» 您尚未 登录   注册 | 社区服务 | 帮助 | 社区 | 无图版


常州五颜六色网络技术有限公司 -> 网站建设 -> linux自动屏蔽IP工具
 XML   RSS 2.0   WAP 

--> 本页主题: linux自动屏蔽IP工具 加为IE收藏 | 收藏主题 | 上一主题 | 下一主题
deserts


头衔:大客部大客部
该用户目前不在线
级别: 总版主
精华: 0
发帖: 607
威望: 2 点
金钱: 1061 RMB
贡献值: 0 点
在线时间:1761(小时)
注册时间:2006-01-01
最后登录:2025-10-20
查看作者资料 发送短消息 推荐此帖 引用回复这个帖子

linux自动屏蔽IP工具

另存为 firewall.sh 给执行的权限 ,f%4xXI  
^d# AU7V|  
#!/bin/sh 7[ n |3  
# this program is used to check tcp/ip connections mS}.?[d"  
# and block those ip with excessive connections ]2ab~ gr  
cSv;HN:  
# my version OI0@lSAo <  
myver="1.0RC1" w('}QB`xad  
KXz7l\1Gb  
# wake up every 120s if last check found abuse client -1hCi !  
wakeup_time_min=120 ^N^s| c'  
NZG ^B/  
# wake up every 300s if last check found no abuse client N2|NYDQs  
wakeup_time_max=300 QxbG-B^)=  
PYNY1 |3  
# rule timeout 3600s M%$ITE  
rule_timeout=3600 uwi.Sg11  
.i )n1  
# check port list YADXXQ"  
portlist="80" ,dosF Q  
*>:<  
# max established connection per ip hAds15 %C  
max_active_conn=8 x 1 Z'_Qw  
RkTYvAk|kY  
# iptables chain name x <aR|r  
iptables_chain_name="RH-Lokkit-0-50-INPUT" eNH9`Aa  
uK# 2vgT  
# log facility Gf+X<a  
log_facility="local0" ?I+$KjE+  
<Vo ct  
# Block policy GpO*As_2  
ipchains_block_policy="DENY" 1A* "v  
iptables_block_policy="REJECT" R?#=^$7U  
G JU9[  
# myself 9; 9ge  
myself=`basename $0` E{^W-  
e7-IqQA{3C  
mylogger_info() Ek_<2!%X  
{ +!:=Mm  
logger -p $log_facility.info -t $myself $@ 2>/dev/null /C <p^#g9.  
} WWOt>C~zV  
%<p/s;eu  
mylogger_debug() QUZ+#*:s  
{ iweT @P`  
logger -p $log_facility.debug -t $myself $@ 2>/dev/null RE D@|[Qh  
} #, 1)@[  
rz`"$g+#  
mylogger_notice() x&+&)d  
{ qUn+1.[%  
logger -p $log_facility.notice -t $myself $@ 2>/dev/null r1}1lJ>7H  
} 2 J3/Eu  
\~Ml<3Zd:  
dotimeout() CvEIcm=t  
{ .wlKl[lE2  
mylogger_info "reset firewall when timeout arrives" s%>8y\MaK  
case "$firewall" in q"S,<I<f  
ipchains) B[#n,ay  
  /etc/init.d/ipchains restart 1>/dev/null 2>/dev/null 3J/l>1[  
  if [ $? = 0 ] ; then cW"DDm g  
    mylogger_info "ipchains restarted" hd(TKFL^y  
  else }s6Veosl  
    mylogger_notice "ipchains restart failed" vM$hCV ~N  
  fi 8$Zwk7 w8A  
  ;; =w"Kkj>%oh  
iptables) <%rm?;PBl  
  /etc/init.d/iptables restart 1>/dev/null 2>/dev/null 7xux%:BN  
  if [ $? = 0 ] ; then /EegP@[  
    mylogger_info "iptables restarted" ro3%VA=V  
  else L 8;H_:~_'  
    mylogger_notice "iptables restart failed" dV}]\ 8N  
  fi xdz 6[8 d8  
  ;;  ylS6D  
*) )^"V}z t  
  mylogger_notice "neither ipchains nor iptables" gX(Xj@=(&  
  ;; WSv%Rxr8L  
esac /(u? k%Q  
'iOa j0f  
} &5z9C=]e  
