对于数量比较小的可以屏蔽IP,但对于数量大的成批抓取就力不从心了。
回复于:2004-06-02 12:37:58可以啊。
送你个shell文件。
#!/bin/bash
#
# 这支程式最早在 2002/06/11 由 VBird 开发的!
#
# 说明
# 这支程式的最大用途在于保护你的 WWW 主机免于被砍站软体所困扰!
# 所以如果没有 WWW 服务在您的主机上面,那么这支程式就不必要执行了!
#
# 抵挡原理
# 有些很讨厌的程式例如 Teleport 之类的软体,由于会一直尝试砍站,
# 因此会一直的要求与你的主机来连线,这样的情况下,你的主机可能
# 会相当的耗系统的资源啊!因此造成当机!
# 由于当使用 Teleport 时,他会造成很多条的连线,这些连线可以
# 使用 netstat 来观察到!因此,我们就使用 netstat 来统计
# 『重复的连线 IP 』,将这些来自同一 IP 的连线统计一下,
# 如果超过一个设定值(您自己选择的!),那么该 IP 就会被你的
# iptables 机制挡掉了!
# 由于这样一回事,所以,您在使用本程式之前,注意核心版本。
#
# 注意事项:
# 1. 关于这支程式:
# 由于这支程式使用 netstat 计算出重复的 IP 连线数后,
# 超过一定的连线值时,该 IP 会以 iptables 来抵挡,因此,
# 你的系统核心必须要高于 2.4 版本,并且不要使用 ipchains 的啦!
# 2. 关于其他的相关程式:
# 由于我是与 iptables.rule 那支程式一起作用的,所以
# 除非您对于 shell scripts 已经相当的有概念,否则,
# 最好到下面的网站上面 download 那支程式吧!
# /download/#linux_security
#
# 安装:
# 1. 放置程式到适当的目录下
# mkdir -p /usr/local/virus/httpd-err
# cp /完整路径/http-netstat.sh /usr/local/virus/httpd-err
# chmod 755 /usr/local/virus/httpd-err/http-netstat.sh
# 2. 修改本程式的相关内容:
# 在后面的几个设定项目需要修改,包括:
# email (后面请接讯息要寄给谁呢?)
# access_log (后面请接 apache 的登录档)
# 3. 修改 crontab
# vi /etc/crontab (加入底下这几行)
# ----------- Start -----------------------------------------------------------------
# * * * * * root /usr/local/virus/httpd-err/http-netstat.sh start >; /dev/null 2>;&1
# 18 */2 * * * root /usr/local/virus/httpd-err/http-netstat.sh day >; /dev/null 2>;&1
# 12 04 * * 0,4 root /usr/local/virus/httpd-err/http-netstat.sh week >; /dev/null 2>;&1
# ----------- End -------------------------------------------------------------------
#
#====================================================================
# 版权宣告:
# 本程式为 GPL 授权,任何人皆可使用本程式,
# 不过,使用本程式前,建议先对 BASH Shell 有一定程度的瞭解比较好!
# 另外,使用本程式出现的任何问题,本人概不负责!
# VBird ;
#====================================================================
# History:
#--------------------------------------------------------------------
# 2002/06/11 VBird
# First time to setup this program!!
# 2002/06/29 VBird
# Adding some output control line!
# 2002/07/01 VBird
# 1. Add "Using netstat -an" to find out
# the large connect IP and deny it!
# The number of connection is [25].
# 2. By the way, the limited error log is
# changed from [20] to [15].
# 3. The running frequency is changed from
# 30 minutes to 15 minutes.
# 2002/09/26 VBird
# 1. Adding the "netstat -an" for check
# the Apache is live ?
# 2002/11/04 VBird
# 1. change the netstat error from 25 to 15
# 2003/02/27 VBird
# modified the detect method from connection number to the
# "SYN_RECV" signle!
# 2003/03/03 VBird
# 1. The SYN_RECV signle is come from "Brother's settings"
# not only from teleport~ Thus, the last modified is
# error's settings....
