基于ddos-deflate增强实时扫描高连接数 IP自动封禁超过阈值的 IP整合 Fail2ban、宝塔nginx防火墙、用户自定义白名单的防御攻击
2025/09/02 22:44:56
鍩轰簬ddos-deflate澧炲己瀹炴椂鎵弿楂樿繛鎺ユ暟 IP鑷姩灏佺瓒呰繃闃堝€肩殑 IP鏁村悎 Fail2ban銆佸疂濉攏ginx闃茬伀澧欍€丷edis CC L7灞傞槻寰°€佺敤鎴疯嚜瀹氫箟鐧藉悕鍗曠殑闃插尽鏀诲嚮鑴氭湰锛氥€愨瓙猸愨瓙猸愨瓙鎺ㄨ崘锛銆
DZ鎻掍欢缃戠殑瀹為檯杩愮敤鏁堟灉鍥撅細
鏈鏇存柊鏃ュ織锛 [2025.9.13 缁堟瀬鏇存柊]
2025.9.13澧炲己闃插尽鍓嶇疆闃插尽鍙傛暟閰嶇疆锛歔鍗冲湪/etc/ddos 璺緞涓嬮潰鍒涘缓 host-thresholds.json]锛堜笅闈㈠煙鍚嶉兘鏇挎崲涓轰綘鑷繁瀹為檯鍩熷悕锛
鐩存帴鍛戒护鍒涘缓瀹屾暣 缃戠珯缁嗗垎棰楃矑搴﹂槻寰¢槇鍊煎紩瀵兼枃浠讹紙鍝€曞繕璁板垱寤 鑴氭湰涔熸湁鍐椾綑淇濆簳锛 锛
鍒涘缓瀹夎鑴氭湰锛
绮樿创濡備笅缁忚繃DZ鎻掍欢缃戜紭鍖栧疄鎴樼殑鏍稿績瀹夎鑴氭湰鍐呭锛氥€2025-09-13 鏇存柊骞跺疄娴嬮獙璇佹棤閿欙紝璇峰皢鑴氭湰鍐呭鐨勯儴鍒嗗弬鏁版牴鎹嚜宸卞疄闄呮儏鍐垫敼鍐欍€
瀹屾暣鑴氭湰鍐呭锛
銆愯寰楁壒閲忔悳绱⑩€滀綘鐨勨€濇浛鎹负浣犺嚜宸辩殑瀹為檯淇℃伅銆锛堟敞鎰忓畬鏁村鍒朵笉瑕佹湁浠讳綍鏍煎紡绗﹀彿缂栫爜閿欒锛
鍏朵腑鏉ユ簮鐧藉悕鍗曟枃浠跺弬鑰冩垨鑰呯洿鎺ュ€熺敤锛
鍚姩瀹夎骞堕儴缃查槻寰$郴缁锛
绮樿创鍒拌鍒掍换鍔℃渶鍚庝竴琛岋細锛堣繖閲岄璁剧殑鏄瘡鏃19锛30杩涜闃插尽姹囨姤锛屾敼涓轰綘鑷繁鎯宠鐨勬椂闂淬€傦級
甯哥敤鍛戒护锛氾紙濡傛灉鐧藉悕鍗曡В鏋愪笉瀹屾暣锛岃寰楋細sudo ddos-guard whitelist-reload 閲嶆柊瑁呰浇涓€娆℃墍鏈夋潵婧愮櫧鍚嶅崟锛
DZ鎻掍欢缃戠殑瀹為檯杩愮敤鏁堟灉鍥撅細
鏈鏇存柊鏃ュ織锛 [2025.9.13 缁堟瀬鏇存柊]
| 鍔熻兘鍒嗙被 | 鍔熻兘妯″潡 | v24.27 缁堟瀬鐗堢姸鎬 | 瀹¤璇存槑涓庝紭鍖栫偣 |
| 鏍稿績闃插尽寮曟搸 | L7 搴旂敤灞傞槻寰 | 鉁 鍖呭惈 | 瀹屾暣鍖呭惈CC銆佺伆鑹叉満鍣ㄤ汉銆丏iscuz!绮惧噯鎵撳嚮銆佹悳绱㈠紩鎿庝繚鎶ゃ€ |
| L4 缃戠粶灞傞槻寰 | 鉁 鍖呭惈 | 閲囩敤鏈€缁堜慨姝g殑awk $NF寮曟搸锛岀簿鍑嗙粺璁¤繛鎺ユ暟銆 | |
| 鏅鸿兘闃插尽浣撶郴 | 鑷€傚簲鏀诲嚮妯″紡 | 鉁 鍖呭惈 | 鍙牴鎹叏灞€娴侀噺锛岃嚜鍔ㄥ崌闄峀4鍜孡7闃插尽闃堝€笺€ |
| 娓愯繘寮忓皝绂 | 鉁 鍖呭惈 | 瀹屾暣瀹炵幇锛氬鍙嶅鏀诲嚮鐨処P鑷姩鍗囩骇灏佺鏃堕暱锛岀洿鑷虫案涔呭皝绂併€ | |
| 鎭舵剰IP鎯呮姤搴 | 鉁 鍖呭惈 | 瀹屾暣瀹炵幇锛氭案涔呰褰曡鈥滈《鏍煎缃氣€濈殑IP锛屼究浜庡彇璇併€ | |
| 鑷繘鍖栫櫧鍚嶅崟 | 鉁 鍖呭惈 | 瀹屾暣瀹炵幇锛氬彲瀹氭湡浠嶤DN鏈嶅姟鍟嗚嚜鍔ㄨ幏鍙栧苟鏇存柊IP鍒楄〃銆 | |
| Redis CC鍘熷瓙寮曟搸 | 鉁 鍖呭惈 | 瀹屾暣瀹炵幇锛氬紩鍏モ€淩edis鍘熺敓CC闃插尽寮曟搸鈥濓紝鑷姩妫€娴嬪苟浣跨敤Redis缂撳瓨锛屾瀬澶ч檷浣庣鐩業/O銆 | |
| 鍔ㄦ€佹壂鎻忛鐜 | 鉁 鍖呭惈 | 瀹屾暣瀹炵幇锛氭敾鍑绘ā寮忎笅鑷姩鍔犻€熸壂鎻忥紝骞虫伅鍚庤嚜鍔ㄩ檷閫熴€ | |
| 鐪熷亣铚樿洓DNS鏍¢獙 | 鉁 鍖呭惈 | 閫氳繃DNS鍙屽悜瑙f瀽锛100%璇嗗埆浼鎴愭牳蹇冩悳绱㈠紩鎿庣殑鏀诲嚮鑰呫€ | |
| 鍛婅涓庝氦浜 | 鈥滅姸鎬+鎴樻姤鈥濆弻鍛婅 | 鉁 鍖呭惈 | 鍚屾椂鎷ユ湁鈥滆繘鍏/閫€鍑烘敾鍑绘ā寮忊€濈殑鐘舵€佸憡璀﹀拰鍖呭惈绮惧噯鏀诲嚮鍒楄〃鐨勨€滄壒娆℃垬鎶モ€濄€ |
| 鐢ㄦ埛瀹氬埗鍖栨牸寮 | 鉁 鍖呭惈 | 鍛婅鏍煎紡銆丒moji銆佹湇鍔″櫒IP绛夊潎宸叉寜鎮ㄧ殑鏈€缁堣姹傚畾鍒躲€ | |
| 鐧藉悕鍗曚笌璋冧紭 | 鍏ㄦ潵婧愮櫧鍚嶅崟 | 鉁 鍖呭惈 | 瀹屾暣鏀寔ignore.ip.list, ignore.host.list, 瀹濆, Fail2ban銆 |
| 鍐呮牳鍙傛暟璋冧紭 | 鉁 鍖呭惈 | tune鍛戒护瀹屾暣淇濈暀銆 | |
| 鐢ㄦ埛瀹氬埗鍖栭槇鍊 | 鉁 宸蹭慨姝 | L4灞傞槇鍊煎凡涓ユ牸鎸夌収DZ鎻掍欢缃戞渶缁堝疄璺 40/15/60 杩涜棰勮銆 | |
| 浠g爜璐ㄩ噺 | 瀹屾暣鎬т笌鍙鎬 | 鉁 100%淇濊瘉 | 鎵€鏈変唬鐮佸潎宸叉仮澶嶄负娓呮櫚銆佸甫缂╄繘鍜岃灏芥敞閲婄殑澶氳鏍煎紡锛屾棤浠讳綍鐪佺暐銆 |
鐩存帴鍛戒护鍒涘缓瀹屾暣 缃戠珯缁嗗垎棰楃矑搴﹂槻寰¢槇鍊煎紩瀵兼枃浠讹紙鍝€曞繕璁板垱寤 鑴氭湰涔熸湁鍐椾綑淇濆簳锛 锛
- sudo cat <<'EOF' > /etc/ddos/host-thresholds.json
- {
- "GLOBAL": {
- "NO_OF_SYN": 180,
- "NO_OF_EST": 260,
- "NO_OF_CONNTRACK": 15000
- },
- "default": {
- "HOST_WEIGHT": 1.0,
- "REQ_PER_MIN": { "L1": 30, "L2": 60, "L3": 120 },
- "SYN_PER_IP": 0,
- "EST_PER_IP": 0,
- "PATH_TIERS": [
- { "KIND": "PREFIX", "PAT": "/favicon.ico", "L1": 200, "L2": 400, "L3": 800 },
- { "KIND": "PREFIX", "PAT": "/static/", "L1": 200, "L2": 400, "L3": 800 }
- ]
- },
- "www.dz-x.net": {
- "HOST_WEIGHT": 1.0,
- "REQ_PER_MIN": { "L1": 28, "L2": 56, "L3": 112 },
- "SYN_PER_IP": 60,
- "EST_PER_IP": 90,
- "PATH_TIERS": [
- { "KIND": "PREFIX", "PAT": "/avatar.php", "L1": 10, "L2": 20, "L3": 40 },
- { "KIND": "REGEX", "PAT": "^/misc\\.php\\?mod=seccode", "L1": 6, "L2": 12, "L3": 24 },
- { "KIND": "REGEX", "PAT": "^/forum\\.php\\?mod=image", "L1": 8, "L2": 16, "L3": 32 },
- { "KIND": "PREFIX", "PAT": "/ajax.php", "L1": 12, "L2": 24, "L3": 48 },
- { "KIND": "REGEX", "PAT": "^/plugin\\.php\\?id=", "L1": 8, "L2": 16, "L3": 32 },
- { "KIND": "PREFIX", "PAT": "/search.php", "L1": 4, "L2": 8, "L3": 16 },
- { "KIND": "PREFIX", "PAT": "/home.php", "L1": 16, "L2": 32, "L3": 64 },
- { "KIND": "PREFIX", "PAT": "/member.php", "L1": 10, "L2": 20, "L3": 40 },
- { "KIND": "REGEX", "PAT": "^/forum\\.php\\?mod=viewthread", "L1": 14, "L2": 28, "L3": 56 },
- { "KIND": "PREFIX", "PAT": "/api/mobile/", "L1": 10, "L2": 20, "L3": 40 },
- { "KIND": "PREFIX", "PAT": "/uc_server/", "L1": 12, "L2": 24, "L3": 48 }
- ]
- },
- "demo.dz-x.net": {
- "HOST_WEIGHT": 0.8,
- "REQ_PER_MIN": { "L1": 24, "L2": 48, "L3": 96 },
- "SYN_PER_IP": 50,
- "EST_PER_IP": 80,
- "PATH_TIERS": [
- { "KIND": "PREFIX", "PAT": "/avatar.php", "L1": 10, "L2": 20, "L3": 40 },
- { "KIND": "REGEX", "PAT": "^/misc\\.php\\?mod=seccode", "L1": 6, "L2": 12, "L3": 24 },
- { "KIND": "PREFIX", "PAT": "/ajax.php", "L1": 12, "L2": 24, "L3": 48 },
- { "KIND": "REGEX", "PAT": "^/plugin\\.php\\?id=", "L1": 8, "L2": 16, "L3": 32 },
- { "KIND": "PREFIX", "PAT": "/search.php", "L1": 4, "L2": 8, "L3": 16 }
- ]
- }
- }
- EOF
鍒涘缓瀹夎鑴氭湰锛
- sudo vi /usr/local/sbin/ddos-guard
瀹屾暣鑴氭湰鍐呭锛
銆愯寰楁壒閲忔悳绱⑩€滀綘鐨勨€濇浛鎹负浣犺嚜宸辩殑瀹為檯淇℃伅銆锛堟敞鎰忓畬鏁村鍒朵笉瑕佹湁浠讳綍鏍煎紡绗﹀彿缂栫爜閿欒锛
- #!/usr/bin/env bash
- # ==============================================================================
- # ddos-guard v24.27-Stable (Debian 12 + BT Panel + Discuz! X3.5)
- # 鏍稿績娓呭崟锛堢畝瑕侊級
- # - BTWAF v4/v6 鐧藉悕鍗曡В鏋愶紝甯﹁缁嗘潵婧愮粺璁′笌涓侀拤鎺ㄩ€
- # - 缁熶竴鐧藉悕鍗曪細ignore.ip.list / ignore.host.list / BTWAF / Fail2ban ignoreip
- # - 鐧藉悕鍗曟洿鏂板悗鑷姩瑙e皝琚鏉€ IP锛屽甫瑙e皝璁℃暟
- # - nftables 寮曟搸锛坵l{4,6}/tmp{4,6}/bl{4,6}锛夛紝鍥為€€ iptables+ipset
- # - L4/L7 娣峰悎锛歋YN/EST per-IP銆佸叏灞€ CT锛岃嚜閫傚簲 GLOBAL 闃堝€硷紱Redis 鍘熷瓙璁℃暟鐨 L7 闄愰€
- # - 绔欑偣瑕嗗啓/鏉冮噸锛/etc/ddos/host-thresholds.json锛夛紝鐭獥 IP鈫扝ost 绱㈠紩
- # - 鐪熷亣铚樿洓锛圲A 妯″紡 + 鍙嶆煡/姝e悜鍥炶瘉锛夛紝Discuz 绮炬墦 + 娉涘姩鎬侀〉 CC
- # - 娓愯繘寮忓皝绂侊紙T1/T2/T3鈫掓案涔咃級锛屾伓鎰 IP 鎯呮姤搴擄紙鍩轰簬 Redis 璁℃暟锛
- # - 瀛愬懡浠わ細install / uninstall / run / daemon / status / top / history /
- # check / tune / tune-guide / whitelist-reload / whitelist-show /
- # ban / unban / flush-bans / blacklist / f2b-setup
- # ==============================================================================
- set -euo pipefail
- IFS=$'\n\t'
- SCRIPT_NAME="ddos-guard"
- SELF_PATH="/usr/local/sbin/${SCRIPT_NAME}"
- # ----------------------------- 杩愯鐩綍/鏃ュ織 --------------------------------
- LOG_FILE="/var/log/ddos-guard.log" # 鑴氭湰杩愯鏃ュ織
- BAN_HISTORY="/var/log/ddos-guard-history.csv" # 灏佺鍘嗗彶锛圕SV锛
- WORKDIR="/usr/local/ddos-deflate" # 鍏煎/淇濈暀鐨勬暟鎹洰褰
- RUNDIR="/run/ddos-guard" # 杩愯鎬佹暟鎹€佸揩鐓с€佽妭娴佹爣璁扮瓑
- TMPDIR="/tmp/ddos-guard" # 涓存椂鏂囦欢鐩綍
- mkdir -p "$WORKDIR" "$RUNDIR" "$TMPDIR"
- LOCK_FILE="/var/lock/ddos-guard.lock" # 璺ㄨ繘绋嬩簰鏂ラ攣
- LOCK_FD=200
- # ----------------------------- 澶栭儴渚濊禆 ------------------------------------
- SS=$(command -v ss || true)
- IPT=$(command -v iptables || true)
