高手来解决下求一个高难度正则表达式 [复制链接]

论坛徽章:: 0

11楼 [报告]

发表于 2009-05-02 15:53 |只看该作者

那如何能删除其中的重复行

iptables -A INPUT -s 58.22.21.46/32 -j DROP
iptables -A INPUT -s 58.22.21.46/32 -j DROP
iptables -A INPUT -s 12.222.212.146/32 -j DROP
iptables -A INPUT -s 58.22.21.46/32 -j DROP

awk -F '-s|/' '!a[$2]++' file

谢谢

新的问题
dmesg | grep "bad checksum" >cccc
awk -F 'From|:' '/bad checksum/&&!a[$3]++{print "iptables -A INPUT -s"$3"/32 -j DROP"}' cccc >>/var/tmp/activefirewall
awk -F '-s|/' '!a[$2]++' /var/tmp/activefirewall >activefirewall2

sh /var/tmp/activefirewall2
rm -f /var/tmp/activefirewall2

我写成上边的shell
然后执行了

iptables -L 时发现还是会重复的，因为crontab -e 时设定每分钟运行一次，每分钟就会添加一次，不知道该如何避免这种东西的重复添加

DROP    all  --  58.22.21.46       anywhere
DROP    all  --  199.245.227.121.broad.sz.js.dynamic.163data.com.cn  anywhere
DROP    all  --  58.22.21.46       anywhere
DROP    all  --  199.245.227.121.broad.sz.js.dynamic.163data.com.cn  anywhere
DROP    all  --  58.22.21.46       anywhere
DROP    all  --  199.245.227.121.broad.sz.js.dynamic.163data.com.cn  anywhere
DROP    all  --  58.22.21.46       anywhere
DROP    all  --  199.245.227.121.broad.sz.js.dynamic.163data.com.cn  anywhere
DROP    all  --  58.22.21.46       anywhere
DROP    all  --  199.245.227.121.broad.sz.js.dynamic.163data.com.cn  anywhere
DROP    all  --  58.22.21.46       anywhere
DROP    all  --  199.245.227.121.broad.sz.js.dynamic.163data.com.cn  anywhere

这个有办法删除吗（iptables -A INPUT -s  58.22.21.46/32 -j DROP
                        iptables -A INPUT -s  199.245.227.121/32 -j DROP
）

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

ywlscpl

富甲一方

论坛徽章:: 0

12楼 [报告]

发表于 2009-05-02 16:13 |只看该作者

iptables -L | awk '/DROP/{print $4}' >/tmp/droped.list
dmesg |awk -F 'From|:' '/bad checksum/&&!a[$3]++{print $3}' >/tmp/needdrop.list
awk 'NR==FNR{a[$1]=1}NR>FNR&&!($1 in a){print "iptables -A INPUT -s "$1"/32 -j DROP"}' /tmp/droped.list /tmp/needdrop.list |sh
rm -rf /tmp/droped.list /tmp/needdrop.list

复制代码

[ 本帖最后由 ywlscpl 于 2009-5-2 16:20 编辑 ]

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

razar

白手起家

论坛徽章:: 0

13楼 [报告]

发表于 2009-05-02 17:04 |只看该作者

原帖由 ywlscpl 于 2009-5-2 16:13 发表

iptables -L | awk '/DROP/{print $4}' >/tmp/droped.list
dmesg |awk -F 'From|:' '/bad checksum/&&!a[$3]++{print $3}' >/tmp/needdrop.list
awk 'NR==FNR{a[$1]=1}NR>FNR&&!($1 in a){print "iptables ...

