
deserts 2008-01-26 02:12
另存为 firewall.sh，给执行的权限

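#!/bin/sh
# this program is used to check tcp/ip connections
# and block those ip with excessive connections
#
# Polls netstat for ESTABLISHED tcp connections on every port in $portlist.
# A peer that reaches $max_active_conn connections on a port gets a
# per-port firewall rule and the port's service is restarted; every
# $rule_timeout seconds after a block was made the firewall is reset to
# its saved state. Inserting rules and restarting services normally needs
# root. All output goes to syslog.

# my version
myver="1.0RC1"

# wake up every 120s if last check found abuse client
wakeup_time_min=120

# wake up every 300s if last check found no abuse client
wakeup_time_max=300

# rule timeout 3600s
rule_timeout=3600

# check port list (whitespace separated, e.g. "80 25")
portlist="80"

# max established connection per ip
# NOTE(review): there is no allow-list, so clients behind a shared NAT or
# a reverse proxy can legitimately reach this figure and would be blocked.
max_active_conn=8

# iptables chain name (must match the chain in /etc/sysconfig/iptables)
iptables_chain_name="RH-Lokkit-0-50-INPUT"

# log facility
log_facility="local0"

# Block policy
ipchains_block_policy="DENY"
iptables_block_policy="REJECT"

# myself: the syslog tag; $0 is quoted so a script path containing
# whitespace does not break basename
myself=$(basename "$0")
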
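#######################################
# Log an info-level message through syslog.
# Globals:   log_facility, myself (read)
# Arguments: the message words; passed through quoted, so a message
#            containing * or ? is no longer glob-expanded by the shell
# Returns:   logger's exit status (its stderr is discarded)
#######################################
mylogger_info()
{
  logger -p "$log_facility.info" -t "$myself" -- "$@" 2>/dev/null
}
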
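#######################################
# Log a debug-level message through syslog.
# Globals:   log_facility, myself (read)
# Arguments: the message words; passed through quoted, so a message
#            containing * or ? is no longer glob-expanded by the shell
# Returns:   logger's exit status (its stderr is discarded)
#######################################
mylogger_debug()
{
  logger -p "$log_facility.debug" -t "$myself" -- "$@" 2>/dev/null
}
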
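#######################################
# Log a notice-level message through syslog.
# Globals:   log_facility, myself (read)
# Arguments: the message words; passed through quoted, so a message
#            containing * or ? is no longer glob-expanded by the shell
# Returns:   logger's exit status (its stderr is discarded)
#######################################
mylogger_notice()
{
  logger -p "$log_facility.notice" -t "$myself" -- "$@" 2>/dev/null
}
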
#######################################
# Reset the firewall once the rule timeout has expired: re-run the init
# script of the firewall detected at start-up, which reloads its saved
# rule set (the "reset to initial state" the rule timeout is for).
# Globals:   firewall (read)
# Outputs:   syslog only
#######################################
dotimeout()
{
  local initscript

  mylogger_info "reset firewall when timeout arrives"
  case "$firewall" in
    ipchains|iptables)
      initscript="/etc/init.d/$firewall"
      ;;
    *)
      mylogger_notice "neither ipchains nor iptables"
      return
      ;;
  esac

  if "$initscript" restart >/dev/null 2>&1 ; then
    mylogger_info "$firewall restarted"
  else
    mylogger_notice "$firewall restart failed"
  fi
}

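#######################################
# Insert a firewall rule blocking one client from one tcp port. Nothing
# is inserted when a matching rule is already present.
# Globals:   firewall, ipchains_block_policy, iptables_block_policy,
#            iptables_chain_name (read); new_block, ever_block (set to 1
#            after a rule was inserted)
# Arguments: $1 - client ip (dotted quad), $2 - tcp port
# Outputs:   syslog only
#######################################
blockclient()
{
  local ip port ip_re found cmd

  if [ -z "$1" ] || [ -z "$2" ]; then
    mylogger_notice "blockclient() missing client or port to block"
    return
  fi
  ip=$1
  port=$2

  # Both values end up inside a grep pattern and on a firewall command
  # line. netstat only ever hands us digits and dots, but refuse anything
  # else so a malformed value can neither break the pattern nor be taken
  # as extra arguments by the firewall tool.
  case "$ip" in
    *[!0-9.]*)
      mylogger_notice "blockclient() refusing malformed client '$ip'"
      return
      ;;
  esac
  case "$port" in
    *[!0-9]*)
      mylogger_notice "blockclient() refusing malformed port '$port'"
      return
      ;;
  esac
  # In a regex a dot matches any character; escape them so the "already
  # blocked" test matches this exact address only.
  ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')

  case "$firewall" in
    ipchains)
      mylogger_notice "blocking $ip to $port via ipchains"
      found=$(ipchains -nL | grep -E "^$ipchains_block_policy.*[[:space:]]+$ip_re[[:space:]]+.*[[:space:]]+->[[:space:]]+$port")
      if [ -n "$found" ] ; then
        mylogger_info "$ip already blocked to $port"
        return
      fi
      cmd="ipchains -I input 1 -p tcp -s $ip -d 0/0 $port -j $ipchains_block_policy"
      mylogger_debug "cmd: $cmd"
      if ! ipchains -I input 1 -p tcp -s "$ip" -d 0/0 "$port" -j "$ipchains_block_policy" >/dev/null 2>&1 ; then
        mylogger_notice "$cmd call failed"
        return
      fi
      ;;
    iptables)
      mylogger_notice "blocking $ip to $port via iptables"
      found=$(iptables -nL | grep -E "^$iptables_block_policy.*[[:space:]]+$ip_re[[:space:]]+.*[[:space:]]+dpt:$port[[:space:]]+")
      if [ -n "$found" ] ; then
        mylogger_info "$ip already blocked to $port"
        return
      fi
      cmd="iptables -I $iptables_chain_name 1 -p tcp -m tcp -s $ip --dport $port -j $iptables_block_policy"
      mylogger_debug "cmd: $cmd"
      if ! iptables -I "$iptables_chain_name" 1 -p tcp -m tcp -s "$ip" --dport "$port" -j "$iptables_block_policy" >/dev/null 2>&1 ; then
        mylogger_notice "$cmd call failed"
        return
      fi
      ;;
    *)
      mylogger_notice "neither ipchains nor iptables"
      return
      ;;
  esac

  # A rule went in: shorten the poll interval for this run and arm the
  # rule timeout (both are read by the main loop).
  new_block=1
  ever_block=1
}
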
#######################################
# Restart the service behind a port after a client was blocked from it.
# Ports without an entry in the table below are silently ignored.
# NOTE(review): this runs on every newly inserted rule, so a single client
# that opens $max_active_conn connections also forces a service restart;
# a deployment may prefer to make the restart optional.
# Globals:   none
# Arguments: $1 - tcp port whose service should be restarted
# Outputs:   syslog only
#######################################
restartservice()
{
  local service

  if [ -z "$1" ] ; then
    mylogger_notice "no port given to see which service to be restart"
    return
  fi

  # port -> init script name
  service=
  case "$1" in
    80)   service="httpd" ;;
    25)   service="postfix" ;;
    110)  service="courier-pop3d" ;;
    21)   service="muddleftpd" ;;
    53)   service="named" ;;
    3306) service="mysqld" ;;
  esac

  if [ -n "$service" ] ; then
    if "/etc/init.d/$service" restart >/dev/null 2>&1 ; then
      mylogger_notice "$service restarted"
    else
      mylogger_notice "$service restart failed"
    fi
  fi
}

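#######################################
# Count the ESTABLISHED tcp connections per client on one local port,
# block every client that reached $max_active_conn, and restart the
# port's service when a new rule was inserted during this run.
# Globals:   max_active_conn (read); new_block (reset to 0 here, set to 1
#            by blockclient)
# Arguments: $1 - local tcp port to check
# Outputs:   syslog only
#######################################
docheckport()
{
  local port raw counts count client total_count

  mylogger_info "do check port $1"
  if [ -z "$1" ] ; then
    mylogger_notice "docheckport() port not given"
    return
  fi
  port=$1

  # Run netstat on its own: inside a pipeline only the last stage's exit
  # status is visible, so a failing netstat used to go unnoticed.
  if ! raw=$(netstat -an --tcp 2>/dev/null) ; then
    mylogger_notice "netstat call failed"
    return
  fi

  # One line per established peer whose local port is exactly $port (a
  # substring test on ":80" also matched :8080, :800, ...), then
  # "COUNT CLIENT" per peer from uniq -c. Only the part of the foreign
  # address before the first ':' is used, so IPv6 peers collapse to ""
  # and are skipped, as before.
  counts=$(printf '%s\n' "$raw" | awk -v port="$port" '
    $6 == "ESTABLISHED" {
      lport = $4; sub(/.*:/, "", lport)
      if (lport != port) next
      split($5, peer, ":")
      if (peer[1] != "") print peer[1]
    }' | LC_ALL=C sort | uniq -c)

  # reset new_block
  new_block=0
  total_count=0
  # here-document rather than a pipe, so blockclient() updates new_block
  # in this shell and not in a subshell
  while read -r count client ; do
    [ -n "$client" ] || continue
    total_count=$((total_count + count))
    mylogger_debug "$client $count connections"
    if [ "$count" -ge "$max_active_conn" ] ; then
      mylogger_notice "client $client connection $count >= $max_active_conn"
      blockclient "$client" "$port"
    fi
  done <<EOF
$counts
EOF
  mylogger_info "total connections on port $port: $total_count"

  if [ "$new_block" = 1 ] ; then
    restartservice "$port"
  fi
}
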
#######################################
# Run docheckport() for every port in $portlist and choose the interval
# for the next sleep: the short one as soon as any port produced a new
# block during this run, the long one otherwise.
# Globals:   portlist, wakeup_time_min, wakeup_time_max (read);
#            new_block (read, set by docheckport); wakeup_time, port (set)
#######################################
docheckall()
{
  # reset wakeup_time
  wakeup_time=$wakeup_time_max
  # $portlist is deliberately unquoted: it is a whitespace separated list
  for port in $portlist ; do
    docheckport "$port"
    if [ "$new_block" = 1 ] ; then
      # set wakeup_time shorter cause we found some abuse client
      wakeup_time=$wakeup_time_min
    fi
  done
}

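# ---- main --------------------------------------------------------------
# Pick the firewall: a $firewall already set in the environment wins,
# otherwise the first of ipchains / iptables whose sysconfig file exists.
if [ -z "$firewall" ] && [ -f /etc/sysconfig/ipchains ] ; then
  firewall="ipchains"
fi

if [ -z "$firewall" ] && [ -f /etc/sysconfig/iptables ] ; then
  firewall="iptables"
fi

if [ -z "$firewall" ] ; then
  # diagnostics go to stderr, not into whatever stdout is redirected to
  echo "Error: This machine does not have ipchains or iptables firewall support" >&2
  exit 1
fi

mylogger_info "firewall.sh v$myver ValueOf.com starting"
mylogger_info "Firewall is:       $firewall"
mylogger_info "Port protected:     $portlist"
mylogger_info "Max connection per ip: $max_active_conn"
mylogger_info "Min time to check:   ${wakeup_time_min}s"
mylogger_info "Max time to check:   ${wakeup_time_max}s"
mylogger_info "Timeout circle:     ${rule_timeout}s"
mylogger_info "Output is logged to:   $log_facility"

# if new ip blocked at this check run?
new_block=0
# if new ip blocked at this timeout run?
ever_block=0
# reset wakeup_time
wakeup_time=$wakeup_time_max

lasttime=$(date +%s)

# Poll forever. The firewall is reset once $rule_timeout seconds have
# passed since the last reset (or start-up) and a block was made in that
# window - measured from the last reset, not from the block itself - then
# every port is checked and the loop sleeps for the interval docheckall()
# chose.
while : ; do
  curtime=$(date +%s)
  timediff=$((curtime - lasttime))
  if [ "$timediff" -ge "$rule_timeout" ] && [ "$ever_block" = 1 ] ; then
    lasttime=$curtime
    ever_block=0
    dotimeout
  fi
  docheckall
  mylogger_info "sleep for ${wakeup_time}s"
  sleep "$wakeup_time"
done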
Tc||96%2 ^  
f~a 7E;y  
{S9gOg  
1. 说明
firewall.sh是一个shell脚本程序,每隔一段时间检查tcp连接的统计信息,如果来自某个ip对某个端口的活动连接超过规定的最大数量,
则自动将该IP对该端口的访问屏蔽,并重新启动相应的服务。再每隔一段时间,会重设防火墙到初始状态。
该程序可以同时保护多个端口
!]g[u3O  
2. 安装
tar zxf firewall-1.0b.tar.gz
cd firewall-1.0b
install -m 700 firewall.sh /usr/prima/sbin/firewall.sh
Aqf91 [c  
3. 配置
主要配置项目如下:
# 最小检查周期,缺省为120秒
wakeup_time_min=120

# 最大检查周期,缺省为300秒
wakeup_time_max=600

# 重设防火墙状态的时间,缺省为3600秒
rule_timeout=3600

# 保护的端口列表,缺省为80和25,支持的其他端口包括21(ftp), 110(pop3), 53(named), 3306(mysql)
# 一般的网络攻击都是针对80和25,又以80居多
portlist="80 25"

# 每个ip可占用的最大活动(Established)连接数
max_active_conn=8

# iptables防火墙规则链名称,必须和/etc/sysconfig/iptables中一致
# 如果用的是ipchains,可以忽略此项
iptables_chain_name="RH-Lokkit-0-50-INPUT"

# 日志输出目标
log_facility="local0"
LNk :PD0m  
**** 关于检查周期 ****
程序定义了两个检查周期,如果上次检查中屏蔽了某个IP,则程序会更频繁地检查连接情况,反之则等待更长时间。通过检查周期
的动态调整,可以有效调度在遭受攻击和正常状态下程序的运行次数。
#M  w70@6  
**** ipchains vs iptables ****
目前该程序支持ipchains和iptables两种软件防火墙,使用何种是由程序启动时自动检测的。如果/etc/sysconfig/ipchains和
/etc/sysconfig/iptables都没有检测到,则报错退出。
xh#_K@8  
**** 日志输出 ****
程序的输出信息记录在系统日志中,目标是local0。如果没有特殊配置,可以在/var/log/messages中看到。建议在/etc/syslog.conf
中加入一条:
local0.*                 /var/log/firewall.log
然后重新启动syslog
/etc/init.d/syslog restart
这样,可以将firewall.sh输出的日志单独记到文件/var/log/firewall.log里。
^5~x*=_  
4. 运行
/usr/prima/sbin/firewall.sh &
%|JL=E}%|  
范例输出:
*** firewall.sh v1.0b ValueOf.com***
Firewall is:       ipchains
Port protected:     80 25
Max connection per ip: 8
Min time to check:   120s
Max time to check:   300s
Timeout circle:     3600s
Output is logged to:   local0
YT[=o}jS  
察看/var/log/firewall.log,可以看到:
Oct 16 14:08:55 server firewall.sh: do check port 80                   // 检查80端口
Oct 16 14:08:55 server firewall.sh: 192.168.0.60 2 connections             // 有两个来自192.168.0.60的连接
Oct 16 14:08:55 server firewall.sh: total connections on port 80: 2         // 80端口总共2个连接
Oct 16 14:08:55 server firewall.sh: do check port 25                   // 检查25端口
Oct 16 14:08:55 server firewall.sh: total connections on port 25: 0         // 25端口没有连接
Oct 16 14:08:55 server firewall.sh: sleep for 300s                     // 等待300秒
i[.7 8K-s  
5. 停止
先用ps命令察看firewall.sh进程的进程号,然后用kill命令将其终止,如
# ps auxww|grep firewall.sh
root   27932 0.0 0.5 2312 1060 pts/2   S   12:38   0:00 /bin/sh /usr/prima/sbin/firewall.sh
root   27967 0.0 0.3 1732 592 pts/2   S   12:39   0:00 grep firewall.sh
第一行即firewall.sh的进程,用kill命令:
# kill 27932
[1]   Terminated             /usr/prima/sbin/firewall.sh
即将其终止

deserts 2008-01-26 04:39
http://www.bornin76.cn/?p=31
}/.b@`Dh;  
最近很是奇怪,我查看我的服务器日志,居然发现有来自全世界[1]的很多人在锲而不舍的试图猜解我的系统密码(遗憾的是还没人可以成功入侵)。我是穷尽我吃奶的智商也想不通,就这么一个破机器(无屏的IBM T23,开博说明里就已经明确说了),上面只是跑了一个可有可无的Blog程序而已,咋就这么多人感兴趣?莫不是都把我这里当成了入侵中央银行的系统入口?我倒是希望这是那个入口哦!
DzvGR)>/  
研究了一下,觉得通过对日志文件进行判断,识别出扫描者的IP地址,然后再对其进行处理,这样也许是一种比较不错的简单的解决办法。经过实践,证明这是可行的。脚本代码如下:
[UaM}-eR  
If.hA}  
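#! /bin/bash
# Block hosts that produced more than $THRESHOLD "Failed" lines in the
# auth log during the previous minute. Meant to be run once a minute
# (e.g. from cron); inserting iptables rules normally needs root.
#   LOGFILE    auth log to scan               (default: /var/log/secure)
#   THRESHOLD  failures per host and minute   (default: 10)
#   BLOCKLOG   where blocked hosts are noted  (default: /var/log/scanip.log)
LOGFILE=${LOGFILE:-/var/log/secure}
THRESHOLD=${THRESHOLD:-10}
BLOCKLOG=${BLOCKLOG:-/var/log/scanip.log}

block_scanners() {
  local stamp number ip
  # syslog writes the day of month space-padded ("Jan  5 02:12"), so the
  # pattern must use %e: with %d ("05") nothing matched during the first
  # nine days of a month and no host was ever blocked then.
  stamp=$(date "+ %e %H:%M" -d "-1min")
  # "Failed ... from A.B.C.D port N ssh2": the address is the 4th field
  # from the end, which stays correct for user names containing spaces.
  grep -F -- "$stamp" "$LOGFILE" 2>/dev/null |
    awk '/Failed/ {print $(NF-3)}' | LC_ALL=C sort | uniq -c |
  while read -r number ip; do
    # the address is placed on iptables and grep command lines below;
    # anything that is not a dotted quad is dropped rather than passed on
    case "$ip" in
      '' | *[!0-9.]*) continue ;;
    esac
    printf '%s %s\n' "$number" "$ip" >&2
    [ "$number" -gt "$THRESHOLD" ] || continue
    # -wF: match the address as a whole word and literally, so an existing
    # rule for 10.0.0.10 no longer hides 10.0.0.1 and dots are not wildcards
    if iptables -vnL INPUT | grep -qwF -- "$ip"; then
      continue
    fi
    iptables -I INPUT -s "$ip" -m state --state NEW,RELATED,ESTABLISHED -j DROP
    printf '%s %s(%s)\n' "$(date)" "$ip" "$number" >> "$BLOCKLOG"
  done
}

block_scanners
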
这个世界终于清静了!有遇到类似情况的朋友可以一试,我的系统是Linux,防火墙是用的Iptables。
]l4# KI@  
ey>V^Fj  
-------------------------------------------------------
sKI{AHJ?X  
注释:
7ClN-/4  
有美国、冰岛、日本、韩国、印度、挪威、唐山、内蒙古、广州等等,不过也许只是同一个人通过IP伪装了而已。




