ljwsy posted on 2012-05-21 09:46

(Solved: I forgot the ipfw path) What did I miss: why does my Python firewall script not produce the right result under crontab?

This post was last edited by ljwsy on 2012-05-21 11:35

Environment

fb# uname -a
FreeBSD fb.ljzx.gx.cn 7.2-RELEASE FreeBSD 7.2-RELEASE #1: Thu May 21 16:52:12 CST 2009   www@fb.xxxx.yyyy.xxx:/usr/obj/usr/src/sys/FBi386
fb# pkg_info | grep python
python25-2.5.4      An interpreted object-oriented programming language
python26-2.6.1      An interpreted object-oriented programming language
python30-3.0      An interpreted object-oriented programming language
fb# pkg_info | grep MySQL
freeradius-mysql-1.1.7_3 A free RADIUS server implementation with MySQL support
phpMyAdmin-3.1.2    A set of PHP-scripts to manage MySQL over the web
py25-MySQLdb-1.2.2  Access a MySQL database through Python
fb# python -V
Python 2.5.4
fb# crontab -l
...
* * * * * /root/python/sshipfw.py


Python firewall script

#!/usr/local/bin/python
import MySQLdb
import datetime
import commands

log=open('/var/log/sshdipfw.log','a')
# script log
...
# code that loads /var/log/auth.log into the MySQL database; it mainly records time, IP, login keyword and a few auxiliary fields
...
splittime=[(2,1,10),(5,1,10),(10,1,10),(30,2,10),(60,2,20),(120,2,20),(720,4,20),(1440,4,20),(2880,4,20),(7200,8,20),(21600,16,20)]
# policy definitions [(minute,times,limit)...]: an IP with times records (after de-duplication) within minute minutes is treated as "blacklisted"; each policy extracts at most limit records so the firewall rule table does not grow too large

done=['60.29.0.22', '221.238.132.123', '220.165.5.7', '218.26.114.75', '124.219.23.68', '122.226.122.250', '122.226.146.166', '122.226.34.150', '61.152.188.85', '110.76.38.87', '60.195.252.242', '222.221.2.210', '221.182.2.16', '221.236.10.76', '220.182.50.83', '220.85.73.53', '200.107.9.140', '114.255.122.10']
# done[] is the "blacklist" pulled from the database; above are the live IPs I extracted

a=[
'ipfw -q -f flush',
'ipfw -q add 100 allow ip from any to any via lo0',
'ipfw -q add 400 deny ip from any to ::1',
'ipfw -q add 500 deny ip from ::1 to any',
'ipfw -q add 600 allow ipv6-icmp from :: to ff02::/16',
'ipfw -q add 700 allow ipv6-icmp from fe80::/10 to fe80::/10',
'ipfw -q add 800 allow ipv6-icmp from fe80::/10 to ff02::/16',
'ipfw -q add 900 allow ipv6-icmp from any to any ip6 icmp6types 1',
'ipfw -q add 1000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136',
'ipfw -q add 65000 allow ip from any to any'
]
# standard rules

for sql in a :
      (t,tmp)=commands.getstatusoutput(sql)
      # t is the wait status returned by getstatusoutput; it is never negative, so this check cannot fire for a failed command
      if t<0 : print >> log,"%s ipfw RUN error(%s): %s" % ( datetime.datetime.now(),t,sql)
#       print >> log,"(%s) %s" % (t,sql)
sql=1
for line in done :
      a="ipfw -q add %d deny log ip from %s to 10.0.0.251 22" % (10000+sql*10,line)
      (t,tmp)=commands.getstatusoutput(a)
      if t<0 :
                print >> log,"%s ipfw RUN error(%s): %s" % ( datetime.datetime.now(),t,a)
      else :
                sql+=1
      print >> log,"(%s) %s" % (t,a)
print >> log,"%s Total ipfw: %s" % (datetime.datetime.now(),sql-1)

Result

fb# date && tail -1 /var/log/sshdipfw.log
Mon May 21 09:39:02 CST 2012
2012-05-21 09:39:00.998383 Total ipfw: 18


Above are the current time and the script's log output. Below is the firewall; it is empty, nothing took effect:

fb# ipfw list
65535 allow ip from any to any


Yet running the script directly from the terminal works perfectly:

fb# date && ipfw list && ./sshipfw.py && ipfw list
Mon May 21 09:41:46 CST 2012
65535 allow ip from any to any
00100 allow ip from any to any via lo0
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 1
01000 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 2,135,136
10010 deny log logamount 100 ip from 60.29.0.22 to 10.0.0.251 dst-port 22
10020 deny log logamount 100 ip from 221.238.132.123 to 10.0.0.251 dst-port 22
10030 deny log logamount 100 ip from 220.165.5.7 to 10.0.0.251 dst-port 22
10040 deny log logamount 100 ip from 218.26.114.75 to 10.0.0.251 dst-port 22
10050 deny log logamount 100 ip from 124.219.23.68 to 10.0.0.251 dst-port 22
10060 deny log logamount 100 ip from 122.226.122.250 to 10.0.0.251 dst-port 22
10070 deny log logamount 100 ip from 122.226.146.166 to 10.0.0.251 dst-port 22
10080 deny log logamount 100 ip from 122.226.34.150 to 10.0.0.251 dst-port 22
10090 deny log logamount 100 ip from 61.152.188.85 to 10.0.0.251 dst-port 22
10100 deny log logamount 100 ip from 110.76.38.87 to 10.0.0.251 dst-port 22
10110 deny log logamount 100 ip from 60.195.252.242 to 10.0.0.251 dst-port 22
10120 deny log logamount 100 ip from 222.221.2.210 to 10.0.0.251 dst-port 22
10130 deny log logamount 100 ip from 221.182.2.16 to 10.0.0.251 dst-port 22
10140 deny log logamount 100 ip from 221.236.10.76 to 10.0.0.251 dst-port 22
10150 deny log logamount 100 ip from 220.182.50.83 to 10.0.0.251 dst-port 22
10160 deny log logamount 100 ip from 220.85.73.53 to 10.0.0.251 dst-port 22
10170 deny log logamount 100 ip from 200.107.9.140 to 10.0.0.251 dst-port 22
10180 deny log logamount 100 ip from 114.255.122.10 to 10.0.0.251 dst-port 22
65000 allow ip from any to any
65535 allow ip from any to any
fb#


What did I miss?

:curse: Would an expert point me in the right direction? Many thanks for looking and for your advice.

ljwsy posted on 2012-05-21 11:13

I really must have missed something crucial; it has to be related to crontab, not to Python.

I had the Python script generate an ipfw.sh shell script, made it executable and ran it from crontab every two minutes. Ugh, still not the result I want: the ipfw rule table is still empty, but running ipfw.sh from the console works fine.

ljwsy posted on 2012-05-21 11:34

Ugh, I only checked ipfw's return value and never looked at its output; the output says plainly: ipfw: not found

Haha, adding the absolute path of the ipfw command fixed it.

What a facepalm!!!

fender0107401 posted on 2012-05-21 11:36

The problem is described very well. :wink:

ljwsy posted on 2012-05-21 11:46

This post was last edited by ljwsy on 2012-05-21 11:50

:shutup: Tripped up by the smallest thing!

lsstarboy posted on 2012-05-22 11:31

This post was last edited by lsstarboy on 2012-05-22 11:31

:lol
This is a real annoyance with FreeBSD's cron: why must you write the absolute path? Couldn't it just search PATH? cron is per-user anyway.
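The fix from the 11:34 post (an absolute path to ipfw, and reading the command's output rather than a status that is never negative) and lsstarboy's PATH question can be shown together. This is an added example, not the poster's script: it assumes Python 3 with subprocess instead of the old commands module, keeps the log in a list instead of /var/log/sshdipfw.log, and emulates cron's minimal PATH to show why ipfw has to be located explicitly.

```python
import datetime
import os
import shutil
import subprocess

# FreeBSD's cron runs jobs with a minimal PATH (crontab(5)); /sbin, where ipfw
# lives, is not on it, so a bare "ipfw" is "not found" only under cron.
CRON_PATH = "/usr/bin:/bin"


def resolve_binary(name, path=None, fallback_dirs=("/sbin", "/usr/sbin")):
    """Absolute path for `name`: search `path` (default: the current PATH),
    then the fallback directories; None if it is nowhere."""
    found = shutil.which(name, path=path)
    if found:
        return os.path.abspath(found)
    for d in fallback_dirs:
        candidate = os.path.join(d, name)
        if os.access(candidate, os.X_OK):
            return candidate
    return None


def run_rule(argv, log):
    """Run one firewall command. Unlike the thread's `status < 0` test, any
    nonzero exit or a missing binary counts as failure, and stderr is logged."""
    stamp = datetime.datetime.now()
    try:
        proc = subprocess.run(argv, capture_output=True, text=True)
    except OSError as exc:  # FileNotFoundError: the binary itself is missing
        log.append("%s RUN error(%s): %s" % (stamp, exc, " ".join(argv)))
        return False
    if proc.returncode != 0:
        log.append("%s RUN error(%d): %s :: %s"
                   % (stamp, proc.returncode, " ".join(argv), proc.stderr.strip()))
        return False
    return True


def apply_blacklist(ipfw, blacklist, log, target="10.0.0.251", port=22):
    """Add one deny rule per blacklisted IP (rule numbers 10010, 10020, ...),
    mirroring the thread's loop; returns how many rules were really added."""
    added = 0
    for n, ip in enumerate(blacklist, start=1):
        argv = [ipfw, "-q", "add", str(10000 + n * 10), "deny", "log", "ip",
                "from", ip, "to", target, str(port)]
        if run_rule(argv, log):
            added += 1
    return added
```

In the cron job, call `apply_blacklist(resolve_binary("ipfw", path=CRON_PATH), done, log)` and abort with a log entry if the path comes back None; the "Total ipfw" count then reflects rules that were actually installed.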

ljwsy posted on 2012-05-30 13:51

It is now a working script; feel free to take a look: http://bbs.chinaunix.net/thread-3749217-1-1.html