linux自动屏蔽IP工具常州五颜六色网络技术有限公司



» 您尚未登录注册 \| 社区服务 \| 帮助 \| 社区 \| 无图版

常州五颜六色网络技术有限公司 -> 网站建设 -> linux自动屏蔽IP工具

XML

WAP

--> 本页主题: linux自动屏蔽IP工具

加为IE收藏 | 收藏主题 | 上一主题 | 下一主题

头衔：大客部

该用户目前不在线

级别: 总版主
精华: 0
发帖: 607
威望: 2 点
金钱: 1061 RMB
贡献值: 0 点
在线时间:1761(小时)
注册时间:2006-01-01
最后登录:2025-02-11

linux自动屏蔽IP工具另存为 firewall.sh 给执行的权限 kL 6f^MoL 0K <@?cI #!/bin/sh #/Y t4n # this program is used to check tcp/ip connections lpQsmd# # and block those ip with excessive connections ({ads_l &~ QQZ]q6 # my version 6q RZ#MC myver="1.0RC1" X 2hV)8Sk brL\|s\P\9 # wake up every 120s if last check found abuse client 5M4mFC6 wakeup_time_min=120 :A%uXgK<k V'sp6:3\ # wake up every 300s if last check found no abuse client 8`XT`H wakeup_time_max=300 <E{zr& PdcF # rule timeout 3600s Mt(wy%{zK rule_timeout=3600 D_ybgX?0: Sd'!(M^k3 # check port list "z)dz,&T portlist="80" e;\g[^U PXof-W # max established connection per ip o65:)z u max_active_conn=8 u;18s-NY xa#0y # iptables chain name lp3 A B iptables_chain_name="RH-Lokkit-0-50-INPUT" - ?_a YJ [ &RZ& # log facility {Tb(4or?=b log_facility="local0" s1.YH?A; QNj hA'[T # Block policy cf)2GoV>e ipchains_block_policy="DENY" 25]Mi2 _ iptables_block_policy="REJECT" 01<~~6A (yIl]ZN # myself #D~atgR myself=`basename $0` (~}IoQp> [<`K%1GQ mylogger_info() a<9gD,]P { G&$+8r logger -p $log_facility.info -t $myself $@ 2>/dev/null ~&B{"d } VcKufV' F`KA^ZI mylogger_debug() rKEi1b { OEmz`JJ67 logger -p $log_facility.debug -t $myself $@ 2>/dev/null UUi@ U } WtOpxAq Sn=\|Q4ZN mylogger_notice() Q-o}Xnj!L { aHx(~&hRcL logger -p $log_facility.notice -t $myself $@ 2>/dev/null .O!JI"? } _1jd{?kt ))f%3_H dotimeout() Si#I^aF`% { FG]xn(E mylogger_info "reset firewall when timeout arrives" zvv<w@rX case "$firewall" in "`]G>,r_ ipchains) \|hms'n0 /etc/init.d/ipchains restart 1>/dev/null 2>/dev/null <>JN&#3? if [ $? = 0 ] ; then .y'iF>QQ\ mylogger_info "ipchains restarted" L&V ;Xvbu% else feM% - mylogger_notice "ipchains restart failed" c"`o V! m fi j9"uxw@ ;; ( HCB\!g iptables) q SR\=:$ /etc/init.d/iptables restart 1>/dev/null 2>/dev/null ^uB9EPP if [ $? = 0 ] ; then V5w00s5?% mylogger_info "iptables restarted" !$&k@#v: else )pI(y mylogger_notice "iptables restart failed" f P'qUN fi cQ(zBf ;; 4q sIJJ[. ) (A!+$}UR mylogger_notice "neither ipchains nor iptables" <vxjM; ;; _'pow&w~ esac ~2 L{m[s\| J2A+x\{< } #OlU\|I reo blockclient() B=m%NXf { Ik[aiz if [ -z "$1" ] \|\| [ -z "$2" ]; then <T]BSQk mylogger_notice "blockclient() missing client or port to block" 7ux0\|l return cp D=9k!K fi !6y<jJ> local ip port ]2O52r M"cB6{st[ ip=$1 QwF\s13 port=$2 Dn{ hU$ @9-/p ^n1 case "$firewall" in fL^+Qb} ipchains) c6 O1Z\M@\ mylogger_notice "blocking $1 to $2 via ipchains" J<K-Yeph found=`ipchains -nL \| egrep "^$ipchains_block_policy.[[:space:]]+$ip[[:space:]]+.