linux自动屏蔽IP工具



网站首页 \| 控制面板 \| 短消息 \| 搜索 \| 会员 \| 帮助 \| 社区 \| 首页 \| 无图版

常州五颜六色网络技术有限公司 -> 网站建设 -> linux自动屏蔽IP工具	转到动态网页

--> 本页主题: linux自动屏蔽IP工具

加为IE收藏 | 收藏主题 | 上一主题 | 下一主题

deserts

大客部

级别: 总版主
精华: 0
发帖: 327
威望: 2 点
金钱: 605 RMB
贡献值: 0 点
在线时间:328(小时)
注册时间:2006-01-01

linux自动屏蔽IP工具

另存为 firewall.sh 给执行的权限 rAM{<
U#G0
#!/bin/sh f{t5r
# this program is used to check tcp/ip connections PsjSL8]
# and block those ip with excessive connections U\*}}
" ;8H;U`
# my version 7y""#-}V[r
myver="1.0RC1" BGh1hyJ8d
*UJ.cQ}
# wake up every 120s if last check found abuse client ]|KOc& y:I
wakeup_time_min=120 ]q~_
I?<5 %
# wake up every 300s if last check found no abuse client SM;UNIRVE
wakeup_time_max=300 0&XdCoIe
2NMS'"8
# rule timeout 3600s }ADdKK-
rule_timeout=3600 moz*=a
~gZ"8frl
# check port list K X0{dizZ
portlist="80" A:Y ([
TQhu$z<
# max established connection per ip 'LC-/_g
max_active_conn=8 QT`|"RI%
dC,a~`%O
# iptables chain name WZh%iuI{C
iptables_chain_name="RH-Lokkit-0-50-INPUT" cpLlkR O
)/87<Y;o
# log facility ,y>Sq +
log_facility="local0" .Tm m
(8Ptuh6\\2
# Block policy ! )x2
ipchains_block_policy="DENY" WPu-P
iptables_block_policy="REJECT" B=d :r
d8!yV~Ka
# myself Y W9+.Dc`
myself=`basename $0` U0J_ 3W
&02I-lD4+
mylogger_info() =bHS@h8N<
{ cF V[k'F
logger -p $log_facility.info -t $myself $@ 2>/dev/null Jk=_8Xvr`
} $a#-d;
<p5?yF
mylogger_debug() MUW&m2
{ %M5{-pJ|C
logger -p $log_facility.debug -t $myself $@ 2>/dev/null P y!$r
} "&%Lhyt
NCa3")k
mylogger_notice() n@$("p
{ k?;@5r)y-
logger -p $log_facility.notice -t $myself $@ 2>/dev/null L_sDbAT~<
} ZJ8"5RW
;_S DW
dotimeout() }2hU7YWt
{ l:+$Ks
mylogger_info "reset firewall when timeout arrives" \Mzr[dI
case "$firewall" in dUL*~%2I
ipchains) JAX`iQd
/etc/init.d/ipchains restart 1>/dev/null 2>/dev/null `=lo.c
if [ $? = 0 ] ; then 3 MCV?"0
mylogger_info "ipchains restarted" &2nICAN[
else -/:!AxIH
mylogger_notice "ipchains restart failed" TBZhL
fi "E@A~<RKP
;; L}7 TM:%
iptables) U ]W"
/etc/init.d/iptables restart 1>/dev/null 2>/dev/null N2 t`
if [ $? = 0 ] ; then N85ZbmU~
mylogger_info "iptables restarted" T*g}^TEh
else Fkg%_v$
mylogger_notice "iptables restart failed" '#>Fe`[
fi S|T_<FCY
;; mi1^hl'2
*) S..8,5mBH
mylogger_notice "neither ipchains nor iptables" Vvp{y
;; 7VskZbj\
esac .V\~#Ro$G
v V;]?
} H/k]u)Gtv
J1w3g,
blockclient() ~*J <lln
{ $5\!ws<cZ
if [ -z "$1" ] || [ -z "$2" ]; then f,|;eF-Z
mylogger_notice "blockclient() missing client or port to block" Q&lb]U+\u
return %%I:L~c
fi 1r*yYm'
local ip port u\ /TR#b
j?T>S]xOX
ip=$1 J_j4Zb% K
port=$2 M,yxPHlN
68w~I7 D>
case "$firewall" in \zBZ$5 rE
ipchains) L?P[{Ohh/
mylogger_notice "blocking $1 to $2 via ipchains" R?,v:S&i7;
found=`ipchains -nL | egrep "^$ipchains_block_policy.*[[:space:]]+$ip[[:space:]]+.*[[:space:]]+\->[[:space:]]+$port"` 44w "U%+
if [ -z "$found" ] ; then m*h O@M
cmd="ipchains -I input 1 -p tcp -s $ip -d 0/0 $port -j $ipchains_block_policy 1>/dev/null 2>/dev/null" =h?%<2t9<