- IP6T=$(command -v ip6tables || true)
- IPSET=$(command -v ipset || true)
- CT=$(command -v conntrack || true)
- TAIL=$(command -v tail || true)
- GREP=$(command -v grep || true)
- AWK=$(command -v awk || true)
- SED=$(command -v sed || true)
- SORT=$(command -v sort || true)
- UNIQ=$(command -v uniq || true)
- CUT=$(command -v cut || true)
- HEAD=$(command -v head || true)
- DATE=$(command -v date || true)
- HOST=$(command -v host || true)
- PY3=$(command -v python3 || true)
- CURL=$(command -v curl || true)
- REDIS_CLI=$(command -v redis-cli || true)
- GETENT=$(command -v getent || true)
- STAT=$(command -v stat || true)
- SHA1=$(command -v sha1sum || command -v shasum || true)
- MD5=$(command -v md5sum || true)
- # ----------------------------- 閽夐拤鍛婅 ------------------------------------
- # - 璁剧疆 DINGTALK_WEBHOOK 鍗冲彲鍚敤閽夐拤鏈哄櫒浜
- # - 鍚岀被鍛婅鑺傛祦榛樿 600s锛10 鍒嗛挓锛
- DINGTALK_WEBHOOK="${DINGTALK_WEBHOOK:-https://oapi.dingtalk.com/robot/send?access_token=浣犻拤閽夌殑webhook鏈哄櫒浜轰俊鎭瘆"
- DINGTALK_THROTTLE_SEC="${DINGTALK_THROTTLE_SEC:-600}"
- ALERT_TS_DIR="$RUNDIR/alert-ts"; mkdir -p "$ALERT_TS_DIR"
- # ----------------------------- L4 鍏滃簳闃堝€ ---------------------------------
- # 鑻 /etc/ddos/host-thresholds.json 鐨 GLOBAL 娈靛瓨鍦紝浼氳鐩栬繖浜涒€滃厹搴曗€
- NO_OF_SYN=${NO_OF_SYN:-180} # 鍏ㄥ眬 SYN锛堟€婚噺锛夎Е鍙戠嚎
- NO_OF_EST=${NO_OF_EST:-260} # 鍏ㄥ眬 EST锛堟€婚噺锛夎Е鍙戠嚎
- NO_OF_CONNTRACK=${NO_OF_CONNTRACK:-15000} # 鍏ㄥ眬 conntrack锛堟€婚噺锛夎Е鍙戠嚎
- NO_OF_CT="$NO_OF_CONNTRACK"
- # 鏀诲嚮妯″紡涓 per-IP 鐨 L4 鏇翠弗闃堝€
- ENABLE_DYNAMIC_THRESHOLDS=${ENABLE_DYNAMIC_THRESHOLDS:-true}
- NO_OF_EST_ATTACK_MODE=${NO_OF_EST_ATTACK_MODE:-120} # 鍙傝€ www.dz-x.net/t/151300/1/1.html
- NO_OF_SYN_ATTACK_MODE=${NO_OF_SYN_ATTACK_MODE:-68} # 鍙傝€ www.dz-x.net/t/151300/1/1.html
- # L7 鍏滃簳闃堝€硷紙姣忚矾寰 L1 鍩虹嚎锛孒ost/Path tiers 浼氳鐩栵級
- CC_THRESHOLD=${CC_THRESHOLD:-30}
- CC_THRESHOLD_ATTACK_MODE=${CC_THRESHOLD_ATTACK_MODE:-5}
- # ----------------------------- 澶氱珯鐐规棩蹇 ----------------------------------
- # 璁块棶鏃ュ織锛圕C 鏃ュ織锛夛細涓€琛屼竴涓枃浠讹紱鏃犳硶浠庢棩蹇楄В鏋 Host 鏃讹紝鐢 LOG_HOST_MAP 鍏滃簳 [浠ヤ綘瀹濆闈㈡澘鐨勫疄闄呯綉绔欒闂棩蹇楄矾寰勪负鍑哴
- CC_LOG_PATHS=(
- "/www/wwwlogs/浣犵殑鍩熷悕1.log"
- "/www/wwwlogs/浣犵殑鍩熷悕2.log"
- "/www/wwwlogs/浣犵殑鍩熷悕3.log"
- "/www/wwwlogs/浣犵殑鍩熷悕4.log"
- "/www/wwwlogs/浣犵殑鍩熷悕5.log"
- )
- # 閿欒鏃ュ織锛坧erip 鍗囩骇绛夌嚎绱級锛氫竴琛屼竴涓枃浠
- ERROR_LOG_PATHS=(
- "/www/wwwlogs/浣犵殑鍩熷悕1.error.log"
- "/www/wwwlogs/浣犵殑鍩熷悕2.error.log"
- "/www/wwwlogs/浣犵殑鍩熷悕3.error.log"
- "/www/wwwlogs/浣犵殑鍩熷悕4.error.log"
- "/www/wwwlogs/浣犵殑鍩熷悕5.error.log"
- )
- # 鏃ュ織 鈫 Host 鐨勫洖閫€鏄犲皠锛堟鍒 鈫 鍩熷悕锛塠浠ヤ綘瀹濆闈㈡澘鐨勫疄闄呯綉绔欒闂棩蹇楄矾寰勪负鍑哴
- declare -A LOG_HOST_MAP=(
- ["^/www/wwwlogs/www\.浣犵殑\.鍩熷悕1鍚庣紑\.log$"]="浣犵殑鍩熷悕1"
- ["^/www/wwwlogs/www\.浣犵殑\.鍩熷悕1鍚庣紑\.error\.log$"]="浣犵殑鍩熷悕1"
- ["^/www/wwwlogs/www\.浣犵殑\.鍩熷悕2鍚庣紑\.log$"]="浣犵殑鍩熷悕2"
- ["^/www/wwwlogs/www\.浣犵殑\.鍩熷悕2鍚庣紑\.error\.log$"]="浣犵殑鍩熷悕2"
- ["^/www/wwwlogs/www\.浣犵殑\.鍩熷悕3鍚庣紑\.log$"]="浣犵殑鍩熷悕3"
- ["^/www/wwwlogs/www\.浣犵殑\.鍩熷悕3鍚庣紑\.error\.log$"]="浣犵殑鍩熷悕3"
- ["^/www/wwwlogs/www\.浣犵殑s\.鍩熷悕4鍚庣紑\.log$"]="浣犵殑鍩熷悕4"
- ["^/www/wwwlogs/www\.浣犵殑\.鍩熷悕4鍚庣紑\.error\.log$"]="浣犵殑鍩熷悕4"
- ["^/www/wwwlogs/www\.浣犵殑\.鍩熷悕5鍚庣紑\.log$"]="浣犵殑鍩熷悕5"
- ["^/www/wwwlogs/www\.p浣犵殑\.鍩熷悕5鍚庣紑\.error\.log$"]="浣犵殑鍩熷悕5"
- )
- # ----------------------------- Redis锛堥檺閫熶笌缂撳瓨锛 ------------------------
- ENABLE_RATE_LIMITING=${ENABLE_RATE_LIMITING:-true} # 鏄惁鍚敤 Redis L7 鍘熷瓙闄愰€
- RATELIMIT_TTL=${RATELIMIT_TTL:-600} # 璁℃暟 key 鐨 TTL锛堣鏄庢€э級
- RATELIMIT_RATE="${RATELIMIT_RATE:-15/minute}" # 璇存槑鎬ф樉绀
- CC_RATELIMIT_THRESHOLD=${CC_RATELIMIT_THRESHOLD:-15} # 10s 绐楀彛闃堝€硷紙INCR+EXPIRE锛
- # 鏃ュ織娓告爣缂撳瓨锛堟樉钁楅檷浣 I/O锛夛細渚濊禆 redis-cli 涓 stat
- LOG_CACHE_ENABLE=${LOG_CACHE_ENABLE:-true}
- LOG_CACHE_MAX_FALLBACK_LINES=${LOG_CACHE_MAX_FALLBACK_LINES:-20000}
- # ----------------------------- 铚樿洓 UA 绛栫暐 --------------------------------
- GOOD_BOT_PATTERN='Googlebot|Baiduspider|bingbot|Sogou|360Spider|YisouSpider|YoudaoBot|msnbot|Yahoo! Slurp|YandexBot|DNSPod-Monitor|AspiegelBot'
- SEMI_TRUST_BOTS='Bytespider|ToutiaoSpider'
- BAD_BOT_PATTERN='Applebot|Amazonbot|GPTBot|ClaudeBot|PetalBot|DataForSeoBot|meta-externalagent|okhttp|Thinkbot|MJ12bot|SemrushBot|AhrefsBot|DotBot|Scrapy|python-requests|aiohttp|curl|wget|python-urllib|Go-http-client|Java/|PycURL|httpx'
- declare -A GOOD_BOT_RDNS_SUFFIX=(
- ["Googlebot"]="\\.googlebot\\.com$|\\.google\\.com$"
- ["bingbot"]="\\.search\\.msn\\.com$|\\.bing\\.com$"
- ["Baiduspider"]="\\.baidu\\.com$|\\.baiducontent\\.com$"
- ["Sogou"]="\\.sogou\\.com$|\\.sogou\\.com\\.cn$"
- ["360Spider"]="\\.360\\.cn$|\\.haosou\\.com$|\\.so\\.com$"
- ["YisouSpider"]="\\.yisou\\.com$"
- ["YoudaoBot"]="\\.youdao\\.com$"
- ["YandexBot"]="\\.yandex\\.ru$|\\.yandex\\.net$"
- ["Yahoo! Slurp"]="\\.yahoo\\.com$|\\.yahoo\\.net$"
- ["msnbot"]="\\.msn\\.com$|\\.bing\\.com$"
- ["DNSPod-Monitor"]="\\.dnspod\\.cn$|\\.dnspod\\.com$"
- ["AspiegelBot"]="\\.aspiegel\\.com$|\\.petalbot\\.com$"
- )
- # ----------------------------- 鐧藉悕鍗曟簮 ------------------------------------
- IGNORE_IP_FILE="/etc/ddos/ignore.ip.list" # 涓€琛屼竴涓紙CIDR/鍗旾P锛夛紝鏀寔 # 娉ㄩ噴
- IGNORE_HOST_FILE="/etc/ddos/ignore.host.list" # 涓€琛屼竴涓煙鍚嶏紝瑙f瀽 A/AAAA
- BTWAF_IP_WHITE="${BTWAF_IP_WHITE:-/www/server/btwaf/rule/ip_white.json}" # IPv4 鏁村舰鎴栧尯闂
- BTWAF_IP_WHITE_V6="${BTWAF_IP_WHITE_V6:-/www/server/btwaf/rule/ip_white_v6.json}" # IPv6 CIDR/鍗曟
- # 鐧藉悕鍗曞憡璀﹁Е鍙戠瓥鐣ワ細浠呮牴鎹潵婧愭枃浠 mtime 鎺ㄩ€侊紙true/false锛
- WL_ALERT_BY_MTIME_ONLY=${WL_ALERT_BY_MTIME_ONLY:-true}
- # ----------------------------- Host/Path 闃堝€ JSON ------------------------
- THRESHOLDS_JSON="${THRESHOLDS_JSON:-/etc/ddos/host-thresholds.json}" # 妯℃澘鏂囦欢鍙傝€ www.dz-x.net/t/151053/1/1.html
- # ----------------------------- 鎵弿棰戠巼锛堝姩鎬侊級 ---------------------------
- SCAN_INTERVAL=${SCAN_INTERVAL:-8} # 姝e父鎬 systemd timer 鍛ㄦ湡锛堢锛
- ATTACK_SCAN_INTERVAL=${ATTACK_SCAN_INTERVAL:-2} # 鏀诲嚮鎬 timer 鍛ㄦ湡锛堢锛
- BAN_PERIOD=${BAN_PERIOD:-3600} # ipset 榛戝悕鍗曡秴鏃讹紙绉掞級
- # ----------------------------- ipset 鍚嶇О ---------------------------------
