linux自动屏蔽IP工具

另存为 firewall.sh,并给予执行权限。
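#!/bin/sh -
# this program is used to check tcp/ip connections
# and block those ip with excessive connections
#
# The bottom of the file runs an endless loop: every $wakeup_time seconds
# each port in $portlist is inspected with netstat and any client holding
# at least $max_active_conn established connections to it is blocked with
# ipchains/iptables; every $rule_timeout seconds the firewall service is
# restarted, which drops those blocks again.

# my version
myver="1.0RC1"

# wake up every 120s if last check found abuse client
wakeup_time_min=120

# wake up every 300s if last check found no abuse client
wakeup_time_max=300

# rule timeout 3600s
rule_timeout=3600

# check port list (space separated, e.g. "80 25")
portlist="80"

# max established connection per ip
max_active_conn=8

# iptables chain name (must match the chain used in /etc/sysconfig/iptables)
iptables_chain_name="RH-Lokkit-0-50-INPUT"

# log facility
log_facility="local0"

# Block policy : target of the rules inserted by blockclient()
ipchains_block_policy="DENY"
iptables_block_policy="REJECT"

# myself: script name used as the syslog tag. $0 is quoted so a path with
# spaces survives, and "--" keeps a leading "-" from being read as an option.
myself=$(basename -- "$0")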
Se`N5hQ  
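mylogger_info()
{
  # Send "$@" to syslog at info priority under $log_facility, tagged with the
  # script name ($myself). logger's own errors are discarded so a missing or
  # failing logger never aborts the main loop. The arguments are passed
  # quoted so a message containing glob characters or runs of spaces reaches
  # syslog verbatim instead of being re-split by the shell.
  logger -p "$log_facility.info" -t "$myself" "$@" 2>/dev/null
}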
9(WC#-,  
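mylogger_debug()
{
  # Send "$@" to syslog at debug priority under $log_facility, tagged with
  # the script name ($myself); logger errors are discarded. Arguments are
  # quoted so the message is not word-split or glob-expanded by the shell.
  logger -p "$log_facility.debug" -t "$myself" "$@" 2>/dev/null
}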
5qEdN  
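mylogger_notice()
{
  # Send "$@" to syslog at notice priority under $log_facility, tagged with
  # the script name ($myself); logger errors are discarded. Arguments are
  # quoted so the message is not word-split or glob-expanded by the shell.
  logger -p "$log_facility.notice" -t "$myself" "$@" 2>/dev/null
}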
@F^L4 N':  
dotimeout()
{
  # Restart the active firewall service so that the rules blockclient()
  # inserted are dropped again (the periodic "reset" the main loop drives).
  # Which service is restarted is decided by the global $firewall; the
  # outcome is only reported through syslog.
  mylogger_info "reset firewall when timeout arrives"
  case "$firewall" in
    ipchains|iptables)
      # both init scripts are driven the same way, only the name differs
      if /etc/init.d/"$firewall" restart >/dev/null 2>&1; then
        mylogger_info "$firewall restarted"
      else
        mylogger_notice "$firewall restart failed"
      fi
      ;;
    *)
      mylogger_notice "neither ipchains nor iptables"
      ;;
  esac
}
eEGcio}_I9  
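blockclient()
{
  # Insert a firewall rule that rejects tcp traffic from client $1 to local
  # port $2, unless an equivalent rule is already listed.
  # Globals read:  firewall, ipchains_block_policy, iptables_block_policy,
  #                iptables_chain_name
  # Globals set:   new_block=1 and ever_block=1 when a rule was added
  # Arguments:     $1 - client ip (dotted quad), $2 - destination port
  # Returns:       0 in every case; problems are reported via syslog only
  local ip port ip_re found cmd
  if [ -z "$1" ] || [ -z "$2" ]; then
    mylogger_notice "blockclient() missing client or port to block"
    return
  fi
  ip=$1
  port=$2
  # Both values are parsed out of netstat output; refuse anything that is
  # not a plain dotted quad / numeric port before it reaches a firewall
  # command line or a grep pattern.
  case "$ip" in
    *[!0-9.]*)
      mylogger_notice "blockclient() refusing malformed address '$ip'"
      return
      ;;
  esac
  case "$port" in
    *[!0-9]*)
      mylogger_notice "blockclient() refusing malformed port '$port'"
      return
      ;;
  esac
  # dots must be literal in the rule-lookup patterns below, otherwise
  # 10.0.0.1 would also "find" 10x0y0z1 and the real block would be skipped
  ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')

  case "$firewall" in
    ipchains)
      mylogger_notice "blocking $ip to $port via ipchains"
      found=$(ipchains -nL | grep -E "^$ipchains_block_policy.*[[:space:]]+$ip_re[[:space:]]+.*[[:space:]]+\->[[:space:]]+$port")
      if [ -z "$found" ]; then
        cmd="ipchains -I input 1 -p tcp -s $ip -d 0/0 $port -j $ipchains_block_policy"
        mylogger_debug "cmd: $cmd"
        # run the tool directly so the status tested is its own exit code
        if ! ipchains -I input 1 -p tcp -s "$ip" -d 0/0 "$port" -j "$ipchains_block_policy" >/dev/null 2>&1; then
          mylogger_notice "$cmd call failed"
          return
        fi
        new_block=1
        ever_block=1
      else
        mylogger_info "$ip already blocked to $port"
      fi
      ;;
    iptables)
      mylogger_notice "blocking $ip to $port via iptables"
      found=$(iptables -nL | grep -E "^$iptables_block_policy.*[[:space:]]+$ip_re[[:space:]]+.*[[:space:]]+dpt:$port[[:space:]]+")
      if [ -z "$found" ]; then
        cmd="iptables -I $iptables_chain_name 1 -p tcp -m tcp -s $ip --dport $port -j $iptables_block_policy"
        mylogger_debug "cmd: $cmd"
        # run the tool directly so the status tested is its own exit code
        if ! iptables -I "$iptables_chain_name" 1 -p tcp -m tcp -s "$ip" --dport "$port" -j "$iptables_block_policy" >/dev/null 2>&1; then
          mylogger_notice "$cmd call failed"
          return
        fi
        new_block=1
        ever_block=1
      else
        mylogger_info "$ip already blocked to $port"
      fi
      ;;
    *)
      mylogger_notice "neither ipchains nor iptables"
      ;;
  esac
}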
WHUT/:?f  
restartservice()
{
  # Restart the init.d service listening on port $1 after a new block was
  # added for that port. Only the ports in the table below are known; any
  # other port is silently ignored. The result is reported via syslog.
  local service
  if [ -z "$1" ]; then
    mylogger_notice "no port given to see which service to be restart"
    return
  fi

  # port -> init.d service name
  case "$1" in
    80)   service="httpd" ;;
    25)   service="postfix" ;;
    110)  service="courier-pop3d" ;;
    21)   service="muddleftpd" ;;
    53)   service="named" ;;
    3306) service="mysqld" ;;
  esac
  [ -n "$service" ] || return 0

  if /etc/init.d/"$service" restart >/dev/null 2>&1; then
    mylogger_notice "$service restarted"
  else
    mylogger_notice "$service restart failed"
  fi
}
Km,*)X.-5  
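docheckport()
{
  # Count the ESTABLISHED tcp connections to local port $1 per remote
  # address and call blockclient() for every address holding at least
  # $max_active_conn of them; restart the port's service afterwards when a
  # new block was added.
  # Globals read:  max_active_conn
  # Globals set:   new_block (reset to 0 here, set to 1 by blockclient())
  # Arguments:     $1 - local tcp port to inspect
  # Returns:       0; failures are reported via syslog
  local port raw clientlist count client total_count
  if [ -z "$1" ]; then
    mylogger_notice "docheckport() port not given"
    return
  fi
  port=$1
  mylogger_info "do check port $port"

  # capture netstat on its own: the status of a pipeline is that of its last
  # stage, so a failing netstat behind "| sort" would never be noticed
  if ! raw=$(netstat -an --tcp); then
    mylogger_notice "netstat call failed"
    return
  fi

  # one "count address" line per remote address, sorted by address.
  # The local port is matched as an exact suffix (":80$") so that ":8080"
  # is not counted as port 80; the remote port is stripped off the foreign
  # address, and the "::ffff:" prefix netstat shows for ipv4 peers of a tcp6
  # socket is removed so the address can be handed to ipchains/iptables.
  clientlist=$(printf '%s\n' "$raw" | awk -v port="$port" '
    /ESTABLISHED/ && $4 ~ (":" port "$") {
      addr = $5
      sub(/:[0-9]+$/, "", addr)
      sub(/^::ffff:/, "", addr)
      print addr
    }' | sort | uniq -c)

  # reset new_block
  new_block=0
  total_count=0
  # the here-document keeps the loop in the current shell, so the globals
  # blockclient() sets survive it (a pipe into "while" would lose them)
  while read -r count client; do
    [ -n "$client" ] || continue
    total_count=$((total_count+count))
    mylogger_debug "$client $count connections"
    if [ "$count" -ge "$max_active_conn" ]; then
      mylogger_notice "client $client connection $count >= $max_active_conn"
      blockclient "$client" "$port"
    fi
  done <<EOF
$clientlist
EOF
  mylogger_info "total connections on port $port: $total_count"

  if [ "$new_block" = 1 ]; then
    restartservice "$port"
  fi
}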
M~Ttb29{  
docheckall()
{
  # Run docheckport() for every port in $portlist and choose the sleep
  # interval for the main loop: $wakeup_time_min as soon as any port saw a
  # new block during this pass, $wakeup_time_max otherwise.
  # Globals read: portlist, wakeup_time_min, wakeup_time_max, new_block
  # Globals set:  wakeup_time
  local p
  wakeup_time=$wakeup_time_max
  for p in $portlist; do
    docheckport "$p"
    if [ "$new_block" = 1 ]; then
      # a block was added during this check: poll again sooner
      wakeup_time=$wakeup_time_min
    fi
  done
}
:r#)z4d5  
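# Pick the firewall from the saved rule files unless $firewall was already
# set (e.g. from the environment); ipchains is preferred when both exist.
if [ -z "$firewall" ] && [ -f /etc/sysconfig/ipchains ]; then
  firewall="ipchains"
fi

if [ -z "$firewall" ] && [ -f /etc/sysconfig/iptables ]; then
  firewall="iptables"
fi

if [ -z "$firewall" ]; then
  # diagnostics go to stderr; stdout of a backgrounded daemon is easily lost
  echo "Error: This machine does not have ipchains or iptables firewall support" >&2
  exit 1
fi

mylogger_info "firewall.sh v$myver ValueOf.com starting"
mylogger_info "Firewall is:       $firewall"
mylogger_info "Port protected:     $portlist"
mylogger_info "Max connection per ip: $max_active_conn"
mylogger_info "Min time to check:   $wakeup_time_min""s"
mylogger_info "Max time to check:   $wakeup_time_max""s"
mylogger_info "Timeout circle:     $rule_timeout""s"
mylogger_info "Output is logged to:   $log_facility"

# if new ip blocked at this check run?
new_block=0
# if new ip blocked at this timeout run?
ever_block=0
# reset wakeup_time
wakeup_time=$wakeup_time_max

lasttime=$(date +%s)

# main loop: never returns, the daemon is stopped with kill
while :; do
  curtime=$(date +%s)
  timediff=$((curtime-lasttime))
  # reset the firewall only when something was blocked since the last reset
  if [ "$timediff" -ge "$rule_timeout" ] && [ "$ever_block" = 1 ]; then
    lasttime=$curtime
    ever_block=0
    dotimeout
  fi
  docheckall
  mylogger_info "sleep for $wakeup_time""s"
  sleep "$wakeup_time"
done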
\-g)T}g,I  
<7~'; K  
n rjE.+v  
1. 说明
firewall.sh是一个shell脚本程序,每隔一段时间检查tcp连接的统计信息,如果来自某个ip对某个端口的活动连接超过规定的最大数量,
则自动将该IP对该端口的访问屏蔽,并重新启动相应的服务。再每隔一段时间,会重设防火墙到初始状态。
该程序可以同时保护多个端口。
Z.Lc>7o  
2. 安装
tar zxf firewall-1.0b.tar.gz
cd firewall-1.0b
install -m 700 firewall.sh /usr/prima/sbin/firewall.sh
,5h)x"s  
3. 配置
主要配置项目如下:
# 最小检查周期,缺省为120秒
wakeup_time_min=120

# 最大检查周期,缺省为300秒
wakeup_time_max=600

# 重设防火墙状态的时间,缺省为3600秒
rule_timeout=3600

# 保护的端口列表,缺省为80和25,支持的其他端口包括21(ftp), 110(pop3), 53(named), 3306(mysql)
# 一般的网络攻击都是针对80和25,又以80居多
portlist="80 25"

# 每个ip可占用的最大活动(Established)连接数
max_active_conn=8

# iptables防火墙规则链名称,必须和/etc/sysconfig/iptables中一致
# 如果用的是ipchains,可以忽略此项
iptables_chain_name="RH-Lokkit-0-50-INPUT"

# 日志输出目标
log_facility="local0"
<L8'!q}  
**** 关于检查周期 ****
程序定义了两个检查周期,如果上次检查中屏蔽了某个IP,则程序会更频繁地检查连接情况,反之则等待更长时间。通过检查周期的动态调整,可以有效调度在遭受攻击和正常状态下程序的运行次数。
V^bwXr4f  
**** ipchains vs iptables ****
目前该程序支持ipchains和iptables两种软件防火墙,使用何种是由程序启动时自动检测的。如果/etc/sysconfig/ipchains和/etc/sysconfig/iptables都没有检测到,则报错退出。
R'as0 u\  
**** 日志输出 ****
程序的输出信息记录在系统日志中,目标是local0。如果没有特殊配置,可以在/var/log/messages中看到。建议在/etc/syslog.conf中加入一条:
local0.*                 /var/log/firewall.log
然后重新启动syslog:
/etc/init.d/syslog restart
这样,可以将firewall.sh输出的日志单独记到文件/var/log/firewall.log里。
-A^_{4X  
4. 运行
/usr/prima/sbin/firewall.sh &

范例输出:
*** firewall.sh v1.0b ValueOf.com***
Firewall is:       ipchains
Port protected:     80 25
Max connection per ip: 8
Min time to check:   120s
Max time to check:   300s
Timeout circle:     3600s
Output is logged to:   local0

察看/var/log/firewall.log,可以看到:
Oct 16 14:08:55 server firewall.sh: do check port 80                   // 检查80端口
Oct 16 14:08:55 server firewall.sh: 192.168.0.60 2 connections             // 有两个来自192.168.0.60的连接
Oct 16 14:08:55 server firewall.sh: total connections on port 80: 2         // 80端口总共2个连接
Oct 16 14:08:55 server firewall.sh: do check port 25                   // 检查25端口
Oct 16 14:08:55 server firewall.sh: total connections on port 25: 0         // 25端口没有连接
Oct 16 14:08:55 server firewall.sh: sleep for 300s                     // 等待300秒
W:2( .?  
5. 停止
先用ps命令察看firewall.sh进程的进程号,然后用kill命令将其终止,如:
# ps auxww|grep firewall.sh
root   27932 0.0 0.5 2312 1060 pts/2   S   12:38   0:00 /bin/sh /usr/prima/sbin/firewall.sh
root   27967 0.0 0.3 1732 592 pts/2   S   12:39   0:00 grep firewall.sh
第一行即firewall.sh的进程,用kill命令:
# kill 27932
[1]   Terminated             /usr/prima/sbin/firewall.sh
即将其终止。


通过脚本自动屏蔽非法IP

http://www.bornin76.cn/?p=31

最近很是奇怪,我查看我的服务器日志,居然发现有来自全世界[1]的很多人在锲而不舍地试图猜解我的系统密码(遗憾的是还没人可以成功入侵)。我是穷尽我吃奶的智商也想不通,就这么一个破机器(无屏的IBM T23,开博说明里就已经明确说了),上面只是跑了一个可有可无的Blog程序而已,咋就这么多人感兴趣?莫不是都把我这里当成了入侵中央银行的系统入口?我倒是希望这是那个入口哦!

研究了一下,觉得通过对日志文件进行判断,识别出扫描者的IP地址,然后再对其进行处理,也许是一种比较不错的简单解决办法。经过实践,证明这是可行的。脚本代码如下:
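#!/bin/bash
# Scan the previous minute of /var/log/secure for failed sshd logins and
# DROP every source address with more than 10 failures that is not already
# listed in the INPUT chain. Intended to run from cron once a minute: the
# window is exactly the previous minute, so a longer interval leaves gaps.
# Assumes the traditional syslog timestamp "Mon dd HH:MM:SS" at line start
# (the format /var/log/secure has on the systems the post describes).

# "%e" gives the space-padded day syslog writes ("Jan  5"); "%d" ("05")
# would never match on days 1-9 of a month. "-1min" is GNU date syntax.
stamp=$(date "+ %e %H:%M" -d "-1min")

# one "count=ip" token per offending address. In
# "Failed password for <user> from <ip> port <n> ssh2" the address is the
# fourth field from the end, so counting from NF keeps it stable whatever
# the user name looks like.
scanlist=$(grep -F -- "$stamp" /var/log/secure \
  | awk '/Failed/ {print $(NF-3)}' \
  | sort | uniq -c \
  | awk '{print $1"="$2;}')

for entry in $scanlist; do
  number=${entry%%=*}
  ip=${entry#*=}
  printf '%s\n' "$number" "$ip"
  # the address was cut out of a log line; only a plain dotted quad may be
  # handed to iptables
  if [[ ! $ip =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
    printf 'skipping malformed address %s\n' "$ip" >&2
    continue
  fi
  # -F -w: literal whole-token match, so 1.2.3.4 is not taken as already
  # blocked because 1.2.3.45 or 11.2.3.4 is in the chain
  if [ "$number" -gt 10 ] && ! iptables -vnL INPUT | grep -Fqw -- "$ip"; then
    iptables -I INPUT -s "$ip" -m state --state NEW,RELATED,ESTABLISHED -j DROP
    printf '%s %s(%s)\n' "$(date)" "$ip" "$number" >> /var/log/scanip.log
  fi
done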
cWm$;`Q#\  
这个世界终于清静了!有遇到类似情况的朋友可以一试,我的系统是Linux,防火墙用的是Iptables。
-------------------------------------------------------

注释:

[1] 有美国、冰岛、日本、韩国、印度、挪威、唐山、内蒙古、广州等等,不过也许只是同一个人通过IP伪装了而已。