[[:space:]]+\->[[:space:]]+$port"` P#e1? if [ -z "$found" ] ; then <'s_3AC cmd="ipchains -I input 1 -p tcp -s $ip -d 0/0 $port -j $ipchains_block_policy 1>/dev/null 2>/dev/null" lw/zgR#\| mylogger_debug "cmd: $cmd" yb 7 `ipchains -I input 1 -p tcp -s $ip -d 0/0 $port -j $ipchains_block_policy 1>/dev/null 2>/dev/null` #<_gY if [ $? != 0 ] ; then LjZvWts? mylogger_notice "$cmd call failed" 2hZ>bg return kjCXP fi Xx.4K>j+j new_block=1 ?&qa3y)wX: ever_block=1 _8}S= else SZ/}2_; mylogger_info "$ip already blocked to $port" :.;pRz fi t(<^ of: ;; 93Z/\|7 iptables) p]/qf\E mylogger_notice "blocking $1 to $2 via iptables" jZRf{ found=`iptables -nL \| egrep "^$iptables_block_policy.[[:space:]]+$ip[[:space:]]+.[[:space:]]+dpt:$port[[:space:]]+"` "EA6RFRD if [ -z "$found" ] ; then X<pg^Y0 cmd="iptables -I $iptables_chain_name 1 -p tcp -m tcp -s $ip --dport $port -j $iptables_block_policy 1>/dev/null 2>/dev/null" h6Femis mylogger_debug "cmd: $cmd" 5\|T[:m `iptables -I $iptables_chain_name 1 -p tcp -m tcp -s $ip --dport $port -j $iptables_block_policy 1>/dev/null 2>/dev/null` 1\|]IWX\| if [ $? != 0 ] ; then 1_AB;^ mylogger_notice "$cmd call failed" ^,P# <,D, return x2q6y fi B=0U^wL new_block=1 A&HN7C%X ever_block=1 U;o $=,_p else z%lu% mylogger_info "$ip already blocked to $port" VnZRsFY<^ fi }OQaQf9V{ ;; % oPt],> ) -?jI{].:8 mylogger_notice "neither ipchains nor iptables" /G {;?R ;; 3YKJN4 esac >GbCRN~ } ~}lYp^~:J lpjeEawo4 restartservice() fX ^hO+f { 3MmpB9l#H local service n@TK}?\UoR if [ -z "$1" ] ; then & bKl(, mylogger_notice "no port given to see which service to be restart" 9<e%('@[ return eD(;Wn fi O/(QLgUr Li'>pQ+ case "$1" in vz$_Fgsc. 80) F K7cDaI service="httpd" 4# L}& ;; EZ"n3#/ 25) 3R}O3#lj, service="postfix" Q!91uNL ;; Jbv[Ql# 110) &x": service="courier-pop3d" \80W?9qj ;; RXi/&'+H 21) =O1py_m service="muddleftpd" rWP -Rm ;; A2 r\=for 53) nF)b4`Nd service="named" _.{I16Y2 ;; .c5)` 3306) {vhP'!a6W service="mysqld" rjo1 ;; @Y&UP esac m\|M'vzu1 if [ ! -z "$service" ] ; then tKX+eA] /etc/init.d/$service restart 1>/dev/null 2>/dev/null L25v 7U if [ $? = 0 ] ; then xXRlQ\|84 mylogger_notice "$service restarted" u)4eu,MBT else ;zttpy mylogger_notice "$service restart failed" +V`* fi T&q0TBT fi Wb%t6N? } h@{mcz $`&zIz docheckport() A-&XgOL { KCl85Wi' mylogger_info "do check port $1" M(Tlkr local port last_client count client total_count Fd;%wWY.zm _.Im D if [ -z "$1" ] ; then M~ku 4ZP mylogger_notice "docheckport() port not given" [vTk#Cl4 return g2%fla7r fi v+vM:At4 G -V~6 port=$1 $]<wQH/?_ +GvPJI clientlist=`netstat -an --tcp\| grep ESTABLISHED \| awk "{ if ( index(\\$4,\":$port\") ) print \\$5}" \| awk -F ':' '{print $1}'\|sort` bV&"jjEx if [ $? != 0 ] ; then =mYwO=:D mylogger_notice "netstat call failed" `{1~]?-& return y#{v\h Cz fi 0^83:C ^{ #echo $clientlist awl3\|k/ # reset new_block LaX<2]Tx: new_block=0 [.'9Sw count=0 h f\/2Vl total_count=0 2GxkOch last_client="" d]K $0HY for client in $clientlist ;~GBD] do slQEAqG)B #echo "client is $client" 2QgD< if [ -z "$last_client" ] ; then \DcO.