![fNlG!r  
blockclient() @#-\ BQ;  
{ i: jB  
if [ -z "$1" ] || [ -z "$2" ]; then njO~^Hl7  
mylogger_notice "blockclient() missing client or port to block" .}Ys+d1b9c  
return XZ3fWcw[  
fi Ht/#d6cQ  
local ip port R ?/xH=u>  
cR,'aX  
ip=$1 7'Hh^0<  
port=$2 gu~R4 @3  
}aI>dHL  
case "$firewall" in 6BEpnw>p(  
ipchains) W=LJhCpRHj  
  mylogger_notice "blocking $1 to $2 via ipchains" 11Qi _T\  
found=`ipchains -nL | egrep "^$ipchains_block_policy.*[[:space:]]+$ip[[:space:]]+.*[[:space:]]+\->[[:space:]]+$port"` .X"&k O>G  
if [ -z "$found" ] ; then b !Nr  
cmd="ipchains -I input 1 -p tcp -s $ip -d 0/0 $port -j $ipchains_block_policy 1>/dev/null 2>/dev/null"  ST~YO  
mylogger_debug "cmd: $cmd" %hw4IcWJ|  
`ipchains -I input 1 -p tcp -s $ip -d 0/0 $port -j $ipchains_block_policy 1>/dev/null 2>/dev/null` B afNF Pc  
if [ $? != 0 ] ; then V"2 G  
mylogger_notice "$cmd call failed" 5K682+^5  
return :D;pDl  
fi f\Hw Y)^>  
new_block=1 ,O:p`"3`0=  
ever_block=1 m|x_++3  
else yV(9@lj3;  
mylogger_info "$ip already blocked to $port" 7+@-mJMP$D  
fi L:mE)Xq2  
  ;; Kb;Pd!Q  
iptables) r&+C %  
  mylogger_notice "blocking $1 to $2 via iptables" I|K!hQ"m  
found=`iptables -nL | egrep "^$iptables_block_policy.*[[:space:]]+$ip[[:space:]]+.*[[:space:]]+dpt:$port[[:space:]]+"` *8;<w~  
if [ -z "$found" ] ; then zSk`Ou8M  
cmd="iptables -I $iptables_chain_name 1 -p tcp -m tcp -s $ip --dport $port -j $iptables_block_policy 1>/dev/null 2>/dev/null" MtF0/aT  
mylogger_debug "cmd: $cmd" qwnVtD  
`iptables -I $iptables_chain_name 1 -p tcp -m tcp -s $ip --dport $port -j $iptables_block_policy 1>/dev/null 2>/dev/null` bwP@}(K  
if [ $? != 0 ] ; then ) R5j?6}xF  
mylogger_notice "$cmd call failed" tlg}"lY  
return uTPAf^|  
fi `,/5skeJ  
new_block=1 !O}e)t  
ever_block=1 c9Cc%EK  
else k$8Zg*)  
mylogger_info "$ip already blocked to $port" 02%~HBS  
fi OT=1doDp  
  ;; )p>p3b g  
*) @p^EXc*|  
  mylogger_notice "neither ipchains nor iptables" QJi H^KY6  
  ;; :V#xrH8R  
esac :"Tkl$@,  
} u;1[_~  
M2d&7>N  
restartservice() Ex*{iJ;\  
{ u8|CeA  
local service Qy4Pw\  
if [ -z "$1" ] ; then ][V`ym-e  
mylogger_notice "no port given to see which service to be restart" pr4y*!|Y$  
return q(hBqUW  
fi oTXIs4+G  
(f_J @n  
case "$1" in v''J@F7  
80) c'Ibgfx%m  
  service="httpd" T3S FG]H  
  ;; /?XI,#j3kM  
25) L2}<2  
  service="postfix" F]>+pU  
  ;; +|pYu<OY  
110) rLmc(-q  
  service="courier-pop3d" ]>k8v6*=  
  ;; #<sK3PT  
21) y x#ub-A8  
  service="muddleftpd" h?B1Emlq  
  ;; ;XjXv'   
53) ~Jw84U{$  
  service="named" gE=9K @  
  ;; >py[g0J  
3306) RIO?rt;  
  service="mysqld" l.Ev]G/5  
  ;; O#O"]A  
esac 7w8UnPuM  
if [ ! -z "$service" ] ; then Ef ?|0Gm  
/etc/init.d/$service restart 1>/dev/null 2>/dev/null ; 2V$`k  
if [ $? = 0 ] ; then YN <vOv  
  mylogger_notice "$service restarted" Gx}`_[-  
else &V+KM"Ow  
  mylogger_notice "$service restart failed" T: 2f*!r  
fi ?K2}<H-  
fi QUvSeNS p  
} #9.%>1{6Y  
:Mh\;e  
docheckport() +_bxza(ma{  
{ z#P`m,~t0  
mylogger_info "do check port $1" k\j_hu  
local port last_client count client total_count 5/h-H r  
&HAu;u@  
if [ -z "$1" ] ; then ^ACrWk~UY  
mylogger_notice "docheckport() port not given" |s(Ih_Zn  
return IhZn  
fi mXS]SE  
3RvD X p  
port=$1 zb"4_L@m2  
3tJfh=r=1  
clientlist=`netstat -an --tcp| grep ESTABLISHED | awk "{ if ( index(\\$4,\":$port\") ) print \\$5}" | awk -F ':' '{print $1}'|sort` !.t D.(XP  
if [ $? != 0 ] ; then rKFnivGT  
mylogger_notice "netstat call failed" $U9]v5  
return Z[] 8X@IPe  
fi Umzb  
#echo $clientlist ^E8qI8s  
# reset new_block ]$9y7Bhj.  
new_block=0 ?nbu`K6T  
count=0 .`*]nN{  
total_count=0 oD\t4]?E  
last_client="" =H;'.!77Hx  
for client in $clientlist v@q&B|0  
do |W=-/~X  
#echo "client is $client" +l VA$]d  
if [ -z "$last_client" ] ; then oPni4^g i  
  count=$((count+1)) }+pwSjsno  
  total_count=$((total_count+1)) s2|.LmC3|B  
  last_client=$client /^k%sG@?  
else 1;S?9N_B  
  if [ "$client" = "$last_client" ] ; then m;>G]Sbe  
  count=$((count+1)) )`'a1y|  
  total_count=$((total_count+1)) P!IA;i  
  else 6D2ot&5WW  
  mylogger_debug "$last_client $count connections" PlS)Zv 3  
  if [ $count -ge $max_active_conn ] ; then 0#8, (6  
    mylogger_notice "client $last_client connection $count >= $max_active_conn" :Rv+Bm  
    blockclient $last_client $port h^Yh~84T  
  fi \aM-m:J  
  count=1 #\^=3A|b  
  total_count=$((total_count+1)) '/6f2[%Y"  
  last_client=$client Wex2Fd?DO  
  fi Y,}h{*9Kd  
fi quaRVD>s +  
done {^N,$,Ab.  
# check the last client &g23tT#P?  
if [ ! -z "$client" ] ; then 71P. 9Iz  
count=$((count+1)) 0)b1'xt',  
total_count=$((total_count+1)) er-0 i L@  
mylogger_debug "$client $count connections" K39I j_3  
if [ $count -ge $max_active_conn ] ; then 2}/r>]9^-  
  mylogger_notice "client $client connection $count >= $max_active_conn" p=> +3  
  blockclient $client $port O{\<Izm`D  
fi uuF~+=.|  
fi =EA @  
mylogger_info "total connections on port $port: $total_count" c7@/<*E+  
}wv Rs5;o  
if [ $new_block = 1 ] ; then SIR2 Kc0  
restartservice $port MoEh25U.  
fi *?uUP  
} MMET^SO  
n[K%Xs)  
docheckall() -]u>kjiIT  
{ u #}1 M  
# reset wakeup_time v*JKLA  
wakeup_time=$wakeup_time_max H\<0{#F  
