| deserts |
2008-01-26 02:12 |
另存为 firewall.sh 给执行的权限
MT�UJsH\�
"[�M k5t�M
#!/bin/sh t9��(s�Sl�
# this program is used to check tcp/ip connections JMIS�*njq^
# and block those ip with excessive connections /��+{�]?y,
�c�"x-_U�k
# my version �s%p,cz;
,
myver="1.0RC1" �e~iPN.�'1
_8e��N^oc%
# wake up every 120s if last check found abuse client BiI}JEp4o�
wakeup_time_min=120 Z{gJ���m�9
4�kqg�Ztg.
# wake up every 300s if last check found no abuse client ��8�M�9}os
wakeup_time_max=300 i!k�5P".o^
4~
��YP�Lu
# rule timeout 3600s 6}xFE]Df-Y
rule_timeout=3600 x8q3 Njr��
xHo
iu�$i6
# check port list uBXl� lt�U
portlist="80" M);@�Xc�S�
&�9:���"X�
# max established connection per ip ZlxJY%o�eu
max_active_conn=8 U9Z��WS�Ds
3$Y���(swc
# iptables chain name JVx
�,1lth
iptables_chain_name="RH-Lokkit-0-50-INPUT" �1P1"x��
T
1O{x9a5Z?O
# log facility 8LZmr|/F*�
log_facility="local0"
S_E�N,2'e
K9 tuiD+j�
# Block policy f�Z)M
�Dq�
ipchains_block_policy="DENY" �vn0}l6n3s
iptables_block_policy="REJECT" f�3u^:6�U~
H�*M�)<"X�
# myself &!E+�l<.RF
myself=`basename $0` }VUrn2@-4�
4?3*%_bDJ,
mylogger_info() ?�h*Ngb�j>
{ %1Pn;�bUU!
logger -p $log_facility.info -t $myself $@ 2>/dev/null ��M�],�}.l
} (E.,kc�A�J
S�K���@�%r
mylogger_debug() ��,( ���?q
{ ��n��M?mdb
logger -p $log_facility.debug -t $myself $@ 2>/dev/null �TrBB�V]�4
} .*bu:�FuDE
p[zKc2�TPk
mylogger_notice() ���� 3
~mi
{ ^l�p#j;�Df
logger -p $log_facility.notice -t $myself $@ 2>/dev/null j
m]d:=4_
} !((J-��:�=
#EO@<
>��I
dotimeout() Tf���bB�1�
{
�<Xs�y�{7
mylogger_info "reset firewall when timeout arrives" d�V( "g]�,
case "$firewall" in
*88Q6�=Mm
ipchains) ��(zO)J`z>
/etc/init.d/ipchains restart 1>/dev/null 2>/dev/null v%=@_�`�Ht
if [ $? = 0 ] ; then /ehmy
(zL
mylogger_info "ipchains restarted" ey�~5D��Y7
else xxsa
x�/h�
mylogger_notice "ipchains restart failed" �DLWG0$�#!
fi >+�P�5Zm(_
;; ^Pq4� �n%x
iptables) ��j!�It1�B
/etc/init.d/iptables restart 1>/dev/null 2>/dev/null �h
"Mi��
D
if [ $? = 0 ] ; then [T(XwA���)
mylogger_info "iptables restarted" '�nrX�RD�b
else $ e<1�08)]
mylogger_notice "iptables restart failed" �s��?�:&�#
fi bI_6';hq
!
;; rY�~�!�h�Z
*) _��DlX F��
mylogger_notice "neither ipchains nor iptables" k"��kGQk4�
;; CWTP�f1?eB
esac 7O=�N�7�8M
�e|t@"MxvC
} ]��W�sQ=��
u��X!5G:x]
blockclient() / b�xu{|�.
{ i�1(��}E�#
if [ -z "$1" ] || [ -z "$2" ]; then |2�$
wJ$�I
mylogger_notice "blockclient() missing client or port to block" VP7�g::Ab�
return B#|c$���s{
fi fA��M�k<?�
local ip port Skb���d'j
vky@L!��&,
ip=$1 ,��esryFRG
port=$2 �B$��Z%_j&
u{6b>c|,X�
case "$firewall" in TH�VF(M�4v
ipchains) \6{w#HsP8�
mylogger_notice "blocking $1 to $2 via ipchains"
��!nBE�[&
found=`ipchains -nL | egrep "^$ipchains_block_policy.*[[:space:]]+$ip[[:space:]]+.*[[:space:]]+\->[[:space:]]+$port"` �,w9:)�B�7
if [ -z "$found" ] ; then �Z�7="o�n4
cmd="ipchains -I input 1 -p tcp -s $ip -d 0/0 $port -j $ipchains_block_policy 1>/dev/null 2>/dev/null" cbton<��r~
mylogger_debug "cmd: $cmd" e�T�e
Z^�G
`ipchains -I input 1 -p tcp -s $ip -d 0/0 $port -j $ipchains_block_policy 1>/dev/null 2>/dev/null` �HG�wSso�S
if [ $? != 0 ] ; then c�*k�%r2�'
mylogger_notice "$cmd call failed" 8JFn��s�-5
return yx��@%x?�B
fi �At0�ahy+�
new_block=1 �F�x3CY �W
ever_block=1 �(2SmB`g��
else Cwh*�AK�q(
mylogger_info "$ip already blocked to $port" S�qF ��`xw
fi Y�UGE�GX�w
;; B%�.vEk)�*
iptables) w
|k?2 ?&�
mylogger_notice "blocking $1 to $2 via iptables" S�{0i�PdUC
found=`iptables -nL | egrep "^$iptables_block_policy.*[[:space:]]+$ip[[:space:]]+.*[[:space:]]+dpt:$port[[:space:]]+"` BM
vG����w
if [ -z "$found" ] ; then <�27�:O,I�
cmd="iptables -I $iptables_chain_name 1 -p tcp -m tcp -s $ip --dport $port -j $iptables_block_policy 1>/dev/null 2>/dev/null" ��Rs +)��,
mylogger_debug "cmd: $cmd" <TDp8�t9bU
`iptables -I $iptables_chain_name 1 -p tcp -m tcp -s $ip --dport $port -j $iptables_block_policy 1>/dev/null 2>/dev/null` }Mi�EbLduN
if [ $? != 0 ] ; then �q�;)+O#CR
mylogger_notice "$cmd call failed" �;h-W&i7��
return vg"$�&YX9"
fi J�-k�/#A4o
new_block=1 Xa�����xM$
ever_block=1 �Bn�<1�zg5
else �jY�+u��OH
mylogger_info "$ip already blocked to $port" YjR�`}rdwo
fi #$
�^vP/"$
;; ,�O'�#7D�j
*) 0XWhSrH�M
mylogger_notice "neither ipchains nor iptables" J�S^QfT,zE
;; %@~;P�S3kd
esac �&<>N�P?j}
} ^a�ON�uG9�
GL^84[f-T
restartservice() P�e,:FIp,�
{ xe&w.aB�I>
local service ��N �fB��H
if [ -z "$1" ] ; then �@4]} J-3�
mylogger_notice "no port given to see which service to be restart" ]�F�#}8��$
return �"|^�-Yk\U
fi ���v[�+ �]
TCL�XO���0
case "$1" in @k��m�@\w�
80) N��E)Yd7m-
service="httpd" |\<L7�|hb9
;; oO4��hBM([
25) R8�%�%EEB�
service="postfix" M->�BV���9
;; &`�%J�1[dy
110) �nX�T/�zfS
service="courier-pop3d" PY76;D�*�`
;; +/n<]�?(T�
21) H��Pc~��wX
service="muddleftpd" �[e f&|Pi-
;; cf��C}"As�
53) $z[@D�B�[�
service="named" PSHzB!
H=n
;; �3]li3B��'
3306) Y.b?�.)�u&
service="mysqld" 7ND4Booul�
;; ^�u:bgw�P�
esac hlB�MRx4�9
if [ ! -z "$service" ] ; then {HtW`r1)Tt
/etc/init.d/$service restart 1>/dev/null 2>/dev/null
@�g��nLY�
if [ $? = 0 ] ; then �;S�l%I+?�
mylogger_notice "$service restarted" �7DPxz'7):
else /d*[za'��0
mylogger_notice "$service restart failed" ��$U4�[�a:
fi �Gzc`5n�{"
fi �UB,0c�) �
} sL��d%m+*p
}z� F,�dst
docheckport() -
VdCj%r�>
{ NXMZT�ZpB7
mylogger_info "do check port $1" 8[H ���bg�
local port last_client count client total_count �c"�diNbm[
�3M�q%3jX�
if [ -z "$1" ] ; then ?
