基本原理: 通過過濾ip_conntrack表得到ESTABLISHED狀態過多的ip, 然後用iptables封掉一段時間, 同時用hping工具將這些ip的連接從表中清理掉(以偽造源地址的RST報文觸發內核刪除conntrack記錄), 最後將被封的ip和一些其他信息寫到一個Html頁中, 做簡單的發布。 注意: 判斷依據只是每個源ip的ESTABLISHED連接數, 多個用戶共用同一個源ip時會被一起封掉; 腳本需要以root運行(iptables及hping的raw socket)。 關於hping: 下載: http://www.hping.org/download.html 安裝: ./configure;make;make install 相關聯接: http://chinaunix.net/jh/4/367999.html 默認功能: 1, 當一個ip在ip_conntrack表中的ESTABLISHED狀態在30-50之間時, 此ip被封10分鐘, 同時在ip_conntrack表中的記錄被清除; 50-100之間封15分鐘, 同時清表; 100以上封30分鐘, 同時清表。 2, 然後生成web頁 /var/www/html/wwy/drop/index.html --- 顯示被封的ip, 和cpu狀態等信息 /var/www/html/wwy/all/index.html --- 每一個ip的連接情況 3, 生成簡單的日志 /tmp/killip/tmp.log.txt 使用方法: 1, 需要安裝hping 2, 建議將腳本放到計劃任務中 3, 建議安裝並開啟apache, 為支持簡單的web發布, 默認為 http://127.0.0.1/wwy/drop/index.html 4, 如果表的大小大於20mb請慎用 ==================================================== 代碼:
#!/bin/bash
#
#---------------------------------------------------------------------------------------
#Scrip name: killip, base on ip_conntrack, write by wwy.
#---------------------------------------------------------------------------------------
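# CPU sample taken before the scan (sar: one 1-second interval); the second
# sample, after parsing, is logged next to it so the cost of a run is visible.
# NOTE(review): column 7 of `sar -u` is %idle on older sysstat / 24h locales
# but becomes %steal once sysstat prints a %steal column -- confirm on this host.
# (The original pipeline had its `|` characters lost; restored here.)
cpu="$(sar -u 1 1 | awk '{print $7}' | tail -1)%"
#
# Crude single-instance lock. The block/unblock jobs started later keep a
# `sleep` alive for the whole ban, so a live `sleep` means a ban is still in
# progress and a new scan would rewrite the /tmp lists those jobs read.
# Caveats a maintainer should know: this matches ANY sleep on the host (another
# cron job's sleep silently skips this run) and the check is not atomic. A
# flock(1)-held descriptor inherited by the background jobs would be the robust
# replacement.
if [ -n "$(pidof sleep)" ]; then
  echo "she is running, sorry"
  exit 1
fi
# Connection tracking must be loaded for /proc/net/ip_conntrack to exist.
# Newer kernels call the module nf_conntrack and expose /proc/net/nf_conntrack
# (different line prefix); this script's parsing assumes the ip_conntrack form.
if ! lsmod | grep -q ip_conntrack; then
  modprobe ip_conntrack
fi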
####################################
##---------------------- functions -----------------------------##
####################################
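#######################################
# Build the per-tier "connections to reset" lists.
# For every source IP in a tier list (/tmp/tmp33-{3,2,1}.txt) copy that IP's
# "src dst sport dport" tuples out of /tmp/tmp111.txt into the matching
# /tmp/tmp33-{3,2,1}-clr.txt, which clr_conns consumes later.
# Globals (read):  /tmp/tmp111.txt, /tmp/tmp33-{3,2,1}.txt
# Globals (write): /tmp/tmp33-{3,2,1}-clr.txt (appended)
# Why an exact match on column 1: the original `grep $ip` used the address as
# an unanchored regex, so "172.16.1.1" also matched 172.16.1.10-19,
# 172.16.1.100-199 and the *destination* column -- i.e. it queued RSTs for
# connections of clients that were never over the limit. Blank list lines are
# skipped (they used to match every tuple).
# (The original pipelines had their `|` characters lost; rewritten here.)
#######################################
function make_clr {
  local tier ip
  for tier in 3 2 1; do
    while IFS= read -r ip; do
      [ -n "$ip" ] || continue
      awk -v ip="$ip" '$1 == ip' /tmp/tmp111.txt >> "/tmp/tmp33-${tier}-clr.txt"
    done < "/tmp/tmp33-${tier}.txt"
  done
}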
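#######################################
# Tear down one tracked TCP connection: send a single RST to the destination
# with source address/port spoofed to the blocked client (hping2 -R -a -s),
# so the kernel drops the matching conntrack entry.
# Arguments: $1 src IP, $2 dst IP, $3 src port, $4 dst port
#            (one "src dst sport dport" line from a /tmp/tmp33-*-clr.txt file)
# Returns:   1 without sending anything if any argument is empty -- a blank
#            list line used to reach hping2 with no target at all; otherwise 0
#            (hping2 is backgrounded and its exit status is not checked).
# Requires root (raw sockets) and hping2 on PATH.
#######################################
function clr_conns {
  local s_ip=$1 d_ip=$2 s_port=$3 d_port=$4
  if [ -z "$s_ip" ] || [ -z "$d_ip" ] || [ -z "$s_port" ] || [ -z "$d_port" ]; then
    return 1
  fi
  hping2 "$d_ip" -R -s "$s_port" -p "$d_port" -a "$s_ip" -k -c 1 >/dev/null 2>&1 &
}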
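#######################################
# Block a set of source IPs for a while, reset their tracked connections,
# then unblock them.
# Arguments: $1 ban duration in sleep(1) syntax (e.g. 30m)
#            $2 file of "src dst sport dport" tuples to RST (see clr_conns)
#            $3 file of source IPs to DROP, one per line
# Globals:   KILLIP_IFACE -- ingress interface for the DROP rules (default eth0)
# Side effects: inserts and later deletes iptables FORWARD rules; runs for $1
#            (call sites background it).
#
# The IP list is read into memory once. The lists under /tmp are rewritten by
# every scan, so re-reading $3 after the sleep (as the original did) could
# delete a different set of rules than was inserted and leave clients blocked
# for good. Blank lines are skipped instead of becoming `-s /32`.
# NOTE(review): `-I FORWARD 2` presupposes FORWARD already holds at least one
# rule, otherwise iptables rejects the index (unchanged from the original).
# Nothing traps signals here, so a job killed mid-ban leaves its DROP rules in
# place; they then have to be removed by hand.
#######################################
function block_ips {
  local sleep_time=$1 clr_list=$2 black_list=$3
  local iface=${KILLIP_IFACE:-eth0}
  local -a ips=()
  local ip tuple

  while IFS= read -r ip; do
    [ -n "$ip" ] || continue
    ips+=("$ip")
  done < "$black_list"

  for ip in "${ips[@]}"; do
    iptables -I FORWARD 2 -i "$iface" -s "$ip/32" -j DROP
  done

  sleep "$sleep_time"

  # Reset the client's tracked connections so the conntrack entries go away.
  while IFS= read -r tuple; do
    [ -n "$tuple" ] || continue
    # shellcheck disable=SC2086 -- the tuple is intentionally split into 4 args
    clr_conns $tuple
  done < "$clr_list"

  sleep 1

  for ip in "${ips[@]}"; do
    iptables -D FORWARD -i "$iface" -s "$ip/32" -j DROP
  done
}

# Kept under the original name for the existing call sites. Be aware that a
# function called `kill` shadows the shell builtin for the rest of this script.
function kill() {
  block_ips "$@"
}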
#####################################
##--------------- To make a "black list" ----------------------##
#####################################
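# Working files. They live at fixed, predictable names under /tmp and are
# (re)created here as root, so a local user who pre-plants one of them as a
# symlink gets an arbitrary file truncated. Refuse to run over symlinks; this is
# only a partial mitigation (the check-then-open race remains) -- moving the
# files into a root-owned directory such as /var/lib/killip would close it.
tmpfiles=(
  /tmp/tmp11.txt
  /tmp/tmp111.txt
  /tmp/ip_conntrack.tmp
  /tmp/tmp33-3-clr.txt
  /tmp/tmp33-2-clr.txt
  /tmp/tmp33-1-clr.txt
  /tmp/tmp22-3.txt
  /tmp/tmp22-2.txt
  /tmp/tmp22-1.txt
  /tmp/tmp33-3.txt
  /tmp/tmp33-2.txt
  /tmp/tmp33-1.txt
)
for f in "${tmpfiles[@]}"; do
  if [ -L "$f" ]; then
    echo "refusing to use $f: it is a symlink" >&2
    exit 1
  fi
  # Truncate to empty. `echo > f` left a blank first line, which the
  # `while read` loops later turned into an empty IP / an hping2 call with no
  # target.
  : > "$f"
done
# Web output tree for the published block list and connection list.
# (The original had a stray "5B" line and `toUCh` here; fixed.)
if [ ! -e /var/www/html/wwy/index.html ]; then
  mkdir -p /var/www/html/wwy/all /var/www/html/wwy/drop
  touch /var/www/html/wwy/index.html
fi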
#----------------------------------------------------------------------------#
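#----------------------------------------------------------------------------#
# Snapshot the connection-tracking table; everything below works on the copy so
# the generated lists are consistent even while the live table changes.
echo -e "cp /proc/net/ip_conntrack /tmp/ip_conntrack.tmp ......\c"
cp /proc/net/ip_conntrack /tmp/ip_conntrack.tmp
echo -e "done!\n"
sleep 1
#----------------------------------------------------------------------------#
# Source prefix this gateway is responsible for (client side). Used as a regex
# anchored at start of line; the default keeps the original `^172.` behaviour
# (note the unescaped dot, which matches any 172.x.x.x source).
src_prefix=${KILLIP_SRC_PREFIX:-172.}

#######################################
# Reduce ip_conntrack lines to "src dst sport dport" tuples of ESTABLISHED
# connections whose source matches src_prefix. Reads the table on stdin,
# writes the tuples, sorted by source, to stdout.
# Line format assumed (/proc/net/ip_conntrack):
#   tcp 6 431999 ESTABLISHED src=A dst=B sport=P dport=Q src=B dst=A ...
# Splitting on '=' makes fields 2..5 "A dst", "B sport", "P dport", "Q src";
# the second awk keeps the values and drops the key names.
# NOTE(review): /proc/net/nf_conntrack on newer kernels uses a different file
# name and line prefix -- verify the field layout before pointing this at it.
#######################################
conntrack_tuples() {
  grep ESTABLISHED \
    | awk -F= '{print $2,$3,$4,$5}' \
    | grep "^${src_prefix}" \
    | sort \
    | awk '{print $1,$3,$5,$7}'
}

# /tmp/tmp111.txt : every tuple (input for make_clr / clr_conns)
# /tmp/tmp11.txt  : "<count> <src ip>" per source (input for tier selection)
# wc              : number of distinct source IPs seen (what the pages report)
# (The original pipeline had its `|` characters lost; restored here.)
wc=$(conntrack_tuples < /tmp/ip_conntrack.tmp \
  | tee /tmp/tmp111.txt \
  | awk '{print $1}' \
  | uniq -c \
  | tee /tmp/tmp11.txt \
  | wc -l)
date=$(date '+%m/%d %H:%M')
# Second CPU sample; same sysstat column caveat as the first one.
cpu2="$(sar -u 1 1 | awk '{print $7}' | tail -1)%"
date2=$(date '+%H')
#----------------------------------------------------------------------------#
sleep 1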
#----------------------------------------------------------------------------#
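# Scan threshold: the tiers below only run when at least this many distinct
# source IPs were seen. The original had its 2500-IP / after-10h guard
# commented out and compared against 0 (always true) while the generated page
# still announced ">2500"; the page now reports the threshold actually in use.
threshold=${KILLIP_THRESHOLD:-0}
# Defaults so the log line at the end of the script is well-formed even when
# no tier ran (previously the fields were simply empty).
wcblackip1=0
wcblackip2=0
wcblackip3=0
drop_page=/var/www/html/wwy/drop/index.html
all_page=/var/www/html/wwy/all/index.html
#if [ "$wc" -gt 2500 ] && [ "$date2" -gt 10 ]
if [ "$wc" -ge "$threshold" ]
then
  #------------------------------
  # Tier selection from /tmp/tmp11.txt ("<count> <ip>"). Boundaries as
  # published: 100+ -> 30min, 50-99 -> 15min, 31-49 -> 10min (exactly 30 is not
  # acted on, matching the original `$1>30`). Only well-formed dotted quads are
  # kept, so a mis-parsed table line can never reach iptables or hping2.
  # (The original pipelines had their `|` characters lost; restored here.)
  awk '$1 > 30 && $1 < 50 && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $2}' /tmp/tmp11.txt > /tmp/tmp22-1.txt
  awk '$1 >= 50 && $1 < 100 && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $2}' /tmp/tmp11.txt > /tmp/tmp22-2.txt
  awk '$1 >= 100 && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $2}' /tmp/tmp11.txt > /tmp/tmp22-3.txt
  cut -c1-15 /tmp/tmp22-1.txt > /tmp/tmp33-1.txt
  cut -c1-15 /tmp/tmp22-2.txt > /tmp/tmp33-2.txt
  cut -c1-15 /tmp/tmp22-3.txt > /tmp/tmp33-3.txt
  wcblackip1=$(wc -l < /tmp/tmp33-1.txt)
  wcblackip2=$(wc -l < /tmp/tmp33-2.txt)
  wcblackip3=$(wc -l < /tmp/tmp33-3.txt)
  ######################################
  ##---------------- To make a index.html -----------------------##
  ######################################
  # Values interpolated into the pages are counts, timestamps and dotted-quad
  # IPs (filtered above), so no HTML escaping is needed.
  echo "<b>If the total IPs >$threshold <font color=\"#ff0000\">(total $wc at $date)</font> AND if:</b>" > "$drop_page"
  echo "<p>you connect <b>\">100\"</b>, you ip will be killed in <b>30min</b>.</p>" >> "$drop_page"
  echo "<p>you connect <b>\"50-100\"</b>, you ip will be killed in <b>15min</b>.</p>" >> "$drop_page"
  echo "<p>you connect <b>\"30-50\"</b>, you ip will be killed in <b>10min</b>.</p>" >> "$drop_page"
  echo "<hr color=\"#ff8000\">" >> "$drop_page"
  echo "<p><b><font color=\"#ff0000\">These IPs (total $wcblackip3 + $wcblackip2 + $wcblackip1) were killed, at <font size=5>$date</font></font> <a href=../all>(look-up all IPs)</a></b></p>" >> "$drop_page"
  awk '$1 >= 100 {print $1, $2}' /tmp/tmp11.txt | sort -nr | awk '{print "<p>""<font color=\"#ff0000\">"$1"</font>""\t","<b>"$2"</b>""\t""kill 30min""</p>"}' >> "$drop_page"
  awk '$1 >= 50 && $1 < 100 {print $1, $2}' /tmp/tmp11.txt | sort -nr | awk '{print "<p>"$1"\t","<b>"$2"</b>""\t""kill 15min""</p>"}' >> "$drop_page"
  awk '$1 > 30 && $1 < 50 {print $1, $2}' /tmp/tmp11.txt | sort -nr | awk '{print "<p>"$1"\t","<b>"$2"</b>""\t""kill 10min""</p>"}' >> "$drop_page"
  echo "<p><b>You can \"ctrl + F\" to find your ip's connects.(total $wc IPs at $date)</b></p>" > "$all_page"
  echo "<p><a href=../drop> <-- back </a></p>" >> "$all_page"
  sort -nr /tmp/tmp11.txt | awk '{print "<p>"$1"\t",$2"\t""</p>"}' >> "$all_page"
  #####################################
  ##----------------- Use iptables to DROP ---------------------##
  #####################################
  make_clr
  # One background ban job per non-empty tier. `kill` here is this script's
  # block function (it shadows the builtin), not the signal command. The 1s
  # pause lets each job's `sleep` start before the next tier is looked at.
  for spec in 3:30m 2:15m 1:10m; do
    tier=${spec%%:*}
    duration=${spec#*:}
    if [ -s "/tmp/tmp33-${tier}.txt" ]; then
      kill "$duration" "/tmp/tmp33-${tier}-clr.txt" "/tmp/tmp33-${tier}.txt" &
      sleep 1s
    fi
  done
  #-------------------------------
elif [ "$date2" -lt 5 ] && [ "$date2" -gt 3 ]
then
  # Nightly (04:xx) reset of every tracked client connection. With the default
  # threshold of 0 the first branch always wins, so this only runs when
  # KILLIP_THRESHOLD is raised above the observed IP count.
  while IFS= read -r tuple; do
    [ -n "$tuple" ] || continue
    # shellcheck disable=SC2086 -- the tuple is intentionally split into 4 args
    clr_conns $tuple
  done < /tmp/tmp111.txt
  # The log directory is otherwise only created at the end of the script.
  mkdir -p /tmp/killip
  echo "clr at $date " >> /tmp/killip/tmp.log.txt
fi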
#####################################
##------------------- make system log ------------------------##
#####################################
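# Append one status line per run:
#   "<distinct ips> <date> <cpu before> <cpu after> <tier3> + <tier2> + <tier1>"
# The log sits at a fixed path under /tmp (same caveat as the work files: a
# pre-planted symlink would redirect a root-owned append), so refuse symlinks.
if [ -L /tmp/killip ] || [ -L /tmp/killip/tmp.log.txt ]; then
  echo "refusing to log: /tmp/killip or its log file is a symlink" >&2
else
  mkdir -p /tmp/killip
  echo "$wc $date $cpu $cpu2 $wcblackip3 + $wcblackip2 + $wcblackip1" >> /tmp/killip/tmp.log.txt
fi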