mylogger_debug "cmd: $cmd" &B1!,joH~
`ipchains -I input 1 -p tcp -s $ip -d 0/0 $port -j $ipchains_block_policy 1>/dev/null 2>/dev/null` s<:);-tL
if [ $? != 0 ] ; then OwgPgrV
mylogger_notice "$cmd call failed" `#r/L@QI
return %,@e- &>
fi Nr"GxezU+A
new_block=1 &N3a`Ua
ever_block=1 [iyhrc:@
else jxq89x
mylogger_info "$ip already blocked to $port" ;Yg/y
fi 8Bxb~*
;; `}}|QP5xG
iptables) OKj\>3
mylogger_notice "blocking $1 to $2 via iptables" m (kKUv
found=`iptables -nL | egrep "^$iptables_block_policy.*[[:space:]]+$ip[[:space:]]+.*[[:space:]]+dpt:$port[[:space:]]+"` [?]p I
if [ -z "$found" ] ; then Jx Rn)D
cmd="iptables -I $iptables_chain_name 1 -p tcp -m tcp -s $ip --dport $port -j $iptables_block_policy 1>/dev/null 2>/dev/null" =#%Vs>G
mylogger_debug "cmd: $cmd" Rp}Sm,w(
`iptables -I $iptables_chain_name 1 -p tcp -m tcp -s $ip --dport $port -j $iptables_block_policy 1>/dev/null 2>/dev/null` %kQ[zd^
if [ $? != 0 ] ; then _M- PF$
mylogger_notice "$cmd call failed" ^Uik{x
return d! _8+~
fi )hfI,9I~
new_block=1 ;\Pq
ever_block=1 g'.(te |
else (;++a9GK
mylogger_info "$ip already blocked to $port" 8fb<hq<
fi 9aY}+hgb#
;; 6"GHVFB
*) <+p{U(
mylogger_notice "neither ipchains nor iptables" 1u_< 1X3
;; @kB^~Wf
esac Q;2n
} 3TNj*jo
$ I|K<slV
restartservice() 70T{tB
{ jmn<gJ2Of
local service n~?n+\.&a
if [ -z "$1" ] ; then /fC8jdp&
mylogger_notice "no port given to see which service to be restart" c"`CvQO64
return XjU/7Q
fi @wx
b' fcWp0
case "$1" in 9<-7AN}Z
80) {# Vp`ji
service="httpd" ja+PVf
;; NRDXWscb
25) xpB*>zb
service="postfix" n1;zml:7_
;; `xF^9;5mi
110) QpiA~ 4
service="courier-pop3d" r!y3VmJ'm
;; s&F& *5W
21) nUf0TkA
service="muddleftpd" e)*-<AGwC
;; tx,q=.(
53) BD?u|Fd,i:
service="named" <7_s'UAL!
;; a [@Y>
3306) =B0AG9Fz
service="mysqld" |o<c`:;kt
;; )>,ndKT~
esac Scfe6+\EW
if [ ! -z "$service" ] ; then &[P(}??Y\
/etc/init.d/$service restart 1>/dev/null 2>/dev/null fLZ mQO
if [ $? = 0 ] ; then _6-N+FI
mylogger_notice "$service restarted" $bl<mG%#9
else Hi nJ}MF
mylogger_notice "$service restart failed" %LBf' iA
fi RQU-]qQ8BM
fi (t5vBUj
} )JY#8,{w
+I+RNXR/{
docheckport() PZj}]d `
{ 5t|$Yt[
mylogger_info "do check port $1" J^!wk9q
local port last_client count client total_count W9]0 X
!QCErE;r
if [ -z "$1" ] ; then AoY!f'Z
mylogger_notice "docheckport() port not given" jQ8 T
return 0}M'>
fi Mm!;+bM%
PP]7_h^2
port=$1 :w)9(5
3GrIHiCr
clientlist=`netstat -an --tcp| grep ESTABLISHED | awk "{ if ( index(\\$4,\":$port\") ) print \\$5}" | awk -F ':' '{print $1}'|sort` >_$_fB
if [ $? != 0 ] ; then i~)EUF
mylogger_notice "netstat call failed" wk'&n^_br
return X~/-,oV=A
fi 1H-~+lf
#echo $clientlist qn'TIE.
# reset new_block e_g&L)
new_block=0 p*Yx1er1
count=0 @VyNe(U
total_count=0 [k&7h,
last_client="" =W>a~e]/
for client in $clientlist r;E5e]w*-
do 5=}CZYWB
#echo "client is $client" :nfy=*M#
if [ -z "$last_client" ] ; then h cu\c+ A
count=$((count+1)) 9l:[jsk<d
total_count=$((total_count+1)) fhNJB 0