�=I']$MH
mylogger_notice "docheckport() port not given" >V�ppM � `
return i1 c[Gk.�o
fi B9wQ;[g�QB
?_d��3�|]N
port=$1 %6��
�la@i
1�}�~ZsrF�
clientlist=`netstat -an --tcp| grep ESTABLISHED | awk "{ if ( index(\\$4,\":$port\") ) print \\$5}" | awk -F ':' '{print $1}'|sort` �P�2F8[o!<
if [ $? != 0 ] ; then (6i4N2
���
mylogger_notice "netstat call failed" %<|cWYM="z
return !p Q*m`X�o
fi |�-TxX:O-�
#echo $clientlist IdCE<Oj�\�
# reset new_block TQykXZ2Yb)
new_block=0 K� j~!E
H"
count=0 6,!$S�2(zT
total_count=0 ,/"0t�P&_;
last_client="" d4)�0G��-|
for client in $clientlist 1.5R`vKn]�
do ,u9�>c*Ss\
#echo "client is $client" ���&�[
�,*
if [ -z "$last_client" ] ; then �.LG��A
�0
count=$((count+1)) b��Ald'z�#
total_count=$((total_count+1)) ;M�"[dy`dY
last_client=$client �yH9&HFD�p
else 4�?]s%2�U6
if [ "$client" = "$last_client" ] ; then �>�3}N���;
count=$((count+1)) ^a$L�9�p(�
total_count=$((total_count+1)) 4�wWfaL�5"
else 1�B
eh&pl^
mylogger_debug "$last_client $count connections" �a*t>K�s'C
if [ $count -ge $max_active_conn ] ; then ��Q��n.3�B
mylogger_notice "client $last_client connection $count >= $max_active_conn" 1~E�;�@eK'
blockclient $last_client $port 3�S1{r
)[j
fi NN5��G
'|i
count=1 �T-]U�AN"O
total_count=$((total_count+1)) w_Dal�dK*
last_client=$client L��* ScSxw
fi g`~;"%u7cn
fi Io �t��c>!
done .��.w$p-�1
# check the last client Hz=�s)6$ey
if [ ! -z "$client" ] ; then 2`>� �(�LH
count=$((count+1)) or�bz`I�Qc
total_count=$((total_count+1)) 93�ggCOaYA
mylogger_debug "$client $count connections" Cq3�A�u�%7
if [ $count -ge $max_active_conn ] ; then x�=X&b�%09
mylogger_notice "client $client connection $count >= $max_active_conn" @!�|h!�p;�
blockclient $client $port mo,�"�3YW�
fi 1:_}`x=�hM
fi �V�t-V'�`Y
mylogger_info "total connections on port $port: $total_count" �eR/X���9<
%d<UMbS�^
if [ $new_block = 1 ] ; then l�@]F�zl��
restartservice $port s@�Loax6@B
fi 2�sVDv@�2�
} �j^�e�M��i
*�~�w?�@,}
docheckall() C4��t�~��k
{ i8D�Y��C=r
# reset wakeup_time j 2
0m�Z��
wakeup_time=$wakeup_time_max XpA|���
<s
for port in $portlist F=f9##Y?7M
do ldc`Y/��:{
docheckport $port l�E*��.9T�
if [ $new_block = 1 ] ; then K�XUJ*l�-5
# set wakeup_time shorter cause we found some abuse client Hq>�r���K`
wakeup_time=$wakeup_time_min R�i}�JM3\J
fi 6;Mv)|�FJF
done y�+�i��zC+
} q!q=a�xfMD
�pB��n;:
�
if [ -z "$firewall" ] && [ -f /etc/sysconfig/ipchains ] ; then -qLNs_
_k�
firewall="ipchains" ��qQS�&K%F
fi �}�����/g1
�ZB5NTN�f>
if [ -z "$firewall" ] && [ -f /etc/sysconfig/iptables ] ; then R�hE|0N=��
firewall="iptables" Lo"��s12fr
fi 6c}n�P[6|
�s5X51#J#~
if [ -z "$firewall" ] ; then ENf(E��9O�
echo "Error: This machine does not have ipchains or iptables firewall support" N��I�C.�c3
exit 1 ��t3!~�=�U
fi 0f;|0siTAm
wqyF"�^It"
mylogger_info "firewall.sh v$myver ValueOf.com starting" '47E�8PIJ|
mylogger_info "Firewall is: $firewall" 0��iz\<'
p
mylogger_info "Port protected: $portlist" ={{q_G\�WD
mylogger_info "Max connection per ip: $max_active_conn" Owh:(E
J"d
mylogger_info "Min time to check: $wakeup_time_min""s" <,9rXje�Rl
mylogger_info "Max time to check: $wakeup_time_max""s" d2g7�,�axi
mylogger_info "Timeout circle: $rule_timeout""s" =�'�:�B���
mylogger_info "Output is logged to: $log_facility" }w)w��W�1&
t<�+�g
yAW
# if new ip blocked at this check run? @~IZ%lEQsD
new_block=0 ��<I�n+�V�
# if new ip blocked at this timeout run? �IN"6�=2�:
ever_block=0 Q*/jQC����
# reset wakeup_time c���2yZ�vi
wakeup_time=$wakeup_time_max �-V||1@
|�
&=lh����Kt
lasttime=`date +%s` O�q�95z�o�
p�Acu{�5#7
while [ 1 ] 1*B'o<?�P1
do �PB@jh}���
curtime=`date +%s` "GAKi}y">v
timediff=$((curtime-lasttime)) 8ya|e�J]/L
#echo "timediff: $timediff" YKa9�]�Q��
if [ $timediff -ge $rule_timeout ] && [ $ever_block = 1 ] ; then � �+qyx3c+
lasttime=$curtime ^i17M�vT'
ever_block=0 N�\x�<'P4q
dotimeout prVqV-S6TY
fi ABhQ7
x�|�
docheckall t},71R���y
mylogger_info "sleep for $wakeup_time""s" DXfQy6�
k'
sleep $wakeup_time "D
�ivsq�^
done ��QH�6_nZY
!]#���;�'�
�>):>�Pz%U
u:\DqdlU`�
1. 说明 v�79\�(�BX
firewall.sh是一个shell脚本程序,每隔一段时间检查tcp连接的统计信息,如果来自某个ip对某个端口的活动连接超过规定的最大数量, �
�v$R7��"
则自动将该IP对该端口的访问屏蔽,并重新启动相应的服务。再每隔一段时间,会重设防火墙到初始状态。 \�p� J<�@�
该程序可以同时保护多个端口 p��4�l�B�#
�A�Jt4I
W@
2. 安装 c nV2}U/�\
tar zxf firewall-1.0b.tar.gz R�,�W
w/D�
cd firewall-1.0b q��]�m$�%>
install -m 700 firewall.sh /usr/prima/sbin/firewall.sh 5�f#�]dgBe
-2y��>X`1Y
3. 配置 4Nm�LbM&C8
主要配置项目如下: (e�[�8`C��
# 最小检查周期,缺省为120秒 ��4G=KyRKh
wakeup_time_min=120 b�H_�zW��k
. AX�6xc6
# 最大检查周期,缺省为300秒 =�' #yG(h�
wakeup_time_max=600 E�%��\Ohs7
�&,� WQ�r�
# 重设防火墙状态的时间,缺省为3600秒 �w�Rj&k(?*
rule_timeout=3600 %�w�eG}gCM
Y
��f;Slps
# 保护的端口列表,缺省为80和25,支持的其他端口包括21(ftp), 110(pop3), 53(named), 3306(mysql) 0-zIohSJdQ
# 一般的网络攻击都是针对80和25,又以80居多 n
Sh}1Arp/
portlist="80 25" X?��q,m4�+
NEX{vZkgw�
# 每个ip可占用的最大活动(Established)连接数 �%8T����"h
max_active_conn=8 ��dO\i�rv)
0]`�%i�G|�
# iptables防火墙规则链名称,必须和/etc/sysconfig/iptables中一致 )nA fT0()0
# 如果用的是ipchains,可以忽略此项 Y����@[D�y
iptables_chain_name="RH-Lokkit-0-50-INPUT" ;Fm7!@u�^0
y4��~�;H{!