逐步操作，一步一步调试
iptables -L | awk '/DROP/{print $4}' >/tmp/droped.list

cat /tmp/droped.list

192.168.0.0/16
172.16.0.0/12
127.0.0.0/8
192.168.0.0/16
172.16.0.0/12
127.0.0.0/8
anywhere
192.168.0.0/16
172.16.0.0/12
127.0.0.0/8
192.168.0.0/16
172.16.0.0/12
127.0.0.0/8
123.132.197.104
125.36.101.246
113.8.1.15
114.240.171.119
99.41.50.60.kmr04-home.tm.net.my
222.132.97.125
60.8.5.66
61.181.213.141
221.10.182.134
pc0.zz.ha.cn
115.56.122.222
221.206.178.6
222.132.92.50
pc0.zz.ha.cn
60.211.255.30
114.245.147.136
221.212.211.26
219.238.88.228
124.161.68.254
221.212.211.26
211.215.167.220.broad.hx.qh.dynamic.163data.com.cn
hn.kd.ny.adsl
222.58.8.11
119.114.225.25
61.180.213.251
202.130.8.89
123.114.149.114
221.205.120.75
41.207.32.120.board.xm.fj.dynamic.163data.com.cn
60.7.134.172
221.207.158.97
123.191.210.191
hn.kd.ny.adsl
122.195.252.142
221.204.77.152
120.5.47.205
116.112.103.40
120.83.166.39
110.6.70.221
115.48.60.87
115.51.172.64
110.6.70.221
220.202.61.140
218.59.236.115
119.112.70.40
15.202.32.120.board.xm.fj.dynamic.163data.com.cn
123.13.119.116
p3232-ipbf4404marunouchi.tokyo.ocn.ne.jp
221.214.180.166
218.59.231.34
61.134.102.34
hn.kd.ny.adsl
117.13.101.232
123.132.197.104
115.56.101.198
60.211.91.71
117.13.101.232
222.134.80.10
60.211.91.71
114.243.33.36
115.62.68.62
61.136.115.75
pc0.zz.ha.cn
120.68.157.177
60.221.203.108
218.69.104.130
125.32.76.239
60.215.148.210
60.211.28.49
218.25.19.174
anywhere
anywhere
anywhere
anywhere
我只想取出其中127.0.0.0/8之后的、anywhere之前的数据，只要ip地址

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

ywlscpl

富甲一方

论坛徽章:: 0

14楼 [报告]

发表于 2009-05-02 17:07 |只看该作者

回复 #13 razar 的帖子

最好把iptables -L的输出贴一下，然后说明下想取那段内容

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

razar

白手起家

论坛徽章:: 0

15楼 [报告]

发表于 2009-05-02 17:41 |只看该作者

iptables -L | awk '/DROP/{print $4}' >/tmp/droped.list (这步生成已经加载的攻击ip)

                                          >/tmp/todroped_ip.list       请教？？（处理上边的文件使之成为纯ip地址）
dmesg | grep "bad" >/tmp/attacklog.list       （生成包含正在攻击的ip日志）

awk -F 'From|:' '/bad checksum/&&!a[$3]++{print "$3"}'  /tmp/attacklog.list >>/tmp/attacking.list  （注意有修改，只生成正在攻击的ip地址  请教？？是否正确）

处理 todroped_ip.list  和 attacking.list

1）生成最新的 attacking文件  （合并操作）
   cat /tmp/todroped_ip.list >>/tmp/attacking2.list
      cat /tmp/attacking.list >>/tmp/attacking2.list          生成最新的攻击ip列表
            attacking2.list 文件内容格式
            220.167.208.173
                  221.212.211.26
                  220.167.215.211
                  219.157.127.135                            请教？？具体如何生成下列格式文件（awk和sed我不会）
   生成屏蔽攻击ip脚本  noattack.sh 格式如下
               iptables -A INPUT -s 220.167.208.173/32 -j DROP
                        iptables -A INPUT -s 221.212.211.26/32 -j DROP
                        iptables -A INPUT -s 220.167.215.211/32 -j DROP
                        iptables -A INPUT -s 219.157.127.135/32 -j DROP