`L count=$((count+1)) hrW2#v total_count=$((total_count+1)) V t(s4 last_client=$client 8`z else # TZ` if [ "$client" = "$last_client" ] ; then DN;\|?oNZ count=$((count+1)) gKP=@v%- total_count=$((total_count+1)) 7$mB.\\| else [P`<y#J3F mylogger_debug "$last_client $count connections" <+Gf!0i if [ $count -ge $max_active_conn ] ; then E:y^= Y mylogger_notice "client $last_client connection $count >= $max_active_conn" ,uPN\`.u8 blockclient $last_client $port c{j)beaS fi s6k(K>P l count=1 c8Nl$\|B total_count=$((total_count+1)) ioUO0 last_client=$client jLn\|zK fi B,] AfH fi pV O{7I done f!F5d1N # check the last client ZK h4:D if [ ! -z "$client" ] ; then Z7I\\M count=$((count+1)) 49ehj1Se total_count=$((total_count+1)) J:@yG1VIp mylogger_debug "$client $count connections" b94+GLU8b if [ $count -ge $max_active_conn ] ; then = \|E8z u% mylogger_notice "client $client connection $count >= $max_active_conn" juI)Do2_ blockclient $client $port N'CWSf.e fi ~x^Ra8A fi =@c;%x mylogger_info "total connections on port $port: $total_count" "wCx]{Di ~14\|y\|\/ if [ $new_block = 1 ] ; then 86>@.:d restartservice $port J50n E~ fi hcM9Sx"! } 0oZZLi (kKfg4Wj docheckall() luW"\| { KWM.e1( # reset wakeup_time ?vFtv}@\ wakeup_time=$wakeup_time_max x.$cP for port in $portlist wp83E, do /N#=Tol docheckport $port ;GKL[tI" if [ $new_block = 1 ] ; then 1M b[S{ # set wakeup_time shorter cause we found some abuse client <oi'yr wakeup_time=$wakeup_time_min \4>w17qng fi {\|<yZ,,p done =[zP } DWEDL[{ ;kWWzg if [ -z "$firewall" ] && [ -f /etc/sysconfig/ipchains ] ; then s}-j.jzB{ firewall="ipchains" dkY JO! fi JH u>\{8V a47e if [ -z "$firewall" ] && [ -f /etc/sysconfig/iptables ] ; then %YbL%i\|U firewall="iptables" 3t9 CN ) fi V7`vLs- RNQq"c\ if [ -z "$firewall" ] ; then F =a echo "Error: This machine does not have ipchains or iptables firewall support" ~d3@x\I? exit 1 R4T@ ]l&W fi P{BW^kAdH W /?y& mylogger_info "firewall.sh v$myver ValueOf.com starting" X @pm!c# mylogger_info "Firewall is: $firewall" t: oQHhO? mylogger_info "Port protected: $portlist" Jt#HbAY mylogger_info "Max connection per ip: $max_active_conn" Zy.A9Bh~ mylogger_info "Min time to check: $wakeup_time_min""s" _n!>A! mylogger_info "Max time to check: $wakeup_time_max""s" kM[!UOnC!< mylogger_info "Timeout circle: $rule_timeout""s" 8 R7w$3pp\ mylogger_info "Output is logged to: $log_facility" 7h0u7N ^Sj;~ # if new ip blocked at this check run? ,G- new_block=0 )_n(u3' # if new ip blocked at this timeout run? 9+$IulOvk ever_block=0 H+-x.l` # reset wakeup_time ~7PiIky. wakeup_time=$wakeup_time_max sa _J6~ U$y wO4. lasttime=`date +%s` 3$Vx8:Rhdn AWPgrv/ while [ 1 ] ya5HAs do Q`6hJgyL curtime=`date +%s` l_$>$d timediff=$((curtime-lasttime)) zUDXkGLv #echo "timediff: $timediff" h-sO7M0E] if [ $timediff -ge $rule_timeout ] && [ $ever_block = 1 ] ; then H=0KX{ lasttime=$curtime avM8-&h ever_block=0 6uKth mr dotimeout @o~\E<T fi 9Iq<\V 4 docheckall \ykA7Y% mylogger_info "sleep for $wakeup_time""s" K7.ayM 0 sleep $wakeup_time [` }w7 done f Ayh9 ;K\|K]c ^c/3!"wK b<#zgf 1. 