# 日志输出目标 c�*`=�o(�S
log_facility="local0" 8yn}|Y9F�u
&�\�/�p5RX
**** 关于检查周期 **** [5�TGCGxP{
程序定义了两个检查周期,如果上次检查中屏蔽了某个IP,则程序会更频繁地检查连接情况,反之则等待更长时间。通过检查周期 (u�skVK>L
的动态调整,可以有效调度在遭受攻击和正常状态下程序的运行次数。 U<mFwJ� C]
@E�zO
bE{
**** ipchains vs iptables ****
u�j9�I�
K
目前该程序支持ipchains和iptables两种软件防火墙,使用何种是由程序启动时自动检测的。如果/etc/sysconfig/ipchains和 or]kX�efG3
/etc/sysconfig/iptables都没有检测到,则报错退出。
7�>�>6c7e
~�V��<imF�
**** 日志输出 **** �!`?*�zf��
程序的输出信息记录在系统日志中,目标是local0。如果没有特殊配置,可以在/var/log/messages中看到。建议在/etc/syslog.conf /4PV<
[
:_
中加入一条: E8s&.:;�+�
local0.* /var/log/firewall.log ����1Ydym2
然后重新启动syslog j�^�'op|�l
/etc/init.d/syslog restart V8{5 y
<Y>
这样,可以将firewall.sh输出的日志单独记到文件/var/log/firewall.log里。 UN6Du\)�]d
R�#
UcwX}o
4. 运行 |T@\�-8�Ok
/usr/prima/sbin/firewall.sh & 7Ta"��,S@m
�W�bW@V_rr
范例输出: yC]X&1,:�z
*** firewall.sh v1.0b ValueOf.com*** :RE
.m�d��
Firewall is: ipchains 5??�\[C^"}
Port protected: 80 25 Z U^dLN-�N
Max connection per ip: 8 k�xp, �Z�P
Min time to check: 120s Eax�^1 |6
Max time to check: 300s 3
�A��(sT}
Timeout circle: 3600s �8Vb.%f�&I
Output is logged to: local0 ZfYva(zP{Q
6�*n<e��mP
察看/var/log/firewall.log,可以看到: bEJ�z>oyW"
Oct 16 14:08:55 server firewall.sh: do check port 80 // 检查80端口 ��<cn��{S`
Oct 16 14:08:55 server firewall.sh: 192.168.0.60 2 connections // 有两个来自192.168.0.60的连接 (�79y!&9�p
Oct 16 14:08:55 server firewall.sh: total connections on port 80: 2 // 80端口总共2个连接 dM
n�J)��R
Oct 16 14:08:55 server firewall.sh: do check port 25 // 检查25端口 K9YD)35�1t
Oct 16 14:08:55 server firewall.sh: total connections on port 25: 0 // 25端口没有连接 ymxYE�#q�
Oct 16 14:08:55 server firewall.sh: sleep for 300s // 等待300秒 o�`��8dqP�
dDAI�fe2y
5. 停止 �?x|�8"*�N
先用ps命令察看firewall.sh进程的进程号,然后用kill命令将其终止,如 ;%_fQ�NF�b
# ps auxww|grep firewall.sh _�ZnVQ,�zY
root 27932 0.0 0.5 2312 1060 pts/2 S 12:38 0:00 /bin/sh /usr/prima/sbin/firewall.sh b`=\<��u�8
root 27967 0.0 0.3 1732 592 pts/2 S 12:39 0:00 grep firewall.sh H��|1owmbD
第一行即firewall.sh的进程,用kill命令: 9b�L`0�L��
# kill 27932 sMq*X^z
)?
[1] Terminated /usr/prima/sbin/firewall.sh `�Ei�jy3>h
即将其终止 |
|