Last edited by ljwsy on 2012-05-21 11:35
Environment
fb# uname -a
FreeBSD fb.ljzx.gx.cn 7.2-RELEASE FreeBSD 7.2-RELEASE #1: Thu May 21 16:52:12 CST 2009 www@fb.xxxx.yyyy.xxx:/usr/obj/usr/src/sys/FB i386
fb# pkg_info | grep python
python25-2.5.4 An interpreted object-oriented programming language
python26-2.6.1 An interpreted object-oriented programming language
python30-3.0 An interpreted object-oriented programming language
fb# pkg_info | grep MySQL
freeradius-mysql-1.1.7_3 A free RADIUS server implementation with MySQL support
phpMyAdmin-3.1.2 A set of PHP-scripts to manage MySQL over the web
py25-MySQLdb-1.2.2 Access a MySQL database through Python
fb# python -V
Python 2.5.4
fb# crontab -l
...
* * * * * /root/python/sshipfw.py
Python firewall script:

#!/usr/local/bin/python
import MySQLdb
import datetime
import commands
log=open('/var/log/sshdipfw.log','a')
#script log
...
#code that loads /var/log/auth.log into the MySQL database; it mainly records time, IP, login keyword and other auxiliary fields
...
splittime=[(2,1,10),(5,1,10),(10,1,10),(30,2,10),(60,2,20),(120,2,20),(720,4,20),(1440,4,20),(2880,4,20),(7200,8,20),(21600,16,20)]
#policy definition [(minute,times,limit)...]: an IP with times records (after de-duplication) within minute minutes is treated as "blacklisted"; each policy pulls at most limit records so the firewall rule table does not grow too large
done=['60.29.0.22', '221.238.132.123', '220.165.5.7', '218.26.114.75', '124.219.23.68', '122.226.122.250', '122.226.146.166', '122.226.34.150', '61.152.188.85', '110.76.38.87', '60.195.252.242', '222.221.2.210', '221.182.2.16', '221.236.10.76', '220.182.50.83', '220.85.73.53', '200.107.9.140', '114.255.122.10']
#done[] is the "blacklist" pulled from the database; the list above is the live set of IPs I extracted
a=[
    'ipfw -q -f flush',
    'ipfw -q add 100 allow ip from any to any via lo0',
    'ipfw -q add 400 deny ip from any to ::1',
    'ipfw -q add 500 deny ip from ::1 to any',
    'ipfw -q add 600 allow ipv6-icmp from :: to ff02::/16',
    'ipfw -q add 700 allow ipv6-icmp from fe80::/10 to fe80::/10',
    'ipfw -q add 800 allow ipv6-icmp from fe80::/10 to ff02::/16',
    'ipfw -q add 900 allow ipv6-icmp from any to any ip6 icmp6types 1',
    'ipfw -q add 1000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136',
    'ipfw -q add 65000 allow ip from any to any'
]
#standard rules
for sql in a :
    (t,tmp)=commands.getstatusoutput(sql)
    # NB: getstatusoutput() returns the shell's wait status, which is never negative
    # (0 = success; "command not found" shows up as 32512, i.e. 127<<8), so this test never fires
    if t<0 : print >> log,"%s ipfw RUN error(%s): %s" % ( datetime.datetime.now(),t,sql)
    # print >> log,"(%s) %s" % (t,sql)
sql=1
for line in done :
    a="ipfw -q add %d deny log ip from %s to 10.0.0.251 22" % (10000+sql*10,line)
    (t,tmp)=commands.getstatusoutput(a)
    # same caveat as above: t is a non-negative wait status, so the error branch is unreachable
    if t<0 :
        print >> log,"%s ipfw RUN error(%s): %s" % ( datetime.datetime.now(),t,a)
    else :
        sql+=1
        print >> log,"(%s) %s" % (t,a)
print >> log,"%s Total ipfw: %s" % (datetime.datetime.now(),sql-1)
Results
fb# date && tail -1 /var/log/sshdipfw.log
Mon May 21 09:39:02 CST 2012
2012-05-21 09:39:00.998383 Total ipfw: 18
Above is the current time and the script's log output. Below is the firewall: it is empty, the script had no effect:
fb# ipfw list
65535 allow ip from any to any
Yet running the script directly from a terminal works perfectly:
fb# date && ipfw list && ./sshipfw.py && ipfw list
Mon May 21 09:41:46 CST 2012
65535 allow ip from any to any
00100 allow ip from any to any via lo0
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 1
01000 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 2,135,136
10010 deny log logamount 100 ip from 60.29.0.22 to 10.0.0.251 dst-port 22
10020 deny log logamount 100 ip from 221.238.132.123 to 10.0.0.251 dst-port 22
10030 deny log logamount 100 ip from 220.165.5.7 to 10.0.0.251 dst-port 22
10040 deny log logamount 100 ip from 218.26.114.75 to 10.0.0.251 dst-port 22
10050 deny log logamount 100 ip from 124.219.23.68 to 10.0.0.251 dst-port 22
10060 deny log logamount 100 ip from 122.226.122.250 to 10.0.0.251 dst-port 22
10070 deny log logamount 100 ip from 122.226.146.166 to 10.0.0.251 dst-port 22
10080 deny log logamount 100 ip from 122.226.34.150 to 10.0.0.251 dst-port 22
10090 deny log logamount 100 ip from 61.152.188.85 to 10.0.0.251 dst-port 22
10100 deny log logamount 100 ip from 110.76.38.87 to 10.0.0.251 dst-port 22
10110 deny log logamount 100 ip from 60.195.252.242 to 10.0.0.251 dst-port 22
10120 deny log logamount 100 ip from 222.221.2.210 to 10.0.0.251 dst-port 22
10130 deny log logamount 100 ip from 221.182.2.16 to 10.0.0.251 dst-port 22
10140 deny log logamount 100 ip from 221.236.10.76 to 10.0.0.251 dst-port 22
10150 deny log logamount 100 ip from 220.182.50.83 to 10.0.0.251 dst-port 22
10160 deny log logamount 100 ip from 220.85.73.53 to 10.0.0.251 dst-port 22
10170 deny log logamount 100 ip from 200.107.9.140 to 10.0.0.251 dst-port 22
10180 deny log logamount 100 ip from 114.255.122.10 to 10.0.0.251 dst-port 22
65000 allow ip from any to any
65535 allow ip from any to any
fb#
What am I missing?
Could an expert point me in a direction? Many thanks for looking and for your advice.
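Added example (an editor's note, not the poster's script and not a reply from the thread). The posted script tests `if t<0`, but Python 2's commands.getstatusoutput() returns the shell's wait status, which is never negative: a failed command arrives as a positive number such as 32512 (127<<8, "command not found"), so every rule is counted as installed and the log reports 18 regardless of whether ipfw ran. That matters under cron, which starts jobs with a minimal PATH (FreeBSD's cron(8) uses /usr/bin:/bin unless the crontab sets PATH, and ipfw lives in /sbin), whereas an interactive root shell finds ipfw on its own PATH; if that is what happened here, the elided per-rule log lines would show status (32512). The Python 3 script below assumes /sbin/ipfw, the 10.0.0.251:22 target and the log file from the post, and a blacklist that has already been computed (the MySQL part is left out). It calls ipfw by absolute path without a shell, treats any non-zero status as a failure, and counts only the deny rules that actually installed; the runner is injectable so the counting logic can be exercised without a FreeBSD box.

```python
#!/usr/bin/env python3
"""Cron-safe ipfw blacklist loader. Added example, not the original poster's
script. Assumed (not from the post): ipfw at /sbin/ipfw, the log file path,
and that the blacklist is already computed (the MySQL part is left out)."""
import datetime
import subprocess

IPFW = "/sbin/ipfw"                      # absolute path: cron's PATH usually lacks /sbin
SSH_HOST, SSH_PORT = "10.0.0.251", 22    # protected host/port from the post
LOG_PATH = "/var/log/sshdipfw.log"

# Baseline rules as argv lists: no shell, so no PATH lookup and no word splitting.
BASE_RULES = [
    ["-q", "-f", "flush"],
    ["-q", "add", "100", "allow", "ip", "from", "any", "to", "any", "via", "lo0"],
    ["-q", "add", "65000", "allow", "ip", "from", "any", "to", "any"],
]


def old_style_status_failed(status):
    """Decode the wait-status word Python 2's commands.getstatusoutput()
    returns: exit code in the high byte, signal number in the low 7 bits.
    A missing binary (exit 127) arrives as 32512, which is > 0, so the
    posted 'status < 0' test never catches it; this is the test to use."""
    return ((status >> 8) & 0xFF) != 0 or (status & 0x7F) != 0


def deny_rules(blacklist, start=10000, step=10):
    """One 'deny log' rule per blacklisted source, numbered 10010, 10020, ..."""
    rules = []
    for i, src in enumerate(blacklist, 1):
        rules.append(["-q", "add", str(start + i * step), "deny", "log", "ip",
                      "from", src, "to", SSH_HOST, str(SSH_PORT)])
    return rules


def run_ipfw(args):
    """Run ipfw by absolute path; return (exit_code, combined_output).
    subprocess reports the real exit code, not a wait-status word."""
    try:
        p = subprocess.run([IPFW] + args, capture_output=True, text=True)
    except OSError as e:                 # binary missing or not executable
        return 127, str(e)
    return p.returncode, (p.stdout + p.stderr).strip()


def apply_rules(blacklist, run=run_ipfw, log=None):
    """Install BASE_RULES, then the deny rules. Returns (installed, failed)
    for the deny rules; any non-zero status is a failure, never a success.
    'run' is injectable so the logic can be tested without ipfw present."""
    def note(msg):
        if log is not None:
            log.write("%s %s\n" % (datetime.datetime.now(), msg))

    for args in BASE_RULES:
        code, out = run(args)
        if code != 0:
            note("ipfw RUN error(%s): %s %s" % (code, " ".join(args), out))

    installed = failed = 0
    for args in deny_rules(blacklist):
        code, out = run(args)
        if code == 0:
            installed += 1
        else:
            failed += 1
            note("ipfw RUN error(%s): %s %s" % (code, " ".join(args), out))
    note("Total ipfw: %d installed, %d failed" % (installed, failed))
    return installed, failed


if __name__ == "__main__":
    # Constructed sample blacklist: two addresses taken from the post's list.
    sample = ["60.29.0.22", "221.238.132.123"]
    with open(LOG_PATH, "a") as fh:
        print(apply_rules(sample, log=fh))
```

Run from the crontab exactly as before: if ipfw really cannot be found, the log now ends with "0 installed, 18 failed" plus the error text instead of a misleading total. A quick way to confirm what cron hands the job, without touching the script, is a one-off crontab line that runs `env > /tmp/cron-env.txt` and then comparing its PATH with the one in your interactive shell.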