   开机调用
2）处理最新的 attacking文件并与原来已有的对比，如果存在，不添加，否则添加，对比todroped_ip.list 和 attacking.list ，取出 todroped_ip.list 中不存在的ip列表 newdrop.list  请教如何对比？  新调用脚本nonewattack.sh生成方式和noattack.sh一样

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

razar

白手起家

论坛徽章:: 0

16楼 [报告]

发表于 2009-05-02 17:43 |只看该作者

iptables -L

Chain INPUT (policy ACCEPT)
target    prot opt source             destination
ACCEPT    all  --  anywhere          anywhere
ACCEPT    all  --  anywhere          anywhere
ACCEPT    all  --  anywhere          anywhere
ACCEPT    all  --  anywhere          anywhere          state RELATED,ESTABLISHED
ACCEPT    icmp --  anywhere          anywhere
DROP    all  --  192.168.0.0/16    anywhere
DROP    all  --  172.16.0.0/12       anywhere
DROP    all  --  127.0.0.0/8       anywhere
DROP    all  --  192.168.0.0/16    anywhere
DROP    all  --  172.16.0.0/12       anywhere
DROP    all  --  127.0.0.0/8       anywhere
ACCEPT    tcp  --  anywhere          anywhere          state RELATED,ESTABLISHED
ACCEPT    tcp  --  anywhere          anywhere          state RELATED,ESTABLISHED
LOG       all  --  anywhere          anywhere          limit: avg 3/min burst 3 LOG level info prefix `IPT INPUT packets died:'
LOG       all  --  anywhere          anywhere          limit: avg 3/min burst 3 LOG level info prefix `IPT INPUT packets died:'
ACCEPT    tcp  --  anywhere          anywhere          tcp dpt:ssh
ACCEPT    tcp  --  anywhere          anywhere          tcp dpt:ssh
ACCEPT    tcp  --  anywhere          anywhere          tcp dpt:6780
ACCEPT    tcp  --  anywhere          anywhere          tcp dpt:6780
REJECT    tcp  --  anywhere          anywhere          reject-with tcp-reset
REJECT    tcp  --  anywhere          anywhere          reject-with tcp-reset
REJECT    udp  --  anywhere          anywhere          reject-with icmp-port-unreachable
REJECT    udp  --  anywhere          anywhere          reject-with icmp-port-unreachable
ACCEPT    icmp --  anywhere          anywhere          limit: avg 10/min burst 5
DROP    icmp --  anywhere          anywhere
ACCEPT    icmp --  anywhere          anywhere
DROP    all  --  192.168.0.0/16    anywhere
DROP    all  --  172.16.0.0/12       anywhere
DROP    all  --  127.0.0.0/8       anywhere
DROP    all  --  192.168.0.0/16    anywhere
DROP    all  --  172.16.0.0/12       anywhere
DROP    all  --  127.0.0.0/8       anywhere
ACCEPT    tcp  --  anywhere          anywhere          state RELATED,ESTABLISHED
ACCEPT    tcp  --  anywhere          anywhere          state RELATED,ESTABLISHED
LOG       all  --  anywhere          anywhere          limit: avg 3/min burst 3 LOG level info prefix `IPT INPUT packets died:'
LOG       all  --  anywhere          anywhere          limit: avg 3/min burst 3 LOG level info prefix `IPT INPUT packets died:'
ACCEPT    tcp  --  anywhere          anywhere          tcp dpt:ssh
ACCEPT    tcp  --  anywhere          anywhere          tcp dpt:ssh
ACCEPT    tcp  --  anywhere          anywhere          tcp dpt:6780
ACCEPT    tcp  --  anywhere          anywhere          tcp dpt:6780
DROP    all  --  123.132.197.104    anywhere
DROP    all  --  125.36.101.246    anywhere
