linux自动屏蔽IP工具

另存为 firewall.sh,并给予执行权限(如 chmod 700 firewall.sh)。脚本要修改防火墙规则,必须以 root 身份运行。
#!/bin/sh
# firewall.sh -- watch the number of established tcp connections each client
# ip holds to a protected port and add a firewall rule against clients that
# hold too many. The script loops forever (it is started in the background)
# and periodically restarts the firewall init script to return the ruleset
# to its configured state, which drops every rule it added.
#
# Everything below up to "myself" is configuration.

# script version
myver="1.0RC1"

# poll interval in seconds used after a client was blocked in the last pass
wakeup_time_min=120

# poll interval in seconds used while the last pass blocked nobody
wakeup_time_max=300

# seconds between firewall resets (restart of the firewall init script,
# which returns the firewall to its initial state and thereby removes all
# rules this script added)
rule_timeout=3600

# space-separated list of local tcp ports to watch
portlist="80"

# established connections from one ip to one port at which that ip is
# blocked (comparison is >=). NOTE(review): every user behind one NAT
# address shares this budget, so keep it above their legitimate concurrency.
max_active_conn=8

# iptables chain the block rules are inserted into; must match the chain
# configured in /etc/sysconfig/iptables (Red Hat lokkit default shown)
iptables_chain_name="RH-Lokkit-0-50-INPUT"

# syslog facility all messages go to
log_facility="local0"

# target of the block rule, per firewall flavour
ipchains_block_policy="DENY"
iptables_block_policy="REJECT"

# program name, used as the syslog tag
myself=$(basename -- "$0")
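mylogger_info()
{
  # Log "$*" to syslog at $log_facility.info, tagged with the script name.
  # The message is passed as a single argument so the caller's spacing
  # survives and none of its words are subject to globbing (the original
  # unquoted $@ word-split and glob-expanded the text).
  # logger failures (e.g. no syslog) are deliberately ignored.
  logger -p "$log_facility.info" -t "$myself" "$*" 2>/dev/null
}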
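mylogger_debug()
{
  # Log "$*" to syslog at $log_facility.debug, tagged with the script name.
  # The message is passed as a single argument so the caller's spacing
  # survives and none of its words are subject to globbing (the original
  # unquoted $@ word-split and glob-expanded the text).
  # logger failures (e.g. no syslog) are deliberately ignored.
  logger -p "$log_facility.debug" -t "$myself" "$*" 2>/dev/null
}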
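mylogger_notice()
{
  # Log "$*" to syslog at $log_facility.notice, tagged with the script name.
  # The message is passed as a single argument so the caller's spacing
  # survives and none of its words are subject to globbing (the original
  # unquoted $@ word-split and glob-expanded the text).
  # logger failures (e.g. no syslog) are deliberately ignored.
  logger -p "$log_facility.notice" -t "$myself" "$*" 2>/dev/null
}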
dotimeout()
{
  # Reset the firewall once $rule_timeout has elapsed with at least one
  # block rule added: the firewall init script is restarted, which returns
  # the ruleset to its configured state and so removes every rule that
  # blockclient inserted. Reads the global $firewall ("ipchains" or
  # "iptables"); anything else is only logged.
  local initscript
  mylogger_info "reset firewall when timeout arrives"
  case "$firewall" in
  ipchains|iptables)
    initscript=/etc/init.d/$firewall
    ;;
  *)
    mylogger_notice "neither ipchains nor iptables"
    return
    ;;
  esac
  if "$initscript" restart >/dev/null 2>&1 ; then
    mylogger_info "$firewall restarted"
  else
    mylogger_notice "$firewall restart failed"
  fi
}
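blockclient()
{
  # Insert a block rule for tcp traffic from ip $1 to local port $2 unless
  # an identical rule is already listed. On success the globals new_block
  # and ever_block are set to 1 (read by docheckport / the main loop).
  # Reads the globals firewall, ipchains_block_policy, iptables_block_policy
  # and iptables_chain_name. $1 comes from netstat output parsed by
  # docheckport, so it is an address token, but it is still quoted and
  # escaped below rather than trusted.
  if [ -z "$1" ] || [ -z "$2" ]; then
    mylogger_notice "blockclient() missing client or port to block"
    return
  fi
  local ip port ip_re found cmd

  ip=$1
  port=$2
  # Escape the dots so the ip is matched literally by grep -E; unescaped,
  # 1.2.3.4 would also match 1x2x3x4 and report it as already blocked.
  ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')

  case "$firewall" in
  ipchains)
    mylogger_notice "blocking $ip to $port via ipchains"
    # Note: the listing covers every chain, not only "input".
    found=$(ipchains -nL | grep -E "^$ipchains_block_policy.*[[:space:]]+$ip_re[[:space:]]+.*[[:space:]]+\->[[:space:]]+$port")
    if [ -z "$found" ] ; then
      cmd="ipchains -I input 1 -p tcp -s $ip -d 0/0 $port -j $ipchains_block_policy 1>/dev/null 2>/dev/null"
      mylogger_debug "cmd: $cmd"
      # Run the command directly. The original wrapped it in backticks and
      # executed its (empty) output, which only worked by accident.
      if ! ipchains -I input 1 -p tcp -s "$ip" -d 0/0 "$port" -j "$ipchains_block_policy" >/dev/null 2>&1 ; then
        mylogger_notice "$cmd call failed"
        return
      fi
      new_block=1
      ever_block=1
    else
      mylogger_info "$ip already blocked to $port"
    fi
    ;;
  iptables)
    mylogger_notice "blocking $ip to $port via iptables"
    # Note: the listing covers every chain, not only $iptables_chain_name.
    found=$(iptables -nL | grep -E "^$iptables_block_policy.*[[:space:]]+$ip_re[[:space:]]+.*[[:space:]]+dpt:$port[[:space:]]+")
    if [ -z "$found" ] ; then
      cmd="iptables -I $iptables_chain_name 1 -p tcp -m tcp -s $ip --dport $port -j $iptables_block_policy 1>/dev/null 2>/dev/null"
      mylogger_debug "cmd: $cmd"
      # Run the command directly (see the ipchains branch).
      if ! iptables -I "$iptables_chain_name" 1 -p tcp -m tcp -s "$ip" --dport "$port" -j "$iptables_block_policy" >/dev/null 2>&1 ; then
        mylogger_notice "$cmd call failed"
        return
      fi
      new_block=1
      ever_block=1
    else
      mylogger_info "$ip already blocked to $port"
    fi
    ;;
  *)
    mylogger_notice "neither ipchains nor iptables"
    ;;
  esac
}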
restartservice()
{
  # Restart the daemon that serves port $1 (docheckport calls this after a
  # new block rule was added for that port). Ports without a known service
  # are ignored silently.
  # NOTE(review): restarting a production daemon because one client crossed
  # the connection limit is itself a denial-of-service lever -- any client
  # that opens max_active_conn connections triggers a restart per check.
  local service entry
  if [ -z "$1" ] ; then
    mylogger_notice "no port given to see which service to be restart"
    return
  fi

  # port -> init script name
  service=""
  for entry in 80:httpd 25:postfix 110:courier-pop3d 21:muddleftpd 53:named 3306:mysqld
  do
    if [ "${entry%%:*}" = "$1" ] ; then
      service=${entry#*:}
      break
    fi
  done

  if [ -n "$service" ] ; then
    if "/etc/init.d/$service" restart >/dev/null 2>&1 ; then
      mylogger_notice "$service restarted"
    else
      mylogger_notice "$service restart failed"
    fi
  fi
}
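docheckport()
{
  # Count ESTABLISHED tcp connections to local port $1 per peer address and
  # hand every peer with at least $max_active_conn of them to blockclient.
  # Globals written: new_block (cleared here, raised by blockclient). When a
  # rule was added, the service behind the port is restarted.
  #
  # Fixes relative to the original: the hand-rolled run-length count added
  # one extra connection to the last client and to the total; the port test
  # index($4, ":80") also counted :8080 and :800; and the netstat exit status
  # was masked by the trailing sort in the pipeline.
  local port raw counts count client total_count

  mylogger_info "do check port $1"
  if [ -z "$1" ] ; then
    mylogger_notice "docheckport() port not given"
    return
  fi
  port=$1

  # Capture netstat on its own so its exit status is what gets tested.
  raw=$(netstat -an --tcp 2>/dev/null)
  if [ $? != 0 ] ; then
    mylogger_notice "netstat call failed"
    return
  fi

  # netstat columns: 4 = local address, 5 = peer address, 6 = state. The
  # port must be an exact ":port" suffix of the local address. The peer host
  # is the address up to its last ':'; an IPv4-mapped peer "::ffff:a.b.c.d"
  # is reduced to "a.b.c.d" so the IPv4 firewall can block it (the original
  # dropped such peers entirely). uniq -c yields "count host" lines.
  counts=$(printf '%s\n' "$raw" | awk -v port="$port" '
    $6 == "ESTABLISHED" && $4 ~ (":" port "$") {
      host = $5
      sub(/:[0-9]+$/, "", host)
      sub(/^::ffff:/, "", host)
      if (host != "") print host
    }' | sort | uniq -c)

  new_block=0
  total_count=0
  # The here-document keeps the loop in the current shell, so the new_block
  # and ever_block flags set by blockclient are not lost in a subshell.
  while read -r count client
  do
    [ -n "$client" ] || continue
    total_count=$((total_count+count))
    mylogger_debug "$client $count connections"
    if [ "$count" -ge "$max_active_conn" ] ; then
      mylogger_notice "client $client connection $count >= $max_active_conn"
      blockclient "$client" "$port"
    fi
  done <<EOF
$counts
EOF
  mylogger_info "total connections on port $port: $total_count"

  if [ "$new_block" = 1 ] ; then
    restartservice "$port"
  fi
}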
docheckall()
{
  # One pass over every port in $portlist. Also chooses the next sleep
  # interval (global wakeup_time): the short $wakeup_time_min when any port
  # in this pass produced a new block rule, otherwise $wakeup_time_max.
  # $port is left global, as in the original.
  wakeup_time=$wakeup_time_max
  for port in $portlist ; do
    docheckport "$port"
    if [ "$new_block" = 1 ] ; then
      # an abusive client was just blocked: poll again sooner
      wakeup_time=$wakeup_time_min
    fi
  done
}
# Pick the firewall flavour. $firewall may be preset in the environment to
# skip autodetection; otherwise the Red Hat sysconfig file decides, with
# ipchains taking precedence when both exist.
if [ -z "$firewall" ] ; then
  if [ -f /etc/sysconfig/ipchains ] ; then
    firewall="ipchains"
  elif [ -f /etc/sysconfig/iptables ] ; then
    firewall="iptables"
  fi
fi

if [ -z "$firewall" ] ; then
  echo "Error: This machine does not have ipchains or iptables firewall support"
  exit 1
fi

# startup banner (the column alignment is preserved only if the mylogger_*
# helpers pass the message as a single argument)
mylogger_info "firewall.sh v$myver ValueOf.com starting"
mylogger_info "Firewall is:       $firewall"
mylogger_info "Port protected:     $portlist"
mylogger_info "Max connection per ip: $max_active_conn"
mylogger_info "Min time to check:   ${wakeup_time_min}s"
mylogger_info "Max time to check:   ${wakeup_time_max}s"
mylogger_info "Timeout circle:     ${rule_timeout}s"
mylogger_info "Output is logged to:   $log_facility"

new_block=0              # set by blockclient: a rule was added in the current check
ever_block=0             # set by blockclient: a rule was added since the last reset
wakeup_time=$wakeup_time_max
lasttime=$(date +%s)

# Main loop: reset the firewall when the timeout has passed and something
# was blocked since the last reset, then check all ports and sleep.
# Note that lasttime only advances on a reset, so after a long quiet period
# the first new rule is cleared at the next check rather than after a full
# rule_timeout.
while : ; do
  curtime=$(date +%s)
  timediff=$((curtime-lasttime))
  if [ "$ever_block" = 1 ] && [ "$timediff" -ge "$rule_timeout" ] ; then
    lasttime=$curtime
    ever_block=0
    dotimeout
  fi
  docheckall
  mylogger_info "sleep for ${wakeup_time}s"
  sleep "$wakeup_time"
done
pxI*vgfN7  
JGj_{|=:  
}[LK/@h  
1. 说明 `(Q58wR}  
firewall.sh是一个shell脚本程序,每隔一段时间检查tcp连接的统计信息,如果来自某个ip对某个端口的活动连接超过规定的最大数量, YgM6z K~  
则自动将该IP对该端口的访问屏蔽,并重新启动相应的服务。再每隔一段时间,会重设防火墙到初始状态。 y*uL,W H  
该程序可以同时保护多个端口 /3KEX{'@U  
{E6W]Mno  
2. 安装
tar zxf firewall-1.0b.tar.gz
cd firewall-1.0b
install -m 700 firewall.sh /usr/prima/sbin/firewall.sh
(脚本需要以 root 运行才能修改防火墙规则,因此权限设为 700。)
l\$C)q6O  
3. 配置
主要配置项目如下:
# 最小检查周期,缺省为 120 秒
wakeup_time_min=120

# 最大检查周期,缺省为 300 秒
wakeup_time_max=300

# 重设防火墙状态的时间,缺省为 3600 秒
rule_timeout=3600

# 保护的端口列表(本文贴出的脚本中缺省只有 80;文档版本缺省为 80 和 25),支持的其他端口包括 21(ftp), 110(pop3), 53(named), 3306(mysql)
# 一般的网络攻击都是针对 80 和 25,又以 80 居多
portlist="80 25"

# 每个 IP 可占用的最大活动(Established)连接数,达到此数即被屏蔽
max_active_conn=8

# iptables 防火墙规则链名称,必须和 /etc/sysconfig/iptables 中一致
# 如果用的是 ipchains,可以忽略此项
iptables_chain_name="RH-Lokkit-0-50-INPUT"

# 日志输出目标(syslog facility)
log_facility="local0"
M~"K@g=Wr  
**** 关于检查周期 ****
程序定义了两个检查周期:如果上次检查中屏蔽了某个 IP,则程序会更频繁地检查连接情况,反之则等待更长时间。通过检查周期
的动态调整,可以有效调度在遭受攻击和正常状态下程序的运行次数。
Pd@?(WQ  
**** ipchains vs iptables ****
目前该程序支持 ipchains 和 iptables 两种软件防火墙,使用何种是由程序启动时自动检测的(也可以在启动前设置环境变量 firewall 来指定)。如果 /etc/sysconfig/ipchains 和
/etc/sysconfig/iptables 都没有检测到,则报错退出。
/sYD+*a  
**** 日志输出 ****
程序的输出信息记录在系统日志中,目标是 local0(即 log_facility 的值)。如果没有特殊配置,可以在 /var/log/messages 中看到。建议在 /etc/syslog.conf
中加入一条:
local0.*                 /var/log/firewall.log
然后重新启动 syslog
/etc/init.d/syslog restart
这样,可以将 firewall.sh 输出的日志单独记到文件 /var/log/firewall.log 里。
,Z52d ggD  
4. 运行
/usr/prima/sbin/firewall.sh &

范例输出:
*** firewall.sh v1.0b ValueOf.com***
Firewall is:       ipchains
Port protected:     80 25
Max connection per ip: 8
Min time to check:   120s
Max time to check:   300s
Timeout circle:     3600s
Output is logged to:   local0
b^FB[tZ\x  
察看 /var/log/firewall.log,可以看到:
Oct 16 14:08:55 server firewall.sh: do check port 80                   // 检查 80 端口
Oct 16 14:08:55 server firewall.sh: 192.168.0.60 2 connections             // 有两个来自 192.168.0.60 的连接
Oct 16 14:08:55 server firewall.sh: total connections on port 80: 2         // 80 端口总共 2 个连接
Oct 16 14:08:55 server firewall.sh: do check port 25                   // 检查 25 端口
Oct 16 14:08:55 server firewall.sh: total connections on port 25: 0         // 25 端口没有连接
Oct 16 14:08:55 server firewall.sh: sleep for 300s                     // 等待 300 秒
8g&uCv/Uk  
5. 停止
先用 ps 命令察看 firewall.sh 进程的进程号,然后用 kill 命令将其终止,如
# ps auxww|grep firewall.sh
root   27932 0.0 0.5 2312 1060 pts/2   S   12:38   0:00 /bin/sh /usr/prima/sbin/firewall.sh
root   27967 0.0 0.3 1732 592 pts/2   S   12:39   0:00 grep firewall.sh
第一行即 firewall.sh 的进程,用 kill 命令:
# kill 27932
[1]   Terminated             /usr/prima/sbin/firewall.sh
即将其终止。注意:终止脚本并不会撤销已经加入的屏蔽规则,需要重启防火墙(如 /etc/init.d/iptables restart)才能清除。


[楼 主] | Posted: 2008-01-26 02:12 顶端
通过脚本自动屏蔽非法IP

http://www.bornin76.cn/?p=31
最近很是奇怪,我查看我的服务器日志,居然发现有来自全世界[1]的很多人在锲而不舍地试图猜解我的系统密码(遗憾的是还没人可以成功入侵)。我是穷尽我吃奶的智商也想不通,就这么一个破机器(无屏的 IBM T23,开博说明里就已经明确说了),上面只是跑了一个可有可无的 Blog 程序而已,咋就这么多人感兴趣?莫不是都把我这里当成了入侵中央银行的系统入口?我倒是希望这是那个入口哦!
研究了一下,觉得通过对日志文件进行判断,识别出扫描者的 IP 地址,然后再对其进行处理,这样也许是一种比较不错的简单的解决办法。经过实践,证明这是可行的。脚本代码如下:
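#! /bin/bash
# Block peers that produced more than $THRESHOLD "Failed ..." lines in the
# auth log during the previous minute. Intended to run from cron once a
# minute: each run only looks at log lines stamped with the previous minute,
# so runs further apart leave gaps. Rules are never expired -- the INPUT
# chain only grows until it is flushed by hand. Must run as root.
#
# Environment overrides (defaults match the original script):
#   LOGFILE   auth log to scan            (default /var/log/secure)
#   THRESHOLD failures per peer per minute (default 10, blocked when > this)
#   BLOCKLOG  where new blocks are recorded (default /var/log/scanip.log)

LOGFILE=${LOGFILE:-/var/log/secure}
THRESHOLD=${THRESHOLD:-10}
BLOCKLOG=${BLOCKLOG:-/var/log/scanip.log}

# Print "count=ip" for every peer that appears in a "Failed" line read from
# stdin. The ip is the field following "from", which holds for the usual
# "Failed password for ... from A.B.C.D port N ssh2" lines and does not
# depend on the number of trailing fields (the original $(NF-3) broke on
# lines with extra trailing fields). Output is sorted by ip.
failed_ips()
{
  awk '/Failed/ { for (k = 1; k < NF; k++) if ($k == "from") { print $(k+1); break } }' \
    | sort | uniq -c | awk '{ print $1 "=" $2 }'
}

# syslog stamps the day space-padded ("Oct  5 14:08:55"), so use %e rather
# than %d: %d zero-pads and never matched on days 1-9. -F keeps the stamp a
# literal string.
STAMP=$(date "+ %e %H:%M" -d "-1min")
SCANIP=$(grep -F -- "$STAMP" "$LOGFILE" | failed_ips)

for i in $SCANIP
do
  NUMBER=${i%%=*}
  IP=${i#*=}
  echo "$NUMBER"
  echo "$IP"
  # -F -w: the address is matched literally and as a whole word, so a peer
  # 1.2.3.4 is not mistaken for an already blocked 1.2.3.45 (the original
  # unquoted regex also let each dot match any character).
  if [ "$NUMBER" -gt "$THRESHOLD" ] && ! iptables -vnL INPUT | grep -Fqw -- "$IP"
  then
    # rule kept as the original wrote it
    iptables -I INPUT -s "$IP" -m state --state NEW,RELATED,ESTABLISHED -j DROP
    echo "$(date) $IP($NUMBER)" >> "$BLOCKLOG"
  fi
done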
这个世界终于清静了!有遇到类似情况的朋友可以一试,我的系统是 Linux,防火墙是用的 iptables。注意:脚本只检查上一分钟的日志,需要由 cron 每分钟运行一次;加入的屏蔽规则不会自动过期,INPUT 链会一直增长,需要定期手工清理。

-------------------------------------------------------

注释:

[1] 有美国、冰岛、日本、韩国、印度、挪威、唐山、内蒙古、广州等等,不过也许只是同一个人通过 IP 伪装了而已。


[1 楼] | Posted: 2008-01-26 04:39 顶端

常州五颜六色网络技术有限公司 -> 网站建设



Copyright © 2005-2009 5y6s Inc. 苏ICP备05001866号 Powered by PHPWind 5.0.1
Total 0.036211(s) query 5, Gzip enabled
会员言论不代表本站立场 本站法律顾问:北京汇泽律师事务所 韩律师
QQ:点击这里给我发消息 /点击这里给我发消息 /点击这里给我发消息
51La