總是有一些非常討厭的人掃描我的伺服器 只能屏蔽了之。研究了下,雖然有fail2ban這個工具,但好像搞得太大了些。自己寫了一個,給大家共用
1.IPMonitor10.sh
這個東西,每隔10分鐘跑一次,如果有人多次攻擊,自動屏蔽。屏蔽的IP超過了15分鐘自動解鎖。
#!/bin/bashIDWORD="IPMT10"curbanIP=/tmp/curBanInputIps.txtcurLog=/tmp/curlogIn20mins.txtlastIPTables='/tmp/lastiptables'$IDWORD'.txt'msglog=/var/log/secureWANDev=eth1expiredMins=180#15MinsMaxRetries=20#Check expired rulesiptables -L INPUT -nv --line-number | grep $IDWORD |awk '{print $1,$9,substr($12,8),$2}' | tac > $curbanIPnum=`cat $curbanIP | wc -l`if [ $num -gt 0 ] ;then#>0exipredTMSTAMP=`date -d "$expiredMins min ago" +%s`cat $curbanIP | while read idx IP TMSTMP pkgsdoif [ $TMSTMP -gt $exipredTMSTAMP ] ;thenif grep $IP $lastIPTables > /dev/null ;thenlastPkgs=`grep $IP $lastIPTables|head -n1|cut -f3`if [ $pkgs = $lastPkgs ] ;then#no more banded pkgs in INPUT chain#removed iptables -D INPUT $idxecho `date '+%b %e %T'` $0 ": iptables -D INPUT $idx release the $IP in the baned-IP-list,no more baned pkgs" >> $msglogfielse#removed iptables -D INPUT $idxecho `date '+%b %e %T'` $0 ": iptables -D INPUT $idx release the $IP in the baned-IP-list,else" >> $msglogfi#removedfidonefi#check the attacking IPmin1=`date -d '10 mins ago' '+%b %e %T'|cut -c1-11`min2=`date '+%b %e %T'|cut -c1-11`cat /var/log/secure | egrep "$min1|$min2" |grep 'authentication failure' | awk -F'rhost=' '{print $2}' | cut -d' ' -f1 | sort | uniq -c | awk '{if (length($2)>0) print $1,$2}' > $curLognum=`cat $curLog | wc -l`if [ $num -gt 0 ] ;then#>0cat $curLog | while read failtimes IPdoif [ $failtimes -gt $MaxRetries ] ;thenif ! [[ $IP =~ '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' ]] ; thentmpIP=`ping -c1 -W1 $IP | head -n1 | cut -d'(' -f2 | cut -d')' -f1`IP=$tmpIPfiif ! iptables -L INPUT -n|grep $IP > /dev/null; thentmpStr=`date '+%F %T'`tmpStmp=`date +%s`iptables -i $WANDev -A INPUT -s $IP -j DROP -m comment --comment "tmstmp:$tmpStmp ,add at $tmpStr,baned by $IDWORD"fifidonefiiptables --line-numbers -L INPUT -nv | grep $IDWORD | awk '{print $1"\t"$9"\t"$2"\t"strftime("%F %T") }' > $lastIPTablesrm -f $curbanIP $curLog
2. IPMonitorDaily.sh
跑了幾天,發現幾個變態IP,每隔45分鐘折騰一次,持續了好幾天。算下來折騰了2000多次,簡直就是神經病,偷窺狂。只能再折騰一次
#!/bin/bashexport PATH=$PATH:/sbin:/usr/sbinWANDev=eth1IDWORD="IPMTPERMANENT"curbanIP=/tmp/curBanInputIps.txtcurLog=/tmp/curPermanentIPS.txtlastIPTables='/tmp/lastiptables'$IDWORD'.txt'msglog=/var/log/secure#Check expired rulesiptables -L INPUT -nv --line-number | grep $IDWORD |awk '{print $1,$9,substr($12,8),$2}' | tac > $curbanIPnum=`cat $curbanIP | wc -l`if [ $num -gt 0 ] ;then#>0cat $curbanIP | while read idx IP TMSTMP pkgsdoif ! grep $IP /var/log/secure > /dev/null ;thenif grep $IP $lastIPTables > /dev/null ;thenlastPkgs=`grep $IP $lastIPTables|head -n1|cut -f3`if [ $pkgs = $lastPkgs ] ;then#no more banded pkgs in INPUT chain#removed iptables -D FORWARD $idxecho `date '+%b %e %T'` $0 ": iptables -D INPUT $idx release the $IP in the baned-IP-list,no more baned pkgs" >> $msglogfielse#removed iptables -D INPUT $idxecho `date '+%b %e %T'` $0 ": iptables -D INPUT $idx release the $IP in the baned-IP-list,else " >> $msglogfi#removedfidonefi#check the attacking IPcat /var/log/secure | grep 'authentication failure' | awk -F'rhost=' '{print $2}' | cut -d' ' -f1 | sort | uniq -c | awk '{if ($1>100) print $2}' > $curLognum=`cat $curLog | wc -l`if [ $num -gt 0 ] ;then#>0cat $curLog | while read IPdoattackdays=`cat /var/log/secure | grep $IP | cut -c1-6 | uniq -c | wc -l`if [ $attackdays -gt 1 ] ;thenif ! iptables -L INPUT -n|grep $IP > /dev/null ; thentmpStr=`date '+%F %T'`tmpStmp=`date +%s`iptables -i $WANDev -A INPUT -s $IP -j DROP -m comment --comment "tmstmp:$tmpStmp ,add at $tmpStr,baned by $IDWORD"fifidonefiiptables --line-numbers -L INPUT -nv | grep $IDWORD | awk '{print $1"\t"$9"\t"$2"\t"strftime("%F %T") }' > $lastIPTablesrm -f $curbanIP $curLog
把以上兩個放到crontab 裡面,效果很好,一個10分鐘跑一次。一個每天23:30跑一次 。終雩都殺掉了
平時可以看看 iptables -L INPUT -n 看看效果。討厭的IP都在裡面。
以上指令碼在CentOS 5.x 通過
希望大家有用處
更新日誌:
2012-06-28: 增加了監測功能,如果屏蔽的IP仍在發包,則該IP不予刪除。只有在規則時間內不發送IP包了,該屏蔽IP規則才予以解除。否則會出現階段性持續攻擊嘗試