说明 t9e"QH firewall.sh是一个shell脚本程序，每隔一段时间检查tcp连接的统计信息，如果来自某个ip对某个端口的活动连接超过规定的最大数量， [{R>'~ 则自动将该IP对该端口的访问屏蔽，并重新启动相应的服务。再每隔一段时间，会重设防火墙到初始状态。 __s'/6u 该程序可以同时保护多个端口 ` ~^My~f V@s93kh 2. 安装 ntB#2S tar zxf firewall-1.0b.tar.gz BFP@Yn~k cd firewall-1.0b Vr"'O6 install -m 700 firewall.sh /usr/prima/sbin/firewall.sh s]`6uyW" n@h$V\&\iM 3. 配置 yS:w>xU @< 主要配置项目如下： B0p;Zh # 最小检查周期，缺省为120秒 T][c^K wakeup_time_min=120 v$x)$/]n .I]v D#o # 最大检查周期，缺省为300秒 -^t.eZ\| wakeup_time_max=600 7QZyd- 5 8L@:>" # 重设防火墙状态的时间，缺省为3600秒 /X0<2&v rule_timeout=3600 xaB#GdD nRw.82eK. # 保护的端口列表，缺省为80和25，支持的其他端口包括21(ftp), 110(pop3), 53(named), 3306(mysql) @MFEBc} # 一般的网络攻击都是针对80和25，又以80居多 Er8F_,M+ portlist="80 25" ._;It198f w)qmq # 每个ip可占用的最大活动（Established）连接数 6Fk[wH7 max_active_conn=8 EG &me P,F5Hf # iptables防火墙规则链名称，必须和/etc/sysconfig/iptables中一致 n!~QC # 如果用的是ipchains，可以忽略此项 KyDd( 'i iptables_chain_name="RH-Lokkit-0-50-INPUT" }TuMMO4+ CN-4FI)1D9 # 日志输出目标 3BLHd< log_facility="local0" 2v4&'C e$Y7V * 关于检查周期 tpeMq- 程序定义了两个检查周期，如果上次检查中屏蔽了某个IP，则程序会更频繁地检查连接情况，反之则等待更长时间。通过检查周期 JlE+CAny 的动态调整，可以有效调度在遭受攻击和正常状态下程序的运行次数。 7~P!Z=m^^f c$u#U~~ ipchains vs iptables LS#_K- 目前该程序支持ipchains和iptables两种软件防火墙，使用何种是由程序启动时自动检测的。如果/etc/sysconfig/ipchains和 K&dc< 4DC /etc/sysconfig/iptables都没有检测到，则报错退出。 uV'C_H _$HCNFdh 日志输出 ** $SniQ 程序的输出信息记录在系统日志中，目标是local0。如果没有特殊配置，可以在/var/log/messages中看到。建议在/etc/syslog.conf RJN LcIm 中加入一条： ;t@^Z_z,CR local0.* /var/log/firewall.log K #JO# 然后重新启动syslog s>>lf&7 /etc/init.d/syslog restart b+CvA(* 这样，可以将firewall.sh输出的日志单独记到文件/var/log/firewall.log里。 q^@k,HG A/j'{X!z 4. 运行 ^~4[?]S /usr/prima/sbin/firewall.sh & d+8\|aS<A L>57eF)7 范例输出： j2n 4; m * firewall.sh v1.0b ValueOf.com* Y[;Z7p Firewall is: ipchains . vea[ Port protected: 80 25 'w\Gd7E Max connection per ip: 8 K5+ONA<c Min time to check: 120s NIhYg6 Max time to check: 300s %9t=Iu Timeout circle: 3600s 9v}vCg Output is logged to: local0 h&bs` Psjk 7\ 察看/var/log/firewall.log，可以看到： ;AarpUw' Oct 16 14:08:55 server firewall.sh: do check port 80 // 检查80端口 TiI3<.a! Oct 16 14:08:55 server firewall.sh: 192.168.0.60 2 connections // 有两个来自192.168.0.60的连接 (i^<er q Oct 16 14:08:55 server firewall.sh: total connections on port 80: 2 // 80端口总共2个连接 NX<Q}3cC Oct 16 14:08:55 server firewall.sh: do check port 25 // 检查25端口 [>kzQYT[ Oct 16 14:08:55 server firewall.sh: total connections on port 25: 0 // 25端口没有连接 _qS4Ns/4s Oct 16 14:08:55 server firewall.sh: sleep for 300s // 等待300秒 X.ZY1vO -/6Ms%O 5. 停止 yrrP#F 先用ps命令察看firewall.sh进程的进程号，然后用kill命令将其终止，如 xa%2w] # ps auxww\|grep firewall.sh =Xb:. root 27932 0.0 0.5 2312 1060 pts/2 S 12:38 0:00 /bin/sh /usr/prima/sbin/firewall.sh t-J\j"~%+ root 27967 0.0 0.3 1732 592 pts/2 S 12:39 0:00 grep firewall.sh \MmKz^tO 第一行即firewall.sh的进程，用kill命令： zLVk7u{e # kill 27932 DYL\=ya1 [1] Terminated /usr/prima/sbin/firewall.sh C;rK16cn 即将其终止
常州电信/网通机房,100M共享/10M独享/1000M共享/100M独享/电信+网通双线路服务器托管 Tel：0519-89991155 企业QQ：4006023839 5y6s Inc.
[楼主] \| Posted: 2008-01-26 02:12