- SET_WL_V4="ddos_whitelist_v4"
- SET_WL_V6="ddos_whitelist_v6"
- SET_BL_V4="ddos_blacklist_v4"
- SET_BL_V6="ddos_blacklist_v6"
- SET_RL_V4="ddos_ratelimit_v4"
- SET_GB_V4="ddos_goodbots_v4"
- SET_ADMIN_V4="ddos_admin_v4"
- SET_RL_V6="ddos_ratelimit_v6"
- SET_GB_V6="ddos_goodbots_v6"
- # ----------------------------- 棰滆壊/鐘舵€ ----------------------------------
- C_R=$'\033[0;31m'; C_G=$'\033[0;32m'; C_Y=$'\033[0;33m'; C_B=$'\033[0;34m'; C_N=$'\033[0m'
- declare -a BANNED_THIS_RUN=()
- declare -a LIMITED_THIS_RUN=()
- # ----------------------------- 闃堝€肩紦瀛 -----------------------------------
- declare -A HT_HOST_WEIGHT HT_REQ_L1 HT_REQ_L2 HT_REQ_L3 HT_SYN_PERIP HT_EST_PERIP
- declare -A PT_KIND PT_PAT PT_L1 PT_L2 PT_L3 PT_COUNT
- GLOBAL_SYN=${GLOBAL_SYN:-0}; GLOBAL_EST=${GLOBAL_EST:-0}; GLOBAL_CT=${GLOBAL_CT:-0}
- # ----------------------------- 鐧藉悕鍗曞彉鏇存娴嬶紙Redis锛 --------------------
- WL_REDIS_NS="ddos:wl" # 鐧藉悕鍗曞懡鍚嶇┖闂
- WL_MTIME_SIG_FILE="$RUNDIR/wl.mtime.sig" # mtime 绛惧悕锛堟湰鍦板揩鐓э級
- # ----------------------------- 閫氱敤鍑芥暟 -----------------------------------
- log(){ echo "[$($DATE '+%F %T')] [ddos-guard] $*" | tee -a "$LOG_FILE"; }
- die(){ echo >&2 "${C_R}Error:${C_N} $*"; exit 1; }
- need_root(){ [ "$(id -u)" -eq 0 ] || die "闇€瑕 root 鏉冮檺杩愯銆"; }
- have(){ command -v "$1" >/dev/null 2>&1; }
- # 閿侊細鎵撳紑 + 闈為樆濉炲皾璇
- lock_open(){ exec {LOCK_FD}> "$LOCK_FILE" || die "鏃犳硶鎵撳紑閿佹枃浠讹細$LOCK_FILE"; }
- lock_try(){ flock -n "$LOCK_FD"; } # 鎷夸笉鍒伴攣杩斿洖闈 0
- lock_wait(){ flock "$LOCK_FD"; } # 闃诲绛夊緟
- # 鑾峰彇鍏綉 IP (楂樺彲鐢)
- get_public_ip(){
- local ip=""
- # 鏂规硶1: 渚濇灏濊瘯澶氫釜鍙潬鐨 HTTP 鏈嶅姟
- # 浣跨敤 --max-time 5 闃叉鎱㈤€熶紶杈撴寕璧
- local http_svcs=("ip.3322.net" "icanhazip.com" "ifconfig.me" "api.ipify.org" "ipinfo.io/ip" "whatismyip.akamai.com")
- if [ -n "$CURL" ]; then
- for svc in "${http_svcs[@]}"; do
- # 浣跨敤 head -n1 纭繚鍙彇绗竴琛岋紝闃叉鏈嶅姟杩斿洖棰濆淇℃伅
- ip=$($CURL -4 -s --connect-timeout 2 --max-time 5 "$svc" | head -n1)
- if is_ipv4 "$ip" || is_ipv6 "$ip"; then
- echo "$ip"
- return 0
- fi
- done
- fi
- # 鏂规硶2: 濡傛灉 HTTP 澶辫触锛岄檷绾у埌 DNS 鏌ヨ (浣跨敤 OpenDNS 鐨勮В鏋愬櫒)
- if [ -n "$HOST" ]; then
- ip=$(host myip.opendns.com resolver1.opendns.com 2>/dev/null | awk '/has address/ {print $NF}')
- if is_ipv4 "$ip"; then # OpenDNS 姝ゆ柟娉曢€氬父鍙繑鍥 IPv4
- echo "$ip"
- return 0
- fi
- fi
- # 濡傛灉鎵€鏈夋柟娉曢兘澶辫触锛岃繑鍥 N/A
- echo "N/A"
- }
- # ==============================================================================
- # 宸ュ叿锛欼P/鍩熷悕鍒ゅ埆涓庤浆鎹
- # ==============================================================================
- is_ipv4(){ [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] && IFS=. read -r a b c d <<<"$1" && ((a<=255&&b<=255&&c<=255&&d<=255)); }
- is_ipv6(){ [[ "$1" == *:* ]]; }
- is_cidr4(){ [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$ ]] && IFS='/.' read -r a b c d m <<<"${1//\//.}" && ((a<=255&&b<=255&&c<=255&&d<=255)); }
- is_cidr6(){ [[ "$1" =~ :/.+ ]] && [[ "${1##*/}" =~ ^([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ ]]; }
- is_ip_or_cidr(){ is_ipv4 "$1" || is_ipv6 "$1" || is_cidr4 "$1" || is_cidr6 "$1"; }
- is_private_ip(){
- local ip="$1"
- if have python3; then
- python3 - <<'PY' "$ip" || exit 1
- import ipaddress,sys
- ip=sys.argv[1]
- try:
- o=ipaddress.ip_address(ip)
- print("1" if (o.is_private or o.is_loopback or o.is_link_local or o.is_reserved) else "0")
- except: print("0")
- PY
- else
- [[ "$ip" =~ ^10\.|^127\.|^169\.254\.|^192\.168\.|^172\.(1[6-9]|2[0-9]|3[0-1])\. ]] && echo 1 || echo 0
- fi
- }
- resolve_host_to_ips(){
- local host="$1" out=()
- if have getent; then
- while read -r ip; do out+=("$ip"); done < <(getent ahosts "$host" | awk '{print $1}' | sort -u)
- elif have host; then
- while read -r ip; do out+=("$ip"); done < <(host -W1 "$host" 2>/dev/null | awk '/has address|IPv6 address/ {print $NF}' | sort -u)
- fi
- printf "%s\n" "${out[@]}" | sort -u
- }
- guess_host_from_file(){
- local file="$1" k
- for k in "${!LOG_HOST_MAP[@]}"; do [[ "$file" =~ $k ]] && { echo "${LOG_HOST_MAP[$k]}"; return 0; }; done
- echo "default"
- }
- ipset_members(){ $IPSET list "$1" 2>/dev/null | awk '/^Members:/ {flag=1; next} flag && NF {print $1}'; }
- # BTWAF IPv4 鏁村舰/鍖洪棿 鈫 CIDR/鍗 IP
- parse_btwaf_ipv4_json(){
- local json="$1"; [ -f "$json" ] || return 0
- [ -n "$PY3" ] || { log "璺宠繃 BTWAF IPv4锛氭湭瀹夎 python3"; return 0; }
- python3 - "$json" <<'PY' || exit 1
- import sys,json,ipaddress
- from math import log2, floor
- def range_to_cidrs(a,b):
- res=[]; cur=a
- while cur<=b:
- max_size = 32 - int(floor(log2((cur & -cur))))
- max_allowed = 32 - int(floor(log2(b - cur + 1)))
- mask = max(max_size, max_allowed)
- res.append(f"{str(ipaddress.IPv4Address(cur))}/{mask}")
- cur += (1 << (32-mask))
- return res
- p=sys.argv[1]
- data=json.load(open(p,'r',encoding='utf-8'))
- out=[]
- for it in data:
- if isinstance(it,list) and len(it)==2:
- a,b=int(it[0]),int(it[1])
- if a==b: out.append(str(ipaddress.IPv4Address(a)))
- else: out.extend(range_to_cidrs(a,b))
- elif isinstance(it,int):
- out.append(str(ipaddress.IPv4Address(it)))
- for line in out: print(line)
- PY
- }
- # BTWAF IPv6 鐩存帴璇诲彇锛堝瓧绗︿覆鎴栦竴缁 list锛
- parse_btwaf_ipv6_json(){
- local json="$1"; [ -f "$json" ] || return 0
- [ -n "$PY3" ] || { log "璺宠繃 BTWAF IPv6锛氭湭瀹夎 python3"; return 0; }
- python3 - "$json" <<'PY' || exit 1
- import sys,json
- data=json.load(open(sys.argv[1],'r',encoding='utf-8'))
- for it in data:
- if isinstance(it,list) and it:
- s=str(it[0]).strip()
- if s: print(s)
- elif isinstance(it,str):
- s=it.strip()
- if s: print(s)
- PY
- }
- # 鏈€杩 UA 鑾峰彇 + 鐪熷亣铚樿洓鏍¢獙
- recent_ua_by_ip(){
- local ip="$1" n="${2:-2000}" f ua
- for f in "${CC_LOG_PATHS[@]}"; do
- [ -f "$f" ] || continue
- ua=$($TAIL -n "$n" "$f" | $GREP -F " $ip " | awk -F" '{print $(NF-1)}' | tail -n 1)
- [ -n "$ua" ] && { echo "$ua"; return 0; }
- done
- echo ""
- }