DROP    all  --  113.8.1.15          anywhere
DROP    all  --  114.240.171.119    anywhere
DROP    all  --  99.41.50.60.kmr04-home.tm.net.my  anywhere
DROP    all  --  222.132.97.125    anywhere
DROP    all  --  60.8.5.66          anywhere
DROP    all  --  61.181.213.141    anywhere
DROP    all  --  221.10.182.134    anywhere
DROP    all  --  pc0.zz.ha.cn       anywhere
DROP    all  --  115.56.122.222    anywhere
DROP    all  --  221.206.178.6       anywhere
DROP    all  --  222.132.92.50       anywhere
DROP    all  --  pc0.zz.ha.cn       anywhere
DROP    all  --  60.211.255.30       anywhere
DROP    all  --  114.245.147.136    anywhere
DROP    all  --  221.212.211.26    anywhere
DROP    all  --  219.238.88.228    anywhere
DROP    all  --  124.161.68.254    anywhere
DROP    all  --  221.212.211.26    anywhere
DROP    all  --  211.215.167.220.broad.hx.qh.dynamic.163data.com.cn  anywhere
DROP    all  --  hn.kd.ny.adsl       anywhere
DROP    all  --  222.58.8.11       anywhere
DROP    all  --  119.114.225.25    anywhere
DROP    all  --  61.180.213.251    anywhere
DROP    all  --  202.130.8.89       anywhere
DROP    all  --  123.114.149.114    anywhere
DROP    all  --  221.205.120.75    anywhere
DROP    all  --  41.207.32.120.board.xm.fj.dynamic.163data.com.cn  anywhere
DROP    all  --  60.7.134.172       anywhere
DROP    all  --  221.207.158.97    anywhere
DROP    all  --  123.191.210.191    anywhere
DROP    all  --  hn.kd.ny.adsl       anywhere
DROP    all  --  122.195.252.142    anywhere
DROP    all  --  221.204.77.152    anywhere
DROP    all  --  120.5.47.205       anywhere
DROP    all  --  116.112.103.40    anywhere
DROP    all  --  120.83.166.39       anywhere
DROP    all  --  110.6.70.221       anywhere
DROP    all  --  115.48.60.87       anywhere
DROP    all  --  115.51.172.64       anywhere
DROP    all  --  110.6.70.221       anywhere
DROP    all  --  220.202.61.140    anywhere
DROP    all  --  218.59.236.115    anywhere
DROP    all  --  119.112.70.40       anywhere
DROP    all  --  15.202.32.120.board.xm.fj.dynamic.163data.com.cn  anywhere
DROP    all  --  123.13.119.116    anywhere
DROP    all  --  p3232-ipbf4404marunouchi.tokyo.ocn.ne.jp  anywhere
DROP    all  --  221.214.180.166    anywhere
DROP    all  --  218.59.231.34       anywhere
DROP    all  --  61.134.102.34       anywhere
DROP    all  --  hn.kd.ny.adsl       anywhere
DROP    all  --  117.13.101.232    anywhere
DROP    all  --  123.132.197.104    anywhere
DROP    all  --  115.56.101.198    anywhere
DROP    all  --  60.211.91.71       anywhere
DROP    all  --  117.13.101.232    anywhere
DROP    all  --  222.134.80.10       anywhere
DROP    all  --  60.211.91.71       anywhere
DROP    all  --  114.243.33.36       anywhere
DROP    all  --  115.62.68.62       anywhere
DROP    all  --  61.136.115.75       anywhere
DROP    all  --  pc0.zz.ha.cn       anywhere
DROP    all  --  120.68.157.177    anywhere
DROP    all  --  60.221.203.108    anywhere
DROP    all  --  218.69.104.130    anywhere
DROP    all  --  125.32.76.239       anywhere
DROP    all  --  60.215.148.210    anywhere
DROP    all  --  60.211.28.49       anywhere
DROP    all  --  218.25.19.174       anywhere

