deserts



linux自动屏蔽IP工具

另存为 firewall.sh，并赋予执行权限。
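#!/bin/sh
# this program is used to check tcp/ip connections
# and block those ip with excessive connections
#
# Configuration: every value below is edited in place.  The firewall
# flavour (ipchains or iptables) is detected at start-up from
# /etc/sysconfig, see the bottom of the script.

# my version
myver="1.0RC1"

# wake up every 120s if last check found abuse client
wakeup_time_min=120

# wake up every 300s if last check found no abuse client
wakeup_time_max=300

# rule timeout 3600s: once this much time has passed since the last reset
# (and a client was blocked meanwhile) the firewall init script is
# restarted, see dotimeout
rule_timeout=3600

# check port list (space separated; restartservice knows which service
# belongs to which port)
portlist="80"

# max established connection per ip: a client with this many or more
# ESTABLISHED connections to one protected port gets blocked
max_active_conn=8

# iptables chain name the block rules are inserted into
iptables_chain_name="RH-Lokkit-0-50-INPUT"

# log facility used by the mylogger_* helpers
log_facility="local0"

# Block policy (rule target) for each firewall flavour
ipchains_block_policy="DENY"
iptables_block_policy="REJECT"

# myself: script name, used as the syslog tag.  Parameter expansion
# instead of an unquoted `basename $0` fork.
myself=${0##*/}
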
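mylogger_info()
{
  # Log "$@" to syslog at priority $log_facility.info, tagged with the
  # script name.  The arguments are passed quoted so logger receives them
  # as given; logger's own errors are discarded.
  logger -p "$log_facility.info" -t "$myself" -- "$@" 2>/dev/null
}
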
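mylogger_debug()
{
  # Log "$@" to syslog at priority $log_facility.debug, tagged with the
  # script name.  The arguments are passed quoted so logger receives them
  # as given; logger's own errors are discarded.
  logger -p "$log_facility.debug" -t "$myself" -- "$@" 2>/dev/null
}
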
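mylogger_notice()
{
  # Log "$@" to syslog at priority $log_facility.notice, tagged with the
  # script name.  The arguments are passed quoted so logger receives them
  # as given; logger's own errors are discarded.
  logger -p "$log_facility.notice" -t "$myself" -- "$@" 2>/dev/null
}
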
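dotimeout()
{
  # Reset the firewall by restarting the init script of the detected
  # flavour.  Called from the main loop once $rule_timeout seconds have
  # passed since the last reset and a client was blocked meanwhile;
  # presumably the restart reloads the saved rule set and so drops the
  # rules blockclient inserted at run time.
  # Globals:  firewall (read)
  # Outputs:  result via syslog only
  mylogger_info "reset firewall when timeout arrives"
  case "$firewall" in
    ipchains|iptables)
      # both flavours share the same init script layout, so one branch
      # covers them; the log text is identical to the former per-flavour
      # messages
      if /etc/init.d/"$firewall" restart >/dev/null 2>&1; then
        mylogger_info "$firewall restarted"
      else
        mylogger_notice "$firewall restart failed"
      fi
      ;;
    *)
      mylogger_notice "neither ipchains nor iptables"
      ;;
  esac
}
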
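blockclient()
{
  # Insert a firewall rule that blocks TCP traffic from client $1 to local
  # port $2, unless a rule with the same target, source and port is
  # already listed.  After inserting a rule the globals new_block and
  # ever_block are set to 1 so the caller restarts the service and the
  # main loop schedules a reset.
  # Arguments: $1 - client IP address, $2 - destination port
  # Globals:   firewall, ipchains_block_policy, iptables_block_policy,
  #            iptables_chain_name (read); new_block, ever_block (written)
  # Returns:   0; failures are only reported through syslog
  local ip port ip_re found cmd

  if [ -z "$1" ] || [ -z "$2" ]; then
    mylogger_notice "blockclient() missing client or port to block"
    return
  fi
  ip=$1
  port=$2
  # the address is interpolated into an egrep pattern below; escape the
  # dots so e.g. 1.2.3.4 cannot also match 1x2x3x4
  ip_re=$(printf '%s\n' "$ip" | sed 's/\./\\./g')

  case "$firewall" in
    ipchains)
      mylogger_notice "blocking $ip to $port via ipchains"
      found=$(ipchains -nL | egrep "^$ipchains_block_policy.*[[:space:]]+$ip_re[[:space:]]+.*[[:space:]]+\->[[:space:]]+$port")
      if [ -z "$found" ]; then
        # $cmd is only the text logged for debugging; the command itself
        # is run directly instead of through a command substitution
        cmd="ipchains -I input 1 -p tcp -s $ip -d 0/0 $port -j $ipchains_block_policy 1>/dev/null 2>/dev/null"
        mylogger_debug "cmd: $cmd"
        if ! ipchains -I input 1 -p tcp -s "$ip" -d 0/0 "$port" -j "$ipchains_block_policy" >/dev/null 2>&1; then
          mylogger_notice "$cmd call failed"
          return
        fi
        new_block=1
        ever_block=1
      else
        mylogger_info "$ip already blocked to $port"
      fi
      ;;
    iptables)
      mylogger_notice "blocking $ip to $port via iptables"
      found=$(iptables -nL | egrep "^$iptables_block_policy.*[[:space:]]+$ip_re[[:space:]]+.*[[:space:]]+dpt:$port[[:space:]]+")
      if [ -z "$found" ]; then
        cmd="iptables -I $iptables_chain_name 1 -p tcp -m tcp -s $ip --dport $port -j $iptables_block_policy 1>/dev/null 2>/dev/null"
        mylogger_debug "cmd: $cmd"
        if ! iptables -I "$iptables_chain_name" 1 -p tcp -m tcp -s "$ip" --dport "$port" -j "$iptables_block_policy" >/dev/null 2>&1; then
          mylogger_notice "$cmd call failed"
          return
        fi
        new_block=1
        ever_block=1
      else
        mylogger_info "$ip already blocked to $port"
      fi
      ;;
    *)
      mylogger_notice "neither ipchains nor iptables"
      ;;
  esac
}
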
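restartservice()
{
  # Restart the init.d service that listens on port $1.  Called after a
  # new block rule was inserted for that port; only the ports in the
  # table below are known, any other port is ignored silently.
  # Arguments: $1 - port number
  # Outputs:   result via syslog only
  # Returns:   0
  local service
  if [ -z "$1" ]; then
    mylogger_notice "no port given to see which service to be restart"
    return
  fi

  case "$1" in
    80)   service="httpd" ;;
    25)   service="postfix" ;;
    110)  service="courier-pop3d" ;;
    21)   service="muddleftpd" ;;
    53)   service="named" ;;
    3306) service="mysqld" ;;
    *)    return 0 ;;
  esac
  if /etc/init.d/"$service" restart >/dev/null 2>&1; then
    mylogger_notice "$service restarted"
  else
    mylogger_notice "$service restart failed"
  fi
}
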
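docheckport()
{
  # Count the ESTABLISHED TCP connections to local port $1 per remote
  # address and hand every address with $max_active_conn or more of them
  # to blockclient.  When that inserted a new rule (new_block=1) the
  # service on the port is restarted.
  # Arguments: $1 - port number
  # Globals:   max_active_conn (read); new_block (reset to 0 here, set by
  #            blockclient); clientlist (written)
  # Outputs:   counts via syslog only
  mylogger_info "do check port $1"
  local port last_client count client total_count netstat_out

  if [ -z "$1" ]; then
    mylogger_notice "docheckport() port not given"
    return
  fi
  port=$1

  # netstat is run on its own so its exit status is visible; in the old
  # pipeline only the status of the final sort was checked
  netstat_out=$(netstat -an --tcp)
  if [ $? != 0 ]; then
    mylogger_notice "netstat call failed"
    return
  fi
  # One remote address per line, sorted so that equal addresses are
  # adjacent.  The port match is anchored to the end of the local address
  # so that port 80 no longer matches 8080 as the substring test did.
  # Only the first ':'-separated field of the foreign address is kept,
  # so an IPv6 peer yields an empty field and is dropped by the unquoted
  # expansion in the loop below (same as before).
  clientlist=$(printf '%s\n' "$netstat_out" \
    | awk -v port="$port" '/ESTABLISHED/ && $4 ~ (":" port "$") { split($5, a, ":"); print a[1] }' \
    | sort)

  new_block=0
  count=0
  total_count=0
  last_client=""
  for client in $clientlist; do
    total_count=$((total_count+1))
    if [ "$client" = "$last_client" ]; then
      count=$((count+1))
      continue
    fi
    # address changed: the run for the previous address is complete
    docheckport_evaluate "$last_client" "$count" "$port"
    last_client=$client
    count=1
  done
  # the run for the last address is not followed by a change, so it is
  # evaluated here.  Its count is already complete: the old code added
  # one more here, reporting the last address (and the total) one too
  # high and blocking it one connection early.
  docheckport_evaluate "$last_client" "$count" "$port"
  mylogger_info "total connections on port $port: $total_count"

  if [ "$new_block" = 1 ]; then
    restartservice "$port"
  fi
}

# Helper for docheckport: log the connection count of one address and
# block the address when the count reaches max_active_conn.  Does nothing
# when the address is empty (no run collected yet).
# Arguments: $1 - client address, $2 - connection count, $3 - port
# Globals:   max_active_conn (read)
docheckport_evaluate()
{
  local client count port
  [ -n "$1" ] || return 0
  client=$1
  count=$2
  port=$3
  mylogger_debug "$client $count connections"
  if [ "$count" -ge "$max_active_conn" ]; then
    mylogger_notice "client $client connection $count >= $max_active_conn"
    blockclient "$client" "$port"
  fi
}
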
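docheckall()
{
  # Run docheckport for every port in $portlist and choose the sleep
  # interval for the main loop: the short one when any port produced a
  # new block, otherwise the long one.
  # Globals: portlist, wakeup_time_min, wakeup_time_max (read);
  #          wakeup_time (written); new_block (read, set by docheckport)
  local port
  # reset wakeup_time
  wakeup_time=$wakeup_time_max
  # $portlist is a space separated list, the unquoted expansion is
  # intentional
  for port in $portlist; do
    docheckport "$port"
    if [ "$new_block" = 1 ]; then
      # set wakeup_time shorter cause we found some abuse client
      wakeup_time=$wakeup_time_min
    fi
  done
}
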
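# Detect the firewall flavour from the Red Hat style config files unless
# $firewall was already set (e.g. from the environment); ipchains wins
# when both files exist.  Without either the script cannot block anyone
# and exits.
if [ -z "$firewall" ] && [ -f /etc/sysconfig/ipchains ]; then
  firewall="ipchains"
fi

if [ -z "$firewall" ] && [ -f /etc/sysconfig/iptables ]; then
  firewall="iptables"
fi

if [ -z "$firewall" ]; then
  # diagnostics belong on stderr, not stdout
  echo "Error: This machine does not have ipchains or iptables firewall support" >&2
  exit 1
fi
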
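# Announce the effective configuration in syslog.
mylogger_info "firewall.sh v$myver ValueOf.com starting"
mylogger_info "Firewall is:       $firewall"
mylogger_info "Port protected:     $portlist"
mylogger_info "Max connection per ip: $max_active_conn"
mylogger_info "Min time to check:   ${wakeup_time_min}s"
mylogger_info "Max time to check:   ${wakeup_time_max}s"
mylogger_info "Timeout circle:     ${rule_timeout}s"
mylogger_info "Output is logged to:   $log_facility"

# if new ip blocked at this check run? (set by blockclient, reset by
# docheckport)
new_block=0
# if new ip blocked at this timeout run? (set by blockclient, reset by
# the main loop after dotimeout)
ever_block=0
# reset wakeup_time
wakeup_time=$wakeup_time_max

# epoch seconds of the last firewall reset; the main loop measures
# $rule_timeout from here
lasttime=$(date +%s)
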
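# Main loop: reset the firewall once $rule_timeout seconds have passed
# since the last reset and a client was blocked in that period, check all
# protected ports, then sleep for the interval docheckall chose.  Note
# that the timer is not restarted by a block, so a rule inserted shortly
# before the timeout is dropped shortly after it was inserted.
while :; do
  curtime=$(date +%s)
  timediff=$((curtime-lasttime))
  if [ "$timediff" -ge "$rule_timeout" ] && [ "$ever_block" = 1 ]; then
    lasttime=$curtime
    ever_block=0
    dotimeout
  fi
  docheckall
  mylogger_info "sleep for ${wakeup_time}s"
  sleep "$wakeup_time"
done
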
1. 说明
firewall.sh是一个shell脚本程序,每隔一段时间检查tcp连接的统计信息,如果来自某个ip对某个端口的活动连接超过规定的最大数量,
则自动将该IP对该端口的访问屏蔽,并重新启动相应的服务。再每隔一段时间,会重设防火墙到初始状态。
该程序可以同时保护多个端口。
j<kW+Iio  
2. 安装
tar zxf firewall-1.0b.tar.gz
cd firewall-1.0b
install -m 700 firewall.sh /usr/prima/sbin/firewall.sh
1=J& ^O{W  
3. 配置
主要配置项目如下:
# 最小检查周期,缺省为120秒
wakeup_time_min=120

# 最大检查周期,缺省为300秒
wakeup_time_max=600

# 重设防火墙状态的时间,缺省为3600秒
rule_timeout=3600

# 保护的端口列表,缺省为80和25,支持的其他端口包括21(ftp), 110(pop3), 53(named), 3306(mysql)
# 一般的网络攻击都是针对80和25,又以80居多
portlist="80 25"

# 每个ip可占用的最大活动(Established)连接数
max_active_conn=8

# iptables防火墙规则链名称,必须和/etc/sysconfig/iptables中一致
# 如果用的是ipchains,可以忽略此项
iptables_chain_name="RH-Lokkit-0-50-INPUT"

# 日志输出目标
log_facility="local0"
Pi"?l[T0  
**** 关于检查周期 ****
程序定义了两个检查周期,如果上次检查中屏蔽了某个IP,则程序会更频繁地检查连接情况,反之则等待更长时间。通过检查周期的动态调整,可以有效调度在遭受攻击和正常状态下程序的运行次数。
z$^wCd:  
**** ipchains vs iptables ****
目前该程序支持ipchains和iptables两种软件防火墙,使用何种是由程序启动时自动检测的。如果/etc/sysconfig/ipchains和/etc/sysconfig/iptables都没有检测到,则报错退出。
KH#z =_  
**** 日志输出 ****
程序的输出信息记录在系统日志中,目标是local0。如果没有特殊配置,可以在/var/log/messages中看到。建议在/etc/syslog.conf中加入一条:
local0.*                 /var/log/firewall.log
然后重新启动syslog:
/etc/init.d/syslog restart
这样,可以将firewall.sh输出的日志单独记到文件/var/log/firewall.log里。
v`mB82s  
4. 运行
/usr/prima/sbin/firewall.sh &
j)8$hK/e0.  
范例输出:
*** firewall.sh v1.0b ValueOf.com ***
Firewall is:       ipchains
Port protected:     80 25
Max connection per ip: 8
Min time to check:   120s
Max time to check:   300s
Timeout circle:     3600s
Output is logged to:   local0
Kn$t_7AF^  
察看/var/log/firewall.log,可以看到:
Oct 16 14:08:55 server firewall.sh: do check port 80                   // 检查80端口
Oct 16 14:08:55 server firewall.sh: 192.168.0.60 2 connections             // 有两个来自192.168.0.60的连接
Oct 16 14:08:55 server firewall.sh: total connections on port 80: 2         // 80端口总共2个连接
Oct 16 14:08:55 server firewall.sh: do check port 25                   // 检查25端口
Oct 16 14:08:55 server firewall.sh: total connections on port 25: 0         // 25端口没有连接
Oct 16 14:08:55 server firewall.sh: sleep for 300s                     // 等待300秒
t c.|mIvw  
5. 停止
先用ps命令察看firewall.sh进程的进程号,然后用kill命令将其终止,如
# ps auxww|grep firewall.sh
root   27932 0.0 0.5 2312 1060 pts/2   S   12:38   0:00 /bin/sh /usr/prima/sbin/firewall.sh
root   27967 0.0 0.3 1732 592 pts/2   S   12:39   0:00 grep firewall.sh
第一行即firewall.sh的进程,用kill命令:
# kill 27932
[1]   Terminated             /usr/prima/sbin/firewall.sh
即将其终止


[楼 主] | Posted: 2008-01-26 02:12 顶端
deserts



通过脚本自动屏蔽非法IP

http://www.bornin76.cn/?p=31

最近很是奇怪,我查看我的服务器日志,居然发现有来自全世界[1]的很多人在锲而不舍地试图猜解我的系统密码(遗憾的是还没人可以成功入侵)。我是穷尽我吃奶的智商也想不通,就这么一个破机器(无屏的IBM T23,开博说明里就已经明确说了),上面只是跑了一个可有可无的Blog程序而已,咋就这么多人感兴趣?莫不是都把我这里当成了入侵中央银行的系统入口?我倒是希望这是那个入口哦!

研究了一下,觉得通过对日志文件进行判断,识别出扫描者的IP地址,然后再对其进行处理,这样也许是一种比较不错的简单的解决办法。经过实践,证明这是可行的。脚本代码如下:

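#! /bin/bash
# Count, per source address, the failed logins that sshd logged to
# /var/log/secure during the previous minute (the script is meant to run
# once a minute) and DROP every address above the threshold that is not
# already listed in the INPUT chain.
# Globals: SCAN_THRESHOLD (optional, default 10) - failures per minute
#          at which an address is blocked
# Outputs: the count and address of each candidate on stdout; blocked
#          addresses are appended to /var/log/scanip.log

threshold=${SCAN_THRESHOLD:-10}

# syslog pads a single-digit day of month with a space ("Oct  5"), which
# is %e; %d produces "05" and matched nothing on those days.  The
# timestamp is searched as a fixed string, not a pattern.
stamp=$(date "+ %e %H:%M" -d "-1min")

# "count=address" per line; $(NF-3) is presumably the source address of
# sshd's "Failed password for ... from ADDR port N ssh2" lines
scanlist=$(grep -F -- "$stamp" /var/log/secure \
  | awk '/Failed/ { print $(NF-3) }' | sort | uniq -c \
  | awk '{ print $1 "=" $2 }')

for entry in $scanlist; do
  number=${entry%%=*}
  scanip=${entry#*=}
  printf '%s\n' "$number"
  printf '%s\n' "$scanip"
  # the address comes from log content; only accept a dotted quad before
  # handing it to iptables
  if ! [[ $scanip =~ ^[0-9]+(\.[0-9]+){3}$ ]]; then
    continue
  fi
  # -wF matches the address literally and as a whole word, so 1.2.3.4 no
  # longer counts as "already blocked" because 11.2.3.45 is listed
  if [ "$number" -gt "$threshold" ] \
     && ! iptables -vnL INPUT | grep -qwF -- "$scanip"; then
    iptables -I INPUT -s "$scanip" -m state --state NEW,RELATED,ESTABLISHED -j DROP
    printf '%s %s(%s)\n' "$(date)" "$scanip" "$number" >> /var/log/scanip.log
  fi
done
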
这个世界终于清静了!有遇到类似情况的朋友可以一试,我的系统是Linux,防火墙用的是Iptables。
l['ER$(7  
ATV|M[B  
-------------------------------------------------------

注释:

[1] 有美国、冰岛、日本、韩国、印度、挪威、唐山、内蒙古、广州等等,不过也许只是同一个人通过IP伪装了而已。


[1 楼] | Posted: 2008-01-26 04:39 顶端