- rdns_ptr(){ [ -n "$HOST" ] || { echo ""; return; }; host -W1 "$1" 2>/dev/null | awk '/pointer/ {gsub(/\.$/,"",$NF); print $NF; exit}'; }
- forward_confirms(){ local n="$1" ip="$2"; [ -z "$n" ] && { echo 0; return; }; local ips; ips=$(resolve_host_to_ips "$n" | tr '\n' ' '); [[ " $ips " == *" $ip "* ]] && echo 1 || echo 0; }
- good_bot_key_from_ua(){ local ua="$1" k; for k in "${!GOOD_BOT_RDNS_SUFFIX[@]}"; do echo "$ua" | $GREP -Eiq -- "$k" && { echo "$k"; return; }; done; echo ""; }
- classify_ua_for_ip(){
- local ip="$1"; local ua; ua="$(recent_ua_by_ip "$ip")"
- [ -z "$ua" ] && { echo "OTHER"; return; }
- if echo "$ua" | $GREP -Eiq -- "$GOOD_BOT_PATTERN"; then
- local key; key=$(good_bot_key_from_ua "$ua")
- if [ -n "$key" ]; then
- local ptr; ptr="$(rdns_ptr "$ip")"
- if [ -n "$ptr" ] && echo "$ptr" | $GREP -Eiq -- "${GOOD_BOT_RDNS_SUFFIX[$key]}"; then
- [ "$(forward_confirms "$ptr" "$ip")" = "1" ] && echo "GOOD" || echo "FAKEGOOD"
- else echo "FAKEGOOD"; fi
- return
- fi
- fi
- echo "$ua" | $GREP -Eiq -- "$SEMI_TRUST_BOTS" && { echo "SEMI"; return; }
- echo "$ua" | $GREP -Eiq -- "$BAD_BOT_PATTERN" && { echo "BAD"; return; }
- echo "OTHER"
- }
- # ==============================================================================
- # ipset/iptables 鍒濆鍖
- # ==============================================================================
- ensure_ipset_and_iptables(){
- have ipset || die "缂哄皯 ipset"
- have iptables || die "缂哄皯 iptables"
- $IPSET create "$SET_WL_V4" hash:net -exist maxelem 524288
- $IPSET create "$SET_WL_V6" hash:net -exist family inet6 maxelem 262144
- $IPSET create "$SET_BL_V4" hash:ip -exist maxelem 1048576 timeout "$BAN_PERIOD"
- $IPSET create "$SET_BL_V6" hash:ip -exist family inet6 maxelem 524288 timeout "$BAN_PERIOD"
- $IPSET create "$SET_RL_V4" hash:ip -exist maxelem 524288 timeout "$BAN_PERIOD"
- $IPSET create "$SET_GB_V4" hash:ip -exist maxelem 131072
- $IPSET create "$SET_ADMIN_V4" hash:ip -exist maxelem 1024 timeout 3600
- $IPSET create "$SET_RL_V6" hash:ip -exist family inet6 maxelem 524288 timeout "$BAN_PERIOD"
- $IPSET create "$SET_GB_V6" hash:ip -exist family inet6 maxelem 131072
- $IPT -C INPUT -m set --match-set "$SET_WL_V4" src -j ACCEPT 2>/dev/null || $IPT -I INPUT -m set --match-set "$SET_WL_V4" src -j ACCEPT
- $IPT -C INPUT -m set --match-set "$SET_BL_V4" src -j DROP 2>/dev/null || $IPT -I INPUT -m set --match-set "$SET_BL_V4" src -j DROP
- $IPT -C INPUT -m set --match-set "$SET_RL_V4" src -j DROP 2>/dev/null || $IPT -I INPUT -m set --match-set "$SET_RL_V4" src -j DROP
- if have ip6tables; then
- $IP6T -C INPUT -m set --match-set "$SET_WL_V6" src -j ACCEPT 2>/dev/null || $IP6T -I INPUT -m set --match-set "$SET_WL_V6" src -j ACCEPT
- $IP6T -C INPUT -m set --match-set "$SET_BL_V6" src -j DROP 2>/dev/null || $IP6T -I INPUT -m set --match-set "$SET_BL_V6" src -j DROP
- fi
- }
- # ==============================================================================
- # BTWAF 璺緞鎺㈡祴
- # ==============================================================================
- autodetect_btwaf_paths(){
- if [ ! -r "$BTWAF_IP_WHITE" ] || [ ! -s "$BTWAF_IP_WHITE" ]; then
- local alt="/www/server/panel/plugin/btwaf/rule/ip_white.json"; [ -r "$alt" ] && BTWAF_IP_WHITE="$alt"
- fi
- if [ ! -r "$BTWAF_IP_WHITE_V6" ] || [ ! -s "$BTWAF_IP_WHITE_V6" ]; then
- local alt6="/www/server/panel/plugin/btwaf/rule/ip_white_v6.json"; [ -r "$alt6" ] && BTWAF_IP_WHITE_V6="$alt6"
- fi
- }
- # ==============================================================================
- # systemd timer 闂撮殧鍦ㄧ嚎璋冩暣
- # ==============================================================================
- timer_unit="/etc/systemd/system/ddos-guard.timer"
- get_current_interval(){ awk -F= '/^OnUnitActiveSec=/{print $2}' "$timer_unit" 2>/dev/null | tail -n1; }
- set_timer_interval(){
- local new="$1"
- [ -f "$timer_unit" ] || return 0
- sed -i "s/^OnUnitActiveSec=.*/OnUnitActiveSec=${new}s/" "$timer_unit"
- systemctl daemon-reload
- systemctl try-restart ddos-guard.timer >/dev/null 2>&1 || systemctl restart ddos-guard.timer >/dev/null 2>&1
- echo "$new" > "$RUNDIR/scan-interval.current" || true
- }
- attack_state_file="$RUNDIR/attack.state" # 鍐呭锛0/1
- # ==============================================================================
- # 鐧藉悕鍗曡仛鍚/鍔犺浇 + 鍙樻洿妫€娴/鑷剤 + mtime 鍒ゅ畾鍛婅
- # ==============================================================================
- WL_SNAPSHOT_V4="$RUNDIR/wl.v4.txt"
- WL_SNAPSHOT_V6="$RUNDIR/wl.v6.txt"
- file_mtime(){ [ -f "$1" ] && $STAT -c %Y "$1" 2>/dev/null || echo 0; }
- compute_wl_mtime_sig(){
- autodetect_btwaf_paths
- local m1 m2 m3 m4
- m1=$(file_mtime "$IGNORE_IP_FILE"); m2=$(file_mtime "$IGNORE_HOST_FILE")
- m3=$(file_mtime "$BTWAF_IP_WHITE"); m4=$(file_mtime "$BTWAF_IP_WHITE_V6")
- echo "${m1}-${m2}-${m3}-${m4}"
- }
- redis_set(){ [ -n "$REDIS_CLI" ] && $REDIS_CLI SETEX "$1" 86400 "$2" >/dev/null 2>&1 || true; }
- redis_get(){ [ -n "$REDIS_CLI" ] && $REDIS_CLI GET "$1" 2>/dev/null || echo ""; }
- escape_json(){ echo -n "$1" | python3 -c 'import json,sys; print(json.dumps(sys.stdin.read())[1:-1])'; }
- should_throttle(){
- local tag="$1"; local tsf="$ALERT_TS_DIR/${tag}.ts"; local now; now=$(date +%s)
- if [ -f "$tsf" ]; then local last; last=$(cat "$tsf" 2>/dev/null || echo 0); (( now - last < DINGTALK_THROTTLE_SEC )) && return 0; fi
- echo "$now" > "$tsf"; return 1
- }
- alert_markdown(){
- [ -n "$DINGTALK_WEBHOOK" ] || return 0
- local tag="$1" title="$2" text="$3"
- if should_throttle "$tag"; then return 0; fi
- local payload
- payload=$(cat <<JSON
- {"msgtype":"markdown","markdown":{"title":"${title}","text":"$(escape_json "$text")"}}
- JSON
- )
- $CURL -s -H 'Content-Type: application/json' -X POST -d "$payload" "$DINGTALK_WEBHOOK" >/dev/null 2>&1 || true
- }
- load_whitelist(){
- set +e
- ensure_ipset_and_iptables
- autodetect_btwaf_paths
- log "寮€濮嬮噸杞界櫧鍚嶅崟锛圔TWAF + ignore.ip + ignore.host锛 ..."
