Network Security: Iptables and Spamhaus IP drop lists
I recently came across some material on this and would like to share it with everyone. [url]http://www.spamhaus.org/faq/section/DROP%20FAQ[/url]
One of the scripts that works together with iptables:[code]#!/bin/bash
# Generate automatic firewall rules to block bad IPs listed on spamhaus.org
FILE=/tmp/drop.lasso
wget -O "$FILE" http://www.spamhaus.org/drop/drop.lasso
iptables -F   # flush iptables; comment this line out if you use other rules
# Skip the ';' comment lines and take the first field (the network block)
for ipblock in $(egrep -v '^;' "$FILE" | awk '{print $1}')
do
    iptables -I INPUT -s "$ipblock" -j DROP
done[/code] One more example
[url]http://www.debian-tutorials.com/iptables-shell-script-to-drop-spamhaus-listed-ip[/url] [b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=38390&ptid=6264]1#[/url] [i]ckleea[/i] [/b]
Is iptables the firewall? Can the block list be updated automatically this way? A cron job can be used.
This suits people who use an ordinary home router. If you use RouterOS or another higher-end router, you can do it at the router level instead.
These scripts can be used on a Raspberry Pi.
Of course the other security settings still need to be done. Another version:[code]#!/bin/bash
IPT="/sbin/iptables"
FILE="/tmp/drop.lasso"
URL="http://www.spamhaus.org/drop/drop.lasso"
echo ""
echo -n "Deleting DROP list from existing firewall..."
# This will delete all dropped IPs from the firewall, using the list downloaded last time
ipdel=$(egrep -v '^;' "$FILE" 2>/dev/null | awk '{ print $1 }')
for ipblock in $ipdel
do
    $IPT -D droplist -s "$ipblock" -j LOG --log-prefix "DROP Spamhaus List"
    $IPT -D droplist -s "$ipblock" -j DROP
done
echo -n "Applying DROP list to existing firewall..."
# This will drop all IPs from the Spamhaus list.
[ -f "$FILE" ] && /bin/rm -f "$FILE" || :
cd /tmp
wget "$URL"
blocks=$(egrep -v '^;' "$FILE" | awk '{ print $1 }')
# Create the chain on the first run only; later runs reuse it
$IPT -N droplist 2>/dev/null
for ipblock in $blocks
do
    $IPT -A droplist -s "$ipblock" -j LOG --log-prefix "DROP Spamhaus List"
    $IPT -A droplist -s "$ipblock" -j DROP
done
# Add the jump rules only if they are not already there, so daily runs do not stack duplicates
$IPT -C INPUT -j droplist 2>/dev/null || $IPT -I INPUT -j droplist
$IPT -C OUTPUT -j droplist 2>/dev/null || $IPT -I OUTPUT -j droplist
$IPT -C FORWARD -j droplist 2>/dev/null || $IPT -I FORWARD -j droplist
echo "...Done"[/code] I personally use this version:[code]#!/bin/bash
IPTABLES=/sbin/iptables
FILE="/tmp/drop.lasso"
URL="http://www.spamhaus.org/drop/drop.lasso"
#echo ""
#echo -n "Applying DROP list to existing firewall..."
# Remove the old chain and its jump rules (errors are expected on the first run)
$IPTABLES -D INPUT -j Spamhaus 2>/dev/null
$IPTABLES -D OUTPUT -j Spamhaus 2>/dev/null
$IPTABLES -D FORWARD -j Spamhaus 2>/dev/null
$IPTABLES -F Spamhaus 2>/dev/null
$IPTABLES -X Spamhaus 2>/dev/null
[ -f "$FILE" ] && /bin/rm -f "$FILE" || :
cd /tmp
# Stop here if the download fails instead of building an empty chain
wget "$URL" || exit 1
blocks=$(egrep -v '^;' "$FILE" | awk '{ print $1 }')
$IPTABLES -N Spamhaus
for ipblock in $blocks
do
    #$IPTABLES -A Spamhaus -s "$ipblock" -j LOG --log-prefix "DROP List Block"
    $IPTABLES -A Spamhaus -s "$ipblock" -j DROP
    #echo $ipblock
done
$IPTABLES -I INPUT -j Spamhaus
$IPTABLES -I OUTPUT -j Spamhaus
$IPTABLES -I FORWARD -j Spamhaus
#echo "...Done"
/bin/rm -f "$FILE"
[/code]Very simple.
Run it once a day with a cron job. Which folder would be the better place to put this script? [b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=38438&ptid=6264]7#[/url] [i]orangelau[/i] [/b]
I usually put it in /opt/scripts and make it executable, e.g. chmod a+x scriptname; then set up a cron job to run it once a day or once a week. [b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=38439&ptid=6264]8#[/url] [i]ckleea[/i] [/b]
Do I just put all 27 of these lines into the same file and then set it to run on a schedule in crontab?
[attach]3260[/attach] [b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=38512&ptid=6264]9#[/url] [i]orangelau[/i] [/b]
Yes. [b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=38514&ptid=6264]10#[/url] [i]ckleea[/i] [/b]
Thanks!!
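A more defensive variant of the update scripts posted in this thread, added here as an example; it is not code from the thread, from Spamhaus or from the linked tutorial. It keeps the thread's download URL and its idea of a dedicated chain reached by jump rules from INPUT, OUTPUT and FORWARD, but downloads into a temporary file, refuses to touch the firewall unless the file parses as a plausible DROP list (non-empty, every entry an IPv4 CIDR), reloads the chain in one iptables-restore transaction, and adds the jump rules only when they are missing, so the daily cron run discussed above does not pile up duplicates. The chain name spamhaus-drop, the /opt/scripts path and the cron schedule in the comment are this example's own choices, and the list inside sample_drop_list is constructed sample data, not real Spamhaus output.

```bash
#!/bin/bash
# Added example: defensive Spamhaus DROP list loader for iptables.
# Chain name, paths and cron schedule are choices made for this example.
set -u

IPT=/sbin/iptables
IPT_RESTORE=/sbin/iptables-restore
CHAIN=spamhaus-drop                            # chain name chosen for this example
URL=http://www.spamhaus.org/drop/drop.lasso    # URL used in the thread

# Constructed sample in the drop.lasso layout (comments start with ';',
# entries are "CIDR ; SBL reference").  For offline testing only.
sample_drop_list() {
    cat <<'EOF'
; Spamhaus DROP List (constructed sample, not real data)
; Last-Modified: Mon, 01 Jan 2024 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/24 ; SBL000003
EOF
}

# Read a DROP list on stdin and print one validated CIDR per line.
# Comment and blank lines are skipped; any other line that is not an IPv4
# CIDR makes the function fail, so a truncated download or an HTML error
# page is never turned into firewall rules.  An empty list also fails.
parse_drop_list() {
    local line cidr count=0
    while IFS= read -r line; do
        case "$line" in ''|\;*) continue ;; esac
        cidr=${line%% *}                       # first field, before " ; SBLnnnn"
        if ! printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
            echo "parse_drop_list: unexpected line: $line" >&2
            return 1
        fi
        printf '%s\n' "$cidr"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ]
}

# Turn validated CIDRs (stdin) into iptables-restore input that flushes and
# refills only CHAIN in the filter table.  With --noflush, the ":CHAIN" line
# creates the chain if missing and flushes it if present; other chains are
# left untouched, so nothing else in the firewall is disturbed.
build_restore_input() {
    local cidr
    printf '*filter\n:%s - [0:0]\n' "$CHAIN"
    while IFS= read -r cidr; do
        printf -- '-A %s -s %s -j DROP\n' "$CHAIN" "$cidr"
    done
    printf 'COMMIT\n'
}

# Download, validate, load, then make sure INPUT/OUTPUT/FORWARD jump to CHAIN.
# On any failure the rules currently loaded stay in place.
apply_drop_list() {
    local tmp cidrs chain
    tmp=$(mktemp) || return 1
    if ! wget -q -O "$tmp" "$URL"; then
        echo "download failed; keeping the current rule set" >&2
        rm -f "$tmp"; return 1
    fi
    if ! cidrs=$(parse_drop_list < "$tmp"); then
        echo "list failed validation; keeping the current rule set" >&2
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
    printf '%s\n' "$cidrs" | build_restore_input | "$IPT_RESTORE" --noflush || return 1
    for chain in INPUT OUTPUT FORWARD; do
        # -C succeeds when the jump rule already exists; insert it only if not
        "$IPT" -C "$chain" -j "$CHAIN" 2>/dev/null || "$IPT" -I "$chain" -j "$CHAIN"
    done
    echo "loaded $(printf '%s\n' "$cidrs" | wc -l) networks into $CHAIN"
}

# Only touches the firewall when invoked as:  spamhaus-drop.sh apply
# Example cron line (path and time are this example's choices):
#   0 4 * * * /opt/scripts/spamhaus-drop.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_drop_list
fi
```

Run it as root with the apply argument once by hand and then from cron; without the argument the script only defines its functions, so parse_drop_list and build_restore_input can be exercised against the constructed sample on a machine without iptables at all. Doing the download and validation before any iptables call is the point: the posted scripts delete the old chain first, so a failed download leaves the host with no DROP list until the next run, whereas this version leaves the last good list loaded.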