寫了一個簡單的防止IP攻擊的腳本
由于工作需要我就自己寫了一個簡單的防止IP攻擊的腳本,可以防止linux虛擬主機一些小方面的IP攻擊
系統是基于RHEL的centos,包括3,4,5三個版本,當然自己也初學shell,中間肯定用了很多笨的辦法,效果也不一定怎么樣,請大家給點意見
注意:這個腳本是根據apache服務器的server-status和系統的dmesg分析結果進行防范的,所以非apache用戶和沒有開啟server-status的朋友沒法使用
可以在服務器的crontab里設定每一分鐘運行一次腳本,
復制下面的腳本到autoblock.sh,
root用戶下# chmod u+x autoblock.sh
#!/bin/bash
# author hao32
# basic setting
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# find? server-status? name
ss_name="/usr/local/autoblock"
if [ -e $ss_name/ss_name ];then
ss_n=`cat $ss_name/ss_name`
else
mkdir /usr/local/autoblock >/dev/null 2>&1
cat `locate httpd.conf|grep -E "httpd/conf/httpd.conf$|apache_ssl/conf/httpd.conf$"`\
|grep "n /server-status"|cut -d/ -f2|cut -d\> -f1 > $ss_name/ss_name
ss_n=`cat $ss_name/ss_name`
fi
# block setting
#設定排除的IP地址
ip_exclude="192.168.1.*|60.195.249.*|222.76.212.*|218.241.156.*|58.215.87.*|218.107.216.110"
ip_amou=25
ss_url="
ss_tmp="/tmp/server-status"
poss_ip="/tmp/poss_ip"
real_ip="/tmp/real_ip"
# block start...
if [ -e "$poss_ip" ];then
echo "" > $poss_ip
fi
if [ -e "$real_ip" ];then
echo "" > $real_ip
fi
# analysedemsg
dmesg |grep "short"|awk '{if($4!="From"){print $4} else {print $5}}'|awk -F: '{print $1}'|sort|uniq>$poss_ip
wget -q -O "$ss_tmp" "$ss_url"
grep "<i>" $ss_tmp|grep -vE $ip_exclude|awk '{print $1}'|sed 's/<i>//g'|sort|uniq -c\
|awk '{if($1>'$ip_amou') print $2}'>>$poss_ip
#iptables -nvL|grep "DROP? "|awk '{print $8}'|sort|uniq|sed 's/0\/24/*/g'>$rule_ip
rule_ip=`iptables -nvL|grep "DROP? "|awk '{print $8}'|sort|uniq|sed 's/0\/24/*/g'|xargs|sed 's/\ /|/g'`
if [ -z $rule_ip ];then
for i in `cat $poss_ip`
do
/sbin/iptables -I INPUT -p all -s $i -j DROP
done
else
cat $poss_ip|grep -vE "$rule_ip" > $real_ip
for i in `cat $real_ip`
do
/sbin/iptables -I INPUT -p all -s $i -j DROP
done
fi