for port in $portlist #<m2Xo?d]  
do 2|RoN)%  
docheckport $port I/A%3i=H  
if [ $new_block = 1 ] ; then !- QB>`7$  
  # set wakeup_time shorter cause we found some abuse client S\t!7Xs%*U  
  wakeup_time=$wakeup_time_min #EE<MKka  
fi :]Om4Q\-#  
done z~p!7q&g  
} yW7>5r  
30Qp:_D  
if [ -z "$firewall" ] && [ -f /etc/sysconfig/ipchains ] ; then Th\T$T`X$  
firewall="ipchains" d*k5h<jM  
fi &LB`  
2Y[n  
if [ -z "$firewall" ] && [ -f /etc/sysconfig/iptables ] ; then -p7 HQ/  
firewall="iptables" oPbziB8  
fi edlf++r~  
\' A- Lp  
if [ -z "$firewall" ] ; then R!X+-  
echo "Error: This machine does not have ipchains or iptables firewall support" &%/T4$'+Y+  
exit 1 G O G[^T  
fi jll|y0  
(0_zp`)  
mylogger_info "firewall.sh v$myver ValueOf.com starting" b~)2`l  
mylogger_info "Firewall is:       $firewall" c`lL&*]  
mylogger_info "Port protected:     $portlist" Wk/Q~ o  
mylogger_info "Max connection per ip: $max_active_conn" 7o!t/WEEq  
mylogger_info "Min time to check:   $wakeup_time_min""s" BAi0w{  
mylogger_info "Max time to check:   $wakeup_time_max""s" 5K$<Ad4$b  
mylogger_info "Timeout circle:     $rule_timeout""s" <W7WlT  
mylogger_info "Output is logged to:   $log_facility" .V_5q:tu  
b~YIaD[Z  
# if new ip blocked at this check run? Z}>;@c  
new_block=0 G6x'Myg I  
# if new ip blocked at this timeout run? |_+l D|'  
ever_block=0 #a tL2(wJ  
# reset wakeup_time 4N7|LxNNl_  
wakeup_time=$wakeup_time_max swJQwY   
=kK%,Mr  
lasttime=`date +%s` dShGIH?  
UFj!7gX]  
while [ 1 ] ,TB$D]u8  
do Au(oKs<  
curtime=`date +%s` #67 7,dn  
timediff=$((curtime-lasttime)) +/M%%:>mY  
#echo "timediff: $timediff" d(b~s2\i  
if [ $timediff -ge $rule_timeout ] && [ $ever_block = 1 ] ; then n 3-VqYUP  
lasttime=$curtime S>j.i  
ever_block=0 |}<Gz+E>  
dotimeout SdnO#J}{  
fi <nN# K{AH  
docheckall "oF)u1_?  
mylogger_info "sleep for $wakeup_time""s" O;}K7rSc  
sleep $wakeup_time JB.U&  
done ]0|A\bE\S  
B/!/2x  
fYh<S  
?Drq!?3PDc  
1. 说明 vEGI  
firewall.sh是一个shell脚本程序,每隔一段时间检查tcp连接的统计信息,如果来自某个ip对某个端口的活动连接超过规定的最大数量, x#R6Ez7  
则自动将该IP对该端口的访问屏蔽,并重新启动相应的服务。再每隔一段时间,会重设防火墙到初始状态。 Un T\6u  
该程序可以同时保护多个端口 :rjfAe=s  
iXvrZofE  
2. 安装 x)eoz2E1  
tar zxf firewall-1.0b.tar.gz jcBZ#|B7;  
cd firewall-1.0b wQ@:0GJH  
install -m 700 firewall.sh /usr/prima/sbin/firewall.sh Eciu^  
M:iH7K  
3. 配置 WBm)Q#1:  
主要配置项目如下: 'U0W   
# 最小检查周期,缺省为120秒 =]/<Kd}A.  
wakeup_time_min=120 0 ]L   
qc\D=3 #Yp  
# 最大检查周期,缺省为300秒 uI%7jA~@  
wakeup_time_max=600 ;YW@ 3F-h  
lCl5#L9  
# 重设防火墙状态的时间,缺省为3600秒 g%!U7CM6h  
rule_timeout=3600 [ K'gvLt1  
P+OS  
