去评论
dz插件网

DZ插件网手工扛SYN DDOS攻击之全自动监测高连接数超过阈值自动封锁屏蔽IP并自动放行蜘蛛IP和白名单自动监测执行脚本

admin
2025/09/01 21:19:55
DZ插件网手工扛SYN DDOS攻击之全自动监测高连接数超过阈值自动封锁屏蔽IP并自动放行蜘蛛IP和白名单自动监测执行脚本:

创建脚本:
  1. vi /usr/local/sbin/auto_block_ip.sh
复制DZ插件网优化后的内容:
  1. #!/bin/bash

  3. # 高级IP自动屏蔽脚本 - 针对高连接数攻击
  4. # 功能: 检测ESTABLISHED连接数超标的IP,并自动屏蔽,排除蜘蛛和白名单。

  6. # ===== 配置区域 (请根据您的环境修改) =====

  8. # 连接数阈值
  9. CONNECTION_THRESHOLD=68     # 超过这个数值的IP将被封锁
  10. LOG_ONLY_THRESHOLD=60       # 超过此值但未达封锁阈值的IP,仅记录日志

  12. # 封锁类型
  13. # TEMP: 临时封锁,使用iptables的Recent模块,一段时间后自动解封
  14. # PERM: 永久封锁,使用iptables的DROP规则
  15. BLOCK_TYPE="TEMP"

  17. # 临时封锁的过期时间(秒)(仅在BLOCK_TYPE="TEMP"时有效)
  18. TEMP_BLOCK_EXPIRE=3600      # 3600秒 = 1小时

  20. # 白名单文件路径(每行一个IP或CIDR网段)
  21. WHITELIST_FILE="/etc/ddos/ignore.ip.list"

  23. # 日志文件路径
  24. LOG_FILE="/var/log/auto_block_ip.log"

  26. # 最大日志文件大小(KB),超过则滚动
  27. MAX_LOG_SIZE=10240

  29. # 定义常见搜索引擎蜘蛛的IP段(CIDR格式)
  30. # 这是一个基础列表,您可能需要根据实际情况扩充
  31. SPIDER_NETS=(
  32. #百度
  33. "180.76.15.0/24"
  34. "124.166.232.0/24"
  35. "116.179.32.0/24"
  36. "180.76.5.0/24"
  37. "61.135.168.0/24"
  38. "61.135.186.0/24"
  39. "111.206.221.0/24"
  40. "116.179.37.0/24"
  41. "111.206.198.0/24"
  42. "113.24.225.0/24"
  43. "123.125.71.0/24"
  44. "220.181.108.0/24"
  45. "119.63.198.0/24"
  46. "123.125.68.0/24"
  47. "180.149.133.0/24"
  48. "123.125.66.0/24"
  49. "119.63.195.0/24"
  50. "220.181.32.0/24"
  51. "123.125.143.0/24"
  52. "61.135.165.0/24"
  53. "173.82.106.0/24"
  54. "61.135.162.0/24"
  55. "61.135.169.0/24"
  56. "64.20.40.0/24"
  57. "199.188.107.0/24"
  58. "180.101.52.0/24"
  59. "137.175.22.0/24"
  60. "124.64.200.0/24"
  61. "45.136.113.0/24"
  62. "209.141.35.0/24"
  63. "207.154.236.0/24"
  64. "180.149.143.0/24"
  65. "115.239.212.0/24"
  66. "58.217.202.0/24"
  67. "173.82.206.0/24"
  68. #谷歌
  69. "2001:4860:4801:10::/64"
  70. "2001:4860:4801:11::/64"
  71. "2001:4860:4801:12::/64"
  72. "2001:4860:4801:13::/64"
  73. "2001:4860:4801:14::/64"
  74. "2001:4860:4801:15::/64"
  75. "2001:4860:4801:16::/64"
  76. "2001:4860:4801:17::/64"
  77. "2001:4860:4801:18::/64"
  78. "2001:4860:4801:19::/64"
  79. "2001:4860:4801:1a::/64"
  80. "2001:4860:4801:1b::/64"
  81. "2001:4860:4801:1c::/64"
  82. "2001:4860:4801:1d::/64"
  83. "2001:4860:4801:1e::/64"
  84. "2001:4860:4801:1f::/64"
  85. "2001:4860:4801:20::/64"
  86. "2001:4860:4801:21::/64"
  87. "2001:4860:4801:22::/64"
  88. "2001:4860:4801:23::/64"
  89. "2001:4860:4801:24::/64"
  90. "2001:4860:4801:25::/64"
  91. "2001:4860:4801:26::/64"
  92. "2001:4860:4801:27::/64"
  93. "2001:4860:4801:28::/64"
  94. "2001:4860:4801:29::/64"
  95. "2001:4860:4801:2::/64"
  96. "2001:4860:4801:2a::/64"
  97. "2001:4860:4801:2b::/64"
  98. "2001:4860:4801:2c::/64"
  99. "2001:4860:4801:2d::/64"
  100. "2001:4860:4801:2e::/64"
  101. "2001:4860:4801:2f::/64"
  102. "2001:4860:4801:30::/64"
  103. "2001:4860:4801:31::/64"
  104. "2001:4860:4801:32::/64"
  105. "2001:4860:4801:33::/64"
  106. "2001:4860:4801:34::/64"
  107. "2001:4860:4801:35::/64"
  108. "2001:4860:4801:36::/64"
  109. "2001:4860:4801:37::/64"
  110. "2001:4860:4801:38::/64"
  111. "2001:4860:4801:39::/64"
  112. "2001:4860:4801:3a::/64"
  113. "2001:4860:4801:3b::/64"
  114. "2001:4860:4801:3c::/64"
  115. "2001:4860:4801:3d::/64"
  116. "2001:4860:4801:3e::/64"
  117. "2001:4860:4801:3f::/64"
  118. "2001:4860:4801:40::/64"
  119. "2001:4860:4801:41::/64"
  120. "2001:4860:4801:42::/64"
  121. "2001:4860:4801:43::/64"
  122. "2001:4860:4801:44::/64"
  123. "2001:4860:4801:45::/64"
  124. "2001:4860:4801:46::/64"
  125. "2001:4860:4801:47::/64"
  126. "2001:4860:4801:48::/64"
  127. "2001:4860:4801:49::/64"
  128. "2001:4860:4801:4a::/64"
  129. "2001:4860:4801:4b::/64"
  130. "2001:4860:4801:4c::/64"
  131. "2001:4860:4801:4d::/64"
  132. "2001:4860:4801:4e::/64"
  133. "2001:4860:4801:50::/64"
  134. "2001:4860:4801:51::/64"
  135. "2001:4860:4801:52::/64"
  136. "2001:4860:4801:53::/64"
  137. "2001:4860:4801:54::/64"
  138. "2001:4860:4801:55::/64"
  139. "2001:4860:4801:56::/64"
  140. "2001:4860:4801:57::/64"
  141. "2001:4860:4801:60::/64"
  142. "2001:4860:4801:61::/64"
  143. "2001:4860:4801:62::/64"
  144. "2001:4860:4801:63::/64"
  145. "2001:4860:4801:64::/64"
  146. "2001:4860:4801:65::/64"
  147. "2001:4860:4801:66::/64"
  148. "2001:4860:4801:67::/64"
  149. "2001:4860:4801:68::/64"
  150. "2001:4860:4801:69::/64"
  151. "2001:4860:4801:6a::/64"
  152. "2001:4860:4801:6b::/64"
  153. "2001:4860:4801:6c::/64"
  154. "2001:4860:4801:6d::/64"
  155. "2001:4860:4801:6e::/64"
  156. "2001:4860:4801:6f::/64"
  157. "2001:4860:4801:70::/64"
  158. "2001:4860:4801:71::/64"
  159. "2001:4860:4801:72::/64"
  160. "2001:4860:4801:73::/64"
  161. "2001:4860:4801:74::/64"
  162. "2001:4860:4801:75::/64"
  163. "2001:4860:4801:76::/64"
  164. "2001:4860:4801:77::/64"
  165. "2001:4860:4801:78::/64"
  166. "2001:4860:4801:79::/64"
  167. "2001:4860:4801:7a::/64"
  168. "2001:4860:4801:7b::/64"
  169. "2001:4860:4801:80::/64"
  170. "2001:4860:4801:81::/64"
  171. "2001:4860:4801:82::/64"
  172. "2001:4860:4801:83::/64"
  173. "2001:4860:4801:84::/64"
  174. "2001:4860:4801:85::/64"
  175. "2001:4860:4801:86::/64"
  176. "2001:4860:4801:87::/64"
  177. "2001:4860:4801:88::/64"
  178. "2001:4860:4801:90::/64"
  179. "2001:4860:4801:91::/64"
  180. "2001:4860:4801:92::/64"
  181. "2001:4860:4801:93::/64"
  182. "2001:4860:4801:94::/64"
  183. "2001:4860:4801:95::/64"
  184. "2001:4860:4801:96::/64"
  185. "2001:4860:4801:97::/64"
  186. "2001:4860:4801:a0::/64"
  187. "2001:4860:4801:a1::/64"
  188. "2001:4860:4801:a2::/64"
  189. "2001:4860:4801:a3::/64"
  190. "2001:4860:4801:a4::/64"
  191. "2001:4860:4801:a5::/64"
  192. "2001:4860:4801:a6::/64"
  193. "2001:4860:4801:a7::/64"
  194. "2001:4860:4801:a8::/64"
  195. "2001:4860:4801:a9::/64"
  196. "2001:4860:4801:aa::/64"
  197. "2001:4860:4801:ab::/64"
  198. "2001:4860:4801:ac::/64"
  199. "2001:4860:4801:b0::/64"
  200. "2001:4860:4801:b1::/64"
  201. "2001:4860:4801:b2::/64"
  202. "2001:4860:4801:b3::/64"
  203. "2001:4860:4801:b4::/64"
  204. "2001:4860:4801:b5::/64"
  205. "2001:4860:4801:c::/64"
  206. "2001:4860:4801:f::/64"
  207. "192.178.4.0/27"
  208. "192.178.4.128/27"
  209. "192.178.4.160/27"
  210. "192.178.4.192/27"
  211. "192.178.4.32/27"
  212. "192.178.4.64/27"
  213. "192.178.4.96/27"
  214. "192.178.5.0/27"
  215. "192.178.6.0/27"
  216. "192.178.6.128/27"
  217. "192.178.6.160/27"
  218. "192.178.6.192/27"
  219. "192.178.6.224/27"
  220. "192.178.6.32/27"
  221. "192.178.6.64/27"
  222. "192.178.6.96/27"
  223. "192.178.7.0/27"
  224. "192.178.7.128/27"
  225. "192.178.7.160/27"
  226. "192.178.7.32/27"
  227. "192.178.7.64/27"
  228. "192.178.7.96/27"
  229. "34.100.182.96/28"
  230. "34.101.50.144/28"
  231. "34.118.254.0/28"
  232. "34.118.66.0/28"
  233. "34.126.178.96/28"
  234. "34.146.150.144/28"
  235. "34.147.110.144/28"
  236. "34.151.74.144/28"
  237. "34.152.50.64/28"
  238. "34.154.114.144/28"
  239. "34.155.98.32/28"
  240. "34.165.18.176/28"
  241. "34.175.160.64/28"
  242. "34.176.130.16/28"
  243. "34.22.85.0/27"
  244. "34.64.82.64/28"
  245. "34.65.242.112/28"
  246. "34.80.50.80/28"
  247. "34.88.194.0/28"
  248. "34.89.10.80/28"
  249. "34.89.198.80/28"
  250. "34.96.162.48/28"
  251. "35.247.243.240/28"
  252. "66.249.64.0/27"
  253. "66.249.64.128/27"
  254. "66.249.64.160/27"
  255. "66.249.64.192/27"
  256. "66.249.64.224/27"
  257. "66.249.64.32/27"
  258. "66.249.64.64/27"
  259. "66.249.64.96/27"
  260. "66.249.65.0/27"
  261. "66.249.65.128/27"
  262. "66.249.65.160/27"
  263. "66.249.65.192/27"
  264. "66.249.65.224/27"
  265. "66.249.65.32/27"
  266. "66.249.65.64/27"
  267. "66.249.65.96/27"
  268. "66.249.66.0/27"
  269. "66.249.66.128/27"
  270. "66.249.66.160/27"
  271. "66.249.66.192/27"
  272. "66.249.66.224/27"
  273. "66.249.66.32/27"
  274. "66.249.66.64/27"
  275. "66.249.66.96/27"
  276. "66.249.67.0/27"
  277. "66.249.68.0/27"
  278. "66.249.68.128/27"
  279. "66.249.68.160/27"
  280. "66.249.68.192/27"
  281. "66.249.68.32/27"
  282. "66.249.68.64/27"
  283. "66.249.68.96/27"
  284. "66.249.69.0/27"
  285. "66.249.69.128/27"
  286. "66.249.69.160/27"
  287. "66.249.69.192/27"
  288. "66.249.69.224/27"
  289. "66.249.69.32/27"
  290. "66.249.69.64/27"
  291. "66.249.69.96/27"
  292. "66.249.70.0/27"
  293. "66.249.70.128/27"
  294. "66.249.70.160/27"
  295. "66.249.70.192/27"
  296. "66.249.70.224/27"
  297. "66.249.70.32/27"
  298. "66.249.70.64/27"
  299. "66.249.70.96/27"
  300. "66.249.71.0/27"
  301. "66.249.71.128/27"
  302. "66.249.71.160/27"
  303. "66.249.71.192/27"
  304. "66.249.71.224/27"
  305. "66.249.71.32/27"
  306. "66.249.71.64/27"
  307. "66.249.71.96/27"
  308. "66.249.72.0/27"
  309. "66.249.72.128/27"
  310. "66.249.72.160/27"
  311. "66.249.72.192/27"
  312. "66.249.72.224/27"
  313. "66.249.72.32/27"
  314. "66.249.72.64/27"
  315. "66.249.72.96/27"
  316. "66.249.73.0/27"
  317. "66.249.73.128/27"
  318. "66.249.73.160/27"
  319. "66.249.73.192/27"
  320. "66.249.73.224/27"
  321. "66.249.73.32/27"
  322. "66.249.73.64/27"
  323. "66.249.73.96/27"
  324. "66.249.74.0/27"
  325. "66.249.74.128/27"
  326. "66.249.74.160/27"
  327. "66.249.74.192/27"
  328. "66.249.74.224/27"
  329. "66.249.74.32/27"
  330. "66.249.74.64/27"
  331. "66.249.74.96/27"
  332. "66.249.75.0/27"
  333. "66.249.75.128/27"
  334. "66.249.75.160/27"
  335. "66.249.75.192/27"
  336. "66.249.75.224/27"
  337. "66.249.75.32/27"
  338. "66.249.75.64/27"
  339. "66.249.75.96/27"
  340. "66.249.76.0/27"
  341. "66.249.76.128/27"
  342. "66.249.76.160/27"
  343. "66.249.76.192/27"
  344. "66.249.76.224/27"
  345. "66.249.76.32/27"
  346. "66.249.76.64/27"
  347. "66.249.76.96/27"
  348. "66.249.77.0/27"
  349. "66.249.77.128/27"
  350. "66.249.77.160/27"
  351. "66.249.77.192/27"
  352. "66.249.77.224/27"
  353. "66.249.77.32/27"
  354. "66.249.77.64/27"
  355. "66.249.77.96/27"
  356. "66.249.78.0/27"
  357. "66.249.78.32/27"
  358. "66.249.78.64/27"
  359. "66.249.78.96/27"
  360. "66.249.79.0/27"
  361. "66.249.79.128/27"
  362. "66.249.79.160/27"
  363. "66.249.79.192/27"
  364. "66.249.79.224/27"
  365. "66.249.79.32/27"
  366. "66.249.79.64/27"
  367. "66.249.79.96/27"
  368. "64.68.91.0/24"
  369. "192.178.5.0/24"
  370. "34.80.50.0/24"
  371. "66.249.68.0/24"
  372. "34.146.150.0/24"
  373. "34.152.50.0/24"
  374. "35.247.243.0/24"
  375. "64.68.88.0/24"
  376. "66.249.64.0/24"
  377. "34.118.66.0/24"
  378. "34.165.18.0/24"
  379. "192.178.6.0/24"
  380. "34.176.130.0/24"
  381. "34.64.82.0/24"
  382. "34.96.162.0/24"
  383. "66.249.66.0/24"
  384. "66.249.71.0/24"
  385. "34.88.194.0/24"
  386. "34.147.110.0/24"
  387. "34.101.50.0/24"
  388. "66.249.79.0/24"
  389. "34.155.98.0/24"
  390. "66.249.72.0/24"
  391. "66.249.69.0/24"
  392. "66.249.77.0/24"
  393. "34.118.254.0/24"
  394. "66.249.74.0/24"
  395. "95.216.227.0/24"
  396. "66.249.75.0/24"
  397. "34.175.160.0/24"
  398. "34.151.74.0/24"
  399. "66.249.76.0/24"
  400. "203.208.60.0/24"
  401. "34.100.182.0/24"
  402. "66.249.73.0/24"
  403. "66.249.70.0/24"
  404. "66.249.65.0/24"
  405. "34.89.10.0/24"
  406. "34.126.178.0/24"
  407. "34.89.198.0/24"
  408. "34.65.242.0/24"
  409. "66.249.78.0/24"
  410. "34.154.114.0/24"
  411. #360
  412. "123.6.49.0/24"
  413. "1.192.192.0/24"
  414. "1.192.195.0/24"
  415. "42.236.10.0/24"
  416. "42.236.12.0/24"
  417. "42.236.17.0/24"
  418. "42.236.101.0/24"
  419. "27.115.124.0/24"
  420. "180.163.220.0/24"
  421. #搜狗
  422. "121.229.156.0/24"
  423. "111.202.101.0/24"
  424. "106.120.173.0/24"
  425. "123.126.50.0/24"
  426. "223.109.255.0/24"
  427. "106.38.241.0/24"
  428. "112.86.225.0/24"
  429. "118.184.177.0/24"
  430. "123.125.109.0/24"
  431. "49.7.20.0/24"
  432. "61.135.159.0/24"
  433. "49.7.117.0/24"
  434. "223.109.252.0/24"
  435. "123.126.68.0/24"
  436. "58.250.125.0/24"
  437. "61.135.189.0/24"
  438. "220.181.125.0/24"
  439. "111.202.100.0/24"
  440. "111.202.103.0/24"
  441. "123.126.113.0/24"
  442. "49.7.21.0/24"
  443. "123.183.224.0/24"
  444. "106.120.188.0/24"
  445. "218.30.103.0/24"
  446. "220.181.124.0/24"
  447. "36.110.147.0/24"
  448. "123.125.125.0/24"
  449. "123.125.186.0/24"
  450. "61.135.158.0/24"
  451. "180.102.110.0/24"
  452. #雅虎
  453. "217.146.176.0/24"
  454. "74.6.168.0/24"
  455. "72.30.14.0/24"
  456. "67.195.49.0/24"
  457. "67.195.52.0/24"
  458. "106.10.186.0/24"
  459. "116.214.12.0/24"
  460. "124.108.101.0/24"
  461. "124.108.92.0/24"
  462. "209.131.41.0/24"
  463. "124.108.100.0/24"
  464. "216.252.126.0/24"
  465. "67.195.55.0/24"
  466. "67.195.83.0/24"
  467. "27.123.51.0/24"
  468. "203.84.194.0/24"
  469. "67.195.98.0/24"
  470. "183.177.73.0/24"
  471. "209.73.183.0/24"
  472. "202.165.111.0/24"
  473. "8.12.149.0/24"
  474. "119.160.246.0/24"
  475. "98.139.1.0/24"
  476. "66.196.90.0/24"
  477. "66.94.233.0/24"
  478. #必应
  479. "157.55.39.0/24"
  480. "207.46.13.0/24"
  481. "40.77.167.0/24"
  482. "13.66.139.0/24"
  483. "13.66.144.0/24"
  484. "52.167.144.0/24"
  485. "13.67.10.0/24"
  486. "13.69.66.0/24"
  487. "13.71.172.0/24"
  488. "139.217.52.0/24"
  489. "191.233.204.0/24"
  490. "20.36.108.0/24"
  491. "20.43.120.0/24"
  492. "40.79.131.0/24"
  493. "40.79.186.0/24"
  494. "52.231.148.0/24"
  495. "20.79.107.0/24"
  496. "51.105.67.0/24"
  497. "20.125.163.0/24"
  498. "40.77.188.0/24"
  499. "40.77.189.0/24"
  500. "40.77.190.0/24"
  501. "40.77.191.0/24"
  502. "65.55.210.0/24"
  503. "199.30.24.0/24"
  504. "199.30.25.0/24"
  505. "40.77.202.0/24"
  506. "40.77.139.0/24"
  507. "20.74.197.0/24"
  508. "20.15.133.0/24"
  509. "40.77.177.0/24"
  510. "40.77.178.0/24"
  511. "40.77.179.0/24"
  512. "65.55.212.0/24"
  513. "131.253.26.0/24"
  514. "65.55.219.0/24"
  515. "65.55.211.0/24"
  516. "40.77.162.0/24"
  517. "40.77.194.0/24"
  518. "157.56.0.0/24"
  519. "199.30.26.0/24"
  520. "65.55.213.0/24"
  521. "199.30.20.0/24"
  522. "65.55.208.0/24"
  523. "157.56.1.0/24"
  524. "65.52.110.0/24"
  525. "65.55.209.0/24"
  526. "131.253.38.0/24"
  527. "131.253.24.0/24"
  528. "131.253.27.0/24"
  529. "157.56.2.0/24"
  530. "65.55.215.0/24"
  531. "23.103.64.0/24"
  532. "65.55.25.0/24"
  533. "40.77.215.0/24"
  534. "61.131.4.0/24"
  535. "40.77.173.0/24"
  536. "202.89.235.0/24"
  537. "65.55.214.0/24"
  538. "202.101.96.0/24"
  539. "40.77.161.0/24"
  540. "40.77.221.0/24"
  541. "65.52.109.0/24"
  542. "40.77.220.0/24"
  543. "65.55.218.0/24"
  544. #头条
  545. "110.249.201.0/24"
  546. "110.249.202.0/24"
  547. "111.225.148.0/24"
  548. "111.225.149.0/24"
  549. "220.243.135.0/24"
  550. "220.243.136.0/24"
  551. "220.243.188.0/24"
  552. "220.243.189.0/24"
  553. "60.8.123.0/24"
  554. "60.8.151.0/24"
  555. "122.14.224.0/24"
  556. "122.14.225.0/24"
  557. "122.14.226.0/24"
  558. "122.14.227.0/24"
  559. #神马
  560. "42.156.139.0/24"
  561. "106.11.154.0/24"
  562. "42.120.161.0/24"
  563. "106.11.152.0/24"
  564. "106.11.153.0/24"
  565. "106.11.155.0/24"
  566. "106.11.158.0/24"
  567. "42.156.254.0/24"
  568. "106.11.159.0/24"
  569. "42.120.160.0/24"
  570. "42.156.136.0/24"
  571. "42.156.138.0/24"
  572. "106.11.156.0/24"
  573. "106.11.157.0/24"
  574. "42.156.137.0/24"
  575. "42.120.234.0/24"
  576. "42.120.235.0/24"
  577. "42.120.236.0/24"
  578. )

  580. # ===== 函数:记录日志 =====
  581. log_message() {
  582.     echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
  583. }

  585. # ===== 函数:检查IP是否在白名单或蜘蛛网段 =====
  586. is_whitelisted() {
  587.     local ip_to_check="$1"

  589.     # 检查用户自定义白名单文件
  590.     if [[ -f "$WHITELIST_FILE" ]]; then
  591.         if grep -qE "^($ip_to_check|.*/[0-9]+)$" "$WHITELIST_FILE"; then
  592.             return 0 # IP在白名单中
  593.         fi
  594.     fi

  596.     # 检查预定义的蜘蛛IP段
  597.     for net in "${SPIDER_NETS[@]}"; do
  598.         # 简单的CIDR匹配检查(对于精确生产环境,建议使用ipcalc等工具)
  599.         if [[ "$ip_to_check" == ${net%/*}.* ]] || ipcalc -n "$ip_to_check" | grep -q "Network:.*$net"; then
  600.             return 0 # IP在蜘蛛网段中
  601.         fi
  602.     done

  604.     return 1 # IP不在任何白名单中
  605. }

  607. # ===== 函数:滚动日志 =====
  608. rotate_log_if_needed() {
  609.     if [[ -f "$LOG_FILE" ]] && [[ $(du -k "$LOG_FILE" | cut -f1) -ge $MAX_LOG_SIZE ]]; then
  610.         mv -f "$LOG_FILE" "${LOG_FILE}.old"
  611.         touch "$LOG_FILE"
  612.         log_message "日志文件已滚动"
  613.     fi
  614. }

  616. # ===== 函数:封锁IP =====
  617. block_ip() {
  618.     local ip="$1"
  619.     local conn_count="$2"

  621.     # 检查是否已在白名单
  622.     if is_whitelisted "$ip"; then
  623.         log_message "忽略白名单/蜘蛛IP: $ip (连接数: $conn_count)"
  624.         return 1
  625.     fi

  627.     # 检查是否已被封锁(避免重复操作)
  628.     if iptables -nL | grep -q "$ip"; then
  629.         log_message "IP已被封锁,跳过: $ip"
  630.         return 1
  631.     fi

  633.     # 执行封锁
  634.     if [[ "$BLOCK_TYPE" == "TEMP" ]]; then
  635.         # 使用Recent模块进行临时封锁
  636.         iptables -I INPUT -s "$ip" -m recent --set --name BLOCKED_TEMP -j DROP
  637.         log_message "已临时封锁IP: $ip (连接数: $conn_count, 过期时间: ${TEMP_BLOCK_EXPIRE}秒)"
  638.     elif [[ "$BLOCK_TYPE" == "PERM" ]]; then
  639.         # 添加永久DROP规则
  640.         iptables -I INPUT -s "$ip" -j DROP
  641.         log_message "已永久封锁IP: $ip (连接数: $conn_count)"
  642.     else
  643.         log_message "错误: 未知的封锁类型: $BLOCK_TYPE"
  644.         return 1
  645.     fi
  646. }

  648. # ===== 主程序 =====

  650. # 检查root权限
  651. if [[ $EUID -ne 0 ]]; then
  652.     echo "错误: 此脚本必须以root权限运行!" >&2
  653.     exit 1
  654. fi

  656. # 确保日志文件存在
  657. touch "$LOG_FILE"
  658. rotate_log_if_needed

  660. log_message "开始执行高连接数IP检测..."

  662. # 获取所有ESTABLISHED状态的TCP连接,提取IP,统计连接数
  663. # 使用 'ss' 命令,它是 netstat 的现代替代品,更高效准确
  664. declare -A ip_connections # 使用关联数组来计数

  666. # 解析 ss 命令的输出
  667. while read -r line; do
  668.     if [[ -n "$line" ]]; then
  669.         ((ip_connections["$line"]++))
  670.     fi
  671. done < <(ss -ntu state established | awk '{split($5, a, ":"); print a[1]}' | sort | uniq -c | awk '{if($1>0) print $2}')

  673. # 处理每个IP
  674. for ip in "${!ip_connections[@]}"; do
  675.     count=${ip_connections["$ip"]}

  677.     # 跳过本地环回和空地址
  678.     [[ "$ip" == "127.0.0.1" || "$ip" == "0.0.0.0" || "$ip" == "::1" ]] && continue

  680.     # 判断连接数级别并采取相应措施
  681.     if [[ $count -ge $CONNECTION_THRESHOLD ]]; then
  682.         log_message "警报!IP连接数超高: $ip (连接数: $count),执行封锁..."
  683.         block_ip "$ip" "$count"
  684.     elif [[ $count -ge $LOG_ONLY_THRESHOLD ]]; then
  685.         log_message "警告!IP连接数偏高: $ip (连接数: $count),已记录。"
  686.     fi
  687. done

  689. log_message "高连接数IP检测完成。"

  691. exit 0
创建日志空文件:
  1. touch /var/log/auto_block_ip.log
其中白名单文件 /etc/ddos/ignore.ip.list 参考和共用:
https://www.dz-x.net/t/149134/1/1.html

赋予执行权限:
  1. chmod +x /usr/local/sbin/auto_block_ip.sh
配置Logrotate进行日志滚动
  1. sudo vi /etc/logrotate.d/auto_block_ip
添加以下内容:
  1. /var/log/auto_block_ip.log {
  2.     daily
  3.     missingok
  4.     rotate 7
  5.     compress
  6.     delaycompress
  7.     notifempty
  8.     create 644 root root
  9. }
部署为系统服务:

创建Systemd服务文件/etc/systemd/system/auto-block-ip.service:
  1. [Unit]
  2. Description=Auto Block IP Service
  3. After=network.target
  4. Wants=auto-block-ip.timer

  6. [Service]
  7. Type=oneshot
  8. User=root
  9. ExecStart=/usr/local/sbin/auto_block_ip.sh

  11. # 日志配置
  12. StandardOutput=syslog
  13. StandardError=syslog
  14. SyslogIdentifier=auto-block-ip

  16. # 安全限制
  17. NoNewPrivileges=yes
  18. ProtectSystem=strict
  19. ProtectHome=read-only
  20. PrivateTmp=yes

  22. [Install]
  23. WantedBy=multi-user.target
创建定时器文件/etc/systemd/system/auto-block-ip.timer,实现每15秒执行一次(如果效果不满意可以设置10秒或5秒自动执行一次):
  1. [Unit]
  2. Description=Run Auto Block IP every 20 seconds
  3. Requires=auto-block-ip.service

  5. [Timer]
  6. # 启动后30秒开始第一次执行
  7. OnBootSec=30s
  8. # 之后每20秒执行一次
  9. OnUnitActiveSec=20s
  10. # 确保准确性
  11. AccuracySec=1s
  12. # 如果上次执行未完成,是否并行执行(no表示等待)
  13. Unit=auto-block-ip.service

  15. [Install]
  16. WantedBy=timers.target
创建RSyslog配置/etc/rsyslog.d/auto-block-ip.conf
  1. # 为自动屏蔽IP服务创建专用日志
  2. if $programname == 'auto-block-ip' then /var/log/auto-block-ip.log
  3. & stop
启用并启动服务:
  1. # 重新加载Systemd配置
  2. sudo systemctl daemon-reload

  4. # 启用并启动定时器
  5. sudo systemctl enable auto-block-ip.timer
  6. sudo systemctl start auto-block-ip.timer

  8. # 启用日志配置
  9. sudo systemctl restart rsyslog

  11. # 检查服务状态
  12. sudo systemctl status auto-block-ip.timer
  13. sudo systemctl status auto-block-ip.service

  15. # 查看定时器列表
  16. systemctl list-timers --all
创建监控脚本/usr/local/sbin/monitor_auto_block.sh(每20秒检查服务状态)
  1. #!/bin/bash

