Using Linux Shell to disable host ports in LAN in batches

Using Linux Shell to disable host ports in LAN in batches

Assume that there are multiple hosts in the LAN, and only the ssh service (port 22) can be activated. If other services are opened, all are disabled. Run a shell script to complete the above functions. In actual O & M, you can use puppet and other tools to perform this function faster and better. Therefore, this case is only used to train your hands to familiarize yourself with common shell commands such as sed, awk, and grep.

1. Use the nmapcommand to query all ports opened by the local network and store them in the nmap1.txt file.

# Use the nmapcommand to query all ports opened by regions in the local network and store them in the nmap1.txt File
Mkdir-p/wuhao/sh/files
Nmap $1>/wuhao/sh/files/nmap1.txt

Taking nmap 192.168.20.1-10 as an example, the output result is:

Starting Nmap 5.51 (http://nmap.org) at CST
Nmap scan report for oos01 (192.168.20.1)
Host is up (0.0000040 s latency ).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp filtered http

Nmap scan report for oos02 (192.168.20.2)
Host is up (0.000099 s latency ).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00: 1C: 42: FF: 5A: B5 (Parallels)

Nmap scan report for oos03 (192.168.20.3)
Host is up (0.000097 s latency ).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00: 1C: 42: 38: 94: 3C (Parallels)

Nmap done: 10 IP addresses (3 hosts up) scanned in 1.57 seconds

2、extract the required information (Host ip address and port status) from the file nmap1.txt ).

# Extract the required information (Host ip address and port status) from the file nmap1.txt)
Sed-n'/\ (Nmap scan report \ | ^ [0-9] \ + \/\) /P'/wuhao/sh/files/nmap1.txt>/wuhao/sh/files/nmap2.txt
Hosts = ($ (grep-on '(. *)'/wuhao/sh/files/nmap2.txt | sed-n's/(\ |) // gp '))
Declare-I len =$ {# hosts [*]}
Declare-I = 0
While [[$ I-lt $ len]
Do
Lines [$ I] = $ (echo $ {hosts [$ I]} | awk-F': ''{print $1 }')
Ips [$ I] =$ (echo $ {hosts [$ I]} | awk-F': ''{print $2 }')
I = $ I + 1
Done
# Echo $ {lines [*]} = 1 5 9
# Echo $ {ips [*]} = 192.168.20.1 192.168.20.2 192.168.20.3

3. Copy the corresponding IP information to the beginning of the line in the port State and save the result to the nmap2.txt file.

# Add the corresponding host ip address at the beginning of the port status line
Declare-I j = 0
While [[$ j-lt $ len]
Do
Declare-I k = $ j + 1
If [$ j-ne $ ($ len-1)]; then
Sed-I "$ ($ {lines [$ j]} + 1), $ ($ {lines [$ k]}-1 )) s/^/$ {ips [$ j]}/"/wuhao/sh/files/nmap2.txt
Else
Sed-I "$ ($ {lines [$ j]} + 1 )), $ "" s/^/$ {ips [$ j]}/"/wuhao/sh/files/nmap2.txt
Fi
J = $ j + 1
Done

# Replace multiple spaces and/with one space
Sed-I's/\ + \ | \ // G'/wuhao/sh/files/nmap2.txt

The content of the nmap2.txt file is:

Nmap scan report for oos01 (192.168.20.1)
192.168.20.1 21 tcp open ftp
192.168.20.1 22 tcp open ssh
192.168.20.1 80 tcp filtered http
Nmap scan report for oos02 (192.168.20.2)
192.168.20.2 22 tcp open ssh
192.168.20.2 80 tcp open http
192.168.20.2 3306 tcp open mysql
Nmap scan report for oos03 (192.168.20.3)
192.168.20.3 22 tcp open ssh
192.168.20.3 80 tcp open http
192.168.20.3 3306 tcp open mysql

4. Extract the port to be closed (all ports except port 22 are closed ). Use sshpass to remotely log on to each host and run the close PORT command on iptables.

# Extract the port to be closed (all ports except port 22 are closed if port 22 is enabled)
Awk '{if ($4 ~ /Open/& $2! = 22) print $0} '/wuhao/sh/files/nmap2.txt>/wuhao/sh/files/nmap3.txt

Hostip = ($ (awk-F "" '{print $1}'/wuhao/sh/files/nmap3.txt ))
Port = ($ (awk-F "" '{print $2}'/wuhao/sh/files/nmap3.txt ))
Protocol = ($ (awk-F "" '{print $3}'/wuhao/sh/files/nmap3.txt ))

# Remotely log on to each host using sshpass and run the close PORT command on iptables
For (m = 0; m <$ {# hostip [*]}; m = m + 1 ))
Do
Sshpass-p 123456 ssh root @ $ {hostip [$ m]} "iptables-a input-p $ {protocol [$ m]} -- dport $ {port [$ m]} -j DROP; service iptables save; service iptables restart; exit"
Done

Echo "success! "

5. Run the script and view the result.

[Root @ oos01 sh] # sh shutdownport. sh 192.168.20.1-10
Iptables: Saving firewall rules to/etc/sysconfig/iptables: [OK]
Iptables: Setting chains to policy ACCEPT: filter [OK]
Iptables: Flushing firewall rules: [OK]
Iptables: Unloading modules: [OK]
Iptables: Applying firewall rules: [OK]
Iptables: Saving firewall rules to/etc/sysconfig/iptables: [OK]
Iptables: Setting chains to policy ACCEPT: filter [OK]
Iptables: Flushing firewall rules: [OK]
Iptables: Unloading modules: [OK]
Iptables: Applying firewall rules: [OK]
Iptables: Saving firewall rules to/etc/sysconfig/iptables: [OK]
Iptables: Setting chains to policy ACCEPT: filter [OK]
Iptables: Flushing firewall rules: [OK]
Iptables: Unloading modules: [OK]
Iptables: Applying firewall rules: [OK]
Iptables: Saving firewall rules to/etc/sysconfig/iptables: [OK]
Iptables: Setting chains to policy ACCEPT: filter [OK]
Iptables: Flushing firewall rules: [OK]
Iptables: Unloading modules: [OK]
Iptables: Applying firewall rules: [OK]
Iptables: Saving firewall rules to/etc/sysconfig/iptables: [OK]
Iptables: Setting chains to policy ACCEPT: filter [OK]
Iptables: Flushing firewall rules: [OK]
Iptables: Unloading modules: [OK]
Iptables: Applying firewall rules: [OK]
Success!

For more Nmap tutorials, see the following:

Install Nmap 6.46.1 on Ubuntu 14.04

Port scanning tool nmap in Linux

Nmap-network scanning and sniffing Toolkit

Nmap application skills

A tortuous installation of nmap in RedHat Enterprise Linux 5

Hide and seek nmap commands and firewalls in Linux

Released Nmap 7 and network security audit tool

This article permanently updates the link address: