While administering the server I found traces of a strange script being executed (found it in the Apache log), so I blocked the IPs.
Like this:
#!/bin/bash
IPTABLES=/sbin/iptables
# Kernel hardening sysctls: SYN cookies, ignore broadcast pings, reverse-path filtering
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$f"
    done
fi
# Flush the INPUT/OUTPUT chains and rebuild them
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Blacklist: one DROP rule per source address for connections to the web port
$IPTABLES -A INPUT -s 112.167.216.73 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 112.168.224.105 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 112.202.6.187 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 112.203.135.58 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 113.53.197.110 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 114.143.146.238 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 114.185.151.212 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 114.36.27.184 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 114.79.19.205 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 115.134.21.192 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 117.207.96.37 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 117.213.117.134 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 118.152.54.220 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 118.243.176.126 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 118.8.43.25 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A INPUT -s 120.28.255.217 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j DROP
------------ (omitted) ------------
I tested it this way, and blocking the connection itself does work fine,
but if the blacklist has thousands of IPs, how should I block them? Is there a way to build it with a DB?
How do you all deal with this?
이지포토
http://tuwlab.com/8497
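As an added example (not code from the original post or its replies), a Python helper for the "thousands of blacklisted IPs" question: it reads a blacklist in the three formats seen in this thread (single IPs, "first-last" ranges as `iptables status` prints them, CIDR blocks), collapses duplicates and adjacent ranges into the smallest CIDR set with the standard ipaddress module, refuses a list that would also drop an allow-listed management address, and emits DROP rules in the shape of the original script. The sample list and the 203.0.113.10 management address are constructed.

```python
import ipaddress
from typing import List

# Constructed sample blacklist in the formats seen in this thread: single IPs,
# "first-last" ranges (as `iptables status` prints) and CIDR blocks; one duplicate.
SAMPLE_BLACKLIST = """
112.167.216.73
112.168.224.105
112.168.224.105          # duplicate entry, must collapse to one rule
1.0.1.0-1.0.3.255
5.10.70.40-5.10.70.43
1.0.8.0/21
"""
# Never drop these (e.g. the admin's own source IP). Constructed placeholder.
NEVER_BLOCK = [ipaddress.ip_network("203.0.113.10/32")]

def parse_entry(entry: str) -> List[ipaddress.IPv4Network]:
    """One blacklist line -> CIDR networks; comments and blank lines yield []."""
    entry = entry.split("#", 1)[0].strip()
    if not entry:
        return []
    if "-" in entry:  # iprange style first-last, may need several CIDRs
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]

def conflicts(nets, allow=NEVER_BLOCK) -> List[ipaddress.IPv4Network]:
    """Networks in `nets` that would also drop an allow-listed address."""
    return [n for n in nets if any(n.overlaps(a) for a in allow)]

def collapse_blacklist(text: str, allow=NEVER_BLOCK) -> List[ipaddress.IPv4Network]:
    """Parse, deduplicate and merge entries into the smallest sorted CIDR set,
    refusing a list that would lock out an allowed host."""
    nets = [n for line in text.splitlines() for n in parse_entry(line)]
    collapsed = list(ipaddress.collapse_addresses(nets))
    bad = conflicts(collapsed, allow)
    if bad:
        raise ValueError(f"blacklist overlaps allow-list: {bad}")
    return collapsed

def iptables_rules(nets, chain="INPUT", port=80) -> List[str]:
    """One DROP rule per collapsed network, in the shape the original script uses."""
    return [f"iptables -A {chain} -s {n} -p tcp --dport {port} -j DROP" for n in nets]

if __name__ == "__main__":
    for rule in iptables_rules(collapse_blacklist(SAMPLE_BLACKLIST)):
        print(rule)
```

Fewer, wider rules also keep the linear INPUT chain short, which matters because iptables evaluates every rule in order for each new packet.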
Tried it and it works really well. For now I've blocked all the Chinese IPs.
[root@localhost rc.d]# /etc/init.d/iptables status
테이블: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
테이블: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.0.1.0-1.0.3.255
2 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.0.8.0-1.0.15.255
3 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.0.32.0-1.0.63.255
4 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.1.0.0-1.1.0.255
5 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.1.2.0-1.1.63.255
6 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.2.0.0-1.2.2.255
7 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.2.4.0-1.2.127.255
8 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.3.0.0-1.3.255.255
9 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.4.1.0-1.4.127.255
10 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.8.0.0-1.8.255.255
11 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.10.0.0-1.10.9.255
12 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.10.11.0-1.10.127.255
13 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.12.0.0-1.15.255.255
14 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.24.0.0-1.31.255.255
15 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.45.0.0-1.45.255.255
16 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.48.0.0-1.51.255.255
17 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.56.0.0-1.63.255.255
18 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.68.0.0-1.71.255.255
19 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.80.0.0-1.95.255.255
20 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.116.0.0-1.119.255.255
21 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.180.0.0-1.185.255.255
22 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.188.0.0-1.199.255.255
23 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 1.202.0.0-1.207.255.255
24 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 5.10.70.40-5.10.70.43
25 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 5.10.70.80-5.10.70.87
26 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 5.10.71.233-5.10.71.233
27 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 5.10.72.80-5.10.72.95
28 DROP all -- 0.0.0.0/0 0.0.0.0/0 source IP range 5.10.74.40-5.10.74.159
.... (omitted) .....
2800 Chinese IP ranges, all blocked.. lol
It seems easiest to just block all of China and Southeast Asia.
It was really bad.
!...Good info/TIP...!
...
If you want to block specific countries, you can attach geoip as an iptables extension, so it may be worth checking out.
You just download the database file automatically and restart iptables, and it takes effect.
The problem, though, is that to use GeoIP in iptables you may have to recompile the kernel.
In the case of CentOS 6.3 at the moment, I couldn't use GeoIP in iptables with the stock kernel.