- log "BTWAF IPv4锛$BTWAF_IP_WHITE"
- log "BTWAF IPv6锛$BTWAF_IP_WHITE_V6"
- local tmp4="$TMPDIR/wl4.txt"; local tmp6="$TMPDIR/wl6.txt"
- : > "$tmp4"; : > "$tmp6"
- local cnt_src_ignore_ip4=0 cnt_src_ignore_ip6=0
- local cnt_src_ignore_host_in=0 cnt_src_ignore_host_ok4=0 cnt_src_ignore_host_ok6=0
- local cnt_src_btwaf4=0 cnt_src_btwaf6=0
- # 1) ignore.ip.list锛氳В鏋愬苟鍖哄垎 v4/v6
- if [ -r "$IGNORE_IP_FILE" ]; then
- while IFS= read -r raw; do
- line="${raw%%#*}"; line="${line//$'\r'/}"; line="$(echo "$line" | xargs || true)"
- [ -n "$line" ] || continue
- fam=""
- if [ -n "$PY3" ]; then
- fam="$(
- python3 - <<'PY' "$line" 2>/dev/null || true
- import sys, ipaddress
- s=sys.argv[1]
- try:
- n=ipaddress.ip_network(s, strict=False); print(6 if n.version==6 else 4)
- except:
- try:
- a=ipaddress.ip_address(s); print(6 if a.version==6 else 4)
- except:
- pass
- PY
- )"
- fi
- if [ "$fam" = "6" ]; then echo "$line" >> "$tmp6"; ((cnt_src_ignore_ip6++))
- elif [ "$fam" = "4" ]; then echo "$line" >> "$tmp4"; ((cnt_src_ignore_ip4++))
- else
- if is_cidr6 "$line" || is_ipv6 "$line"; then echo "$line" >> "$tmp6"; ((cnt_src_ignore_ip6++))
- elif is_cidr4 "$line" || is_ipv4 "$line"; then echo "$line" >> "$tmp4"; ((cnt_src_ignore_ip4++))
- else log "蹇界暐闈炴硶鐧藉悕鍗曡锛$line"
- fi
- fi
- done < "$IGNORE_IP_FILE"
- fi
- log "ignore.ip.list 璇诲叆锛欼Pv4=$cnt_src_ignore_ip4 IPv6=$cnt_src_ignore_ip6"
- # 2) ignore.host.list锛氳В鏋 A/AAAA
- if [ -r "$IGNORE_HOST_FILE" ]; then
- while IFS= read -r rawh; do
- h="${rawh%%#*}"; h="${h//$'\r'/}"; h="$(echo "$h" | xargs || true)"
- [ -n "$h" ] || continue
- ((cnt_src_ignore_host_in++))
- while read -r ip; do
- [ -z "$ip" ] && continue
- if is_ipv6 "$ip"; then echo "$ip" >> "$tmp6"; ((cnt_src_ignore_host_ok6++))
- else echo "$ip" >> "$tmp4"; ((cnt_src_ignore_host_ok4++))
- fi
- done < <(resolve_host_to_ips "$h")
- done < "$IGNORE_HOST_FILE"
- fi
- log "ignore.host.list 鍩熷悕鏉$洰=$cnt_src_ignore_host_in 鈫 瑙f瀽鎴愬姛 IPv4=$cnt_src_ignore_host_ok4 IPv6=$cnt_src_ignore_host_ok6"
- # 3) BTWAF IPv4
- if [ -r "$BTWAF_IP_WHITE" ] && [ -n "$PY3" ]; then
- local before=$(wc -l < "$tmp4" 2>/dev/null || echo 0)
- parse_btwaf_ipv4_json "$BTWAF_IP_WHITE" >> "$tmp4"
- local after=$(wc -l < "$tmp4" 2>/dev/null || echo 0)
- cnt_src_btwaf4=$(( after - before ))
- fi
- # 4) BTWAF IPv6
- if [ -r "$BTWAF_IP_WHITE_V6" ] && [ -n "$PY3" ]; then
- local before6=$(wc -l < "$tmp6" 2>/dev/null || echo 0)
- parse_btwaf_ipv6_json "$BTWAF_IP_WHITE_V6" >> "$tmp6"
- local after6=$(wc -l < "$tmp6" 2>/dev/null || echo 0)
- cnt_src_btwaf6=$(( after6 - before6 ))
- fi
- # 5) 鍘婚噸 + 鏍¢獙
- sort -u "$tmp4" -o "$tmp4"; sort -u "$tmp6" -o "$tmp6"
- local tmp4v="$TMPDIR/wl4.valid"; local tmp6v="$TMPDIR/wl6.valid"
- : > "$tmp4v"; : > "$tmp6v"
- local v4=0 v6=0
- while read -r x; do is_ip_or_cidr "$x" && { echo "$x"; ((v4++)); }; done < "$tmp4" > "$tmp4v"
- while read -r x; do is_ip_or_cidr "$x" && { echo "$x"; ((v6++)); }; done < "$tmp6" > "$tmp6v"
- log "鑱氬悎璁℃暟锛歩gnore.ip 鈫 v4=$cnt_src_ignore_ip4 v6=$cnt_src_ignore_ip6锛沬gnore.host 鎴愬姛 鈫 v4=$cnt_src_ignore_host_ok4 v6=$cnt_src_ignore_host_ok6锛汢TWAF 鈫 v4=$cnt_src_btwaf4 v6=$cnt_src_btwaf6锛涙牎楠岄€氳繃 鈫 v4=$v4 v6=$v6"
- # 6) 鎵归噺娉ㄥ叆 ipset
- {
- echo "flush $SET_WL_V4"
- while read -r net; do [ -n "$net" ] && echo "add $SET_WL_V4 $net"; done < "$tmp4v"
- echo "flush $SET_WL_V6"
- while read -r net; do [ -n "$net" ] && echo "add $SET_WL_V6 $net"; done < "$tmp6v"
- } | $IPSET restore -exist >/dev/null 2>&1 || log "WARN: ipset restore 杩斿洖闈為浂锛堝凡蹇界暐锛"
- # 7) 淇濆瓨蹇収
- ipset_members "$SET_WL_V4" > "$WL_SNAPSHOT_V4" || true
- ipset_members "$SET_WL_V6" > "$WL_SNAPSHOT_V6" || true
- local final4=$(wc -l < "$WL_SNAPSHOT_V4" 2>/dev/null || echo 0)
- local final6=$(wc -l < "$WL_SNAPSHOT_V6" 2>/dev/null || echo 0)
- # 7.1 璁板綍鏈夋晥鑱氬悎鍝堝笇锛堜粎鐢ㄤ簬鑷剤鍒ゅ畾锛屼笉瑙﹀彂鍛婅锛
- local h4="" h6=""
- if [ -n "$SHA1" ]; then
- h4=$(cat "$tmp4v" 2>/dev/null | $SHA1 | awk '{print $1}')
- h6=$(cat "$tmp6v" 2>/dev/null | $SHA1 | awk '{print $1}')
- else
- h4="$(wc -l < "$tmp4v" 2>/dev/null)-$(head -n1 "$tmp4v" 2>/dev/null)"
- h6="$(wc -l < "$tmp6v" 2>/dev/null)-$(head -n1 "$tmp6v" 2>/dev/null)"
- fi
- local p4="$(redis_get "$WL_REDIS_NS:hash:v4")"
- local p6="$(redis_get "$WL_REDIS_NS:hash:v6")"
- local src_stat="ignore.v4=$cnt_src_ignore_ip4 ignore.v6=$cnt_src_ignore_ip6 host.v4=$cnt_src_ignore_host_ok4 host.v6=$cnt_src_ignore_host_ok6 btwaf.v4=$cnt_src_btwaf4 btwaf.v6=$cnt_src_btwaf6 valid.v4=$v4 valid.v6=$v6"
- redis_set "$WL_REDIS_NS:hash:v4" "$h4"
- redis_set "$WL_REDIS_NS:hash:v6" "$h6"
- redis_set "$WL_REDIS_NS:srcstat" "$src_stat"
- echo "$src_stat" > "$RUNDIR/wl.srcstat" || true
- # 7.2 鍙樻洿 鈫 鑷剤锛堟棤鎺ㄩ€侊級
- if [ "$h4" != "$p4" ] || [ "$h6" != "$p6" ]; then
- reconcile_unban_whitelisted
- fi
- # 7.3 鏉ユ簮鏂囦欢 mtime 鍙樺寲鎵嶆帹閫
- local cur_msig; cur_msig="$(compute_wl_mtime_sig)"
- local prev_msig=""
- [ -f "$WL_MTIME_SIG_FILE" ] && prev_msig="$(cat "$WL_MTIME_SIG_FILE" 2>/dev/null || echo "")"
- echo "$cur_msig" > "$WL_MTIME_SIG_FILE"
- if [ "${WL_ALERT_BY_MTIME_ONLY}" = true ]; then
- if [ "$cur_msig" != "$prev_msig" ]; then
- local unb="$(cat "$RUNDIR/last_unban_wl.count" 2>/dev/null || echo 0)"
- local wl_text="### 馃Ь 鐧藉悕鍗曟洿鏂帮紙鏉ユ簮鏂囦欢鍙樻洿锛
- - **鏃堕棿**锛$($DATE '+%F %T')
- - **鏉ユ簮缁熻**锛$src_stat
- - **褰撳墠蹇収**锛欼Pv4=${final4} 鏉★紝IPv6=${final6} 鏉
- - **鏈疆鑷剤瑙e皝**锛${unb} 涓"
- alert_markdown "wl-change" "鐧藉悕鍗曟洿鏂" "$wl_text"
- fi
- else
- # 涓嶄粎鎸 mtime锛屽搱甯屽彉鍖栦篃鎺ㄩ€侊紙鍙€夛級
- if [ "$h4" != "$p4" ] || [ "$h6" != "$p6" ]; then
- local unb="$(cat "$RUNDIR/last_unban_wl.count" 2>/dev/null || echo 0)"
- local wl_text="### 馃Ь 鐧藉悕鍗曟洿鏂帮紙鑱氬悎鍐呭鍙樺寲锛
- - **鏃堕棿**锛$($DATE '+%F %T')
- - **鏉ユ簮缁熻**锛$src_stat
- - **褰撳墠蹇収**锛欼Pv4=${final4} 鏉★紝IPv6=${final6} 鏉
- - **鏈疆鑷剤瑙e皝**锛${unb} 涓"
- alert_markdown "wl-change" "鐧藉悕鍗曟洿鏂" "$wl_text"
- fi
- fi
- log "鐧藉悕鍗曢噸杞藉畬鎴愶細IPv4 $final4 鏉★紝IPv6 $final6 鏉°€"
- set -e
- }
- show_whitelist(){
- ensure_ipset_and_iptables
- echo "=== IPv4 whitelist ($SET_WL_V4) ==="; ipset_members "$SET_WL_V4" | head -n 200
- echo "=== IPv6 whitelist ($SET_WL_V6) ==="; ipset_members "$SET_WL_V6" | head -n 200
- echo "(浠呭睍绀哄墠 200 鏉★紱瀹屾暣璇蜂娇鐢細ipset list $SET_WL_V4 / $SET_WL_V6)"
- }
- is_in_whitelist_snapshot(){
- local ip="$1"
- if is_ipv6 "$ip"; then
- grep -Fxq -- "$ip" "$WL_SNAPSHOT_V6" 2>/dev/null && return 0
- else
- $IPSET test "$SET_WL_V4" "$ip" >/dev/null 2>&1 && return 0
- grep -Fxq -- "$ip" "$WL_SNAPSHOT_V4" 2>/dev/null && return 0
- fi
- return 1
- }
- reconcile_unban_whitelisted(){
- local tmp="$TMPDIR/reconcile.$$" cnt=0
- ipset_members "$SET_BL_V4" > "$tmp" || true
- while read -r ip; do
- [ -n "$ip" ] || continue
- if is_in_whitelist_snapshot "$ip"; then
- unban_ip "$ip" "auto-unban-wl" && ((cnt++))
- fi
- done < "$tmp"
- if have ip6tables; then
- ipset_members "$SET_BL_V6" > "$tmp" || true
- while read -r ip; do
- [ -n "$ip" ] || continue
- if is_in_whitelist_snapshot "$ip"; then
- unban_ip "$ip" "auto-unban-wl" && ((cnt++))
- fi
- done < "$tmp"
- fi
- echo "$cnt" > "$RUNDIR/last_unban_wl.count"
- }
- # ==============================================================================
- # L4 瀹炴椂鎺掕锛堜慨澶嶇増锛
- # ==============================================================================
- extract_peer_ip_awk='
- function peerip(s, x){
- # [2001:db8::1]:443 / 1.2.3.4:54321 / 2001:db8::1
- if (s ~ /^\[/) { gsub(/^\[/,"",s); sub(/\].*$/,"",s); return s; }
- sub(/:[0-9]+$/,"",s);
- return s;
- }
- { ip=peerip($NF); if (ip!="" && ip!="-") print ip; }
- '
- top_talkers_l4(){
- have ss || die "缂哄皯 ss"
- local est syn
- est=$($SS -Hnta state established 2>/dev/null | awk "$extract_peer_ip_awk" | sort | uniq -c | sort -nr | head -n 20)
- syn=$($SS -Hnta state syn-recv 2>/dev/null | awk "$extract_peer_ip_awk" | sort | uniq -c | sort -nr | head -n 20)
- echo "---- Top EST ----"; [ -n "$est" ] && echo "$est" || echo "(鏃犳椿鍔ㄨ繛鎺)"
- echo "---- Top SYN_RECV ----"; [ -n "$syn" ] && echo "$syn" || echo "(鏃犳椿鍔ㄨ繛鎺)"
- }
- should_attack_mode(){
- local ct_count=0; have conntrack && ct_count=$(conntrack -C 2>/dev/null || echo 0)
- local syn_total est_total
- syn_total=$($SS -Hnta state syn-recv | awk '{c++} END{print c+0}')
- est_total=$($SS -Hnta state established | awk '{c++} END{print c+0}')
- local result=0
- if (( ct_count > NO_OF_CT || syn_total > NO_OF_SYN || est_total > NO_OF_EST )); then
- result=1
- fi
- # 绗竴琛岃緭鍑虹粨鏋 1 鎴 0
- echo "$result"
- # 鍚庣画琛岃緭鍑鸿缁嗙殑鎸囨爣锛岀敤浜庡憡璀
- echo "Conntrack: ${ct_count} / ${NO_OF_CT}"
- echo "SYN Total: ${syn_total} / ${NO_OF_SYN}"
- echo "EST Total: ${est_total} / ${NO_OF_EST}"
- }
- # ==============================================================================
- # Host/Path 闃堝€硷紙澶栭儴 JSON 浼樺厛锛涘惁鍒欏唴缃 Discuz PATH_TIERS锛
- # ==============================================================================
- DEFAULT_THRESHOLDS_JSON='{
- "GLOBAL": { "SYN_GLOBAL_THRESHOLD": 180, "EST_GLOBAL_THRESHOLD": 260, "CONNTRACK_GLOBAL_THRESHOLD": 15000 },
- "*": {
- "HOST_WEIGHT": 2.0, "REQ_PER_MIN_L1": 160, "REQ_PER_MIN_L2": 300, "REQ_PER_MIN_L3": 600,
- "CONN_PER_IP_SYN_THRESHOLD": 68, "CONN_PER_IP_EST_THRESHOLD": 120,
- "PATH_TIERS": [
- { "kind": "prefix", "pattern": "/forum.php?mod=image", "L1": 10, "L2": 20, "L3": 40 },
- { "kind": "regex", "pattern": "^/plugin\\.php\\?id=aljol(&|$)", "L1": 6, "L2": 12, "L3": 24 },
- { "kind": "regex", "pattern": "^/ajax\\.php(\\?|$)", "L1": 8, "L2": 16, "L3": 32 },
- { "kind": "regex", "pattern": "^/avatar\\.php(\\?|$)", "L1": 8, "L2": 16, "L3": 32 },
- { "kind": "regex", "pattern": "^/misc\\.php\\?mod=seccode(&|$)","L1": 4, "L2": 8, "L3": 16 },
- { "kind": "regex", "pattern": "^/search\\.php(\\?|$)", "L1": 8, "L2": 16, "L3": 32 },
- { "kind": "prefix", "pattern": "/data/attachment/", "L1": 30, "L2": 60, "L3": 120 },
- { "kind": "prefix", "pattern": "/static/", "L1": 40, "L2": 80, "L3": 160 }
- ]
- },
- "浣犵殑鍩熷悕1": { "HOST_WEIGHT": 2.0, "REQ_PER_MIN_L1": 160, "REQ_PER_MIN_L2": 300, "REQ_PER_MIN_L3": 600, "CONN_PER_IP_SYN_THRESHOLD": 68, "CONN_PER_IP_EST_THRESHOLD": 120 },
- "浣犵殑鍩熷悕2": { "HOST_WEIGHT": 2.0, "REQ_PER_MIN_L1": 160, "REQ_PER_MIN_L2": 300, "REQ_PER_MIN_L3": 600, "CONN_PER_IP_SYN_THRESHOLD": 68, "CONN_PER_IP_EST_THRESHOLD": 120 },
- "浣犵殑鍩熷悕3": { "HOST_WEIGHT": 2.0, "REQ_PER_MIN_L1": 160, "REQ_PER_MIN_L2": 300, "REQ_PER_MIN_L3": 600, "CONN_PER_IP_SYN_THRESHOLD": 68, "CONN_PER_IP_EST_THRESHOLD": 120 },
- "浣犵殑鍩熷悕4": { "HOST_WEIGHT": 2.0, "REQ_PER_MIN_L1": 160, "REQ_PER_MIN_L2": 300, "REQ_PER_MIN_L3": 600, "CONN_PER_IP_SYN_THRESHOLD": 68, "CONN_PER_IP_EST_THRESHOLD": 120 },
- "浣犵殑鍩熷悕5": { "HOST_WEIGHT": 2.0, "REQ_PER_MIN_L1": 160, "REQ_PER_MIN_L2": 300, "REQ_PER_MIN_L3": 600, "CONN_PER_IP_SYN_THRESHOLD": 68, "CONN_PER_IP_EST_THRESHOLD": 120 }
- }'
- load_host_thresholds(){
- local src="$THRESHOLDS_JSON" json
- if [ -s "$src" ]; then json="$(cat "$src")"; log "宸插姞杞藉閮 host-thresholds.json锛$src"
- else json="$DEFAULT_THRESHOLDS_JSON"; log "浣跨敤鑴氭湰鍐呯疆榛樿闃堝€硷紙鍥哄寲閰嶇疆 + Discuz PATH_TIERS锛"; fi
- [ -n "$PY3" ] || { log "鏈娴嬪埌 python3锛屾棤娉曡В鏋 host/path 闃堝€ JSON"; return 0; }
- local out
- out="$(python3 - <<'PY' "$json" || exit 1
- import sys,json
- cfg=json.loads(sys.argv[1])
- # 澧炲己鐨 g() 鍑芥暟锛屽彲浠ユ鏌ュ鐢ㄩ敭鍚
- def g(k, d=0, alt_k=None):
- glob = cfg.get("GLOBAL", {})
- v = glob.get(k)
- if v is None and alt_k:
- v = glob.get(alt_k)
- return v if isinstance(v, (int, float)) else d
- # 鍏煎 GLOBAL 鍖哄煙鐨勬柊鏃т袱绉嶉敭鍚
- print("GLOBAL_SYN=%s" % g("SYN_GLOBAL_THRESHOLD", 0, alt_k="NO_OF_SYN"))
- print("GLOBAL_EST=%s" % g("EST_GLOBAL_THRESHOLD", 0, alt_k="NO_OF_EST"))
- print("GLOBAL_CT=%s" % g("CONNTRACK_GLOBAL_THRESHOLD", 0, alt_k="NO_OF_CONNTRACK"))
- for host,val in cfg.items():
- if host=="GLOBAL" or not isinstance(val,dict): continue
-
- # 鍏煎宓屽鐨 REQ_PER_MIN 瀵硅薄鍜岀嫭绔嬬殑 REQ_PER_MIN_L1/L2/L3 閿
- req_min_obj = val.get("REQ_PER_MIN", {})
- hw = val.get("HOST_WEIGHT",1.0)
- l1 = val.get("REQ_PER_MIN_L1") or req_min_obj.get("L1") or 0
- l2 = val.get("REQ_PER_MIN_L2") or req_min_obj.get("L2") or 0
- l3 = val.get("REQ_PER_MIN_L3") or req_min_obj.get("L3") or 0
-
- # 鍏煎 SYN_PER_IP 鍜 EST_PER_IP 閿悕
- syn = val.get("CONN_PER_IP_SYN_THRESHOLD") or val.get("SYN_PER_IP") or 0
- est = val.get("CONN_PER_IP_EST_THRESHOLD") or val.get("EST_PER_IP") or 0
-
- print("H|%s|%s|%s|%s|%s|%s"%(host,hw,l1,l2,l3,syn or 0)); print("E|%s|%s"%(host,est or 0))
-
- pts=val.get("PATH_TIERS",[])
- if isinstance(pts,list):
- for i,r in enumerate(pts):
- # 鍏煎 KIND/PAT (澶у啓) 鍜 kind/pattern (灏忓啓)
- kind_val = r.get("kind") or r.get("KIND") or "regex"
- kind = str(kind_val).lower()
- pat = str(r.get("pattern") or r.get("PAT") or "").strip()
-
- L1=int(r.get("L1",0) or 0); L2=int(r.get("L2",0) or 0); L3=int(r.get("L3",0) or 0)
- if not pat: continue
- if kind not in ("regex","prefix"): kind="regex"
- print("P|%s|%d|%s|%s|%d|%d|%d"%(host,i,kind,pat.replace("|","\\|"),L1,L2,L3))
- print("PCNT|%s|%d"%(host,len(pts)))
- PY
- )"
- HT_HOST_WEIGHT=(); HT_REQ_L1=(); HT_REQ_L2=(); HT_REQ_L3=(); HT_SYN_PERIP=(); HT_EST_PERIP=()
- PT_KIND=(); PT_PAT=(); PT_L1=(); PT_L2=(); PT_L3=(); PT_COUNT=()
- while IFS= read -r line; do
- case "$line" in
- GLOBAL_SYN=*) GLOBAL_SYN="${line#GLOBAL_SYN=}" ;;
- GLOBAL_EST=*) GLOBAL_EST="${line#GLOBAL_EST=}" ;;
- GLOBAL_CT=*) GLOBAL_CT="${line#GLOBAL_CT=}" ;;
- H|* ) IFS='|' read -r _ h w l1 l2 l3 syn <<<"$line"; HT_HOST_WEIGHT["$h"]="$w"; HT_REQ_L1["$h"]="$l1"; HT_REQ_L2["$h"]="$l2"; HT_REQ_L3["$h"]="$l3"; HT_SYN_PERIP["$h"]="$syn" ;;
- E|* ) IFS='|' read -r _ h est <<<"$line"; HT_EST_PERIP["$h"]="$est" ;;
