I want to protect my server against port scans coming from the Internet, and if a port scan does happen, block the source IP address for a few minutes.

This is my current iptables configuration:

$>iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOS_PROTECT
-A INPUT -i eth1 -j DOS_PROTECT
-A INPUT -i eth0 -j DOS_PROTECT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j DROP
-A INPUT -i eth0 -p udp -m udp --dport 80 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 587 -j DROP
-A INPUT -i eth0 -p udp -m udp --dport 587 -j DROP
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 666 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 667 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 5006 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -i eth1 -j DROP
-A DOS_PROTECT -i eth1 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth1 -p icmp -m icmp --icmp-type 8 -j DROP
-A DOS_PROTECT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A DOS_PROTECT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 10000/sec --limit-burst 100 -j RETURN
-A DOS_PROTECT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 10000/sec --limit-burst 100 -j RETURN
-A DOS_PROTECT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
$> iptables --list      
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DOS_PROTECT  all  --  anywhere             anywhere            
DOS_PROTECT  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere             tcp dpt:http
DROP       udp  --  anywhere             anywhere             udp dpt:http
DROP       tcp  --  anywhere             anywhere             tcp dpt:submission
DROP       udp  --  anywhere             anywhere             udp dpt:submission
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:666
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:667
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5006
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8443
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOS_PROTECT (2 references)
target     prot opt source               destination         
RETURN     icmp --  anywhere             anywhere             icmp  echo-request limit: avg 1/sec burst 5
DROP       icmp --  anywhere             anywhere             icmp echo-request
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/RST
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 10000/sec burst 100
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
DROP       icmp --  anywhere             anywhere             icmp echo-request
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/RST
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 10000/sec burst 100
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN

I want to insert anti-scan rules for the interface eth1. How do I do that?

I tried:

iptables -A INPUT -m recent --name portscan --rcheck --seconds 900 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 900 -j DROP

But it fails with:

$> iptables -A INPUT -m recent --name portscan --rcheck --seconds 900 -j DROP
iptables v1.4.21: Couldn't load match `recent':No such file or directory

Can anyone help me?

Answer 1

I found out why my attempt did not work. The reason is that xt_recent was missing in the kernel. So the solution is:

sudo modprobe xt_recent
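With xt_recent loaded, the -m recent rules still have to sit where they can match. Appended with -A, as in the question, they land after "-A INPUT -i eth1 -j DROP" and never see a packet, and nothing in them ever adds an address to the list (--rcheck only reads it). The following is an added example, not code from the original post or from either answer: a small POSIX sh helper that prints the iptables commands for a port-scan trap on one interface, so they can be reviewed before being run as root. The list name portscan, the chain name SCAN_TRAP_<iface>, the 900-second block window and the assumption that every TCP port not in the allow-list is unused on that interface are choices made here, not taken from the page.

```shell
#!/bin/sh
# Added example, not part of the original post or answers. Prints the
# iptables commands for an xt_recent port-scan trap on one interface;
# it never calls iptables itself.
#
# Assumed here (not from the page): the list name "portscan", the chain
# name SCAN_TRAP_<iface>, a 900 s block, and that every TCP port not in
# the allow-list is unused on the interface, so a SYN to it is a probe.

LIST=portscan        # xt_recent list name (/proc/net/xt_recent/portscan)
BLOCK_SECONDS=900    # how long a flagged source stays blocked

# valid_ports "666,667,5006"
#   Returns 0 if every entry is a port in 1..65535 and there are between
#   1 and 15 of them (15 is the limit of the multiport match).
valid_ports() {
    n=0
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        case $p in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -ge 1 ] && [ "$n" -le 15 ]
}

# portscan_rules IFACE ALLOWED_TCP_PORTS
#   Prints the commands on stdout; prints nothing and returns 1 if the
#   port list is not acceptable.
portscan_rules() {
    iface=$1
    ports=$2
    valid_ports "$ports" || return 1
    chain="SCAN_TRAP_$iface"
    cat <<EOF
iptables -N $chain
# 1. A source already on the list is dropped outright for $BLOCK_SECONDS s
#    after the probe that put it there (--rcheck does not refresh the timer).
iptables -A $chain -m recent --name $LIST --rcheck --seconds $BLOCK_SECONDS -j DROP
# 2. A new SYN to a port this interface does not serve is a probe: record
#    the source (--set) and drop the packet, so the scanner gets no RST.
iptables -A $chain -p tcp --syn -m multiport ! --dports $ports -m recent --name $LIST --set -j DROP
# 3. Everything else falls through to the normal INPUT rules.
iptables -A $chain -j RETURN
# Hook the trap in ahead of every other INPUT rule for this interface, so a
# flagged address is blocked even on its RELATED,ESTABLISHED traffic.
iptables -I INPUT 1 -i $iface -j $chain
EOF
}

# Stand-alone use: print the rules for the eth1 services in the question.
if [ "${1:-}" = "--demo" ]; then
    portscan_rules eth1 666,667,5006,993,587,465,8443
fi
```

Once the output looks right, run it as root (portscan_rules eth1 666,667,5006,993,587,465,8443 | sh) or copy the lines into whatever persists your rules. The list can be inspected in /proc/net/xt_recent/portscan, and an address is removed early by writing "-ADDRESS" to that file. Two caveats a practitioner will want: xt_recent keys on the source address only, so anyone who can spoof a SYN to a closed port can get an arbitrary address blocked for 900 seconds, including your own management host, so accept trusted sources before the trap and do not hook it in front of them; and the list holds 100 entries by default (the module's ip_list_tot parameter), after which the oldest entry is evicted. To tolerate a stray connection attempt, add --hitcount 3 to the --rcheck rule so a source is blocked only after its third probe within the window.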

Answer 2

I suggest you look into a service like psad, which can do most of the iptables configuration for you. To install it, just run sudo apt install psad, and then you can configure psad to automatically block an "attacker" after it scans a large number of packets or a large number of different services. To edit psad's configuration file, you can find it at /etc/psad/psad.conf
