Using ipset with iptables to automatically block problematic IPs

Source: Internet
Author: User

iptables handles a small number of IPs without trouble, but when a large number of attacking IPs has to be blocked its performance cannot keep up, because iptables rule matching is O(N). ipset works like a set: the IP addresses to be blocked are put into the set, and a lookup is O(1), since the set is hash-based and therefore very fast.

I. Software and installation

1. iptables (already installed on most Linux distributions)

2. ipset:

Ubuntu: apt-get install ipset

II. Using ipset

1. List the existing IP sets and their contents

ipset list

2. Create an IP set

ipset create XXXX hash:ip maxelem 100000 timeout 3600

XXXX: the name of the IP set

hash:ip: the set type; there are many other types, such as hash:net and hash:net,net, see man ipset

100000: the maximum number of IPs the set can hold

timeout: the default lifetime in seconds of each entry added to the set; if this parameter is omitted, entries never expire and must be removed manually

3. Add an IP address to the set

ipset add xxxx 1.1.1.1

Add a network segment

ipset add xxxx 1.1.1.0/24

4. Delete a specified IP or network segment

ipset del xxxx 1.1.1.1

ipset del xxxx 1.1.1.0/24


5. Save the IP set to a file (set contents live in the kernel and are lost on reboot)

ipset save xxxx > ipset_list.txt

6. Restore the IP set from the file

ipset restore < ipset_list.txt

III. Automatic blocking

1. Create the IP set

ipset create forbidip hash:ip timeout 172800

2. Create the iptables rule (the set must exist before a rule can reference it)

iptables -A INPUT -p tcp -m set --match-set forbidip src -m multiport --dports 443,80 -j DROP

Or, to drop all TCP traffic from the set rather than only ports 80 and 443 (the multiport match needs a --dports list, so it is left out here):

iptables -A INPUT -p tcp -m set --match-set forbidip src -j DROP


3. Decide which IPs need to be blocked according to the conditions

Condition: among the nginx requests of the last minute, any single IP with more than 1000 requests is blocked, and any IP whose request_uri contains the string passwd is blocked directly; the block is lifted automatically after 1 hour. The script is as follows:

#!/bin/bash
files="/data/nginx_log/xxxxx/access.log"
# timestamp of one minute ago; the case of the format string was lost in extraction,
# it has to match the timestamp layout of your log lines
date=`date -d '1 minutes ago' +%y:%h:%m`
# N: field number of the client IP in the '|'-separated log format (the number on the page was lost)
# busiest IP of that minute, written as "count ip"
grep ${date} ${files} | awk -F '|' '{print $N}' | sort -n | uniq -c | sort -nr | head -1 > /tmp/ips
# IPs whose request line contained "passwd"
grep ${date} ${files} | grep -i passwd | awk -F '|' '{print $N}' | sort -n | uniq > /tmp/ippwd
num=`awk '{print $1}' /tmp/ips`
ip=`awk '{print $2}' /tmp/ips`
ip2=`cat /tmp/ippwd`
threshold=1000
if [[ $num -gt $threshold ]]; then
    /sbin/ipset -! add forbidip $ip timeout 3600
fi
if [ -s /tmp/ippwd ]; then
    for i in $ip2
    do
        /sbin/ipset -! add forbidip $i
    done
fi

4. Running the script automatically

Add the script to crontab so that it runs every minute:

*/1 * * * * bash /path/to/script.sh
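As an added example, not the page's own script, the two rules of step 3 done in one awk pass and turned into the ipset commands of the page rather than executed; it assumes the default nginx "combined" log format (the page's log uses '|' separators) and the set name forbidip from above.

```shell
#!/bin/sh
# Added example, not the page's script. Assumes the default nginx "combined" log
# format ($1 client IP, $4 "[day/mon/year:HH:MM:SS", $7 request URI) and the
# page's set name "forbidip". Commands are printed, not executed.

# find_offenders LOGFILE MINUTE THRESHOLD -> lines "ip reason"
#   MINUTE is a time_local prefix such as 10/Nov/2016:12:34
find_offenders() {
    awk -v minute="$2" -v limit="$3" '
        index($4, "[" minute) != 1 { next }   # keep only that minute
        { hits[$1]++ }
        tolower($7) ~ /passwd/ { pw[$1] = 1 }
        END {
            for (ip in hits) if (hits[ip] > limit) print ip, "rate"
            for (ip in pw) if (!(hits[ip] > limit)) print ip, "passwd"
        }' "$1" | sort
}

# block_commands LOGFILE MINUTE THRESHOLD -> the ipset commands the page would run:
#   rate offenders expire after 3600 s, passwd probes keep the set's default timeout
block_commands() {
    find_offenders "$1" "$2" "$3" | while read -r ip reason; do
        case "$reason" in
            rate)   echo "ipset -! add forbidip $ip timeout 3600" ;;
            passwd) echo "ipset -! add forbidip $ip" ;;
        esac
    done
}

# make_sample_log PATH: constructed log; 203.0.113.7 floods, 198.51.100.9 probes
# for passwd, 192.0.2.1 is normal, and one passwd hit falls in an earlier minute
make_sample_log() {
    {
        i=0
        while [ "$i" -lt 5 ]; do
            echo '203.0.113.7 - - [10/Nov/2016:12:34:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.47"'
            i=$((i + 1))
        done
        echo '198.51.100.9 - - [10/Nov/2016:12:34:05 +0000] "GET /etc/passwd HTTP/1.1" 404 0 "-" "-"'
        echo '192.0.2.1 - - [10/Nov/2016:12:34:09 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla"'
        echo '192.0.2.1 - - [10/Nov/2016:12:33:59 +0000] "GET /passwd.txt HTTP/1.1" 404 0 "-" "Mozilla"'
    } > "$1"
}

LOG=$(mktemp)
make_sample_log "$LOG"
block_commands "$LOG" 10/Nov/2016:12:34 3   # threshold lowered from 1000 for the sample
rm -f "$LOG"
```

Piping the printed commands into sh (or replacing echo with the real ipset call) gives the cron job of step 4; the minute argument is what the page computes with date -d '1 minutes ago'.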


This article is from the "Operation Utopia" blog; please keep this source when reposting: http://joeyang.blog.51cto.com/9092193/1878862