- P|* ) IFS='|' read -r _ h idx kind pat L1 L2 L3 <<<"$line"; key="${h}|${idx}"; PT_KIND["$key"]="$kind"; PT_PAT["$key"]="$pat"; PT_L1["$key"]="$L1"; PT_L2["$key"]="$L2"; PT_L3["$key"]="$L3" ;;
- PCNT|* ) IFS='|' read -r _ h pc <<<"$line"; PT_COUNT["$h"]="$pc" ;;
- esac
- done <<< "$out"
- # GLOBAL 瑕嗙洊鍏滃簳
- [ "$GLOBAL_SYN" -gt 0 ] && NO_OF_SYN="$GLOBAL_SYN"
- [ "$GLOBAL_EST" -gt 0 ] && NO_OF_EST="$GLOBAL_EST"
- [ "$GLOBAL_CT" -gt 0 ] && NO_OF_CT="$GLOBAL_CT"
- log "闃堝€艰杞斤細GLOBAL SYN=$NO_OF_SYN EST=$NO_OF_EST CT=$NO_OF_CT锛涚珯鐐规暟=$(printf %s "${!HT_HOST_WEIGHT[@]}" | wc -w)"
- }
- # ==============================================================================
- # Redis 鏃ュ織娓告爣缂撳瓨锛堥檷 I/O锛
- # ==============================================================================
- stream_new_lines(){
- local f="$1"; [ -f "$f" ] || return 0
- if [ "$LOG_CACHE_ENABLE" = true ] && [ -n "$REDIS_CLI" ] && [ -n "$STAT" ]; then
- local key="ddos:logpos:$(echo -n "$f" | ${MD5:-md5sum} | awk '{print $1}')"
- local size; size=$($STAT -c %s "$f" 2>/dev/null || echo 0)
- local pos; pos=$($REDIS_CLI GET "$key" 2>/dev/null || echo "")
- if [[ -z "$pos" || "$pos" -gt "$size" ]]; then
- $TAIL -n "$LOG_CACHE_MAX_FALLBACK_LINES" "$f"
- $REDIS_CLI SETEX "$key" 86400 "$size" >/dev/null 2>&1 || true
- else
- local start=$(( pos + 1 ))
- tail -c +$start "$f" 2>/dev/null || $TAIL -n "$LOG_CACHE_MAX_FALLBACK_LINES" "$f"
- $REDIS_CLI SETEX "$key" 86400 "$size" >/dev/null 2>&1 || true
- fi
- else
- $TAIL -n "$LOG_CACHE_MAX_FALLBACK_LINES" "$f"
- fi
- }
- # ==============================================================================
- # L7 缁熻/澶勭疆 + Redis 闄愰€熷喅绛
- # ==============================================================================
- count_hits_in_logs(){
- local tmp="$TMPDIR/l7_hits.$$"; : > "$tmp"
- for f in "${CC_LOG_PATHS[@]}"; do
- [ -f "$f" ] || continue
- local fb; fb="$(guess_host_from_file "$f")"
- stream_new_lines "$f" | $AWK -v fb="$fb" '
- function g(line, h) {
- if (match(line, /"https?:\/\/([^\/"]+)/, a)) return a[1];
- if (match(line, /"[^"]+ (https?:\/\/([^\/ ]+))?\/[^"]*"/, b)) { if (b[2]!="") return b[2]; }
- return fb;
- }
- {
- ip=$1; line=$0; path="/"
- if (match($0, /"[^"]+"/, a)) {
- req=a[0]
- status_code=0
- # 灏濊瘯浠庢棩蹇楄涓彁鍙 HTTP 鐘舵€佺爜 (渚嬪 " 200 ")
- if (match($0, /"[^"]+" ([0-9]{3})/, s)) status_code=s[1]
- if (match(req, /"[^ ]+ ([^ ?"]+)/, p)) path=p[1]
- # Discuz! 鍚庡彴璺緞鍔ㄦ€佽瘑鍒€昏緫
- # 濡傛灉璁块棶鐨勬槸鍚庡彴绠$悊鍜屼笅杞絛ismall鎻掍欢鎿嶄綔鍔犵櫧鍚嶅崟闃叉璇潃鑷繁IP锛屽苟涓旂姸鎬佺爜鏄200 (琛ㄧず鎴愬姛)
- if (path ~ /^/(dismall|admin|plugin)\.php$/ && status_code == 200) {
- # 杈撳嚭涓€涓壒娈婃爣璁 ADMIN_LOGIN 鍜屽搴旂殑 IP
- print "ADMIN_LOGIN", ip, g(line)
- } else {
- # 瀵逛簬鍏朵粬鎵€鏈夎闂紝杈撳嚭甯歌鏍囪 NORMAL_HIT
- print "NORMAL_HIT", ip, g(line), path
- }
- }
- }' >> "$tmp"
- done
- $AWK '{k=$1"|" $2"|" $3; c[k]++} END{for (k in c){split(k,a,"|"); print c[k], a[1], a[2], a[3]}}' "$tmp" | sort -nr
- }
- perip_escalation_from_errorlog(){
- local tmp="$TMPDIR/perip.$$"; : > "$tmp"
- for f in "${ERROR_LOG_PATHS[@]}"; do
- [ -f "$f" ] || continue
- local fb; fb="$(guess_host_from_file "$f")"
- stream_new_lines "$f" | $AWK -v fb="$fb" '
- /limiting connections by zone "perip"/ {
- ip="";host="";
- if (match($0, /client: ([0-9.]+)/, a)) ip=a[1];
- if (match($0, /server: ([^, ]+)/, b)) host=b[1];
- if (ip!="") {print ip, (host==""?fb:host)}
- }' >> "$tmp"
- done
- if [ -s "$tmp" ]; then
- $AWK '{k=$1"|" $2; c[k]++} END{for (k in c){split(k,a,"|"); print c[k], a[1], a[2]}}' "$tmp" \
- | sort -nr \
- | while read -r cnt ip host; do
- local base="${HT_REQ_L3[$host]:-${HT_REQ_L3["*"]:-$((CC_THRESHOLD*4))}}"
- local esc_thr=$(( base/2 )); [ "$esc_thr" -lt 5 ] && esc_thr=5
- if (( cnt >= esc_thr )); then
- if $IPSET test "$SET_RL_V4" "$ip" >/dev/null 2>&1; then
- ban_ip "$ip" "L7-perip-escalation(cnt=$cnt,thr=$esc_thr)"
- else
- $IPSET add "$SET_RL_V4" "$ip" -exist
- LIMITED_THIS_RUN+=("$ip ($host perip-escalation cnt=$cnt thr=$esc_thr)")
- fi
- fi
- done
- fi
- }
- redis_should_limit(){
- [ -n "$REDIS_CLI" ] || { echo 0; return; }
- local ip="$1" k="ddos:l7:$ip" r
- r=$($REDIS_CLI -x <<EOF
- MULTI
- INCR $k
- EXPIRE $k 10
- EXEC
- EOF
- )
- local cnt; cnt=$(echo "$r" | tail -n1 | tr -dc 0-9)
- if [ -z "$cnt" ]; then echo 0; else [ "$cnt" -ge "$CC_RATELIMIT_THRESHOLD" ] && echo 1 || echo 0; fi
- }
- # ==============================================================================
- # Ban/Unban/Flush
- # ==============================================================================
- ban_ip(){
- local ip="$1" reason="${2:-unknown}"
- if is_in_whitelist_snapshot "$ip"; then log "璺宠繃灏佺锛堢櫧鍚嶅崟锛夛細$ip"; return 0; fi
- if is_ipv6 "$ip"; then have ip6tables || { log "IPv6 涓嶅彲鐢紝璺宠繃 $ip"; return 0; }; $IPSET add "$SET_BL_V6" "$ip" -exist
- else $IPSET add "$SET_BL_V4" "$ip" -exist; fi
- BANNED_THIS_RUN+=("$ip ($reason)") # 灏嗗師鍥犲姞鍏ユ壒娆℃垬鎶
- echo "$($DATE '+%F %T'),BAN,$ip,$reason" >> "$BAN_HISTORY"
- }
- unban_ip(){
- local ip="$1" reason="${2:-unknown}"
- is_ipv6 "$ip" && $IPSET del "$SET_BL_V6" "$ip" 2>/dev/null || $IPSET del "$SET_BL_V4" "$ip" 2>/dev/null || true
- echo "$($DATE '+%F %T'),UNBAN,$ip,$reason" >> "$BAN_HISTORY"
- }
- flush_bans(){ $IPSET flush "$SET_BL_V4" 2>/dev/null || true; $IPSET flush "$SET_BL_V6" 2>/dev/null || true; log "宸叉竻绌洪粦鍚嶅崟"; have fail2ban-client && fail2ban-client unban --all 2>/dev/null || true; }
- # ==============================================================================
- # 涓诲贰妫€锛氬姩鎬佽皟閫 + L4/L7 鍒ゅ喅 + 鍛婅
- # ==============================================================================
- alert_markdown_batch(){
- [ -n "$DINGTALK_WEBHOOK" ] || return 0
- [ "${#BANNED_THIS_RUN[@]}" -eq 0 ] && [ "${#LIMITED_THIS_RUN[@]}" -eq 0 ] && return 0
- local pub="N/A" lan="N/A"
- pub="$(get_public_ip)"
- lan="$(hostname -I 2>/dev/null | awk '{print $1}')"
- local ban_lines="" lim_lines=""
- for x in "${BANNED_THIS_RUN[@]}"; do ban_lines+="- $x\n"; done
- for x in "${LIMITED_THIS_RUN[@]}"; do lim_lines+="- $x\n"; done
- local text="### 馃毀 DDoS-Guard 鎵规鎴樻姤
- - **鏃堕棿**锛$($DATE '+%F %T')
- - **涓绘満**锛$pub锛堝缃戯級 / $lan锛堝唴缃戯級
- - **灏佺鏉$洰**锛
- $([ -n "$ban_lines" ] && echo -e "$ban_lines" || echo "- 鏃")
- - **闄愰€熸潯鐩**锛
- $([ -n "$lim_lines" ] && echo -e "$lim_lines" || echo "- 鏃")"
- alert_markdown "batch" "DDoS-Guard 鎵规鎴樻姤" "$text"
- }
- # --- alert_attack_state 鍑芥暟寮€濮 ---
- alert_attack_state(){
- local state="$1" # 鎺ユ敹绗竴涓弬鏁 (enter / exit)
- local metrics="$2" # 鎺ユ敹鏂板鐨勭浜屼釜鍙傛暟锛岀敤浜庢帴鏀舵寚鏍囪鎯
-
- # 鑾峰彇涓绘満鍏綉鍜屽唴缃 IP
- local pub="N/A" lan="N/A"
- pub="$(get_public_ip)"
- lan="$(hostname -I 2>/dev/null | awk '{print $1}')"
-
- # 鑾峰彇褰撳墠鐨勬壂鎻忛棿闅
- local current_interval
- current_interval=$(get_current_interval || echo '?')