Chain FORWARD (policy ACCEPT)
target    prot opt source             destination
ACCEPT    all  --  10.128.12.0/24    anywhere
DROP    tcp  --  anywhere          anywhere          tcp dpt:krb524
DROP    udp  --  anywhere          anywhere          udp dpt:krb524
DROP    tcp  --  anywhere          anywhere          tcp dpt:microsoft-ds
DROP    udp  --  anywhere          anywhere          udp dpt:microsoft-ds
DROP    tcp  --  anywhere          anywhere          tcp dpt:tftp
DROP    udp  --  anywhere          anywhere          udp dpt:tftp
DROP    tcp  --  anywhere          anywhere          tcp dpt:135
DROP    udp  --  anywhere          anywhere          udp dpt:135
DROP    tcp  --  anywhere          anywhere          tcp dpt:netbios-ssn
DROP    udp  --  anywhere          anywhere          udp dpt:netbios-ssn
ACCEPT    tcp  --  anywhere          anywhere          state RELATED,ESTABLISHED
ACCEPT    udp  --  anywhere          anywhere          state RELATED,ESTABLISHED
ACCEPT    tcp  --  anywhere          anywhere          state RELATED,ESTABLISHED
ACCEPT    udp  --  anywhere          anywhere          state RELATED,ESTABLISHED
ACCEPT    all  --  10.128.12.0/24    anywhere
ACCEPT    all  -f  anywhere          anywhere          limit: avg 100/sec burst 100
ACCEPT    icmp --  anywhere          anywhere          limit: avg 1/sec burst 10
ACCEPT    all  --  10.128.12.0/24    anywhere
ACCEPT    all  -f  anywhere          anywhere          limit: avg 100/sec burst 100
ACCEPT    icmp --  anywhere          anywhere          limit: avg 1/sec burst 10
ACCEPT    tcp  --  anywhere          anywhere          tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5

Chain OUTPUT (policy ACCEPT)
target    prot opt source             destination
ACCEPT    icmp --  anywhere          anywhere
ACCEPT    tcp  --  anywhere          anywhere          state NEW,ESTABLISHED
ACCEPT    tcp  --  anywhere          anywhere          state NEW,ESTABLISHED
ACCEPT    icmp --  anywhere          anywhere
ACCEPT    tcp  --  anywhere          anywhere          state NEW,ESTABLISHED
ACCEPT    tcp  --  anywhere          anywhere          state NEW,ESTABLISHED

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

xiaobaibbb

小富即安

论坛徽章:: 1

17楼 [报告]

发表于 2009-05-02 17:44 |只看该作者

提醒：真实流量攻击，不要iptables
try: route

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

razar

白手起家

论坛徽章:: 0

18楼 [报告]

发表于 2009-05-02 17:45 |只看该作者

回复 #17 xiaobaibbb 的帖子

不明白
能解释下吗

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

xiaobaibbb

小富即安

论坛徽章:: 1

19楼 [报告]

发表于 2009-05-02 17:50 |只看该作者

root@debian:~/test# ping bbs.chinaunix.net
PING bbs.chinaunix.net.fastcdn.com (221.238.249.177) 56(84) bytes of data.
64 bytes from 221.238.249.177: icmp_seq=1 ttl=51 time=97.8 ms

root@debian:~/test# route add -host bbs.chinaunix.net reject

root@debian:~/test# ping bbs.chinaunix.net
connect: Network is unreachable

root@debian:~/test# netstat -rn
Kernel IP routing table
Destination    Gateway       Genmask       Flags MSS Window  irtt Iface
221.238.249.177 -             255.255.255.255 !H       - -       - -

root@debian:~/test# route del -host bbs.chinaunix.net reject

root@debian:~/test# ping bbs.chinaunix.net
PING bbs.chinaunix.net.fastcdn.com (221.238.249.177) 56(84) bytes of data.
64 bytes from 221.238.249.177: icmp_seq=1 ttl=51 time=89.8 ms