头衔：大客部

该用户目前不在线

级别: 总版主
精华: 0
发帖: 607
威望: 2 点
金钱: 1061 RMB
贡献值: 0 点
在线时间:1761(小时)
注册时间:2006-01-01
最后登录:2025-02-11

通过脚本自动屏蔽非法IP http://www.bornin76.cn/?p=31 Kp_^ 2V? C2 ] x 最近很是奇怪，我查看我的服务器日志，居然发现有来自全世界[1]的很多人在锲而不舍的试图猜解我的系统密码（遗憾的是还没人可以成功入侵）。我是穷尽我吃奶的智商也想不通，就这么一个破机器（无屏的IBM T23，开博说明里就已经明确说了），上面只是跑了一个可有可无的Blog程序而已，咋就这么多人感兴趣？莫不是都把我这里当成了入侵中央银行的系统入口？我倒是希望这是那个入口哦！ [r5k8TB1 F"M$ "rC] 研究了一下，觉得通过对日志文件进行判断，识别出扫描者的IP地址，然后再对其进行处理，这样也许是一种比较不错的简单的解决办法。经过实践，证明这是可行的。脚本代码如下： =q-HR+ X}gnO83 edy6WzxBcm #! /bin/bash [5Dg%?x ep3iI77/ SCANIP=`grep "\`date \"+ %d %H:%M\" -d \"-1min\"\`" /var/log/secure\|awk '/Failed/{print $(NF-3)}'\|sort\|uniq -c\|awk '{print $1"="$2;}'` \|r=.}9 - \7Fkeo+ for i in $SCANIP d4#Ra% do H^no&$2`1 NUMBER=`echo $i\|awk -F= '{print $1}'` sB,>4Zd SCANIP=`echo $i\|awk -F= '{print $2}'` ].eY]o}= echo $NUMBER Z\|kMoB echo $SCANIP uF=xo`=\| if [ $NUMBER -gt 10 ] && [ -z "`iptables -vnL INPUT\|grep $SCANIP`" ] a~-^$Fzgy then hsUP5_ iptables -I INPUT -s $SCANIP -m state --state NEW,RELATED,ESTABLISHED -j DROP ;\|Ja\|@82 echo "`date` $SCANIP($NUMBER)" >> /var/log/scanip.log mxRe2<W fi %Jpb&CEY done >5jHgs# ppb4R;CW 这个世界终于清静了！有遇到类似情况的朋友可以一试，我的系统是Linux，防火墙是用的Iptables。 92k}ON Ht'jm( (1vmtg.O ------------------------------------------------------- X; gN[ [i'\d} 注释： IrRn@15, _ 5nQe ! 有美国、冰岛、日本、韩国、印度、挪威、唐山、内蒙古、广州等等，不过也许只是同一个人通过IP伪装了而已。
常州电信/网通机房,100M共享/10M独享/1000M共享/100M独享/电信+网通双线路服务器托管 Tel：0519-89991155 企业QQ：4006023839 5y6s Inc.
[1 楼] \| Posted: 2008-01-26 04:39


常州五颜六色网络技术有限公司 -> 网站建设

Copyright © 2005-2009 5y6s Inc. 苏ICP备05001866号 Powered by PHPWind 5.0.1
Total 0.018805(s) query 5, Gzip enabled
会员言论不代表本站立场本站法律顾问：北京汇泽律师事务所韩律师

点击这里给我发消息

点击这里给我发消息

点击这里给我发消息