last_client=$client q'IMt7}
else J,s:CBCGL
if [ "$client" = "$last_client" ] ; then NLUO{'uUW
count=$((count+1)) @X9T"
total_count=$((total_count+1)) {~G~=sC$
else bQPO'S4
mylogger_debug "$last_client $count connections" ULs'oT)K;
if [ $count -ge $max_active_conn ] ; then i CB:p
mylogger_notice "client $last_client connection $count >= $max_active_conn" YN7`18u
blockclient $last_client $port }9!}T~NMs
fi m'k>U4
count=1 ug;~dhe~
total_count=$((total_count+1)) a`?Vc}&
last_client=$client "=JE12=u
fi Z%=A[`5]
fi L{&=SR.
done VWzuV&;P
# check the last client u`Y~r<?P(
if [ ! -z "$client" ] ; then L=M'QJl9
count=$((count+1)) t~) g)=>
total_count=$((total_count+1)) Np+pJc1
mylogger_debug "$client $count connections" %T\2.vl
if [ $count -ge $max_active_conn ] ; then 'iDkAmvD
mylogger_notice "client $client connection $count >= $max_active_conn" ^=PY6!iW
blockclient $client $port x\VP X
fi )e6sg]#
fi +Z"[2Dm
mylogger_info "total connections on port $port: $total_count" LX=v _}l J
$ d,{I8d
if [ $new_block = 1 ] ; then P6=5:-Hh
restartservice $port 2+g'ul`
fi giW9b_
} D>Rlm,U
VRSBf;?
docheckall() 8=?U7aw
{ 1Y~'U =9
# reset wakeup_time vmo!
wakeup_time=$wakeup_time_max UDnCHGq
for port in $portlist h,b_8g{!
do JRAU|gr
docheckport $port vu*9(t)EC
if [ $new_block = 1 ] ; then l\d[S]
# set wakeup_time shorter cause we found some abuse client C+mPl+}w
wakeup_time=$wakeup_time_min Ln/*lLIOb
fi C]ax}P>BQ
done qQ,(O5$|
} V|{~9^
6Yqqq[#V/
if [ -z "$firewall" ] && [ -f /etc/sysconfig/ipchains ] ; then %(s2{$3
firewall="ipchains" l SuNZYaO
fi V=Bmpg
V_|HzYJJ5
if [ -z "$firewall" ] && [ -f /etc/sysconfig/iptables ] ; then C?6q]k]r
firewall="iptables" vJ&35nF&
fi +hH7|:JQ
7CX5pRNL
if [ -z "$firewall" ] ; then X'2%'z<
echo "Error: This machine does not have ipchains or iptables firewall support" |I.5]r-EK
exit 1 s>TC~d82
fi +bWo{
KF`mOSP
mylogger_info "firewall.sh v$myver ValueOf.com starting" v6T<K)S
mylogger_info "Firewall is: $firewall" RF\h69]:I
mylogger_info "Port protected: $portlist" H\|H]:CE
mylogger_info "Max connection per ip: $max_active_conn" 8%b-.O:_$
mylogger_info "Min time to check: $wakeup_time_min""s" RggZ'.\
mylogger_info "Max time to check: $wakeup_time_max""s" cs]3Rp^g
mylogger_info "Timeout circle: $rule_timeout""s" lhF)$M
mylogger_info "Output is logged to: $log_facility" mxCqN1:#
1kh()IrA
# if new ip blocked at this check run? D#X&gE
new_block=0 e.;B?0QrV
# if new ip blocked at this timeout run? 9]a!1
ever_block=0 VQ4rEO=t
# reset wakeup_time ER<Z!*2
wakeup_time=$wakeup_time_max M`|E)Y
p@+D$
lasttime=`date +%s` bm(.(0MI
Cvtz&dH
while [ 1 ] PkDh[i9Z|
do @}A3ie'w
curtime=`date +%s` E <h9o>h
timediff=$((curtime-lasttime)) }j|YX&`p
#echo "timediff: $timediff" O3(H_(P
if [ $timediff -ge $rule_timeout ] && [ $ever_block = 1 ] ; then >Gr,!yP
lasttime=$curtime *!yY7 ~#
ever_block=0 DVjsz
dotimeout RJA#cv~f
fi =42NQ{%@;
docheckall zirnur1
mylogger_info "sleep for $wakeup_time""s" ^uWj#
