前段时间在公司外网服务器上部署了ossec主机入侵检测系统,效果非常不错,但运行一段时间之后发现,因为我们深圳是采用动态ip上网,这样ossec经常会自动将我们的ip加入hosts.deny与防火墙中,并且ossec好像对动态ip也没有采取什么特别的措施,一概是宁可错杀一百也不可放过一个。这也是我写这个脚本的原因。
脚本的工作原理是这样的:
因为我们的动态ip会自动留下.broad.sz.gd.163data.com.cn的标记,首先我是让它在/etc/hosts.deny与iptables中查找包含此类标记的ip地址,找到了则自动将其清除。其次再在/var/log/secure中查找当天包含此类信息的日志,然后从中提取ip地址,并将其加入hosts.allow中,原理很简单。以下是我脚本的详细内容,没有注释,应该一看就明白。希望大家提供宝贵意见,共同成长。
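#!/bin/sh
# Get Rid Of Our Dynamic Ip From /etc/hosts.deny Every 1 hour
# Writed by zhanghuiyun 20080725
#
# Purpose: OSSEC's active response keeps blocking our own office address,
# a dynamic IP whose reverse DNS name ends in $STRING.  Each run:
#   1. saves the live iptables ruleset to a scratch copy,
#   2. collects today's sshd log lines whose reverse name ends in $STRING and
#      turns the name's leading octets (the ISP stores them reversed) back
#      into a forward IPv4 address,
#   3. removes every $STRING entry from /etc/hosts.deny,
#   4. REPLACES /etc/hosts.allow with one "ALL:<ip>:ALLOW" line per address
#      (the previous file is kept as hosts.allow.bak, as in the original),
#   5. deletes any iptables rule that mentions one of those addresses and
#      reloads the ruleset,
#   6. writes a report to $LOGFILE (mailing it is still commented out).
# Must run as root (iptables-save/-restore, /etc/hosts.*); meant for cron.
#
# Trust note: the hostname in the log is the reverse DNS name of whoever
# connected, which the remote network controls; anything ending in $STRING
# is treated as ours.  Only well-formed dotted quads are accepted below.
# TODO(review): restrict accepted addresses to the ISP's known prefix.
#
# Changes from the original:
#   - scratch files live in a private mktemp directory removed on exit; the
#     fixed names under /tmp let any local user pre-create or symlink them and
#     have this root process overwrite an arbitrary file or install crafted
#     hosts.allow / iptables content.
#   - IPs are matched literally and as whole words (grep -wF), so 1.2.3.4 no
#     longer matches 11.2.3.45 and dots are not regex wildcards.
#   - the iptables working copy is refreshed after every successful restore,
#     so a second allowed IP no longer re-installs rules removed for the first.
#   - every reversed IP is appended (the original truncated per iteration and
#     kept only the last one), and hosts.allow is only replaced when at least
#     one valid address was found.
#############################################################################################
# shellcheck disable=SC1091 -- kept from the original: gives cron a login PATH
. /etc/profile
set -u

# shellcheck disable=SC2034 -- only used by the (commented) mail line
ADMIN="****@gmail.com"
# shellcheck disable=SC2034 -- only used by the (commented) mail line
LOCAL_IP=$(/sbin/ifconfig eth0 | /bin/grep -w 'inet' | /bin/awk '{print $2}' | /bin/sed 's/addr://')
DATE=$(date '+%b %e')            # syslog date prefix; %e is space-padded like the log
FILENAME="/var/log/secure"
HOSTS_DENY="/etc/hosts.deny"
HOSTS_ALLOW="/etc/hosts.allow"
BAK=".bak"
STRING=".broad.sz.gd.dynamic.163data.com.cn"
LOGFILE="/var/log/white_list_ip.log"

# Private scratch directory: unpredictable name, root-only, removed on any exit.
WORKDIR=$(/bin/mktemp -d /tmp/white_list_ip.XXXXXX) || exit 1
/bin/chmod 700 -- "$WORKDIR"
trap '/bin/rm -rf -- "$WORKDIR"' EXIT
TMPALLOWFILE="$WORKDIR/hosts.allow"
TMPDENYFILE="$WORKDIR/hosts.deny"
TMPIPTABLESFILE="$WORKDIR/iptables.current"
IPTABLESRULES="$WORKDIR/iptables.new"
TMPREVERSEIP="$WORKDIR/reverse_ip"
TMPIP="$WORKDIR/ip"
###############################################################################################

# Returns 0 when $1 is a dotted quad (four non-empty, digits-only groups).
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*) return 1 ;;
  esac
  [ "$(printf '%s\n' "$1" \
    | /bin/awk -F. 'NF == 4 && $1 != "" && $2 != "" && $3 != "" && $4 != "" { print "ok" }')" = ok ]
}

# 1. Snapshot the live firewall; this copy is refreshed after each restore below.
/sbin/iptables-save > "$TMPIPTABLESFILE"

# 2. Today's log lines mentioning our reverse name.  Field 11 is the hostname
#    token in sshd's reverse-mapping message (positional, as in the original);
#    awk index() strips the literal suffix, sort -u dedupes non-adjacent repeats.
/bin/grep -- "$DATE" "$FILENAME" \
  | /bin/grep -wF -- "$STRING" \
  | /bin/awk -v s="$STRING" '{ n = index($11, s); if (n > 0) print substr($11, 1, n - 1) }' \
  | /bin/sort -u > "$TMPREVERSEIP"

# 3. Drop our entries from hosts.deny.  This is the first write to LOGFILE and
#    truncates it (the report is per run), as in the original.
if /bin/grep -qF -- "$STRING" "$HOSTS_DENY"; then
  /bin/echo "Delete Our Sz Dynamic Ip From $HOSTS_DENY" > "$LOGFILE"
  /bin/grep -vF -- "$STRING" "$HOSTS_DENY" > "$TMPDENYFILE"
  /bin/mv -- "$TMPDENYFILE" "$HOSTS_DENY"
  /bin/echo "Delete Ip ok From /etc/hosts.deny" >> "$LOGFILE"
else
  /bin/echo "Our Dynamic ip is not in my hosts.dney" > "$LOGFILE"
fi

# 4. The octets in the reverse name are stored backwards; flip them to get the
#    real public IP and build "ALL:<ip>:ALLOW" lines for hosts.allow.
if [ -s "$TMPREVERSEIP" ]; then
  : > "$TMPIP"
  while IFS= read -r LINE || [ -n "$LINE" ]; do
    fwd=$(printf '%s\n' "$LINE" | /bin/awk -F. '{ print $4 "." $3 "." $2 "." $1 }')
    if is_ipv4 "$fwd"; then
      printf 'ALL:%s:ALLOW\n' "$fwd" >> "$TMPIP"
    else
      # Anything that is not a dotted quad never reaches hosts.allow.
      printf 'Skipping unexpected token from %s: %s\n' "$FILENAME" "$LINE" >> "$LOGFILE"
    fi
  done < "$TMPREVERSEIP"
  if [ -s "$TMPIP" ]; then
    /bin/echo "Add Our Dynamic ip to $HOSTS_ALLOW" >> "$LOGFILE"
    # NOTE: hosts.allow is replaced wholesale (original behaviour); other
    # administrator entries in it do not survive a run.
    /bin/mv -- "$HOSTS_ALLOW" "$HOSTS_ALLOW$BAK"
    /bin/cp -- "$TMPIP" "$HOSTS_ALLOW"
    /bin/echo "Add ip into /etc/hosts.allow ok" >> "$LOGFILE"
  else
    /bin/echo "No valid dynamic ip found, $HOSTS_ALLOW left unchanged" >> "$LOGFILE"
  fi
else
  /bin/echo "Our dynamic ip is not in $FILENAME" >> "$LOGFILE"
fi

# 5. For every IP in hosts.allow, remove any firewall rule mentioning it.
/bin/grep -w 'ALL' "$HOSTS_ALLOW" | /bin/sed -e 's/ALL://' -e 's/:ALLOW//' > "$TMPALLOWFILE"
if [ ! -s "$TMPALLOWFILE" ]; then
  /bin/echo "Our Dynamic ip is not in $HOSTS_ALLOW" >> "$LOGFILE"
  /bin/echo "Our iptables policy as the following" >> "$LOGFILE"
fi
while IFS= read -r LINE || [ -n "$LINE" ]; do
  # Only dotted quads may edit the ruleset; other tokens could strip
  # unrelated lines from the iptables-save output.
  is_ipv4 "$LINE" || continue
  if /bin/grep -qwF -- "$LINE" "$TMPIPTABLESFILE"; then
    /bin/echo "Delete Our Sz Dynamic Ip From Iptables" >> "$LOGFILE"
    /bin/grep -vwF -- "$LINE" "$TMPIPTABLESFILE" > "$IPTABLESRULES"
    if /sbin/iptables-restore < "$IPTABLESRULES"; then
      # Working copy now matches the live ruleset for the next iteration.
      /bin/cp -- "$IPTABLESRULES" "$TMPIPTABLESFILE"
      /bin/echo "Iptables restore ok" >> "$LOGFILE"
    else
      /bin/echo "Iptables restore FAILED for $LINE, ruleset left as it was" >> "$LOGFILE"
    fi
  else
    /bin/echo "Our Dynamic ip is not blocked now" >> "$LOGFILE"
  fi
done < "$TMPALLOWFILE"

# 6. Report the resulting hosts.deny, hosts.allow and firewall contents.
/bin/echo "" >> "$LOGFILE"
/bin/echo "The following is the Content in Files" >> "$LOGFILE"
/bin/echo "" >> "$LOGFILE"
/bin/echo "List in $HOSTS_DENY" >> "$LOGFILE"
/bin/cat -- "$HOSTS_DENY" >> "$LOGFILE"
/bin/echo "" >> "$LOGFILE"
/bin/echo "List in $HOSTS_ALLOW" >> "$LOGFILE"
/bin/cat -- "$HOSTS_ALLOW" >> "$LOGFILE"
/bin/echo "" >> "$LOGFILE"
/bin/echo "List in Iptables" >> "$LOGFILE"
# The working copy equals the live ruleset whether or not a restore happened.
/bin/cat -- "$TMPIPTABLESFILE" >> "$LOGFILE"
# Mail the report to the administrator (disabled, as in the original).
# /bin/mail "$ADMIN" -s "Dynamic Ip Report From $LOCAL_IP $DATE" < "$LOGFILE"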