# 2. The program have been modified to do the following:
# a. using netstat and grep the TIME_WAIT process
# If the Time_wait connection is over 5 and continue
# 15 seconds then drop the IP!
# b. Analysis the log file, if find the Teleport then
# Drop the IP!
# 2003/03/23 VBird
# 将 TIME_WAIT 的封包由原本的 9 个拉长成为 12 个!
# 因为有太多的朋友发生被抵挡的问题了!真糟糕!
# 2003/03/24 VBird
# 将 TIME_WAIT 的封包由原本的 12 个拉长成为 15 个!
# 因为有太多的朋友发生被抵挡的问题了!真糟糕!
# 2003/04/03 VBird
# 因为又被砍了!所以将以拉长的 15 个改回来成为 13 个!
# 2003/04/24 VBird
# 突然认为抵挡个一天实在是粉恶劣,会让很多人无法进入本站,
# 所以又多开放了几个资料出来!除了 Teleport 罪证确凿,
# 所以仍然不给他进入(挡三~四天)之外,其他的抵挡会在 2 小时开放!
# 所以,抵挡的机制可以设定的更为严格啰!
# 因此又将原本拉长的 13 个改回来 12 个了!
# 2003/04/28 VBird
# 将程式丢出来给大家使用了!
# 2003/05/18 VBird
# 修改了每日输出的 E-Mail 格式!
#====================================================================
#####################################################################
# you must input some parameters
# 底下的资料是您必须要填写的!
email="root@localhost"
basedir="/usr/local/virus/httpd-err"
iptables_rule="/usr/local/virus/iptables/iptables.rule"
access_log="/var/log/httpd/access_log"
### Program starting ! You don't change anything for nothing! ^_^ ###
#####################################################################
# The program version and somethings.
lastdate="2003-05-18"
versions="Version 1.1"
hosthome=`hostname`
logfile="$basedir/mail.netstat"
oldlogfile="$basedir/mail.netstat.old"
#####################################################################
# The following is about ethernet interface's IP and check if the http live?
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export PATH
LANG=en; LC_TIME=en; export LC_TIME LANG
ethface=`route -n | awk '{print $1 , $8}'| grep '0.0.0.0'| cut -d' ' -f2`
ethIP=`ifconfig "$ethface" | grep 'inet addr'| awk '{print $2}'| cut -d':' -f2`
export ethIP
case $1 in
start)
# 1. Get the TIME_WAIT signle
#=== Part A, about the TIME WAIT signle ===#
netstat -an|grep 80|grep TIME| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| \
awk '{if ($1 >;= 12) print $2}' >; $basedir/netstat1
sleep 12s
netstat -an|grep 80|grep TIME| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| \
awk '{if ($1 >;= 12) print $2}' >; $basedir/netstat2
sleep 12s
netstat -an|grep 80|grep TIME| awk '{print $5}'| cut -d':' -f1| sort |uniq -c| \
awk '{if ($1 >;= 12) print $2}' >; $basedir/netstat3
cat $basedir/netstat1 $basedir/netstat2 $basedir/netstat3 | sort | uniq -c | \
awk '{ if ( $1 == 3 ) print $2 }' >; $basedir/netstat.now
denyip_netstat=`cat $basedir/netstat.now`
#=== Part B, about the log file ===#
tail -n 1000 $access_log | grep "Teleport" | cut -d' ' -f1|sort|uniq >; $basedir/loga.now