# 保护的端口列表,缺省为80和25,支持的其他端口包括21(ftp), 110(pop3), 53(named), 3306(mysql) $60`Hh 4/  
# 一般的网络攻击都是针对80和25,又以80居多 gw[Eu>I  
portlist="80 25" ,u)jZ7  
BOq9\g`5s  
# 每个ip可占用的最大活动(Established)连接数 %b4tyX:N0  
max_active_conn=8 (K84J*;  
: T7(sf*!*  
# iptables防火墙规则链名称,必须和/etc/sysconfig/iptables中一致 Qx8(w"k*  
# 如果用的是ipchains,可以忽略此项 p:W]  
iptables_chain_name="RH-Lokkit-0-50-INPUT" v}d)uPl} ;  
6yMZ2%  
# 日志输出目标 =y)K er  
log_facility="local0" 4nh=Dq[  
1 ptyiy  
**** 关于检查周期 **** ZILJXX4  
程序定义了两个检查周期,如果上次检查中屏蔽了某个IP,则程序会更频繁地检查连接情况,反之则等待更长时间。通过检查周期 ~QxW^DGa7]  
的动态调整,可以有效调度在遭受攻击和正常状态下程序的运行次数。 pq&[cA_w  
IM/xBP  
**** ipchains vs iptables **** W{tZX^|  
目前该程序支持ipchains和iptables两种软件防火墙,使用何种是由程序启动时自动检测的。如果/etc/sysconfig/ipchains和 i$PO#}  
/etc/sysconfig/iptables都没有检测到,则报错退出。 ljOY;WV3  
Rb& 9!z  
**** 日志输出 **** ; teM^zyI  
程序的输出信息记录在系统日志中,目标是local0。如果没有特殊配置,可以在/var/log/messages中看到。建议在/etc/syslog.conf VwPoQ9pIS  
中加入一条: %<(d %&~  
local0.*                 /var/log/firewall.log 8B?U\cfa^  
然后重新启动syslog h@G~' \8t  
/etc/init.d/syslog restart tO:JB&vO2  
这样,可以将firewall.sh输出的日志单独记到文件/var/log/firewall.log里。 OoH-E.lp  
!3Pmjip  
4. 运行 ?{^_z_,  
/usr/prima/sbin/firewall.sh & 2HN*j~>i~  
a{hc{  
范例输出: Q+9:]Bt  
*** firewall.sh v1.0b ValueOf.com*** D_czUM  
Firewall is:       ipchains :ZIa   
Port protected:     80 25 ?{B5gaU9F  
Max connection per ip: 8 ?<C(ga  
Min time to check:   120s N\g=9o|Q  
Max time to check:   300s DlE,aYB  
Timeout circle:     3600s nf 8V:y4  
Output is logged to:   local0 6Uk+a=Ar  
5 k3m"*  
察看/var/log/firewall.log,可以看到: J~]@#=,v  
Oct 16 14:08:55 server firewall.sh: do check port 80                   // 检查80端口 ^?+[yvq  
Oct 16 14:08:55 server firewall.sh: 192.168.0.60 2 connections             // 有两个来自192.168.0.60的连接 Rq5'=L  
Oct 16 14:08:55 server firewall.sh: total connections on port 80: 2         // 80端口总共2个连接 2RX]~}  
Oct 16 14:08:55 server firewall.sh: do check port 25                   // 检查25端口 EpMxq7*  
Oct 16 14:08:55 server firewall.sh: total connections on port 25: 0         // 25端口没有连接 /)Cfm1$ic  
Oct 16 14:08:55 server firewall.sh: sleep for 300s                     // 等待300秒 y2#>a8SRS  
M x#L|w`r  
5. 停止 6Lq`zU^  
先用ps命令察看firewall.sh进程的进程号,然后用kill命令将其终止,如 _) x{TnK  
# ps auxww|grep firewall.sh ?o;ip  
root   27932 0.0 0.5 2312 1060 pts/2   S   12:38   0:00 /bin/sh /usr/prima/sbin/firewall.sh #:gl+  
root   27967 0.0 0.3 1732 592 pts/2   S   12:39   0:00 grep firewall.sh zY_J7,0g  
第一行即firewall.sh的进程,用kill命令: ` 5Kg[nB:  
# kill 27932 L?d?O  
[1]   Terminated             /usr/prima/sbin/firewall.sh ?Te#lp;`~  
即将其终止


常州电信/网通机房,100M共享/10M独享/1000M共享/100M独享/电信+网通双线路服务器托管

Tel:0519-89991155 企业QQ:4006023839   5y6s Inc.
[楼 主] | Posted: 2008-01-26 02:12 顶端
deserts


头衔:大客部大客部
该用户目前不在线
级别: 总版主
精华: 0
发帖: 607
威望: 2 点
金钱: 1061 RMB
贡献值: 0 点
在线时间:1761(小时)
注册时间:2006-01-01
最后登录:2025-10-20
查看作者资料 发送短消息 推荐此帖 引用回复这个帖子

通过脚本自动屏蔽非法IP

http://www.bornin76.cn/?p=31 X~jdOaq{F:  
*eoH"UFYQ#  
最近很是奇怪,我查看我的服务器日志,居然发现有来自全世界[1]的很多人在锲而不舍的试图猜解我的系统密码(遗憾的是还没人可以成功入侵)。我是穷尽我吃奶的智商也想不通,就这么一个破机器(无屏的IBM T23,开博说明里就已经明确说了),上面只是跑了一个可有可无的Blog程序而已,咋就这么多人感兴趣?莫不是都把我这里当成了入侵中央银行的系统入口?我倒是希望这是那个入口哦! ;<garDf  
JhFn"(O  
研究了一下,觉得通过对日志文件进行判断,识别出扫描者的IP地址,然后再对其进行处理,这样也许是一种比较不错的简单的解决办法。经过实践,证明这是可行的。脚本代码如下: -kk7y  
hP+4{F*}-  
^Q`5+  
#! /bin/bash f8lyH'z0 @  
<u\Hy0g  
SCANIP=`grep "\`date \"+ %d %H:%M\" -d \"-1min\"\`" /var/log/secure|awk '/Failed/{print $(NF-3)}'|sort|uniq -c|awk '{print $1"="$2;}'` 7.Y;nem:(  
'l^Bb#)"  
for i in $SCANIP /GGyM]k3  
do 7_ix&oVI  
NUMBER=`echo $i|awk -F= '{print $1}'` #4m5 I="  
SCANIP=`echo $i|awk -F= '{print $2}'` IRQtA ZV$  
echo $NUMBER  ~frsgHW  
echo $SCANIP Sqn>L`Lz  
if [ $NUMBER -gt 10 ] && [ -z "`iptables -vnL INPUT|grep $SCANIP`" ] |V\{U j  
then e=(Y,e3  
iptables -I INPUT -s $SCANIP -m state --state NEW,RELATED,ESTABLISHED -j DROP o)5zvnu7  
echo "`date` $SCANIP($NUMBER)" >> /var/log/scanip.log /^xv1F{  
fi 4N,[Gs<7  
done I]eeV+U8W  
{nmu(E P  
这个世界终于清静了!有遇到类似情况的朋友可以一试,我的系统是Linux,防火墙是用的Iptables。 $Xwk8<   
V5lUh#@TN&  
[ ojL9.6  
------------------------------------------------------- & $|~",  
\YzKEYx+  
注释: :(XyiF<Ud  
G@DNV3Cc  
有美国、冰岛、日本、韩国、印度、挪威、唐山、内蒙古、广州等等,不过也许只是同一个人通过IP伪装了而已。


常州电信/网通机房,100M共享/10M独享/1000M共享/100M独享/电信+网通双线路服务器托管

Tel:0519-89991155 企业QQ:4006023839   5y6s Inc.
[1 楼] | Posted: 2008-01-26 04:39 顶端

常州五颜六色网络技术有限公司 -> 网站建设



Copyright © 2005-2009 5y6s Inc. 苏ICP备05001866号 Powered by PHPWind 5.0.1
Total 0.028196(s) query 5, Gzip enabled
会员言论不代表本站立场 本站法律顾问:北京汇泽律师事务所 韩律师
QQ:点击这里给我发消息 /点击这里给我发消息 /点击这里给我发消息