Matching a handful of addresses in iptables is no problem, but when there are many attacking IPs iptables cannot keep up: every packet is compared against the chain rule by rule, so the cost of a lookup is O(N) in the number of rules. ipset works like a collection instead: you put the addresses to be blocked into a set and match the whole set with a single iptables rule. A hash-type set is looked up in O(1), so it stays fast no matter how many addresses it holds.
I. Software and installation
1. iptables (normally already installed on Linux)
2. ipset:
Ubuntu: apt-get install ipset
II. Using ipset
1. List the existing IP sets and their contents
ipset list
2. Create an IP set
ipset create XXXX hash:ip maxelem 100000 timeout 3600
XXXX: the name of the IP set
hash:ip: the set type. There are many other types, for example hash:net and hash:net,net; see man ipset
maxelem 100000: the maximum number of entries the set can hold (the default is 65536)
timeout 3600: the default lifetime in seconds for entries that are added without their own timeout; an entry is removed automatically when it expires. If you leave this parameter out, entries never expire and stay blocked until you delete them by hand
3. Add an IP address to the set
ipset add xxxx 1.1.1.1
Add a network segment
ipset add xxxx 1.1.1.0/24
Note that a hash:ip set stores single host addresses: a /24 added this way is expanded into 256 separate entries, each counting against maxelem. To store real network prefixes as one entry, use a hash:net set.
4. Delete a specified IP or network segment
ipset del xxxx 1.1.1.1
ipset del xxxx 1.1.1.0/24
5. Save the IP set to a file
ipset save xxxx > ipset_list.txt
6. Restore the IP set from the file
ipset restore < ipset_list.txt
Sets live only in kernel memory and are gone after a reboot, so save them if the bans need to persist. The saved file starts with the set's own create line, so restoring into a set that already exists fails unless you pass -exist (short form -!): ipset -exist restore < ipset_list.txt
III. Automatic blocking
1. Create the IP set
ipset create forbidip hash:ip timeout 172800
Entries added without their own timeout are dropped from this set after 172800 seconds (48 hours).
2. Create the iptables rule
iptables -A INPUT -p tcp -m set --match-set forbidip src -m multiport --dports 443,80 -j DROP
Or, to drop all TCP traffic from the listed addresses instead of only the web ports (the multiport match is only needed when you list ports):
iptables -A INPUT -p tcp -m set --match-set forbidip src -j DROP
The set must exist before the rule is added, otherwise iptables refuses the rule. Because -A appends to the end of the chain, an earlier rule that accepts ESTABLISHED traffic would still let a banned IP's existing connections through; use -I INPUT instead if the DROP has to come first.
3. Decide which IPs need to be blocked
Condition: in the last minute of the nginx access log, the IP with the most requests is banned for one hour if it made more than 1000 requests (the entry gets timeout 3600); any IP whose request contained the string passwd is banned immediately and stays in the set for the set's default 172800 seconds. The script is as follows
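The post creates the set and the rule by hand once, but the cron script in the next step assumes both are there every minute, and the set disappears on reboot. The following bootstrap, an added example that is not the post's code, makes sections II and III.1-2 idempotent: it creates the set only if it is missing, reloads saved members with -exist, and inserts the DROP rule only if iptables -C cannot find it. Set name, type, timeout and ports are the post's values; the SAVE_FILE path and the maxelem value are assumptions, and IPSET/IPTABLES can be pointed at stubs (for example IPSET=echo) to dry-run it without root.

```shell
#!/bin/bash
# Added example (not from the original post): idempotent bootstrap of the
# forbidip set and its DROP rule, safe to run at boot and again before each
# cron pass. SAVE_FILE, maxelem and the stub-friendly IPSET/IPTABLES
# variables are assumptions; the rest follows the post's commands.
SET_NAME=${SET_NAME:-forbidip}
SET_TIMEOUT=${SET_TIMEOUT:-172800}
PORTS=${PORTS:-80,443}
SAVE_FILE=${SAVE_FILE:-/var/lib/ipset/forbidip.save}
IPSET=${IPSET:-/sbin/ipset}
IPTABLES=${IPTABLES:-/sbin/iptables}

# Create the set only if it is missing: "ipset create" on an existing set is an
# error, and the set vanishes on reboot, so reload saved members if there are any.
ensure_set() {
  if $IPSET list -n "$SET_NAME" >/dev/null 2>&1; then
    return 0
  fi
  $IPSET create "$SET_NAME" hash:ip timeout "$SET_TIMEOUT" maxelem 100000
  if [ -s "$SAVE_FILE" ]; then
    # -exist: the save file repeats the create line for the set we just made
    $IPSET -exist restore < "$SAVE_FILE"
  fi
}

# Insert the DROP rule only if "iptables -C" cannot find it; appending on every
# run would pile up duplicate rules. -I puts it ahead of any ESTABLISHED accept
# rule so a banned IP's existing connections are cut as well.
ensure_rule() {
  local rule="INPUT -p tcp -m set --match-set $SET_NAME src -m multiport --dports $PORTS -j DROP"
  if $IPTABLES -C $rule >/dev/null 2>&1; then
    return 0
  fi
  $IPTABLES -I $rule
}

# Persist the current members so they survive a reboot (pairs with ensure_set).
save_set() {
  $IPSET save "$SET_NAME" > "$SAVE_FILE"
}

case "${1:-}" in
  setup) ensure_set && ensure_rule ;;
  save)  save_set ;;
esac
```

Run it with `setup` from the boot sequence and at the top of the cron script, and with `save` from a second cron entry (or a shutdown hook) so the members are on disk before the next reboot.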
#!/bin/bash
FILES="/data/nginx_log/xxxxx/access.log"
# Minute to inspect, written the way it appears inside nginx's $time_local,
# e.g. "2016:10:30" matches "[02/Jan/2016:10:30:05 +0800]". The format string
# was mangled in extraction; %Y:%H:%M is the reconstruction.
date=$(date -d '1 minutes ago' +%Y:%H:%M)
# Column that holds the client IP in the pipe-delimited log_format. The number
# in the original post was lost, so this value is an assumption: set it for your log.
IPFIELD=1
# Busiest IP in that minute, as "count ip" (only the single top IP is checked,
# so at most one rate-limit ban is issued per run)
grep "${date}" "${FILES}" | awk -F'|' -v f="$IPFIELD" '{print $f}' | sort -n | uniq -c | sort -nr | head -1 > /tmp/ips
# IPs whose log line contains "passwd" (the whole line is searched, not only the URI)
grep "${date}" "${FILES}" | grep -i passwd | awk -F'|' -v f="$IPFIELD" '{print $f}' | sort -n | uniq > /tmp/ippwd
NUM=$(awk '{print $1}' /tmp/ips)
IP=$(awk '{print $2}' /tmp/ips)
IP2=$(cat /tmp/ippwd)
threshold=1000
# -! (-exist): do not fail if the IP is already in the set; re-adding an entry
# with a timeout also refreshes that entry's timeout
if [[ $NUM -gt $threshold ]]; then
    /sbin/ipset -! add forbidip $IP timeout 3600
fi
if [ -s /tmp/ippwd ]; then
    for i in $IP2; do
        /sbin/ipset -! add forbidip $i    # no timeout given: the set default of 172800 s applies
    done
fi
4. Run the script automatically
Add the script to crontab so it runs every minute:
*/1 * * * * bash /path/to/script.sh
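The ban decision in the cron script is a pipeline over the live access log, which makes it hard to check before it starts blocking real clients. The block below is an added example, not the post's script: it factors the same two conditions (busiest IP over a threshold, any IP whose request contained passwd) into shell functions that read log lines from stdin, so they can be exercised on a constructed sample. It assumes a pipe-delimited log with the client IP in field 1, the nginx-style timestamp in field 2 and the request URI in field 3; the post's real field numbers were lost, so these positions, the sample lines and the dry-run main are all assumptions.

```shell
#!/bin/bash
# Added example (not the original post's code): the ban-decision logic of
# section III.3 as testable functions. Assumed log layout (pipe-delimited):
#   client_ip|time_local|request_uri|status
# The "minute" argument is the YYYY:HH:MM fragment that grep looks for inside
# time_local, exactly as the post's cron script derives it with date(1).

# Constructed sample log: four requests at 10:30 and one at 10:29.
# 10.0.0.5 sends three requests, 10.0.0.9 probes for /etc/passwd once.
SAMPLE_LOG='10.0.0.5|02/Jan/2016:10:30:01|/index.html|200
10.0.0.5|02/Jan/2016:10:30:02|/index.html|200
10.0.0.5|02/Jan/2016:10:30:03|/index.html|200
10.0.0.9|02/Jan/2016:10:30:04|/cgi-bin/../../etc/passwd|404
10.0.0.7|02/Jan/2016:10:29:59|/|200'

# top_talker MINUTE THRESHOLD: prints "count ip" for the busiest IP in that
# minute if its count exceeds THRESHOLD, otherwise nothing. Like the post's
# script it only looks at the single top IP (head -1).
top_talker() {
  minute="$1"; threshold="$2"
  grep -F "$minute" | awk -F'|' '{print $1}' | sort | uniq -c | sort -rn | head -1 |
    awk -v t="$threshold" '$1 > t {print $1, $2}'
}

# passwd_probers MINUTE: one line per distinct IP whose request URI in that
# minute contained "passwd" (case-insensitive; only the URI field is checked,
# which is slightly stricter than grepping the whole log line).
passwd_probers() {
  minute="$1"
  grep -F "$minute" | awk -F'|' 'tolower($3) ~ /passwd/ {print $1}' | sort -u
}

# ban_list MINUTE THRESHOLD: the union of both conditions, one IP per line.
ban_list() {
  minute="$1"; threshold="$2"
  log=$(cat)
  {
    printf '%s\n' "$log" | top_talker "$minute" "$threshold" | awk '{print $2}'
    printf '%s\n' "$log" | passwd_probers "$minute"
  } | sort -u
}

# Dry run against a real log: print the ipset commands the cron job would run
# for the previous minute instead of executing them. Path is the post's.
main() {
  minute=$(date -d '1 minutes ago' +%Y:%H:%M)
  ban_list "$minute" 1000 < /data/nginx_log/xxxxx/access.log | while read -r ip; do
    echo "/sbin/ipset -! add forbidip $ip timeout 3600"
  done
}

case "${1:-}" in
  run) main ;;
esac
```

Feeding the sample through `ban_list 2016:10:30 2` yields 10.0.0.5 (three requests, over the threshold of 2) and 10.0.0.9 (the passwd probe); raising the threshold to 5 leaves only 10.0.0.9. Replacing the echo in main with the real ipset call turns it into the cron script, and pointing SAMPLE_LOG at a slice of the production log is a cheap way to see which clients a given threshold would have banned before enabling it.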
This article is from the "Operation Utopia" blog; please keep this source: http://joeyang.blog.51cto.com/9092193/1878862
ipset and iptables together: automatically blocking and unblocking abusive IPs