有一天、Linux服务器上的网站总是打不开或者打开极慢、登录服务器检查连接状态(netstat -tl)时,发现有同一个IP的大量80连接,试着禁止该IP(iptables -I INPUT -s $black_ip -j DROP)之后,网站访问就正常了,但是过一段时间,又会出现另一个IP的大量80连接,于是就写了以下脚本来防止DDos攻击。
1. 主程序(DenyIP.sh)
#!/bin/bash
######################################
## ##
## Web_Halt_To_IPTables ##
## ##
## Ver:0.0.1 ##
## ##
## Code:Zhojie ##
## ##
## Date:2017.8 ##
## ##
######################################
WORK_PATH="/Run/Bash/DenyIP"
WORK_SIGN=$WORK_PATH"/work.sign"
LOG_TXT=$WORK_PATH"/txt.log"
DENY_TXT=$WORK_PATH"/deny.log"
WHITE_IP_TXT=$WORK_PATH"/white_ip.txt"
BLACK_IP_TXT=$WORK_PATH"/black_ip.txt"
#取得参数$1为并发阈值,若留空则默认允许单IP最大100并发(实际测试发现,2M带宽,十来个并发服务器就已经无法访问了!)
SCAN_NUM=500
if [ ! -f $WHITE_IP_TXT ]
then
echo "White IP File not Find! Create File $WHITE_IP_TXT !"
touch $WHITE_IP_TXT
chmod 600 $WHITE_IP_TXT
fi
if [ ! -f $BLACK_IP_TXT ]
then
echo "Black IP File not Find! Create File $BLACK_IP_TXT !"
touch $BLACK_IP_TXT
chmod 600 $BLACK_IP_TXT
fi
cd $WORK_PATH
#取得参数$1为并发阈值,若留空则默认允许单IP最大50并发(实际测试发现,2M带宽,十来个并发服务器就已经无法访问了!)
if [[ -z $1 ]];then
num=500
else
num=$1
fi
#主函数
function check(){
iplist=`netstat -an |grep ^tcp.*:80|egrep -v 'LISTEN|127.0.0.1'|awk -F"[ ]+|[:]" '{print $6}'|sort|uniq -c|sort -rn|awk -v str=$num '{if ($1>str){print $2}}'`
if [[ ! -z $iplist ]];
then
>./black_ip.txt
for black_ip in $iplist
do
#白名单过滤中已取消IP段的判断功能
#exclude_ip=`echo $black_ip | awk -F"." '{print $1"."$2"."$3}'`
#grep -q $exclude_ip ./white_ip.txt
grep -q $black_ip ./white_ip.txt
if [[ $? -eq 0 ]];then
echo "$black_ip (white_ip)" >>./black_ip.txt
else
echo $black_ip >>./black_ip.txt
iptables -nL | grep $black_ip ||(iptables -I INPUT -s $black_ip -j DROP & echo "$black_ip `date +%Y-%m-%d_%H:%M:%S`">>./deny.log & echo 1 >./sendmail)
fi
done
#存在并发超过阈值的单IP就发送邮件
if [[ `cat ./sendmail` == 1 ]];then sendmsg;fi
fi
}
#发邮件函数
function sendmsg(){
netstat -nutlp | grep "sendmail" >/dev/null 2>&1 || /etc/init.d/sendmail start >/dev/null 2>&1
echo -e "From: zhojie@gmail.com\nTo:7101969@qq.com\nSubject:Server(SIE.WHU.EDU.CN) DenyIP !!! \n Deny IP is" >./message
cat ./black_ip.txt >>./message
/usr/sbin/sendmail -f zhojie@gmail.com -t 7101969@qq.com -i <./message
>./sendmail
}
#间隔10s无限循环检查函数
while [ -f $WORK_SIGN ]
do
check
#每隔10s检查一次,时间可根据需要自定义
sleep 10
done
2. 运行、停止、重启、状态查询脚本(DenyIP)
#!/bin/bash
######################################
## ##
## Deny_IP_To_IPTables ##
## ##
## Ver:0.0.1 ##
## ##
## Code:Zhojie ##
## ##
## Date:2017.8 ##
## ##
######################################
WORK_PATH="/Run/Bash/DenyIP"
WORK_SIGN=$WORK_PATH"/work.sign"
WORK_CMD=$WORK_PATH"/DenyIP.sh"
function start(){
if [ -f "$WORK_SIGN" ]; then
echo "DenyIP Runing ..."
exit 2
else
touch $WORK_SIGN
chmod 600 $WORK_SIGN
cd $WORK_PATH
$WORK_CMD &
echo "DenyIP Start ..."
exit 0
fi
}
function stop(){
rm $WORK_SIGN
echo "DenyIP Stop ..."
exit 0
}
function status(){
if [ -f "$WORK_SIGN" ]; then
echo "DenyIP Runing ..."
exit 0
else
echo "DenyIP Stop ..."
exit 0
fi
}
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status
;;
restart)
stop
start
;;
*)
echo $"Usage: $0 {start|stop|status|restart}"
exit 2
esac
exit $?
网友评论