denyip_log=`cat $basedir/loga.now`
# 2. Exit if non IP in this problem !
if [ "$denyip_netstat" == "" ] && [ "$denyip_log" == "" ]; then
exit 0
fi
# 3. adding the IP into the deny files dailyerr
[ -e $basedir/dailynet ] || touch $basedir/dailynet
[ -e $basedir/dailylog ] || touch $basedir/dailylog
[ -e $basedir/dailyerr ] || touch $basedir/dailyerr
cat $basedir/netstat.now $basedir/dailynet | sort +0n | uniq >; $basedir/dailynet.1
cat $basedir/loga.now $basedir/dailylog | sort +0n | uniq >; $basedir/dailylog.1
cp $basedir/dailynet.1 $basedir/dailynet
cp $basedir/dailylog.1 $basedir/dailylog
sleep 1s
num_new=`cat $basedir/dailynet $basedir/dailylog | sort | uniq | wc -l`
num_old=`cat $basedir/dailyerr | wc -l`
if [ "$num_new" == "$num_old" ]; then
exit 0
fi
cat $basedir/dailynet $basedir/dailylog | sort | uniq >; $basedir/dailyerr
echo '#!/bin/bash' >; $basedir/iptables.http
echo '#' >;>; $basedir/iptables.http
echo "# This file is automatic created by $0" >;>; $basedir/iptables.http
echo '#' >;>; $basedir/iptables.http
echo '# Please to see the web page is any questions:' >;>; $basedir/iptables.http
echo '# ' >;>; $basedir/iptables.http
echo '################################################' >;>; $basedir/iptables.http
cat $basedir/dailyerr | \
/bin/awk -v ethIP="$ethIP" '{ printf( "\%-42s \%-18s \%-19s\n", "/sbin/iptables -A INPUT -p TCP -i eth0 -s", $1, "--dport 80 -j DROP")}' \
>;>; $basedir/iptables.http
chmod 700 $basedir/iptables.http
if [ -f "$iptables_rule" ]; then
sh $iptables_rule
[ -e "$basedir/dailyerr.number" ] || echo 0 >; $basedir/dailyerr.number
declare -i daynumber=`cat $basedir/dailyerr.number`+1
sleep 1s
echo $daynumber >; $basedir/dailyerr.number
fi
;;
day)
# 1. Get the uptime of your Linux system
timeset1=`uptime | grep day`
timeset2=`uptime | grep min`
if [ "$timeset1" == "" ]; then
if [ "$timeset2" == "" ]; then
UPtime=`/usr/bin/uptime | awk '{print $3}'`
else
UPtime=`/usr/bin/uptime | awk '{print $3 " " $4}'`
fi
else
if [ "$timeset2" == "" ]; then
UPtime=`/usr/bin/uptime | awk '{print $3 " " $4 " " $5}'`
else
UPtime=`/usr/bin/uptime | awk '{print $3 " " $4 " " $5 " " $6}'`
fi
fi
# 2. Send the information to you!
if [ ! -f $logfile ]; then
echo "################################################" >; $logfile
echo "欢迎使用本程式来查验您的 HTTP 登录档" >;>; $logfile
echo "本程式目前版本为: $versions" >;>; $logfile
echo "最后更新日期为: $lastdate" >;>; $logfile
echo "若在您的系统中发现本程式有问题" >;>; $logfile
echo "欢迎与 VBird 联络!" >;>; $logfile
echo "鸟哥的首页 " >;>; $logfile
echo "################################################" >;>; $logfile
echo "=============== 系统汇整 =======================" >;>; $logfile
echo "核心版本 : `cat /proc/version | awk '{print $1 " " $2 " " $3 " " $4}'`" \
>;>; $logfile
echo "CPU 资讯 : `cat /proc/cpuinfo | grep "model name" | \
awk '{print $4 " " $5 " " $6}'`">;>; $logfile
echo " : `cat /proc/cpuinfo | grep "cpu MHz" | \
awk '{print $4 " MHz"}'`" >;>; $logfile
echo "主机名称 : `/bin/hostname`" \
>;>; $logfile
echo "================================================" >;>; $logfile
echo " " >;>; $logfile
fi
echo "目前时间: "`date +%Y/%m/%d' '%H:%M` >;>; $logfile
ipnumber=`cat $basedir/dailyerr | wc -l`
echo "过去两小时内被本程式抵挡的 IP 数量: $ipnumber" >;>; $logfile
daynumber=`cat $basedir/dailyerr.number`
echo "过去两小时内本程式防火墙启动的次数: $daynumber" >;>; $logfile
echo " " >;>; $logfile
cat $basedir/dailyerr >;>; $basedir/dailytotal
rm $basedir/dailynet
rm $basedir/iptables.http
rm $basedir/dailyerr.number
if [ -f "$iptables_rule" ]; then
sh $iptables_rule
fi
sendor=`date +%H`
if [ "$sendor" == "05" ] || [ "$sendor" == "06" ]; then
echo "本日抵挡的 IP 统计" >;>; $logfile
sort -n $basedir/dailytotal |uniq -c | \
awk '{printf("\%-16s \%-3d\n", $2, $1)}' >;>; $logfile
mail -s "The deny IPs in your system ." $email < $logfile
[ -f "$oldlogfile" ] && rm $oldlogfile
mv $logfile $oldlogfile
rm $basedir/dailytotal
fi
sync; sync; sync
;;
week)
cat $basedir/dailylog >;>; $basedir/teleport.ip
rm $basedir/dailylog
;;
*)
echo "Usage command is {start|day|week}, such as [$0 start]"
;;
esac
阅读(445) | 评论(0) | 转发(0) |