sleep $wakeup_time 3+WostOx
done >&uR=Yd
NIxtT>[+3
eLN[`hJ
MnD^jcx
1. 说明 ]ag^~8bG @
firewall.sh是一个shell脚本程序，每隔一段时间检查tcp连接的统计信息，如果来自某个ip对某个端口的活动连接超过规定的最大数量， CeW}zkcT
则自动将该IP对该端口的访问屏蔽，并重新启动相应的服务。再每隔一段时间，会重设防火墙到初始状态。 lsRW.h,
该程序可以同时保护多个端口 tz`T#9
+pJ~<ug]
2. 安装 [,|;rt\o>
tar zxf firewall-1.0b.tar.gz QDJe:\n
cd firewall-1.0b W,s Pg\G 3
install -m 700 firewall.sh /usr/prima/sbin/firewall.sh a qIpO
DYaOlT(rE
3. 配置 -<M'h
主要配置项目如下： W#lt_2!j
# 最小检查周期，缺省为120秒 |t&gyj
wakeup_time_min=120 =y WHm
V"R,omh
# 最大检查周期，缺省为300秒 t6a$ZN;
wakeup_time_max=600 h\PybSW4s
muKCCWy#
# 重设防火墙状态的时间，缺省为3600秒 A,#a?O6m
rule_timeout=3600 BhC>G2 ^7
G "`t$=0
# 保护的端口列表，缺省为80和25，支持的其他端口包括21(ftp), 110(pop3), 53(named), 3306(mysql) 1@{qPmf^
# 一般的网络攻击都是针对80和25，又以80居多 |]'0z0>
portlist="80 25" {axMS yp;
J{h?=vK
# 每个ip可占用的最大活动（Established）连接数 o0\d`0-el
max_active_conn=8 m(eR Wx&pZ
a<d$P*I(cH
# iptables防火墙规则链名称，必须和/etc/sysconfig/iptables中一致 *>8Y/3Y\B
# 如果用的是ipchains，可以忽略此项 T f;:C]
iptables_chain_name="RH-Lokkit-0-50-INPUT" 32Jl|@8,g
Fooa~C"
# 日志输出目标 %y_AT2A
log_facility="local0" C:$pAE(
5B,HJax
**** 关于检查周期 **** 4N{5i)
程序定义了两个检查周期，如果上次检查中屏蔽了某个IP，则程序会更频繁地检查连接情况，反之则等待更长时间。通过检查周期 rtY4B~_
的动态调整，可以有效调度在遭受攻击和正常状态下程序的运行次数。 N_qKIc_R
7<p?E7
**** ipchains vs iptables **** k=8LhO
目前该程序支持ipchains和iptables两种软件防火墙，使用何种是由程序启动时自动检测的。如果/etc/sysconfig/ipchains和 R4P$zB_<2
/etc/sysconfig/iptables都没有检测到，则报错退出。 |y~un9j+
5*31nMP\
**** 日志输出 **** h`HdM58CQ
程序的输出信息记录在系统日志中，目标是local0。如果没有特殊配置，可以在/var/log/messages中看到。建议在/etc/syslog.conf KQ\ d$fX
中加入一条： TSCc=c
local0.* /var/log/firewall.log Jb4A!g5C
然后重新启动syslog %/(>>*}Kw|
/etc/init.d/syslog restart *zR
这样，可以将firewall.sh输出的日志单独记到文件/var/log/firewall.log里。 "t\gkJyK
4;hgi[
4. 运行 r$Z_Kwe.|&
/usr/prima/sbin/firewall.sh & 4[]/
'!6Py1i
范例输出： xXktMlI
*** firewall.sh v1.0b ValueOf.com*** uM^eoh_
Firewall is: ipchains krC4O2Fkj
Port protected: 80 25 T&]J3TFJ
Max connection per ip: 8 E.kjYIH8
Min time to check: 120s /@<Pn&Rq
Max time to check: 300s ZgcJxWC<
Timeout circle: 3600s ]mN'Qoc
Output is logged to: local0 pb(YA/
) /kf
察看/var/log/firewall.log，可以看到： 2Qqk?;^1
Oct 16 14:08:55 server firewall.sh: do check port 80 // 检查80端口 ^ 2"r't
Oct 16 14:08:55 server firewall.sh: 192.168.0.60 2 connections // 有两个来自192.168.0.60的连接 FYI*44E
Oct 16 14:08:55 server firewall.sh: total connections on port 80: 2 // 80端口总共2个连接 j9@7\N<
Oct 16 14:08:55 server firewall.sh: do check port 25 // 检查25端口 O\h*?, )
Oct 16 14:08:55 server firewall.sh: total connections on port 25: 0 // 25端口没有连接 b]'Uv8fbF
Oct 16 14:08:55 server firewall.sh: sleep for 300s // 等待300秒 la7VeFT
\Kp!G1?_AY
5. 停止 2lVJ"jg
先用ps命令察看firewall.sh进程的进程号，然后用kill命令将其终止，如 UEZnd8
# ps auxww|grep firewall.sh WaY_{)x
root 27932 0.0 0.5 2312 1060 pts/2 S 12:38 0:00 /bin/sh /usr/prima/sbin/firewall.sh _MF:?p,l
root 27967 0.0 0.3 1732 592 pts/2 S 12:39 0:00 grep firewall.sh qPEtMvL #
第一行即firewall.sh的进程，用kill命令： S VCTiG8t
# kill 27932 Tm!pAD
[1] Terminated /usr/prima/sbin/firewall.sh K4\{G
即将其终止

常州电信/网通机房,100M共享/10M独享/1000M共享/100M独享/电信+网通双线路服务器托管

Tel：0519-86605212 QQ：8732391 5y6s Inc.

[楼主] Posted:2008-01-26 02:12|

deserts

大客部

级别: 总版主
精华: 0
发帖: 327
威望: 2 点
金钱: 605 RMB
贡献值: 0 点
在线时间:328(小时)
注册时间:2006-01-01

通过脚本自动屏蔽非法IP http://www.bornin76.cn/?p=31 @y/!`Ziw @;7Ht Z` 最近很是奇怪，我查看我的服务器日志，居然发现有来自全世界[1]的很多人在锲而不舍的试图猜解我的系统密码（遗憾的是还没人可以成功入侵）。我是穷尽我吃奶的智商也想不通，就这么一个破机器（无屏的IBM T23，开博说明里就已经明确说了），上面只是跑了一个可有可无的Blog程序而已，咋就这么多人感兴趣？莫不是都把我这里当成了入侵中央银行的系统入口？我倒是希望这是那个入口哦！ +c tJV> `RyH~4\; 研究了一下，觉得通过对日志文件进行判断，识别出扫描者的IP地址，然后再对其进行处理，这样也许是一种比较不错的简单的解决办法。经过实践，证明这是可行的。脚本代码如下： "eIE5h KT0Pmpp5 KidbcZ #! /bin/bash QB#_Wn .>NPgdI SCANIP=`grep "\`date \"+ %d %H:%M\" -d \"-1min\"\`" /var/log/secure\|awk '/Failed/{print $(NF-3)}'\|sort\|uniq -c\|awk '{print $1"="$2;}'` 11B8 LX kudXwj for i in $SCANIP x{3q'2 do !=?Q>mz NUMBER=`echo $i\|awk -F= '{print $1}'` 6SEq 2 SCANIP=`echo $i\|awk -F= '{print $2}'` ?I7%ueFY echo $NUMBER _+dljP)l3 echo $SCANIP k< if [ $NUMBER -gt 10 ] && [ -z "`iptables -vnL INPUT\|grep $SCANIP`" ] 4SdNYc then _CG ED{b@ iptables -I INPUT -s $SCANIP -m state --state NEW,RELATED,ESTABLISHED -j DROP < X ([VZ echo "`date` $SCANIP($NUMBER)" >> /var/log/scanip.log s ?\|Hw\|j fi "ed A done G.>Ul)O:a Y,{pG]B$w 这个世界终于清静了！有遇到类似情况的朋友可以一试，我的系统是Linux，防火墙是用的Iptables。 y':65NMda yw\| HT sv2XD}} ------------------------------------------------------- uVa`2]NV r O#Ho08Xn 注释： t_id/ \2 M{R 有美国、冰岛、日本、韩国、印度、挪威、唐山、内蒙古、广州等等，不过也许只是同一个人通过IP伪装了而已。
常州电信/网通机房,100M共享/10M独享/1000M共享/100M独享/电信+网通双线路服务器托管 Tel：0519-86605212 QQ：8732391 5y6s Inc.
[1 楼] Posted:2008-01-26 04:39\|


常州五颜六色网络技术有限公司 -> 网站建设

[ 常州五颜六色网络技术有限公司 ]