Ubuntu Trusty 中禁止屏蔽 IP 位置

Ubuntu Trusty 中禁止屏蔽 IP 位置

我使用这个脚本来阻止端口扫描。如果某个 IP 尝试使用 nmap 或某些扫描工具进行端口扫描,则其 IP 将被移至黑名单 86400 秒。我找到的教程这里(链接有时会失效)

#!/bin/sh
#
#
# Script is for stoping Portscan and smurf attack

### first flush all the iptables Rules
iptables -F

# Protecting portscans
# Attacking IP will be locked for 24 hours (3600 x 24 = 86400 Seconds)
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Remove attacking IP after 24 hours
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

阻止已成功。但当我想从黑名单中解除对 IP 的阻止时,我找不到它存储的位置。尝试了以下方法:

iptables -L INPUT -v -n

它没有给我任何结果。可能是因为我没有使用手动 iptable 命令来阻止该 IP。

当我使用 iptable-save 命令时,文件内容是:

# Generated by iptables-save v1.4.21 on Tue Aug  1 09:55:24 2017
*filter
:INPUT ACCEPT [2573:464414]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2561:450932]
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
COMMIT
# Completed on Tue Aug  1 09:55:24 2017

没有任何迹象表明 IP 已被阻止。那么如何才能解除被上述脚本阻止的 IP 的阻止呢?

答案1

iptables 中最新模块使用的各种表存储在 中/proc/net/xt_recent。例如:

$ ls -l /proc/net/xt_recent
total 0
-rw-r--r-- 1 root root 0 Jul 31 17:31 BADGUY_EMAIL
-rw-r--r-- 1 root root 0 Jul 31 17:31 BADGUY_SSH
-rw-r--r-- 1 root root 0 Jul 31 17:31 HTTP_01
-rw-r--r-- 1 root root 0 Jul 31 17:31 HTTP_02
-rw-r--r-- 1 root root 0 Jul 31 17:31 HTTP_BAN

现在,假设我们看一下表格HTTP_BAN

src=151.80.153.116 ttl: 54 last_seen: 4328384635 oldest_pkt: 1 4328384635, ..., 4328384635
src=96.49.73.155 ttl: 123 last_seen: 5452194021 oldest_pkt: 3 5452194014, ..., 5452194014
src=107.172.148.195 ttl: 55 last_seen: 5129807106 oldest_pkt: 15 5129803346, ..., 5129803346
src=125.64.94.206 ttl: 50 last_seen: 4540016391 oldest_pkt: 11 4540008881, ..., 4540016391
src=173.180.45.3 ttl: 63 last_seen: 5037092972 oldest_pkt: 15 5037078444, ..., 5037078444
src=77.66.1.97 ttl: 46 last_seen: 4981357498 oldest_pkt: 17 4981346351, ..., 4981346351
src=78.73.133.234 ttl: 55 last_seen: 5009073697 oldest_pkt: 9 5009058041, ..., 5009058041
src=23.16.13.188 ttl: 125 last_seen: 4353548286 oldest_pkt: 1 4353548286, ..., 4353548286
src=131.247.152.158 ttl: 46 last_seen: 5187361776 oldest_pkt: 23 5187345808, ..., 5187345808
src=173.196.177.69 ttl: 51 last_seen: 4741647347 oldest_pkt: 21 4741643594, ..., 4741643594
src=122.114.223.46 ttl: 49 last_seen: 4914484055 oldest_pkt: 9 4914477305, ..., 4914477305

并决定我们要允许当前列表中的两个地址:

$ echo -122.114.223.46 | sudo tee /proc/net/xt_recent/HTTP_BAN
-122.114.223.46
$ echo -173.180.45.3 | sudo tee /proc/net/xt_recent/HTTP_BAN
-173.180.45.3

现在再次检查列表:

src=151.80.153.116 ttl: 54 last_seen: 4328384635 oldest_pkt: 1 4328384635, ..., 4328384635
src=96.49.73.155 ttl: 123 last_seen: 5452194021 oldest_pkt: 3 5452194014, ..., 5452194014
src=107.172.148.195 ttl: 55 last_seen: 5129807106 oldest_pkt: 15 5129803346, ..., 5129803346
src=125.64.94.206 ttl: 50 last_seen: 4540016391 oldest_pkt: 11 4540008881, ..., 4540016391
src=77.66.1.97 ttl: 46 last_seen: 4981357498 oldest_pkt: 17 4981346351, ..., 4981346351
src=78.73.133.234 ttl: 55 last_seen: 5009073697 oldest_pkt: 9 5009058041, ..., 5009058041
src=23.16.13.188 ttl: 125 last_seen: 4353548286 oldest_pkt: 1 4353548286, ..., 4353548286
src=131.247.152.158 ttl: 46 last_seen: 5187361776 oldest_pkt: 23 5187345808, ..., 5187345808
src=173.196.177.69 ttl: 51 last_seen: 4741647347 oldest_pkt: 21 4741643594, ..., 4741643594

并观察到那两个 IP 地址已经消失了。

相关内容