On a server I manage I found traces of a strange script being executed (found it in the Apache log),
so I blocked the IPs.
Like this:
#!/bin/bash
IPTABLES=/sbin/iptables
# kernel-side hardening: SYN cookies, ignore broadcast pings, reverse-path filtering
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done
fi
# start from empty INPUT/OUTPUT chains, allow loopback, drop invalid state
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
# accept already-established traffic, then drop web connections from each blacklisted source
$IPTABLES -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -s 112.167.216.73 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 112.168.224.105 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 112.202.6.187 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 112.203.135.58 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 113.53.197.110 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 114.143.146.238 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 114.185.151.212 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 114.36.27.184 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 114.79.19.205 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 115.134.21.192 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 117.207.96.37 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 117.213.117.134 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 118.152.54.220 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 118.243.176.126 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 118.8.43.25 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 120.28.255.217 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
------------ (omitted) ------------
I tested it this way, and it does work in that connections are blocked,
but if the blacklist has thousands of IPs, how should I block them? Is there a way to build it on a DB?
How do you all handle this?
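The question above asks how to handle a blacklist of thousands of addresses. Here is an added example (not from the post or the linked tuwlab script) that keeps the list in a file and loads it into one dedicated chain, so reloading means flushing that chain rather than editing the script; the chain name BLACKLIST, the file format and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: load a large blacklist from a file
# into its own iptables chain instead of hard-coding one rule per address.
# Assumptions: one IPv4 address or CIDR per line, '#' starts a comment.
IPTABLES=${IPTABLES:-/sbin/iptables}   # same variable name as the posted script
CHAIN=${CHAIN:-BLACKLIST}              # hypothetical chain name

# valid_ipv4_cidr ENTRY: returns 0 if ENTRY is a dotted quad, optionally with /0-32
valid_ipv4_cidr() {
    addr=${1%/*}; mask=${1#*/}
    [ "$mask" = "$1" ] && mask=32     # no slash: a single host
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gen_rules FILE: print the iptables commands that (re)load FILE into $CHAIN.
# Comments/blank lines dropped, duplicates collapsed, bad lines reported on stderr;
# printing instead of executing lets you review the result before running it as root.
gen_rules() {
    echo "$IPTABLES -N $CHAIN 2>/dev/null || $IPTABLES -F $CHAIN"
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$' | sort -u | while read -r entry; do
        if valid_ipv4_cidr "$entry"; then
            echo "$IPTABLES -A $CHAIN -s $entry -j DROP"
        else
            echo "skipping invalid entry: $entry" >&2
        fi
    done
    # one jump from INPUT covers the whole list; delete first so it is not added twice
    echo "$IPTABLES -D INPUT -p tcp --dport 80 -j $CHAIN 2>/dev/null"
    echo "$IPTABLES -I INPUT 1 -p tcp --dport 80 -j $CHAIN"
}

# Constructed sample list (RFC 5737 documentation addresses) so this runs stand-alone
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
192.0.2.10          # single host
192.0.2.10          # duplicate, kept once
198.51.100.0/24     # whole network
203.0.113.300       # bad octet, skipped
EOF
gen_rules "$SAMPLE"
rm -f "$SAMPLE"
```

Pipe the output into `sh` once you are happy with it; because the rules live in their own chain, a changed file only requires running the generated commands again.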
이지포토
http://tuwlab.com/8497
I tried it and it really works well. For now I have blocked all Chinese IPs.
[root@localhost rc.d]# /etc/init.d/iptables status
테이블: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
테이블: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.0.1.0-1.0.3.255
2 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.0.8.0-1.0.15.255
3 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.0.32.0-1.0.63.255
4 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.1.0.0-1.1.0.255
5 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.1.2.0-1.1.63.255
6 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.2.0.0-1.2.2.255
7 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.2.4.0-1.2.127.255
8 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.3.0.0-1.3.255.255
9 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.4.1.0-1.4.127.255
10 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.8.0.0-1.8.255.255
11 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.10.0.0-1.10.9.255
12 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.10.11.0-1.10.127.255
13 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.12.0.0-1.15.255.255
14 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.24.0.0-1.31.255.255
15 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.45.0.0-1.45.255.255
16 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.48.0.0-1.51.255.255
17 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.56.0.0-1.63.255.255
18 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.68.0.0-1.71.255.255
19 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.80.0.0-1.95.255.255
20 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.116.0.0-1.119.255.255
21 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.180.0.0-1.185.255.255
22 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.188.0.0-1.199.255.255
23 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.202.0.0-1.207.255.255
24 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 5.10.70.40-5.10.70.43
25 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 5.10.70.80-5.10.70.87
26 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 5.10.71.233-5.10.71.233
27 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 5.10.72.80-5.10.72.95
28 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 5.10.74.40-5.10.74.159
.... (omitted) .....
All 2,800 Chinese IP ranges blocked, heh
It seems easiest to just block all of China and Southeast Asia.
It was really bad.
!...Good info/tip...!
...
If you want to block a specific country, you can attach geoip as an iptables extension, so it is worth checking out.
You only need to download the database file automatically and restart iptables for it to take effect.
The problem, however, is that using GeoIP with iptables may require recompiling the kernel.
On CentOS 6.3 at least, GeoIP could not be used with iptables on the stock kernel.