DZ插件网: weathering a SYN DDoS attack by hand, with a fully automatic monitoring script that blocks IPs whose connection count exceeds a threshold while automatically letting spider IPs and the whitelist through
Create the script:
vi /usr/local/sbin/auto_block_ip.sh
Paste in the version optimized by DZ插件网:
#!/bin/bash
# Advanced automatic IP blocking script - aimed at high-connection-count attacks
# Function: detect IPs whose number of ESTABLISHED connections exceeds the threshold
# and block them automatically, excluding search-engine spiders and the whitelist.
# ===== Configuration (adjust for your environment) =====
# Connection thresholds
CONNECTION_THRESHOLD=68   # IPs above this number of connections are blocked
LOG_ONLY_THRESHOLD=60     # IPs above this value but below the block threshold are only logged
# Block type
# TEMP: temporary block via the iptables recent module; lifted automatically after a while
# PERM: permanent block via an iptables DROP rule
BLOCK_TYPE="TEMP"
# Expiry of a temporary block in seconds (only used when BLOCK_TYPE="TEMP")
TEMP_BLOCK_EXPIRE=3600    # 3600 seconds = 1 hour
# Whitelist file (one IP or CIDR block per line)
WHITELIST_FILE="/etc/ddos/ignore.ip.list"
# Log file
LOG_FILE="/var/log/auto_block_ip.log"
# Maximum log file size (KB); the log is rotated above this
MAX_LOG_SIZE=10240
# IP ranges of common search-engine spiders (CIDR notation)
# This is a base list; extend it to match your own situation
SPIDER_NETS=(
# Baidu
"180.76.15.0/24"
"124.166.232.0/24"
"116.179.32.0/24"
"180.76.5.0/24"
"61.135.168.0/24"
"61.135.186.0/24"
"111.206.221.0/24"
"116.179.37.0/24"
"111.206.198.0/24"
"113.24.225.0/24"
"123.125.71.0/24"
"220.181.108.0/24"
"119.63.198.0/24"
"123.125.68.0/24"
"180.149.133.0/24"
"123.125.66.0/24"
"119.63.195.0/24"
"220.181.32.0/24"
"123.125.143.0/24"
"61.135.165.0/24"
"173.82.106.0/24"
"61.135.162.0/24"
"61.135.169.0/24"
"64.20.40.0/24"
"199.188.107.0/24"
"180.101.52.0/24"
"137.175.22.0/24"
"124.64.200.0/24"
"45.136.113.0/24"
"209.141.35.0/24"
"207.154.236.0/24"
"180.149.143.0/24"
"115.239.212.0/24"
"58.217.202.0/24"
"173.82.206.0/24"
# Google
"2001:4860:4801:10::/64"
"2001:4860:4801:11::/64"
"2001:4860:4801:12::/64"
"2001:4860:4801:13::/64"
"2001:4860:4801:14::/64"
"2001:4860:4801:15::/64"
"2001:4860:4801:16::/64"
"2001:4860:4801:17::/64"
"2001:4860:4801:18::/64"
"2001:4860:4801:19::/64"
"2001:4860:4801:1a::/64"
"2001:4860:4801:1b::/64"
"2001:4860:4801:1c::/64"
"2001:4860:4801:1d::/64"
"2001:4860:4801:1e::/64"
"2001:4860:4801:1f::/64"
"2001:4860:4801:20::/64"
"2001:4860:4801:21::/64"
"2001:4860:4801:22::/64"
"2001:4860:4801:23::/64"
"2001:4860:4801:24::/64"
"2001:4860:4801:25::/64"
"2001:4860:4801:26::/64"
"2001:4860:4801:27::/64"
"2001:4860:4801:28::/64"
"2001:4860:4801:29::/64"
"2001:4860:4801:2::/64"
"2001:4860:4801:2a::/64"
"2001:4860:4801:2b::/64"
"2001:4860:4801:2c::/64"
"2001:4860:4801:2d::/64"
"2001:4860:4801:2e::/64"
"2001:4860:4801:2f::/64"
"2001:4860:4801:30::/64"
"2001:4860:4801:31::/64"
"2001:4860:4801:32::/64"
"2001:4860:4801:33::/64"
"2001:4860:4801:34::/64"
"2001:4860:4801:35::/64"
"2001:4860:4801:36::/64"
"2001:4860:4801:37::/64"
"2001:4860:4801:38::/64"
"2001:4860:4801:39::/64"
"2001:4860:4801:3a::/64"
"2001:4860:4801:3b::/64"
"2001:4860:4801:3c::/64"
"2001:4860:4801:3d::/64"
"2001:4860:4801:3e::/64"
"2001:4860:4801:3f::/64"
"2001:4860:4801:40::/64"
"2001:4860:4801:41::/64"
"2001:4860:4801:42::/64"
"2001:4860:4801:43::/64"
"2001:4860:4801:44::/64"
"2001:4860:4801:45::/64"
"2001:4860:4801:46::/64"
"2001:4860:4801:47::/64"
"2001:4860:4801:48::/64"
"2001:4860:4801:49::/64"
"2001:4860:4801:4a::/64"
"2001:4860:4801:4b::/64"
"2001:4860:4801:4c::/64"
"2001:4860:4801:4d::/64"
"2001:4860:4801:4e::/64"
"2001:4860:4801:50::/64"
"2001:4860:4801:51::/64"
"2001:4860:4801:52::/64"
"2001:4860:4801:53::/64"
"2001:4860:4801:54::/64"
"2001:4860:4801:55::/64"
"2001:4860:4801:56::/64"
"2001:4860:4801:57::/64"
"2001:4860:4801:60::/64"
"2001:4860:4801:61::/64"
"2001:4860:4801:62::/64"
"2001:4860:4801:63::/64"
"2001:4860:4801:64::/64"
"2001:4860:4801:65::/64"
"2001:4860:4801:66::/64"
"2001:4860:4801:67::/64"
"2001:4860:4801:68::/64"
"2001:4860:4801:69::/64"
"2001:4860:4801:6a::/64"
"2001:4860:4801:6b::/64"
"2001:4860:4801:6c::/64"
"2001:4860:4801:6d::/64"
"2001:4860:4801:6e::/64"
"2001:4860:4801:6f::/64"
"2001:4860:4801:70::/64"
"2001:4860:4801:71::/64"
"2001:4860:4801:72::/64"
"2001:4860:4801:73::/64"
"2001:4860:4801:74::/64"
"2001:4860:4801:75::/64"
"2001:4860:4801:76::/64"
"2001:4860:4801:77::/64"
"2001:4860:4801:78::/64"
"2001:4860:4801:79::/64"
"2001:4860:4801:7a::/64"
"2001:4860:4801:7b::/64"
"2001:4860:4801:80::/64"
"2001:4860:4801:81::/64"
"2001:4860:4801:82::/64"
"2001:4860:4801:83::/64"
"2001:4860:4801:84::/64"
"2001:4860:4801:85::/64"
"2001:4860:4801:86::/64"
"2001:4860:4801:87::/64"
"2001:4860:4801:88::/64"
"2001:4860:4801:90::/64"
"2001:4860:4801:91::/64"
"2001:4860:4801:92::/64"
"2001:4860:4801:93::/64"
"2001:4860:4801:94::/64"
"2001:4860:4801:95::/64"
"2001:4860:4801:96::/64"
"2001:4860:4801:97::/64"
"2001:4860:4801:a0::/64"
"2001:4860:4801:a1::/64"
"2001:4860:4801:a2::/64"
"2001:4860:4801:a3::/64"
"2001:4860:4801:a4::/64"
"2001:4860:4801:a5::/64"
"2001:4860:4801:a6::/64"
"2001:4860:4801:a7::/64"
"2001:4860:4801:a8::/64"
"2001:4860:4801:a9::/64"
"2001:4860:4801:aa::/64"
"2001:4860:4801:ab::/64"
"2001:4860:4801:ac::/64"
"2001:4860:4801:b0::/64"
"2001:4860:4801:b1::/64"
"2001:4860:4801:b2::/64"
"2001:4860:4801:b3::/64"
"2001:4860:4801:b4::/64"
"2001:4860:4801:b5::/64"
"2001:4860:4801:c::/64"
"2001:4860:4801:f::/64"
"192.178.4.0/27"
"192.178.4.128/27"
"192.178.4.160/27"
"192.178.4.192/27"
"192.178.4.32/27"
"192.178.4.64/27"
"192.178.4.96/27"
"192.178.5.0/27"
"192.178.6.0/27"
"192.178.6.128/27"
"192.178.6.160/27"
"192.178.6.192/27"
"192.178.6.224/27"
"192.178.6.32/27"
"192.178.6.64/27"
"192.178.6.96/27"
"192.178.7.0/27"
"192.178.7.128/27"
"192.178.7.160/27"
"192.178.7.32/27"
"192.178.7.64/27"
"192.178.7.96/27"
"34.100.182.96/28"
"34.101.50.144/28"
"34.118.254.0/28"
"34.118.66.0/28"
"34.126.178.96/28"
"34.146.150.144/28"
"34.147.110.144/28"
"34.151.74.144/28"
"34.152.50.64/28"
"34.154.114.144/28"
"34.155.98.32/28"
"34.165.18.176/28"
"34.175.160.64/28"
"34.176.130.16/28"
"34.22.85.0/27"
"34.64.82.64/28"
"34.65.242.112/28"
"34.80.50.80/28"
"34.88.194.0/28"
"34.89.10.80/28"
"34.89.198.80/28"
"34.96.162.48/28"
"35.247.243.240/28"
"66.249.64.0/27"
"66.249.64.128/27"
"66.249.64.160/27"
"66.249.64.192/27"
"66.249.64.224/27"
"66.249.64.32/27"
"66.249.64.64/27"
"66.249.64.96/27"
"66.249.65.0/27"
"66.249.65.128/27"
"66.249.65.160/27"
"66.249.65.192/27"
"66.249.65.224/27"
"66.249.65.32/27"
"66.249.65.64/27"
"66.249.65.96/27"
"66.249.66.0/27"
"66.249.66.128/27"
"66.249.66.160/27"
"66.249.66.192/27"
"66.249.66.224/27"
"66.249.66.32/27"
"66.249.66.64/27"
"66.249.66.96/27"
"66.249.67.0/27"
"66.249.68.0/27"
"66.249.68.128/27"
"66.249.68.160/27"
"66.249.68.192/27"
"66.249.68.32/27"
"66.249.68.64/27"
"66.249.68.96/27"
"66.249.69.0/27"
"66.249.69.128/27"
"66.249.69.160/27"
"66.249.69.192/27"
"66.249.69.224/27"
"66.249.69.32/27"
"66.249.69.64/27"
"66.249.69.96/27"
"66.249.70.0/27"
"66.249.70.128/27"
"66.249.70.160/27"
"66.249.70.192/27"
"66.249.70.224/27"
"66.249.70.32/27"
"66.249.70.64/27"
"66.249.70.96/27"
"66.249.71.0/27"
"66.249.71.128/27"
"66.249.71.160/27"
"66.249.71.192/27"
"66.249.71.224/27"
"66.249.71.32/27"
"66.249.71.64/27"
"66.249.71.96/27"
"66.249.72.0/27"
"66.249.72.128/27"
"66.249.72.160/27"
"66.249.72.192/27"
"66.249.72.224/27"
"66.249.72.32/27"
"66.249.72.64/27"
"66.249.72.96/27"
"66.249.73.0/27"
"66.249.73.128/27"
"66.249.73.160/27"
"66.249.73.192/27"
"66.249.73.224/27"
"66.249.73.32/27"
"66.249.73.64/27"
"66.249.73.96/27"
"66.249.74.0/27"
"66.249.74.128/27"
"66.249.74.160/27"
"66.249.74.192/27"
"66.249.74.224/27"
"66.249.74.32/27"
"66.249.74.64/27"
"66.249.74.96/27"
"66.249.75.0/27"
"66.249.75.128/27"
"66.249.75.160/27"
"66.249.75.192/27"
"66.249.75.224/27"
"66.249.75.32/27"
"66.249.75.64/27"
"66.249.75.96/27"
"66.249.76.0/27"
"66.249.76.128/27"
"66.249.76.160/27"
"66.249.76.192/27"
"66.249.76.224/27"
"66.249.76.32/27"
"66.249.76.64/27"
"66.249.76.96/27"
"66.249.77.0/27"
"66.249.77.128/27"
"66.249.77.160/27"
"66.249.77.192/27"
"66.249.77.224/27"
"66.249.77.32/27"
"66.249.77.64/27"
"66.249.77.96/27"
"66.249.78.0/27"
"66.249.78.32/27"
"66.249.78.64/27"
"66.249.78.96/27"
"66.249.79.0/27"
"66.249.79.128/27"
"66.249.79.160/27"
"66.249.79.192/27"
"66.249.79.224/27"
"66.249.79.32/27"
"66.249.79.64/27"
"66.249.79.96/27"
"64.68.91.0/24"
"192.178.5.0/24"
"34.80.50.0/24"
"66.249.68.0/24"
"34.146.150.0/24"
"34.152.50.0/24"
"35.247.243.0/24"
"64.68.88.0/24"
"66.249.64.0/24"
"34.118.66.0/24"
"34.165.18.0/24"
"192.178.6.0/24"
"34.176.130.0/24"
"34.64.82.0/24"
"34.96.162.0/24"
"66.249.66.0/24"
"66.249.71.0/24"
"34.88.194.0/24"
"34.147.110.0/24"
"34.101.50.0/24"
"66.249.79.0/24"
"34.155.98.0/24"
"66.249.72.0/24"
"66.249.69.0/24"
"66.249.77.0/24"
"34.118.254.0/24"
"66.249.74.0/24"
"95.216.227.0/24"
"66.249.75.0/24"
"34.175.160.0/24"
"34.151.74.0/24"
"66.249.76.0/24"
"203.208.60.0/24"
"34.100.182.0/24"
"66.249.73.0/24"
"66.249.70.0/24"
"66.249.65.0/24"
"34.89.10.0/24"
"34.126.178.0/24"
"34.89.198.0/24"
"34.65.242.0/24"
"66.249.78.0/24"
"34.154.114.0/24"
#360
"123.6.49.0/24"
"1.192.192.0/24"
"1.192.195.0/24"
"42.236.10.0/24"
"42.236.12.0/24"
"42.236.17.0/24"
"42.236.101.0/24"
"27.115.124.0/24"
"180.163.220.0/24"
# Sogou
"121.229.156.0/24"
"111.202.101.0/24"
"106.120.173.0/24"
"123.126.50.0/24"
"223.109.255.0/24"
"106.38.241.0/24"
"112.86.225.0/24"
"118.184.177.0/24"
"123.125.109.0/24"
"49.7.20.0/24"
"61.135.159.0/24"
"49.7.117.0/24"
"223.109.252.0/24"
"123.126.68.0/24"
"58.250.125.0/24"
"61.135.189.0/24"
"220.181.125.0/24"
"111.202.100.0/24"
"111.202.103.0/24"
"123.126.113.0/24"
"49.7.21.0/24"
"123.183.224.0/24"
"106.120.188.0/24"
"218.30.103.0/24"
"220.181.124.0/24"
"36.110.147.0/24"
"123.125.125.0/24"
"123.125.186.0/24"
"61.135.158.0/24"
"180.102.110.0/24"
# Yahoo
"217.146.176.0/24"
"74.6.168.0/24"
"72.30.14.0/24"
"67.195.49.0/24"
"67.195.52.0/24"
"106.10.186.0/24"
"116.214.12.0/24"
"124.108.101.0/24"
"124.108.92.0/24"
"209.131.41.0/24"
"124.108.100.0/24"
"216.252.126.0/24"
"67.195.55.0/24"
"67.195.83.0/24"
"27.123.51.0/24"
"203.84.194.0/24"
"67.195.98.0/24"
"183.177.73.0/24"
"209.73.183.0/24"
"202.165.111.0/24"
"8.12.149.0/24"
"119.160.246.0/24"
"98.139.1.0/24"
"66.196.90.0/24"
"66.94.233.0/24"
# Bing
"157.55.39.0/24"
"207.46.13.0/24"
"40.77.167.0/24"
"13.66.139.0/24"
"13.66.144.0/24"
"52.167.144.0/24"
"13.67.10.0/24"
"13.69.66.0/24"
"13.71.172.0/24"
"139.217.52.0/24"
"191.233.204.0/24"
"20.36.108.0/24"
"20.43.120.0/24"
"40.79.131.0/24"
"40.79.186.0/24"
"52.231.148.0/24"
"20.79.107.0/24"
"51.105.67.0/24"
"20.125.163.0/24"
"40.77.188.0/24"
"40.77.189.0/24"
"40.77.190.0/24"
"40.77.191.0/24"
"65.55.210.0/24"
"199.30.24.0/24"
"199.30.25.0/24"
"40.77.202.0/24"
"40.77.139.0/24"
"20.74.197.0/24"
"20.15.133.0/24"
"40.77.177.0/24"
"40.77.178.0/24"
"40.77.179.0/24"
"65.55.212.0/24"
"131.253.26.0/24"
"65.55.219.0/24"
"65.55.211.0/24"
"40.77.162.0/24"
"40.77.194.0/24"
"157.56.0.0/24"
"199.30.26.0/24"
"65.55.213.0/24"
"199.30.20.0/24"
"65.55.208.0/24"
"157.56.1.0/24"
"65.52.110.0/24"
"65.55.209.0/24"
"131.253.38.0/24"
"131.253.24.0/24"
"131.253.27.0/24"
"157.56.2.0/24"
"65.55.215.0/24"
"23.103.64.0/24"
"65.55.25.0/24"
"40.77.215.0/24"
"61.131.4.0/24"
"40.77.173.0/24"
"202.89.235.0/24"
"65.55.214.0/24"
"202.101.96.0/24"
"40.77.161.0/24"
"40.77.221.0/24"
"65.52.109.0/24"
"40.77.220.0/24"
"65.55.218.0/24"
# Toutiao
"110.249.201.0/24"
"110.249.202.0/24"
"111.225.148.0/24"
"111.225.149.0/24"
"220.243.135.0/24"
"220.243.136.0/24"
"220.243.188.0/24"
"220.243.189.0/24"
"60.8.123.0/24"
"60.8.151.0/24"
"122.14.224.0/24"
"122.14.225.0/24"
"122.14.226.0/24"
"122.14.227.0/24"
# Shenma
"42.156.139.0/24"
"106.11.154.0/24"
"42.120.161.0/24"
"106.11.152.0/24"
"106.11.153.0/24"
"106.11.155.0/24"
"106.11.158.0/24"
"42.156.254.0/24"
"106.11.159.0/24"
"42.120.160.0/24"
"42.156.136.0/24"
"42.156.138.0/24"
"106.11.156.0/24"
"106.11.157.0/24"
"42.156.137.0/24"
"42.120.234.0/24"
"42.120.235.0/24"
"42.120.236.0/24"
)
# ===== Function: write a log line =====
log_message() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
}
# ===== Function: convert a dotted-quad IPv4 address to a 32-bit integer =====
ip4_to_int() {
    local a b c d
    IFS=. read -r a b c d <<< "$1"
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
# ===== Function: test whether an IPv4 address lies inside a CIDR block =====
# Usage: ip4_in_cidr ADDRESS NETWORK/PREFIX  (an entry without a prefix counts as /32)
ip4_in_cidr() {
    local ip="$1" net="${2%/*}" prefix=32 mask
    [[ "$ip" =~ ^[0-9]+(\.[0-9]+){3}$ && "$net" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || return 1
    [[ "$2" == */* ]] && prefix="${2#*/}"
    mask=$(( prefix == 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    (( ( $(ip4_to_int "$ip") & mask ) == ( $(ip4_to_int "$net") & mask ) ))
}
# ===== Function: simplified IPv6 match for entries written as "prefix::/N" =====
# Compares the hextets before "::" with the start of the address in the compressed
# form that ss prints. An approximation, not a full IPv6 CIDR implementation.
ip6_in_net() {
    local ip="$1" head="${2%/*}"
    head="${head%%::*}"
    [[ -n "$head" && "$ip" == "$head":* ]]
}
# ===== Function: match an address against one whitelist or spider entry =====
addr_in_net() {
    local ip="$1" net="$2"
    if [[ "$ip" == *:* ]]; then
        [[ "$net" == *:* ]] && ip6_in_net "$ip" "$net"
    else
        [[ "$net" != *:* ]] && ip4_in_cidr "$ip" "$net"
    fi
}
# ===== Function: check whether an IP is on the whitelist or in a spider range =====
is_whitelisted() {
    local ip_to_check="$1" entry
    # User-maintained whitelist file: one IP or CIDR block per line, '#' starts a comment
    if [[ -f "$WHITELIST_FILE" ]]; then
        while read -r entry _; do
            [[ -z "$entry" || "$entry" == \#* ]] && continue
            addr_in_net "$ip_to_check" "$entry" && return 0   # on the whitelist
        done < "$WHITELIST_FILE"
    fi
    # Built-in search-engine spider ranges
    for entry in "${SPIDER_NETS[@]}"; do
        addr_in_net "$ip_to_check" "$entry" && return 0       # in a spider range
    done
    return 1   # not on any whitelist
}
# ===== Function: rotate the log =====
rotate_log_if_needed() {
    if [[ -f "$LOG_FILE" ]] && [[ $(du -k "$LOG_FILE" | cut -f1) -ge $MAX_LOG_SIZE ]]; then
        mv -f "$LOG_FILE" "${LOG_FILE}.old"
        touch "$LOG_FILE"
        log_message "Log file rotated"
    fi
}
# ===== Function: run iptables or ip6tables depending on the address family =====
# Usage: fw ADDRESS iptables-arguments...
fw() {
    local addr="$1"; shift
    if [[ "$addr" == *:* ]]; then ip6tables "$@"; else iptables "$@"; fi
}
# ===== Function: make sure the temporary-block rule exists (TEMP mode) =====
# One rule per address family drops every source on the BLOCKED_TEMP list that was
# added within the last TEMP_BLOCK_EXPIRE seconds. --rcheck does not refresh the
# timestamp, so an address stops matching, i.e. is unblocked, once it expires.
# The list holds ip_list_tot entries (xt_recent module default 100); the oldest is evicted.
ensure_temp_rule() {
    local fw_bin
    for fw_bin in iptables ip6tables; do
        command -v "$fw_bin" >/dev/null 2>&1 || continue
        "$fw_bin" -C INPUT -m recent --name BLOCKED_TEMP --rcheck --seconds "$TEMP_BLOCK_EXPIRE" -j DROP 2>/dev/null \
            || "$fw_bin" -I INPUT -m recent --name BLOCKED_TEMP --rcheck --seconds "$TEMP_BLOCK_EXPIRE" -j DROP
    done
}
# ===== Function: block an IP =====
block_ip() {
    local ip="$1"
    local conn_count="$2"
    # Never block whitelisted or spider addresses
    if is_whitelisted "$ip"; then
        log_message "Ignoring whitelisted/spider IP: $ip (connections: $conn_count)"
        return 1
    fi
    if [[ "$BLOCK_TYPE" == "TEMP" ]]; then
        ensure_temp_rule
        # Add the address through the xt_recent proc interface; re-adding an address that
        # is already listed only refreshes its timestamp, so no duplicate check is needed
        echo "+$ip" > /proc/net/xt_recent/BLOCKED_TEMP
        log_message "Temporarily blocked IP: $ip (connections: $conn_count, expires after ${TEMP_BLOCK_EXPIRE}s)"
    elif [[ "$BLOCK_TYPE" == "PERM" ]]; then
        # -C looks for an identical rule, so the same address is never added twice
        if fw "$ip" -C INPUT -s "$ip" -j DROP 2>/dev/null; then
            log_message "IP already blocked, skipping: $ip"
            return 1
        fi
        fw "$ip" -I INPUT -s "$ip" -j DROP
        log_message "Permanently blocked IP: $ip (connections: $conn_count)"
    else
        log_message "Error: unknown block type: $BLOCK_TYPE"
        return 1
    fi
}
# ===== Main program =====
# Must run as root
if [[ $EUID -ne 0 ]]; then
    echo "Error: this script must be run as root!" >&2
    exit 1
fi
# Make sure the log file exists
touch "$LOG_FILE"
rotate_log_if_needed
log_message "Starting high-connection-count IP check..."
# Take the peer address of every ESTABLISHED TCP/UDP socket and count connections per IP.
# ss is the modern replacement for netstat. With a state filter ss leaves out the State
# column, so "Peer Address:Port" is field 5; NR>1 skips the header line.
declare -A ip_connections   # associative array: address -> connection count
while read -r peer; do
    [[ -z "$peer" ]] && continue
    ip="${peer%:*}"                       # drop the port (text after the last colon)
    ip="${ip#\[}"; ip="${ip%\]}"          # drop the brackets ss puts around IPv6 addresses
    ip="${ip%\%*}"                        # drop a link-local scope id such as %eth0
    [[ "$ip" == ::ffff:*.*.*.* ]] && ip="${ip#::ffff:}"   # IPv4-mapped IPv6 -> plain IPv4
    ip_connections["$ip"]=$(( ${ip_connections["$ip"]:-0} + 1 ))
done < <(ss -ntu state established | awk 'NR>1 {print $5}')
# Handle each IP
for ip in "${!ip_connections[@]}"; do
    count=${ip_connections["$ip"]}
    # Skip loopback and unspecified addresses
    [[ "$ip" == "127.0.0.1" || "$ip" == "0.0.0.0" || "$ip" == "::1" || "$ip" == "::" ]] && continue
    # Decide on the connection-count band and act accordingly
    if [[ $count -ge $CONNECTION_THRESHOLD ]]; then
        log_message "ALERT: very high connection count from $ip (connections: $count), blocking..."
        block_ip "$ip" "$count"
    elif [[ $count -ge $LOG_ONLY_THRESHOLD ]]; then
        log_message "WARNING: elevated connection count from $ip (connections: $count), logged only."
    fi
done
log_message "High-connection-count IP check finished."
exit 0
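The following is an added example and not part of the original post or the DZ插件网 script. It re-implements the script's detection pipeline (peer-address extraction from ss output, IPv4 CIDR whitelist matching, and the two thresholds) as POSIX shell functions that run offline against constructed ss-style output, so the logic can be checked before it touches iptables. The `sample_ss` function stands in for `ss -ntu state established`; the peers 198.51.100.7, 2001:db8::1 and 192.0.2.8 and the range 203.0.113.0/24 are constructed documentation addresses, while 180.76.15.0/24 is one of the Baidu ranges from the list above. IPv6 whitelist matching is deliberately left out of this example.

```shell
#!/bin/sh
# Added example (not from the original post): offline test of the detection logic.
# Thresholds mirror the script's defaults.
CONNECTION_THRESHOLD=68
LOG_ONLY_THRESHOLD=60
# Constructed whitelist (one entry per line): a Baidu range from the spider list
# and a hypothetical office range.
WHITELIST="180.76.15.0/24
203.0.113.0/24"

# Constructed stand-in for `ss -ntu state established`: header line plus one line
# per socket, with the peer address:port in field 5 as ss prints it.
sample_ss() {
    printf 'Netid Recv-Q Send-Q Local Address:Port Peer Address:Port Process\n'
    emit() { i=0; while [ "$i" -lt "$2" ]; do
                 printf 'tcp 0 0 10.0.0.5:443 %s:%d\n' "$1" $((40000 + i)); i=$((i + 1)); done; }
    emit 198.51.100.7 70          # unknown client, over the block threshold
    emit 180.76.15.9 70           # inside a spider range, over the block threshold
    emit '[2001:db8::1]' 61       # IPv6 peer, log-only band
    emit '[::ffff:192.0.2.8]' 1   # IPv4-mapped IPv6 peer, below both thresholds
}

# Reduce an "address:port" field from ss to the bare address.
peer_ip() {
    ip=${1%:*}                          # drop the port
    ip=${ip#\[}; ip=${ip%\]}            # drop IPv6 brackets
    case $ip in ::ffff:*.*.*.*) ip=${ip#::ffff:} ;; esac   # IPv4-mapped -> IPv4
    printf '%s\n' "$ip"
}

# Read ss output on stdin, print "count ip" per peer.
count_peers() {
    awk 'NR>1 {print $5}' | while read -r peer; do peer_ip "$peer"; done \
        | sort | uniq -c | awk '{print $1, $2}'
}

# Dotted-quad IPv4 address -> unsigned 32-bit integer.
ip4_to_int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# True (0) when $1 lies inside the CIDR block $2 (a bare address counts as /32).
ip4_in_cidr() {
    net=${2%/*}; prefix=32
    case $2 in */*) prefix=${2#*/} ;; esac
    if [ "$prefix" -eq 0 ]; then mask=0
    else mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF )); fi
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# True when the IPv4 address $1 matches any whitelist entry (IPv6 not handled here).
is_whitelisted() {
    case $1 in *:*) return 1 ;; esac
    for entry in $WHITELIST; do
        ip4_in_cidr "$1" "$entry" && return 0
    done
    return 1
}

# Apply the thresholds to "count ip" lines; print "ACTION ip count" for each hit.
# The whitelist is only consulted for addresses that would otherwise be blocked.
classify() {
    while read -r count ip; do
        if [ "$count" -ge "$CONNECTION_THRESHOLD" ]; then
            if is_whitelisted "$ip"; then action=IGNORE; else action=BLOCK; fi
        elif [ "$count" -ge "$LOG_ONLY_THRESHOLD" ]; then
            action=LOG
        else
            continue
        fi
        printf '%s %s %s\n' "$action" "$ip" "$count"
    done
}

# Whole pipeline over the constructed sample; output sorted for stable comparison.
run_detection() { sample_ss | count_peers | classify | sort; }

run_detection
```

Running it prints one line per decision: the unknown client is marked BLOCK, the Baidu address with the same count is marked IGNORE because the whitelist wins once the block threshold is reached, the IPv6 peer in the 60 to 67 band is only LOG, and the single-connection peer produces nothing. Swapping `sample_ss` for the real `ss` call gives the same pipeline the script runs before calling iptables.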
Create the empty log file:
touch /var/log/auto_block_ip.log
The whitelist file /etc/ddos/ignore.ip.list is shared with, and described in, this post:
https://www.dz-x.net/t/149134/1/1.html
Grant execute permission:
chmod +x /usr/local/sbin/auto_block_ip.sh
Configure logrotate for log rotation:
sudo vi /etc/logrotate.d/auto_block_ip
Add the following:
/var/log/auto_block_ip.log {
daily
missingok
rotate 7
compress
delaycompress
notifempty
create 644 root root
}
Deploy as a system service:
Create the systemd service file /etc/systemd/system/auto-block-ip.service:
[Unit]
Description=Auto Block IP Service
After=network.target
Wants=auto-block-ip.timer

[Service]
Type=oneshot
User=root
ExecStart=/usr/local/sbin/auto_block_ip.sh
# Logging
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=auto-block-ip
# Hardening
NoNewPrivileges=yes
ProtectSystem=strict
# ProtectSystem=strict mounts the file system read-only; the script still has to write its log
ReadWritePaths=/var/log
ProtectHome=read-only
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
Create the timer file /etc/systemd/system/auto-block-ip.timer so the script runs every 15 seconds (if the results are not satisfactory you can set it to run every 10 or 5 seconds):
[Unit]
Description=Run Auto Block IP every 20 seconds
Requires=auto-block-ip.service

[Timer]
# First run 30 seconds after boot
OnBootSec=30s
# Then every 20 seconds
OnUnitActiveSec=20s
# Keep the schedule accurate (systemd may otherwise coalesce wake-ups by up to a minute)
AccuracySec=1s
# The service this timer activates; systemd never starts a second instance of a oneshot service while the previous run is still active
Unit=auto-block-ip.service

[Install]
WantedBy=timers.target
Create the rsyslog configuration /etc/rsyslog.d/auto-block-ip.conf:
# Dedicated log for the auto-block-IP service
if $programname == 'auto-block-ip' then /var/log/auto-block-ip.log
& stop
Enable and start the service:
# Reload the systemd configuration
sudo systemctl daemon-reload
# Enable and start the timer
sudo systemctl enable auto-block-ip.timer
sudo systemctl start auto-block-ip.timer
# Activate the logging configuration
sudo systemctl restart rsyslog
# Check the service status
sudo systemctl status auto-block-ip.timer
sudo systemctl status auto-block-ip.service
# List the timers
systemctl list-timers --all
Create the monitoring script /usr/local/sbin/monitor_auto_block.sh (checks the service status every 20 seconds):
#!/bin/bash
# Watchdog script for the auto-block-IP service
SERVICE="auto-block-ip.timer"
LOG_FILE="/var/log/service_monitor.log"
MAX_LOG_SIZE=10240
# Function: write a log line
log_message() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
}
# Function: rotate the log
rotate_log() {
    if [ -f "$LOG_FILE" ] && [ "$(du -k "$LOG_FILE" | cut -f1)" -ge "$MAX_LOG_SIZE" ]; then
        mv -f "$LOG_FILE" "${LOG_FILE}.old"
        touch "$LOG_FILE"
    fi
}
# Main loop
while true; do
    rotate_log
    # Check the service status
    if ! systemctl is-active --quiet "$SERVICE"; then
        log_message "WARNING: $SERVICE is not running, attempting a restart..."
        systemctl restart "$SERVICE"
        # Check again whether the restart succeeded
        sleep 5
        if systemctl is-active --quiet "$SERVICE"; then
            log_message "OK: $SERVICE restarted"
        else
            log_message "ERROR: failed to restart $SERVICE"
        fi
    fi
    # Wait 20 seconds before checking again
    sleep 20
done
Set the monitoring script's permissions and create its service:
sudo chmod +x /usr/local/sbin/monitor_auto_block.sh
Create the monitoring service file /etc/systemd/system/monitor-auto-block.service:
[Unit]
Description=Monitor for Auto Block IP Service
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/sbin/monitor_auto_block.sh
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
Enable and start the monitoring service:
sudo systemctl daemon-reload
sudo systemctl enable monitor-auto-block.service
sudo systemctl start monitor-auto-block.service
Complete removal if you no longer want it:
Stop and disable the timer and services
First stop and disable all related timers and services so they cannot start again.
# Stop and disable the auto-block-ip timer and service
sudo systemctl stop auto-block-ip.timer
sudo systemctl disable auto-block-ip.timer
sudo systemctl stop auto-block-ip.service
sudo systemctl disable auto-block-ip.service
# Stop and disable the monitoring script's service
sudo systemctl stop monitor-auto-block.service
sudo systemctl disable monitor-auto-block.service
Delete the systemd unit files
These files hold the service and timer definitions; they must be deleted for the removal to be complete.
# Delete the auto-block-ip .service and .timer files
sudo rm /etc/systemd/system/auto-block-ip.service
sudo rm /etc/systemd/system/auto-block-ip.timer
# Delete the monitoring script's .service file
sudo rm /etc/systemd/system/monitor-auto-block.service
Reload the systemd configuration
After deleting unit files, the systemd manager has to be told that the configuration changed.
sudo systemctl daemon-reload
Delete the scripts and the logging configuration
Next delete the scripts and the logging configuration file you created earlier.
# Delete the main script and the monitoring script
sudo rm /usr/local/sbin/auto_block_ip.sh
sudo rm /usr/local/sbin/monitor_auto_block.sh
# Delete the dedicated rsyslog configuration file
sudo rm /etc/rsyslog.d/auto-block-ip.conf
Restart the rsyslog service
Make rsyslog reload its configuration so the dedicated log configuration is no longer in effect.
sudo systemctl restart rsyslog
(Optional) Clean up the log files
If you want a thorough clean-up, delete all log files produced while the scripts were running.
sudo rm -f /var/log/auto-block-ip.log /var/log/auto_block_ip.log /var/log/service_monitor.log
If your server has no more than 2 CPU cores and 2 GB of RAM, running the scan and block every 15 to 20 seconds may cause momentary CPU spikes; a more optimized alternative is given below (pick one of the two):
Enhanced real-time scanning based on ddos-deflate: automatically banning IPs above the connection threshold, integrated with Fail2ban, the BT (宝塔) nginx firewall and user-defined whitelists
https://www.dz-x.net/t/151053/1/1.html
From: DZ插件网
Title: DZ插件网 high-connection-count auto-block script configuration guide

Description: This script automatically monitors IPs with high connection counts on the server and blocks them when they exceed the configured threshold, while excluding search-engine spiders and whitelisted IPs, effectively defending against SYN/DDoS attacks.

Below are detailed configuration notes and optimization suggestions for the DZ插件网 high-connection-count auto-block script:

### Script overview
The script monitors the server's ESTABLISHED connection count in real time, automatically identifies and blocks IP addresses with abnormally high connection counts, and is aimed in particular at DDoS attacks such as SYN floods. It supports temporary and permanent block modes and has built-in IP ranges for common search-engine spiders plus a custom whitelist, so that normal traffic is unaffected.

### Configuration notes
1. **Connection thresholds**:
 - `CONNECTION_THRESHOLD=68`: IPs above this connection count are blocked automatically.
 - `LOG_ONLY_THRESHOLD=60`: IPs above this value but below the block threshold are only logged, for monitoring.

2. **Block type**:
 - `BLOCK_TYPE="TEMP"`: temporary block mode, using the iptables recent module; lifted automatically after a period.
 - `BLOCK_TYPE="PERM"`: permanent block mode, using an iptables DROP rule.
 - The expiry of a temporary block can be adjusted via `TEMP_BLOCK_EXPIRE=3600` (in seconds).

3. **Whitelist**:
 - Custom whitelist file path: `WHITELIST_FILE="/etc/ddos/ignore.ip.list"`, one IP or CIDR range per line.
 - The script already contains the spider IP ranges of common search engines (Baidu, Google, 360, Sogou, etc.); no manual additions are needed.

4. **Log management**:
 - Log file path: `LOG_FILE="/var/log/auto_block_ip.log"`.
 - Log rotation is supported; the maximum log size can be adjusted via `MAX_LOG_SIZE=10240` (in KB).

### Usage steps
1. **Create the script file**:
 vi /usr/local/sbin/auto_block_ip.sh
 Copy the provided script contents into the file and save.

2. **Adjust the configuration parameters**:
 Adapt the parameters in the configuration section to your server environment, especially the connection thresholds and the whitelist path.

3. **Set execute permission**:
 chmod +x /usr/local/sbin/auto_block_ip.sh

4. **Create the whitelist file (optional)**:
 mkdir -p /etc/ddos
 vi /etc/ddos/ignore.ip.list
 Add one IP or range to exclude per line (for example 192.168.1.0/24).

5. **Test the script manually**:
 /usr/local/sbin/auto_block_ip.sh
 Check the log file (/var/log/auto_block_ip.log) to confirm there are no errors and that it works.

6. **Add a scheduled task**:
 It is recommended to run it every minute via crontab for real-time monitoring:
 crontab -e
 Add the following line:
 * * * * * /usr/local/sbin/auto_block_ip.sh >/dev/null 2>&1

### Notes
- The script must run as root, otherwise it cannot operate iptables.
- Temporary block mode depends on the iptables recent module; make sure the module is loaded (check with `lsmod | grep recent`).
- Permanent block mode keeps accumulating iptables rules; over a long run the number of rules can grow large, so clean up stale rules periodically or use temporary block mode.
- The built-in spider IP ranges may change over time; update the script periodically or add new ranges through the whitelist file.
- If the server carries heavy traffic, raise the connection thresholds to avoid blocking legitimate users.

### Troubleshooting
- If the script does not run properly, check:
1. whether root privileges are sufficient;
2. whether iptables is installed and usable;
3. whether the whitelist file path is correct;
4. whether the log file is writable.
- Detailed error messages can be found in the log file (/var/log/auto_block_ip.log).

With the above configuration your server will be able to identify and defend against high-connection-count attacks automatically, while keeping search-engine spiders and whitelisted IPs accessible. For further optimization or customization, consult the relevant DZ插件网 documentation or contact us for technical support.

-- This reply was generated by an AI agent; it is for reference only, please verify it carefully.
Let's see how it's done.