Part 1: Background. The following functionality was required:
1. If a single IP makes more than 300 accesses within 300 seconds, add it to a blacklist that blocks that IP from reaching ports 80, 443, 25, 110, 143, 934, 935 and so on, and send an email notification.
2. View the blacklist and remove entries from it.
3. View the whitelist, add entries to it, and so on.
4. Release a blacklisted IP after half an hour (not possible for now; the kernel would need a patch).
Based on these requirements I implemented the functionality with shell scripts.
Part 2: Scripts. The first script configures iptables to mark any IP that exceeds 300 accesses within 300 seconds and to log it.
First one iptables parameter has to be changed. By default iptables (the xt_recent module) only remembers 20 packets per IP address within the tracking window; to count 300 accesses within 300 seconds this limit has to be lifted.
That means raising the value of ip_pkt_list_tot (before relying on a 300-hit threshold, check the maximum your kernel's xt_recent module accepts for this parameter; modinfo xt_recent reports it):
# The parameter files under /sys/module are created read-only, so make them writable first
chmod 600 /sys/module/xt_recent/parameters/ip_list_tot
echo 10240 > /sys/module/xt_recent/parameters/ip_list_tot
chmod 600 /sys/module/xt_recent/parameters/ip_pkt_list_tot
echo 500 > /sys/module/xt_recent/parameters/ip_pkt_list_tot
# Record every new connection to the monitored ports in the recent list named "Attack"
iptables -A INPUT -p tcp -m multiport --destination-ports 25,110,143,80,934,935,443 -m state --state NEW -m recent --set --name Attack
# Once a source exceeds 300 new connections within 300 seconds, log it with the prefix "WEB Attack"
iptables -A INPUT -p tcp -m multiport --destination-ports 25,110,143,80,934,935,443 -m state --state NEW -m recent --update --name Attack --seconds 300 --hitcount 300 -j LOG --log-prefix "WEB Attack"
By default these log lines end up in /var/log/messages. To keep the iptables log in its own file, configure rsyslog as follows:
Edit /etc/rsyslog.conf (vim /etc/rsyslog.conf) and add this line:
kern.warning /var/log/iptables.log
The LOG target writes to the kernel facility at level warning by default, which is what this selector matches. Then restart the logging service:
# /etc/init.d/rsyslog restart
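As an added example (not the post's own commands), the same parameter changes and rate-limit rules written as a script that can be re-run at boot or after editing the thresholds without adding duplicate rules. The names raise_recent_param, ensure_rule, setup_rate_limit and the IPTABLES and RECENT_PARAMS variables are my own; the two variables exist so that the parameter handling can be exercised against a temporary directory without root.

```shell
#!/bin/bash
# Added example, not the post's setup commands: the same xt_recent parameters
# and rate-limit rules, written as a script that can be re-run (at boot, or
# after editing the thresholds) without adding duplicate rules. IPTABLES and
# RECENT_PARAMS are assumptions introduced so the parameter handling can be
# exercised against a temporary directory without root.
IPTABLES="${IPTABLES:-/sbin/iptables}"
RECENT_PARAMS="${RECENT_PARAMS:-/sys/module/xt_recent/parameters}"
PORTS="25,110,143,80,934,935,443"
WINDOW=300      # seconds
HITS=300        # new connections per window before the source is logged

# Raise one xt_recent parameter to at least $2; a higher existing value is kept.
# The files under /sys/module are created read-only, hence the chmod first.
raise_recent_param() {
    local file="$RECENT_PARAMS/$1" want="$2" have
    have="$(cat "$file")"
    [ "$have" -lt "$want" ] || return 0
    chmod 600 "$file"
    echo "$want" > "$file"
}

# Append a rule to INPUT only if an identical one is not already present
# (iptables -C exits 0 when the rule exists), so re-running is harmless.
ensure_rule() {
    "$IPTABLES" -C INPUT "$@" 2>/dev/null || "$IPTABLES" -A INPUT "$@"
}

setup_rate_limit() {
    raise_recent_param ip_list_tot 10240
    # Check the maximum your kernel's xt_recent accepts here (modinfo xt_recent shows it)
    raise_recent_param ip_pkt_list_tot 500
    # Every new connection to the monitored ports is recorded under the name Attack
    ensure_rule -p tcp -m multiport --dports "$PORTS" -m state --state NEW \
        -m recent --set --name Attack
    # Once a source exceeds HITS new connections within WINDOW seconds, log it
    ensure_rule -p tcp -m multiport --dports "$PORTS" -m state --state NEW \
        -m recent --update --name Attack --seconds "$WINDOW" --hitcount "$HITS" \
        -j LOG --log-prefix "WEB Attack"
}

# Run as root:
#   setup_rate_limit
```

The ordering matters: the --set rule must come before the --update rule so that every new connection is counted before the threshold is checked, and ensure_rule appends (rather than inserts) so a whitelist ACCEPT rule inserted later with -I still takes precedence.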
The second script reads the iptables log and adds the flagged addresses to the blacklist. Put it in crontab so it runs once a minute.
#!/bin/bash
# Read the iptables log, block every source flagged "WEB Attack", mail the list and empty the log
LogFile="/var/log/iptables.log"
Size=`wc -l < "$LogFile"`
if [ "$Size" -eq 0 ];then
    exit 0
else
    # Field 10 of the default rsyslog line is "SRC=<address>"; sort -u drops
    # repeats anywhere in the file (uniq only drops adjacent ones)
    IP=`grep "WEB Attack" "$LogFile"|awk -F" " '{print $10}'|sort -u`
    for i in $IP
    do
        ip=`echo $i|cut -d"=" -f2`
        /sbin/iptables -I INPUT -s "$ip" -p tcp -m multiport --destination-ports 25,110,143,80,934,935,443 -j DROP
        # Relative path: under cron this file lands in the job's working directory
        echo "$ip" >> BlackIp.log
        service iptables save &> /dev/null
    done
    echo $IP | mail -s "Ip Attack" yfzhang7@iflytek.com
    cat /dev/null > "$LogFile"
fi
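The same cron job, as an added example rather than the post's script: it extracts the SRC= field by name instead of by column number (so a different rsyslog template does not break it) and skips addresses that are already recorded, so a source that keeps hitting the threshold does not collect a DROP rule per run. The functions extract_attack_sources, block_ip and process_log, the IPTABLES and BLACKLIST_FILE variables, the sample log lines and the admin@example.com address are all my own; the sample uses documentation addresses and follows rsyslog's default line layout.

```shell
#!/bin/bash
# Added example; this is not the post's cron script. It does the same job
# (read the "WEB Attack" lines, block each source, record it, empty the log)
# with two changes: the SRC= field is matched by name instead of by column
# number, and an address already in the blacklist record is not blocked again.
# IPTABLES and BLACKLIST_FILE are assumptions introduced so the logic can run
# without root: IPTABLES=echo prints the rules instead of loading them.
IPTABLES="${IPTABLES:-/sbin/iptables}"
BLACKLIST_FILE="${BLACKLIST_FILE:-/var/log/BlackIp.log}"
PORTS="25,110,143,80,934,935,443"

# Print each distinct source address of the "WEB Attack" lines read on stdin.
# The rule's --log-prefix has no trailing space, so the kernel writes
# "WEB AttackIN=eth0 ..."; matching the SRC= field directly is unaffected by that.
extract_attack_sources() {
    grep 'WEB Attack' | grep -oE 'SRC=[0-9]{1,3}(\.[0-9]{1,3}){3}' | cut -d= -f2 | sort -u
}

# Block one address on the monitored ports and record it.
# Returns 0 when a rule was added, 1 when the address was already recorded
# or iptables refused the rule.
block_ip() {
    local ip="$1"
    if [ -f "$BLACKLIST_FILE" ] && grep -qxF "$ip" "$BLACKLIST_FILE"; then
        return 1
    fi
    "$IPTABLES" -I INPUT -s "$ip" -p tcp -m multiport --dports "$PORTS" -j DROP >/dev/null || return 1
    echo "$ip" >> "$BLACKLIST_FILE"
}

# One cron run: block every new source found in the log file and print the
# addresses that were newly blocked, one per line, for the mail notification.
process_log() {
    local logfile="$1" ip
    [ -s "$logfile" ] || return 0
    for ip in $(extract_attack_sources < "$logfile"); do
        block_ip "$ip" && echo "$ip"
    done
    # Emptying the file after reading can drop lines logged in between; a
    # source that keeps hitting the threshold is simply caught on the next run.
    : > "$logfile"
}

# Constructed sample log in rsyslog's default layout, using documentation
# addresses; the last line comes from a different LOG rule and must be ignored.
SAMPLE_LOG='May 26 10:01:02 mail kernel: WEB AttackIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May 26 10:01:03 mail kernel: WEB AttackIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
May 26 10:01:09 mail kernel: WEB AttackIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.33 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0
May 26 10:01:10 mail kernel: Other ruleIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.1 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# Intended cron usage (as root, once a minute), mirroring the post:
#   process_log /var/log/iptables.log | mail -s "Ip Attack" admin@example.com
```

Because process_log prints only the addresses it actually added, the mail is empty (and can be suppressed) on runs where nothing new was blocked; the block record doubles as the list the tool script can display.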
The third script is an iptables tool for viewing and removing blacklist entries, and for viewing and adding whitelist entries.
#!/bin/bash
# IpTools: view/remove blacklist entries and view/add/remove whitelist entries

# List the source address (field 4 of "iptables -n -L") of every DROP rule
function ShowBlackIp(){
    IP=`/sbin/iptables -n -L|grep "^DROP"|awk -F" " '{print $4}'|sort -u`
    echo $IP
}
function AddwhiteIp(){
    if /sbin/iptables -n -L|grep "^ACCEPT"|grep "\<$1\>" &> /dev/null;then
        echo -e "\033[40;31m The white IP already exists \033[0m"
    else
        # iptables rejects a malformed address, which is reported as IP ERROR
        if /sbin/iptables -I INPUT -s "$1" -j ACCEPT &> /dev/null;then
            echo -e "\033[40;32m ADD success\033[0m"
        else
            echo -e "\033[40;31m IP ERROR\033[0m"
        fi
    fi
    service iptables save &> /dev/null
}
function DeleteBlackIp(){
    # The rule must match exactly the one the blacklist script inserted
    if /sbin/iptables -D INPUT -s "$1" -p tcp -m multiport --destination-ports 25,110,143,80,934,935,443 -j DROP &> /dev/null;then
        echo -e "\033[40;32m Delete success\033[0m"
    else
        echo -e "\033[40;31m Command ERROR\033[0m"
    fi
    service iptables save &> /dev/null
}
function DeleteWhiteIp(){
    if /sbin/iptables -D INPUT -s "$1" -j ACCEPT &> /dev/null;then
        echo -e "\033[40;32m Delete success\033[0m"
    else
        echo -e "\033[40;31m Command ERROR\033[0m"
    fi
    service iptables save &> /dev/null
}
function AboutIpTools(){
    echo -e "\033[40;32m Create By Zyf(jeff)---Iflytek\033[0m"
    echo -e "\033[40;32m Time: 2014/05/26\033[0m"
    echo -e "\033[40;32m QQ:445188383\033[0m"
    echo -e "\033[40;32m if this program has an error please contact me\033[0m"
}
# List the source address of every ACCEPT rule
function ShowWhiteIp(){
    IP=`/sbin/iptables -n -L|grep "^ACCEPT"|awk -F" " '{print $4}'|sort -u`
    echo $IP
}
function ShowMenu(){
    echo -e "\033[40;31m--------------Welcome to Use IpTools-----------------\033[0m"
    echo -e "\033[40;32m1.Show Black Ip\033[0m"
    echo -e "\033[40;32m2.Show White Ip\033[0m"
    echo -e "\033[40;32m3.Add White Ip\033[0m"
    echo -e "\033[40;32m4.Delete Black Ip\033[0m"
    echo -e "\033[40;32m5.Delete White Ip\033[0m"
    echo -e "\033[40;32m6.About IpTools\033[0m"
    echo -e "\033[40;32mc/C.Clear Screen\033[0m"
    echo -e "\033[40;32mq/Q.Quit Program\033[0m"
    echo -e "\033[40;31mplease choose(1/2/3/4/5/6/q/Q): \033[0m"
}
ShowMenu
read -p "#:" CHOOSE
# $CHOOSE is quoted so an empty answer does not break the test
while [ "$CHOOSE" != 'Q' ] && [ "$CHOOSE" != 'q' ]
do
    case "$CHOOSE" in
        1)
            ShowBlackIp
            ;;
        2)
            ShowWhiteIp
            ;;
        3)
            read -p "please input white Ip:" WIP
            AddwhiteIp "$WIP"
            ;;
        4)
            read -p "please input black Ip:" BIP
            DeleteBlackIp "$BIP"
            ;;
        5)
            read -p "please input white Ip:" WIP
            DeleteWhiteIp "$WIP"
            ;;
        6)
            AboutIpTools
            ;;
        c|C)
            clear
            ;;
        *)
            echo -e "\033[40;32m ###########ERROR CHOOSE:########\033[0m"
            ;;
    esac
    ShowMenu
    read -p "#:" CHOOSE
done
echo -e "\033[40;32m ###########End Program:########\033[0m"
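An added example, not part of the post's IpTools script, that hardens its two fragile spots: the list functions parse "iptables -S INPUT" (one rule per line, in command syntax) instead of the fourth column of "iptables -n -L", so rules without a source match such as the state or recent rules are skipped rather than shown as 0.0.0.0/0, and an address is validated before it is handed to iptables. The functions valid_ipv4, sources_with_target, show_black_ip, show_white_ip and add_white_ip, the IPTABLES variable and the sample rule dump are my own; the dump is constructed to look like the post's rule set plus two example entries.

```shell
#!/bin/bash
# Added example, not part of the post's IpTools script. Lists are read from
# `iptables -S INPUT` output on stdin (so they can be tested on a constructed
# dump without root) and an address is validated before reaching iptables.
# IPTABLES is an assumption introduced for the same reason.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix, nothing else.
valid_ipv4() {
    local ip prefix a b c d rest octet
    case "$1" in
        */*) ip="${1%%/*}"; prefix="${1#*/}"
             case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
             [ ${#prefix} -le 2 ] && [ "$prefix" -le 32 ] || return 1 ;;
        *)   ip="$1" ;;
    esac
    case "$ip" in .*|*.|*..*) return 1 ;; esac
    # Split on dots; a fifth field means too many octets
    IFS=. read -r a b c d rest <<EOF
$ip
EOF
    [ -z "$rest" ] || return 1
    for octet in "$a" "$b" "$c" "$d"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the source addresses of every INPUT rule whose target is $1 (DROP or
# ACCEPT), reading `iptables -S INPUT` output from stdin. Rules without a
# source match are skipped; hosts appear as a.b.c.d/32 because that is how
# iptables prints them.
sources_with_target() {
    grep -E -- "^-A INPUT .*-j $1( |\$)" | grep -oE -- ' -s [0-9./]+' | cut -d' ' -f3 | sort -u
}

show_black_ip() { sources_with_target DROP; }
show_white_ip() { sources_with_target ACCEPT; }

# Insert a whitelist (ACCEPT) rule for an address after validating it and
# checking it is not already present; messages mirror the original tool's.
add_white_ip() {
    if ! valid_ipv4 "$1"; then
        echo "IP ERROR: $1 is not an IPv4 address"; return 1
    fi
    if "$IPTABLES" -C INPUT -s "$1" -j ACCEPT 2>/dev/null; then
        echo "The white IP already exists"; return 1
    fi
    "$IPTABLES" -I INPUT -s "$1" -j ACCEPT && echo "ADD success"
}

# Constructed `iptables -S INPUT` dump: the post's rules plus one whitelisted
# host and two blacklisted sources (documentation addresses).
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 203.0.113.10/32 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp -m multiport --dports 25,110,143,80,934,935,443 -j DROP
-A INPUT -s 192.0.2.0/24 -p tcp -m multiport --dports 25,110,143,80,934,935,443 -j DROP
-A INPUT -p tcp -m multiport --dports 25,110,143,80,934,935,443 -m state --state NEW -m recent --set --name Attack --rsource
-A INPUT -p tcp -m multiport --dports 25,110,143,80,934,935,443 -m state --state NEW -m recent --update --seconds 300 --hitcount 300 --name Attack --rsource -j LOG --log-prefix "WEB Attack"'

# Live usage (as root):
#   /sbin/iptables -S INPUT | show_black_ip
#   add_white_ip 203.0.113.20
```

Validating the address before calling iptables matters because the original tool passes the typed string straight into the command line and only reports a generic error afterwards; rejecting anything that is not a plain address or CIDR up front keeps the tool's behaviour predictable.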
Below is the result of running this script:
The functions can be chosen from the menu. It mainly implements
viewing and removing blacklist entries, and adding, removing and viewing whitelist entries.