  3. # 监控自动屏蔽IP服务的脚本
  4. SERVICE="auto-block-ip.timer"
  5. LOG_FILE="/var/log/service_monitor.log"
  6. MAX_LOG_SIZE=10240

  8. # 函数:记录日志
  9. log_message() {
  10.     echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
  11. }

  13. # 函数:滚动日志
  14. rotate_log() {
  15.     if [ -f "$LOG_FILE" ] && [ $(du -k "$LOG_FILE" | cut -f1) -ge $MAX_LOG_SIZE ]; then
  16.         mv -f "$LOG_FILE" "${LOG_FILE}.old"
  17.         touch "$LOG_FILE"
  18.     fi
  19. }

  21. # 主循环
  22. while true; do
  23.     rotate_log
  24.    
  25.     # 检查服务状态
  26.     if ! systemctl is-active --quiet "$SERVICE"; then
  27.         log_message "警告: $SERVICE 未运行,尝试重启..."
  28.         systemctl restart "$SERVICE"
  29.         
  30.         # 再次检查是否启动成功
  31.         sleep 5
  32.         if systemctl is-active --quiet "$SERVICE"; then
  33.             log_message "成功: $SERVICE 已重启"
  34.         else
  35.             log_message "错误: $SERVICE 重启失败"
  36.         fi
  37.     fi
  38.    
  39.     # 等待20秒后再次检查
  40.     sleep 20
  41. done
设置监控脚本权限并创建服务:
  1. sudo chmod +x /usr/local/sbin/monitor_auto_block.sh
创建监控服务文件/etc/systemd/system/monitor-auto-block.service
  1. [Unit]
  2. Description=Monitor for Auto Block IP Service
  3. After=network.target

  5. [Service]
  6. Type=simple
  7. ExecStart=/usr/local/sbin/monitor_auto_block.sh
  8. Restart=always
  9. RestartSec=10

  11. [Install]
  12. WantedBy=multi-user.target
启用并启动监控服务:
  1. sudo systemctl daemon-reload
  2. sudo systemctl enable monitor-auto-block.service
  3. sudo systemctl start monitor-auto-block.service


如果不想用了完整卸载:
停止并禁用定时器和服务
首先停止并禁用所有相关的定时器和服务,防止它们再次启动。
  1. # 停止并禁用 auto-block-ip 的定时器和服务
  2. sudo systemctl stop auto-block-ip.timer
  3. sudo systemctl disable auto-block-ip.timer
  4. sudo systemctl stop auto-block-ip.service
  5. sudo systemctl disable auto-block-ip.service

  7. # 停止并禁用监控脚本的服务
  8. sudo systemctl stop monitor-auto-block.service
  9. sudo systemctl disable monitor-auto-block.service

删除Systemd单元文件
这些文件是服务和定时器的定义所在,必须删除才能算彻底卸载
  1. # 删除 auto-block-ip 的.service和.timer文件
  2. sudo rm /etc/systemd/system/auto-block-ip.service
  3. sudo rm /etc/systemd/system/auto-block-ip.timer

  5. # 删除监控脚本的.service文件
  6. sudo rm /etc/systemd/system/monitor-auto-block.service
重新加载Systemd配置
删除单元文件后,需要让Systemd管理器知道配置发生了变化
  1. sudo systemctl daemon-reload

删除脚本文件和日志配置
接下来删除你之前创建的脚本和日志配置文件。
  1. # 删除主脚本和监控脚本
  2. sudo rm /usr/local/sbin/auto_block_ip.sh
  3. sudo rm /usr/local/sbin/monitor_auto_block.sh

  5. # 删除RSyslog的专用配置文件
  6. sudo rm /etc/rsyslog.d/auto-block-ip.conf
重启Rsyslog服务
让RSyslog重新加载配置,确保之前的专用日志配置已失效。
  1. sudo systemctl restart rsyslog
(可选) 清理日志文件
如果你希望彻底清理,可以删除脚本运行期间生成的所有日志文件。
  1. sudo rm -f /var/log/auto-block-ip.log /var/log/auto_block_ip.log /var/log/service_monitor.log
[此处包含隐藏内容,如果需要查看请回复]


如果你服务器CPU和内核不高于2H 2G,那么在每15~20秒扫描执行封堵的时候可能引起瞬时 CPU 占用过高,下面给出更加优化的解决方案,二选一即可:
基于ddos-deflate增强实时扫描高连接数 IP自动封禁超过阈值的 IP整合 Fail2ban、宝塔nginx防火墙、用户自定义白名单的防御攻击
https://www.dz-x.net/t/151053/1/1.html
来自: DZ插件网
进入原文参与互动