#!/bin/bash
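#Authors :Tangwb
#Date :2016/02/18
##########################################################################################
# Purpose of this script:                                                                #
# 1. Automatically defend the mail server against CC (connection-flood) attacks.         #
# 2. Handle an over-long mail queue caused by an internal mailbox whose password has     #
#    been cracked and is being used to send bulk mail.                                   #
##########################################################################################
# Load the login environment (PATH etc.) so the daemon can find the external tools.
. /etc/profile

# Ports to monitor
CHK_PORT="80 443 25 110 22 995 465 587 143 993"
# TCP states that are NOT monitored
CHK_TCP_STATE="LISTEN"
# Maximum number of connections allowed from one address (per port and state)
MAX_CONNECT_IP_NUM=100
# Maximum mail queue length (requests) before the queue is cleaned up
MAX_MAIL_QUEUE=200
# Interval between scans (seconds)
SCAN_IP_TIMEOUT=30
# Blocked addresses are released automatically after this many days
IP_DEBLOCK_TIME=5
# Address whitelist: never blocked
ACCEPT_IP="183.62.15.118 172.16.2.10 127.0.0.1 192.168.1.97 192.168.1.99 0.0.0.0"

# Directory that holds the script's state files. Defaults to /tmp for compatibility
# with earlier versions. /tmp is world-writable and the block list below is turned
# into iptables commands by a root process, so point STATE_DIR at a root-owned
# directory (for example under /var/lib) when deploying.
STATE_DIR=${STATE_DIR:-/tmp}
# Temporary file: addresses found over the limit in the current scan
IP_DENY_TMP=${STATE_DIR}/ip_deny_tmp
# Persistent list of blocked addresses ("<YYYY-MM-DD> <ip>" per line)
IP_DENY=${STATE_DIR}/ip_deny
# Output of the mail queue check ("<sender> <count>")
MAIL_QUEUE=${STATE_DIR}/mail_queue_info
# Report body assembled for each scan cycle
MAIL_TXT=${STATE_DIR}/mail_txt
# Path of the sendEmail command
SENDMAIL=/usr/local/bin/sendEmail
# Report recipients
MAILLIST="tang@sina.cn"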
# Block one source address by inserting a DROP rule at the head of the INPUT chain.
# The rule is tagged with a comment so that the script can later recognise its own rules.
# Arguments: $1 - source IP address to block
# Returns:   the exit status of iptables
function drop_ip_from_table()
{
  local src_ip=$1
  iptables -I INPUT -s "${src_ip}" -j DROP -m comment --comment "auto by shell"
}
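# Find source addresses that hold more than MAX_CONNECT_IP_NUM connections on a
# monitored port (in a non-ignored TCP state) and block them with iptables.
# Globals:  CHK_PORT, CHK_TCP_STATE, MAX_CONNECT_IP_NUM, ACCEPT_IP (read)
#           IP_DENY_TMP (overwritten), IP_DENY (appended)
# Outputs:  one line per offending address into IP_DENY_TMP:
#           "<date> <ip> --> port: <port> state: <state> sum: <count>"
function deny_ip_iptable()
{
  local today line ip ip_re
  today=$(date +"%F")
  # Count connections per (local port, remote address, state). Shell values are handed
  # to awk with -v instead of being spliced into the program text.
  netstat -an | awk --re-interval \
    -v ports="${CHK_PORT}" -v states="${CHK_TCP_STATE}" \
    -v max="${MAX_CONNECT_IP_NUM}" -v today="${today}" '
    BEGIN {
      split(ports, _p);  for (i in _p) { p[_p[i]] }
      split(states, _s); for (i in _s) { s[_s[i]] }
    }
    /^tcp/ && !/LISTEN/ {
      match($4, ":([0-9]+)$", a)
      match($5, "([0-9]{1,3}\\.){3}[0-9]{1,3}", b)
      sum[a[1] " " b[0] " " $NF]++
    }
    END {
      for (i in sum) {
        if (sum[i] > max + 0) {
          split(i, c)
          if (c[1] in p && !(c[3] in s)) {
            print today, c[2] " --> port: " c[1], "state: " c[3], "sum: " sum[i]
          }
        }
      }
    }' > "${IP_DENY_TMP}"

  while IFS= read -r line; do
    ip=$(awk '{print $2}' <<<"${line}")
    # Only a dotted-quad address may reach iptables; anything else (e.g. a line where
    # the remote address could not be extracted) is reported but not acted on.
    if [[ ! "${ip}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
      continue
    fi
    # Whitelisted addresses are never blocked. Fixed-string, whole-word matching so
    # that '.' is not a regex wildcard and 10.0.0.1 does not match 10.0.0.10.
    if grep -qwF -- "${ip}" <<<"${ACCEPT_IP}"; then
      continue
    fi
    # Skip addresses that already carry one of this script's rules. Dots are escaped
    # and the address must be followed by its mask (or a space) so that a rule for
    # 10.0.0.10 is not taken as a rule for 10.0.0.1.
    ip_re=${ip//./\\.}
    if iptables-save | grep -qE -e "-s ${ip_re}(/32)? .*auto by shell"; then
      continue
    fi
    drop_ip_from_table "${ip}" && printf '%s %s\n' "${today}" "${ip}" >> "${IP_DENY}"
  done < "${IP_DENY_TMP}"
}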
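# Release addresses that were blocked more than IP_DEBLOCK_TIME days ago.
# IP_DENY is expected to be in chronological order ("<YYYY-MM-DD> <ip>" per line,
# as written by deny_ip_iptable), so processing stops at the first entry that is
# still inside the block period; the released entries are then cut from the file.
# Globals:  IP_DEBLOCK_TIME (read), IP_DENY (rewritten)
function deblock_ip()
{
  local cutoff day ip expired=0
  cutoff=$(date -d "${IP_DEBLOCK_TIME} days ago" +"%F")
  [[ -f "${IP_DENY}" ]] || return 0
  # The list may live in a directory writable by other users, so every field is
  # validated before use and the address is passed to iptables as an argument
  # rather than through a shell command string built by awk's system().
  while read -r day ip _; do
    [[ "${day}" < "${cutoff}" ]] || break
    if [[ "${ip}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
      iptables -D INPUT -s "${ip}" -j DROP -m comment --comment "auto by shell"
    else
      printf 'deblock_ip: skipping malformed entry: %s %s\n' "${day}" "${ip}" >&2
    fi
    expired=$((expired + 1))
  done < "${IP_DENY}"
  if (( expired > 0 )); then
    sed -i "1,${expired}d" "${IP_DENY}"
  fi
}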
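# Detect an internal sender flooding the mail queue and purge that sender's mail.
# When the queue summary reports more than MAX_MAIL_QUEUE requests, the sender with
# the most queued records is written to MAIL_QUEUE ("<sender> <count>"); the whole
# queue is then put on hold, that sender's messages are deleted, and the rest are
# released again. Otherwise MAIL_QUEUE is left empty.
# Globals:  MAX_MAIL_QUEUE (read), MAIL_QUEUE (overwritten)
function mail_queue()
{
  local sender
  # mailq output is read as blank-line-separated records; $7 is used as the sender
  # and only records with an empty $9 are counted (assumed to be entries without a
  # deferral reason - confirm against the local mailq format). In END, $0 is the
  # last record, i.e. the summary line, whose $5 is the request count.
  mailq | awk -v max="${MAX_MAIL_QUEUE}" '
    BEGIN { RS = "" }
    $9 == "" { a[$7]++ }
    END {
      if ($0 ~ /Request/ && $5 > max + 0) {
        for (i in a) { print i, a[i] | "sort -rn -k2,2|head -1" }
      }
    }' > "${MAIL_QUEUE}"
  [[ -s "${MAIL_QUEUE}" ]] || return 0
  sender=$(awk 'NR==1{print $1}' "${MAIL_QUEUE}")
  [[ -n "${sender}" ]] || return 0
  postsuper -h ALL
  # The sender address comes from queue contents an attacker controls, so it is
  # handed to awk through the environment instead of being spliced into the
  # program text, where quotes or other awk syntax could change the program.
  mailq | MQ_SENDER="${sender}" awk '
    BEGIN { RS = ""; want = ENVIRON["MQ_SENDER"] }
    $7 == want && $9 == "" { print $1 }' \
    | tr -d '*!' | postsuper -d -
  postsuper -r ALL
}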
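# Send the report in MAIL_TXT (as HTML) to MAILLIST with sendEmail.
# The SMTP password is read from the file named by SMTP_PASS_FILE (first line) when
# that variable is set and the file is readable; otherwise the legacy value embedded
# in the script is used. Keep that file root-only. Note that sendEmail takes the
# password as a command-line option, so it is visible in the process list while the
# command runs regardless of where it was loaded from.
# Globals:  MAIL_TXT, SENDMAIL, MAILLIST (read); SMTP_PASS_FILE (optional, read)
# Returns:  the exit status of sendEmail
function sendmsg()
{
  local smtp_pass
  if [[ -n "${SMTP_PASS_FILE:-}" && -r "${SMTP_PASS_FILE}" ]]; then
    IFS= read -r smtp_pass < "${SMTP_PASS_FILE}"
  else
    smtp_pass=xxoo   # legacy hard-coded credential, kept only for compatibility
  fi
  "${SENDMAIL}" -f "nagios@onecloud.cn" -t "${MAILLIST}" -s 192.168.1.99 \
    -u "Mail server anti attack record mail" \
    -xu nagios@onecloud.cn -xp "${smtp_pass}" \
    -o message-content-type=text/html -o message-charset=utf8 < "${MAIL_TXT}"
}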
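# Main loop: scan for flooding addresses, release expired blocks once a day, check
# the mail queue, and e-mail a report whenever something was recorded.
# Globals:  SCAN_IP_TIMEOUT, IP_DENY_TMP, MAIL_QUEUE (read); MAIL_TXT (rewritten)
function main_app()
{
  local last_deblock_day="" now_day now_hhmm
  while true; do
    deny_ip_iptable
    # Run the daily release once per day, in the first cycle at or after 23:00.
    # Strings are compared rather than numbers: with -eq, bash reads "0800" and
    # "0900" as octal and reports an error, and a cycle that ran longer than the
    # minute 23:00 could skip the release entirely.
    now_day=$(date +"%F")
    now_hhmm=$(date +"%H%M")
    if [[ "${now_hhmm}" > "2259" && "${now_day}" != "${last_deblock_day}" ]]; then
      deblock_ip
      last_deblock_day=${now_day}
    fi
    mail_queue
    : > "${MAIL_TXT}"
    cat "${IP_DENY_TMP}" >> "${MAIL_TXT}"
    if [[ -s "${MAIL_QUEUE}" ]]; then
      awk '{print $1,"queue size is",$2,"Maybe the password is known to hackers, please change the password !!"}' "${MAIL_QUEUE}" >> "${MAIL_TXT}"
    fi
    if [[ -s "${MAIL_TXT}" ]]; then
      sendmsg
    fi
    sleep "${SCAN_IP_TIMEOUT}"
  done
}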
# Entry point: run the monitoring loop (never returns).
main_app