总是有一些非常讨厌的人扫描我的服务器 只能屏蔽了之。研究了下,虽然有fail2ban这个工具,但好像搞得太大了些。自己写了一个,给大家共享
1.IPMonitor10.sh
这个东西,每隔10分钟跑一次,如果有人多次攻击,自动屏蔽。屏蔽的IP超过了15分钟自动解锁。
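#!/bin/bash
# IPMonitor10.sh - run from cron every 10 minutes.
#
# Bans (DROP in the INPUT chain) any source with more than MaxRetries PAM
# "authentication failure" lines in the last ~10 minutes of $msglog, and
# later releases a ban when the rule's packet counter has not moved since
# the previous run (the host has gone quiet).
#
# Every rule this script adds carries IDWORD in its comment, so the script
# only ever lists, ages and deletes its own rules. Must run as root; cron's
# PATH usually lacks /sbin, hence the export.
export PATH=$PATH:/sbin:/usr/sbin
set -u

IDWORD="IPMT10"
# Snapshot of our rules from the previous run; must persist between runs.
# NOTE(review): this lives in world-writable /tmp and is only read back,
# so a local user could at worst make the next run release bans early;
# a root-owned directory (e.g. under /var) would be safer.
lastIPTables='/tmp/lastiptables'$IDWORD'.txt'
msglog=/var/log/secure   # PAM auth log we parse; our own release notes are appended here too
WANDev=eth1
# Age window in minutes used by the release check below. The post text
# says 15 minutes; the value in the script is 180 - tune to taste.
expiredMins=180
MaxRetries=20            # failures per 10-minute window that trigger a ban
ipv4_re='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
num_re='^[0-9]+$'

# Scratch files get unpredictable names: root writing to a fixed
# /tmp/curBanInputIps.txt lets any local user pre-create that name as a
# symlink, and the same fixed name was shared with IPMonitorDaily.sh, so
# the two runs clobbered each other when the daily run hit a 10-minute
# boundary (23:30 does).
curbanIP=$(mktemp /tmp/curBanInputIps.XXXXXX) || exit 1
curLog=$(mktemp /tmp/curlogIn20mins.XXXXXX) || exit 1
trap 'rm -f -- "$curbanIP" "$curLog"' EXIT

# Append one syslog-style line ("Mon dd HH:MM:SS <script> : msg") to $msglog.
log_msg() {
  printf '%s %s : %s\n' "$(date '+%b %e %T')" "$0" "$*" >> "$msglog"
}

# Exact (whole-word, fixed-string) check whether $1 is already in INPUT.
# A bare grep for 10.0.0.1 also matches 10.0.0.10, which then never gets
# banned, and the dots would match any character.
in_input_chain() {
  iptables -L INPUT -n | grep -Fqw -- "$1"
}

# Add a DROP rule for IPv4 literal $1 arriving on $WANDev. The comment
# layout "tmstmp:<epoch> ..." is what the awk below parses (substr($12,8)),
# so keep the two in step.
ban_ip() {
  local ip=$1 now_str now_stamp
  now_str=$(date '+%F %T')
  now_stamp=$(date +%s)
  iptables -A INPUT -i "$WANDev" -s "$ip" -j DROP -m comment \
    --comment "tmstmp:$now_stamp ,add at $now_str,baned by $IDWORD"
}

# ---- 1. release bans whose host went quiet -----------------------------
# Columns of "-L INPUT -nv --line-number": 1=rule#, 2=pkts, 9=source,
# 12="tmstmp:<epoch>" (from our own comment). tac reverses the list so the
# highest rule number is deleted first; deleting from the bottom up keeps
# the remaining rule numbers valid.
iptables -L INPUT -nv --line-number | grep -F -- "$IDWORD" \
  | awk '{print $1,$9,substr($12,8),$2}' | tac > "$curbanIP"

expiredTMSTAMP=$(date -d "$expiredMins min ago" +%s)
while read -r idx IP TMSTMP pkgs; do
  # Only rules stamped later than (now - expiredMins) are examined, as in
  # the original. NOTE(review): with -gt a ban older than expiredMins is
  # never released at all; if the intent is the documented "unlock after
  # N minutes", this comparison should be -lt - confirm with the author.
  [[ $TMSTMP =~ $num_re && $TMSTMP -gt $expiredTMSTAMP ]] || continue

  # Packet count this rule had in the previous run's snapshot
  # (tab-separated: rule#, source, pkts, time); empty if not present.
  lastPkgs=""
  if [[ -r $lastIPTables ]]; then
    lastPkgs=$(awk -F'\t' -v ip="$IP" '$2 == ip { print $3; exit }' "$lastIPTables")
  fi

  if [[ -z $lastPkgs ]]; then
    # Not in the previous snapshot (first run, or snapshot lost): release.
    iptables -D INPUT "$idx"
    log_msg "iptables -D INPUT $idx release the $IP in the baned-IP-list,else"
  elif [[ $pkgs == "$lastPkgs" ]]; then
    # Counter unchanged since the last run: no more packets from this host.
    iptables -D INPUT "$idx"
    log_msg "iptables -D INPUT $idx release the $IP in the baned-IP-list,no more baned pkgs"
  fi
done < "$curbanIP"

# ---- 2. ban new attackers ----------------------------------------------
# Two 11-character syslog timestamp prefixes ("Jun 28 12:0") select the
# current and the previous 10-minute bucket. %e pads single-digit days
# with a space exactly like syslog does, so the prefix still lines up.
min1=$(date -d '10 mins ago' '+%b %e %T' | cut -c1-11)
min2=$(date '+%b %e %T' | cut -c1-11)
grep -F -e "$min1" -e "$min2" -- "$msglog" | grep -F 'authentication failure' \
  | awk -F'rhost=' '{print $2}' | cut -d' ' -f1 | sort | uniq -c \
  | awk '{if (length($2)>0) print $1,$2}' > "$curLog"

while read -r failtimes IP; do
  [[ $failtimes -gt $MaxRetries ]] || continue

  if [[ ! $IP =~ $ipv4_re ]]; then
    # rhost= may be a hostname (sshd UseDNS); resolve it locally instead of
    # pinging the host. The original put the regex in quotes, which bash
    # treats as a literal string, so this branch used to run for every
    # entry and every value went through ping.
    IP=$(getent hosts "$IP" | awk '{print $1; exit}')
  fi

  # Only an IPv4 literal ever reaches iptables: the token was cut out of a
  # log line, and anything else must not be spliced into a rule.
  if [[ ! $IP =~ $ipv4_re ]]; then
    log_msg "skip unparsable rhost value '$IP' from $msglog"
    continue
  fi

  in_input_chain "$IP" || ban_ip "$IP"
done < "$curLog"

# ---- 3. snapshot our rules for the next run ----------------------------
# Tab-separated: rule#, source, pkts, time. pkts is what step 1 compares.
iptables --line-numbers -L INPUT -nv | grep -F -- "$IDWORD" \
  | awk '{print $1"\t"$9"\t"$2"\t"strftime("%F %T") }' > "$lastIPTables"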
2. IPMonitorDaily.sh
跑了几天,发现几个变态IP,每隔45分钟折腾一次,持续了好几天。算下来折腾了2000多次,简直就是神经病,偷窥狂。只能再折腾一次
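#!/bin/bash
# IPMonitorDaily.sh - run from cron once a day (the post uses 23:30).
#
# Permanently bans (DROP in the INPUT chain) any source with more than
# MinFailures PAM "authentication failure" lines in $msglog spread over
# more than one calendar day. A ban is released only when the address no
# longer appears anywhere in $msglog (i.e. after log rotation) and the
# rule's packet counter has not moved since the previous run.
#
# Every rule this script adds carries IDWORD in its comment, so it only
# touches its own rules and never those of IPMonitor10.sh.
export PATH=$PATH:/sbin:/usr/sbin
set -u

WANDev=eth1
IDWORD="IPMTPERMANENT"
# Snapshot of our rules from the previous run; must persist between runs.
# NOTE(review): world-writable /tmp, read back by root - a local user can
# at worst make the next run release bans early; a root-owned directory
# would be safer.
lastIPTables='/tmp/lastiptables'$IDWORD'.txt'
msglog=/var/log/secure   # PAM auth log we parse; our own release notes are appended here too
MinFailures=100          # total failures in the log before an IP is considered
ipv4_re='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'

# Scratch files with unpredictable names: a fixed /tmp/curBanInputIps.txt
# can be pre-created as a symlink by any local user, and that same fixed
# name was shared with IPMonitor10.sh, whose 10-minute run collides with
# this one at 23:30.
curbanIP=$(mktemp /tmp/curBanInputIps.XXXXXX) || exit 1
curLog=$(mktemp /tmp/curPermanentIPS.XXXXXX) || exit 1
trap 'rm -f -- "$curbanIP" "$curLog"' EXIT

# Append one syslog-style line ("Mon dd HH:MM:SS <script> : msg") to $msglog.
log_msg() {
  printf '%s %s : %s\n' "$(date '+%b %e %T')" "$0" "$*" >> "$msglog"
}

# Exact (whole-word, fixed-string) check whether $1 is already in INPUT;
# a bare grep for 10.0.0.1 also matches 10.0.0.10 and the dots match
# any character.
in_input_chain() {
  iptables -L INPUT -n | grep -Fqw -- "$1"
}

# Add a DROP rule for IPv4 literal $1 arriving on $WANDev. The comment
# layout "tmstmp:<epoch> ..." is what the awk below parses (substr($12,8)).
ban_ip() {
  local ip=$1 now_str now_stamp
  now_str=$(date '+%F %T')
  now_stamp=$(date +%s)
  iptables -A INPUT -i "$WANDev" -s "$ip" -j DROP -m comment \
    --comment "tmstmp:$now_stamp ,add at $now_str,baned by $IDWORD"
}

# ---- 1. release bans for addresses that vanished from the log -----------
# Columns of "-L INPUT -nv --line-number": 1=rule#, 2=pkts, 9=source,
# 12="tmstmp:<epoch>". tac puts the highest rule number first so deleting
# by number from the bottom up keeps the remaining numbers valid.
iptables -L INPUT -nv --line-number | grep -F -- "$IDWORD" \
  | awk '{print $1,$9,substr($12,8),$2}' | tac > "$curbanIP"

while read -r idx IP TMSTMP pkgs; do
  # Still mentioned anywhere in the auth log: keep the ban.
  grep -Fqw -- "$IP" "$msglog" && continue

  # Packet count this rule had in the previous run's snapshot
  # (tab-separated: rule#, source, pkts, time); empty if not present.
  lastPkgs=""
  if [[ -r $lastIPTables ]]; then
    lastPkgs=$(awk -F'\t' -v ip="$IP" '$2 == ip { print $3; exit }' "$lastIPTables")
  fi

  if [[ -z $lastPkgs ]]; then
    # Not in the previous snapshot (first run, or snapshot lost): release.
    iptables -D INPUT "$idx"
    log_msg "iptables -D INPUT $idx release the $IP in the baned-IP-list,else "
  elif [[ $pkgs == "$lastPkgs" ]]; then
    # Counter unchanged since the last run: no more packets from this host.
    # The rule was listed from INPUT, so it is deleted from INPUT; the
    # original deleted from FORWARD here, which removed an unrelated rule
    # (or failed) and left the ban in place.
    iptables -D INPUT "$idx"
    log_msg "iptables -D INPUT $idx release the $IP in the baned-IP-list,no more baned pkgs"
  fi
done < "$curbanIP"

# ---- 2. ban persistent attackers ---------------------------------------
# One rhost token per line for every source with more than MinFailures
# failures in the whole log.
grep -F 'authentication failure' -- "$msglog" | awk -F'rhost=' '{print $2}' \
  | cut -d' ' -f1 | sort | uniq -c \
  | awk -v min="$MinFailures" '$1 > min {print $2}' > "$curLog"

while read -r rhost; do
  [[ -n $rhost ]] || continue

  # Number of distinct calendar days ("Jun 28", the first 6 columns of a
  # syslog line) on which this token appears; only multi-day offenders are
  # banned for good.
  attackdays=$(grep -Fw -- "$rhost" "$msglog" | cut -c1-6 | sort -u | wc -l)
  (( attackdays > 1 )) || continue

  ip=$rhost
  if [[ ! $ip =~ $ipv4_re ]]; then
    # rhost= may be a hostname (sshd UseDNS); resolve it locally, as
    # IPMonitor10.sh does, instead of handing the name to iptables.
    ip=$(getent hosts "$rhost" | awk '{print $1; exit}')
  fi

  # Only an IPv4 literal ever reaches iptables: the token came out of a
  # log line and anything else must not be spliced into a rule.
  if [[ ! $ip =~ $ipv4_re ]]; then
    log_msg "skip unparsable rhost value '$rhost' from $msglog"
    continue
  fi

  in_input_chain "$ip" || ban_ip "$ip"
done < "$curLog"

# ---- 3. snapshot our rules for the next run ----------------------------
# Tab-separated: rule#, source, pkts, time. pkts is what step 1 compares.
iptables --line-numbers -L INPUT -nv | grep -F -- "$IDWORD" \
  | awk '{print $1"\t"$9"\t"$2"\t"strftime("%F %T") }' > "$lastIPTables"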
把以上两个放到crontab里面,效果很好:一个每10分钟跑一次,一个每天23:30跑一次。终于都杀掉了。
平时可以看看 iptables -L INPUT -n 看看效果。讨厌的IP都在里面。
以上脚本在CentOS 5.x 通过
希望大家有用处
更新日志:
2012-06-28: 增加了监测功能,如果屏蔽的IP仍在发包,则该IP不予删除。只有在规则时间内不发送IP包了,该屏蔽IP规则才予以解除。否则会出现阶段性持续攻击尝试