usr/prima/sbin/firewall.sh
root   27967 0.0 0.3 1732 592 pts/2   S   12:39   0:00 grep firewall.sh
第一行即firewall.sh的进程,用kill命令:
# kill 27932
[1]   Terminated             /usr/prima/sbin/firewall.sh
即将其终止。


通过脚本自动屏蔽非法IP

http://www.bornin76.cn/?p=31

最近很是奇怪,我查看我的服务器日志,居然发现有来自全世界[1]的很多人在锲而不舍地试图猜解我的系统密码(遗憾的是还没人可以成功入侵)。我是穷尽我吃奶的智商也想不通,就这么一个破机器(无屏的IBM T23,开博说明里就已经明确说了),上面只是跑了一个可有可无的Blog程序而已,咋就这么多人感兴趣?莫不是都把我这里当成了入侵中央银行的系统入口?我倒是希望这是那个入口哦!

研究了一下,觉得通过对日志文件进行判断,识别出扫描者的IP地址,然后再对其进行处理,这样也许是一种比较不错的简单的解决办法。经过实践,证明这是可行的。脚本代码如下:

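#! /bin/bash
# Block addresses that produced more than ten "Failed" entries in
# /var/log/secure during the previous minute, unless the INPUT chain already
# holds a rule mentioning the address. Every new block is appended to
# /var/log/scanip.log.

# Timestamp of the previous minute in the log's own format (leading space
# kept, as in the original pattern). It is matched as a fixed string.
stamp=$(date "+ %d %H:%M" -d "-1min")

# "count=ip" pairs. $(NF-3) is assumed to be the source address of a
# "Failed" line in this sshd log format — confirm against the local log.
SCANIP=$(grep -F -- "$stamp" /var/log/secure | awk '/Failed/{print $(NF-3)}' | sort | uniq -c | awk '{print $1"="$2;}')

for i in $SCANIP; do
  # Split "count=ip" with parameter expansion instead of two awk processes.
  # The original reused SCANIP for the address, shadowing the list variable.
  NUMBER=${i%%=*}
  ip=${i#*=}
  printf '%s\n' "$NUMBER"
  printf '%s\n' "$ip"
  # -F keeps the dots literal and -w stops 1.2.3.4 from matching an existing
  # rule for 1.2.3.45, which would otherwise skip the block.
  if [ "$NUMBER" -gt 10 ] && ! iptables -vnL INPUT | grep -qwF -- "$ip"; then
    iptables -I INPUT -s "$ip" -m state --state NEW,RELATED,ESTABLISHED -j DROP
    printf '%s\n' "$(date) $ip($NUMBER)" >> /var/log/scanip.log
  fi
done
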
这个世界终于清静了!有遇到类似情况的朋友可以一试,我的系统是Linux,防火墙是用的Iptables。


-------------------------------------------------------

注释:

[1] 有美国、冰岛、日本、韩国、印度、挪威、唐山、内蒙古、广州等等,不过也许只是同一个人通过IP伪装了而已。