-
- # 瀹氫箟閽夐拤娑堟伅鐨勪富瑕佸唴瀹
- local text="### 鈿狅笍 鏀诲嚮妯″紡$( [ "$state" = "enter" ] && echo 杩涘叆 || echo 閫€鍑 )
- - **鏃堕棿**锛$($DATE '+%F %T')
- - **涓绘満**锛$pub / $lan
- - **鎵弿闂撮殧**锛${current_interval%s}s"
-
- # 杩欐槸涓€涓叧閿殑鏉′欢鍒ゆ柇锛
- # 鍙湁鍦ㄦ槸鈥滆繘鍏モ€濇敾鍑绘ā寮忥紝骞朵笖鏈夊叿浣撶殑鎸囨爣璇︽儏鏃讹紝
- # 鎵嶄細鍦ㄦ秷鎭湯灏捐拷鍔犫€滆Е鍙戝師鍥犫€濊繖閮ㄥ垎鍐呭銆
- if [ "$state" = "enter" ] && [ -n "$metrics" ]; then
- text+="\n- **瑙﹀彂鍘熷洜**:\n${metrics}"
- fi
-
- # 璋冪敤閫氱敤鐨勫憡璀﹀嚱鏁帮紝灏嗕笂闈㈡嫾鎺ュソ鐨勫畬鏁存秷鎭 ($text) 鍙戦€佸嚭鍘
- alert_markdown "state-$state" "DDoS-Guard 鏀诲嚮妯″紡锛${state}" "$text"
- }
- # --- alert_attack_state 鍑芥暟缁撴潫 ---
- run_core(){
- ensure_ipset_and_iptables
- load_host_thresholds
- load_whitelist
- reconcile_unban_whitelisted # 鍙屼繚闄╄嚜鎰
- BANNED_THIS_RUN=(); LIMITED_THIS_RUN=()
- # 鍗囩骇鍚庣殑浠g爜
- local attack_mode_details; attack_mode_details=$(should_attack_mode)
- local attack_mode; attack_mode=$(echo "$attack_mode_details" | head -n 1)
- local metrics_summary; metrics_summary=$(echo "$attack_mode_details" | tail -n +2 | sed 's/^/ - /')
- local est_thr=$NO_OF_EST syn_thr=$NO_OF_SYN cc_thr=$CC_THRESHOLD
- local prev_state=0; [ -f "$attack_state_file" ] && prev_state=$(cat "$attack_state_file" 2>/dev/null || echo 0)
- if [ "$ENABLE_DYNAMIC_THRESHOLDS" = true ] && [ "$attack_mode" -eq 1 ]; then
- est_thr=$NO_OF_EST_ATTACK_MODE; syn_thr=$NO_OF_SYN_ATTACK_MODE; cc_thr=$CC_THRESHOLD_ATTACK_MODE
- if [ "$prev_state" -ne 1 ]; then
- set_timer_interval "$ATTACK_SCAN_INTERVAL"
- echo 1 > "$attack_state_file"
- alert_attack_state "enter" "$metrics_summary"
- log "杩涘叆鏀诲嚮妯″紡锛欵ST<$est_thr SYN<$syn_thr L7<$cc_thr锛涙壂鎻忛棿闅=${ATTACK_SCAN_INTERVAL}s"
- fi
- else
- if [ "$prev_state" -ne 0 ]; then
- set_timer_interval "$SCAN_INTERVAL"
- echo 0 > "$attack_state_file"
- alert_attack_state "exit"
- log "閫€鍑烘敾鍑绘ā寮忥細鎵弿闂撮殧鎭㈠=${SCAN_INTERVAL}s"
- fi
- fi
- # L4: EST per-IP
- $SS -Hnta state established \
- | awk "$extract_peer_ip_awk" \
- | sort | uniq -c | sort -nr \
- | while read -r cnt ip; do
- [ -z "$ip" ] && continue
- is_in_whitelist_snapshot "$ip" && continue
- # 澧炲姞鍔ㄦ€佺鐞嗗憳璞佸厤妫€鏌
- $IPSET test "$SET_ADMIN_V4" "$ip" >/dev/null 2_>/dev/null && continue
- [ "$(is_private_ip "$ip")" = "1" ] && continue
- $IPSET test "$SET_GB_V4" "$ip" >/dev/null 2>&1 && continue
- (( cnt >= est_thr )) && ban_ip "$ip" "L4-EST(cnt=$cnt,thr=$est_thr)"
- done
- # L4: SYN_RECV per-IP
- $SS -Hnta state syn-recv \
- | awk "$extract_peer_ip_awk" \
- | sort | uniq -c | sort -nr \
- | while read -r cnt ip; do
- [ -z "$ip" ] && continue
- is_in_whitelist_snapshot "$ip" && continue
- # 澧炲姞鍔ㄦ€佺鐞嗗憳璞佸厤妫€鏌
- $IPSET test "$SET_ADMIN_V4" "$ip" >/dev/null 2_>/dev/null && continue
- [ "$(is_private_ip "$ip")" = "1" ] && continue
- $IPSET test "$SET_GB_V4" "$ip" >/dev/null 2>&1 && continue
- (( cnt >= syn_thr )) && ban_ip "$ip" "L4-SYN(cnt=$cnt,thr=$syn_thr)"
- done
- # L7锛氬閲忔棩蹇楄鏁 鈫 Host/Path Tiers 鈫 UA 鍒嗙被 鈫 Redis 闄愰€/灏佺
- local hits; hits=$(count_hits_in_logs || true)
- if [ -n "$hits" ]; then
- while read -r tag cnt ip host path; do
- # 濡傛灉鏍囩鏄 ADMIN_LOGIN, 璇存槑鏄鐞嗗憳IP
- if [ "$tag" = "ADMIN_LOGIN" ]; then
- # 灏嗚IP (姝ゆ椂瀛樺偍鍦╟nt鍙橀噺涓) 鍔犲叆绠$悊鍛樹俊浠婚泦鍚堝苟璺宠繃鍚庣画妫€鏌
- $IPSET add "$SET_ADMIN_V4" "$cnt" -exist
- continue
- fi
- [ -z "$ip" ] && continue
- is_in_whitelist_snapshot "$ip" && continue
- # 澧炲姞鍔ㄦ€佺鐞嗗憳璞佸厤妫€鏌
- $IPSET test "$SET_ADMIN_V4" "$ip" >/dev/null 2_>/dev/null && continue
- local uac; uac="$(classify_ua_for_ip "$ip")"
- if [ "$uac" = "GOOD" ]; then $IPSET add "$SET_GB_V4" "$ip" -exist; continue; fi
- local base_host="$host"; [ -n "${HT_REQ_L1[$base_host]:-}" ] || base_host="*"
- local l1="${HT_REQ_L1[$base_host]:-$cc_thr}"
- local l2="${HT_REQ_L2[$base_host]:-$((cc_thr*2))}"
- local l3="${HT_REQ_L3[$base_host]:-$((cc_thr*4))}"
- local w="${HT_HOST_WEIGHT[$base_host]:-1.0}"
- local pc="${PT_COUNT[$base_host]:-0}"
- if [ "$pc" -gt 0 ]; then
- local idx=0
- while [ "$idx" -lt "$pc" ]; do
- local key="${base_host}|${idx}"
- local kind="${PT_KIND[$key]:-regex}"
- local pat="${PT_PAT[$key]:-}"
- local L1="${PT_L1[$key]:-0}"
- local L2="${PT_L2[$key]:-0}"
- local L3="${PT_L3[$key]:-0}"
- if [ -n "$pat" ]; then
- if [ "$kind" = "prefix" ]; then
- case "$path" in
- "$pat"*) [ "$L1" -gt 0 ] && l1="$L1"; [ "$L2" -gt 0 ] && l2="$L2"; [ "$L3" -gt 0 ] && l3="$L3"; idx=$pc; continue
- esac
- else
- echo "$path" | $GREP -Eiq -- "$pat" && { [ "$L1" -gt 0 ] && l1="$L1"; [ "$L2" -gt 0 ] && l2="$L2"; [ "$L3" -gt 0 ] && l3="$L3"; idx=$pc; continue; }
- fi
- fi
- idx=$((idx+1))
- done
- fi
- local thr=$l1
- if [ "$ENABLE_DYNAMIC_THRESHOLDS" = true ] && [ "$attack_mode" -eq 1 ]; then
- thr=$(python3 - <<PY "$l1" "$w"
- import sys
- l1=float(sys.argv[1]); w=float(sys.argv[2])
- print(int(max(3, l1*w*0.4)))
- PY
- )
- fi
- case "$uac" in
- SEMI) $IPSET add "$SET_RL_V4" "$ip" -exist; LIMITED_THIS_RUN+=("$ip ($host $path semi-trust UA)"); continue;;
- BAD|FAKEGOOD) thr=$(( thr/3 )); [ "$thr" -lt 3 ] && thr=3 ;;
- esac
- if (( cnt >= thr )); then
- local decide_limit=0
- if [ "$ENABLE_RATE_LIMITING" = true ]; then decide_limit=$(redis_should_limit "$ip"); fi
- if [ "$decide_limit" -eq 1 ] && [ "$uac" != "BAD" ] && [ "$uac" != "FAKEGOOD" ]; then
- $IPSET add "$SET_RL_V4" "$ip" -exist
- LIMITED_THIS_RUN+=("$ip ($host $path L7-limit cnt=$cnt thr=$thr)")
- else
- ban_ip "$ip" "L7-CC($host $path,cnt=$cnt,thr=$thr,ua=$uac)"
- fi
- fi
- done <<< "$hits"
- fi
- # 閿欒鏃ュ織 perip 鍗囩骇锛氬娆¢檺娴 鈫 闄愰€/灏佺
- perip_escalation_from_errorlog
- # 鎵规鎴樻姤锛堣妭娴 10 鍒嗛挓锛
- alert_markdown_batch
- }
- # 杩愯涓€娆★紙閿佹帶鍒讹細--nowait 闈為樆濉烇紱榛樿闃诲绛夊緟锛
- run_once(){
- local mode="${1:-wait}" # wait / nowait
- lock_open
- if [ "$mode" = "nowait" ]; then
- if ! lock_try; then
- log "妫€娴嬪埌宸叉湁瀹炰緥鍦ㄨ繍琛岋紙nowait 妯″紡锛岃烦杩囨湰杞級銆"
- return 0
- fi
- else
- lock_wait # CLI 璋冪敤锛氶樆濉炵瓑寰咃紝涓嶅啀鎶モ€滃凡鏈夊疄渚嬪湪杩愯鈥
- fi
- run_core
- }
- # ==============================================================================
- # 瀛愬懡浠
- # ==============================================================================
- cmd_install(){
- need_root
- # 1) systemd 鍗曞厓
- cat >/etc/systemd/system/ddos-guard.service <<SERVICE
- [Unit]
- Description=DDoS Guard one-shot scan
- After=network-online.target
- Wants=network-online.target
- [Service]
- Type=oneshot
- ExecStart=$SELF_PATH run --nowait
- User=root
- Group=root
- Nice=-5
- IOSchedulingClass=realtime
- [Install]
- WantedBy=multi-user.target
- SERVICE
- cat >"$timer_unit" <<TIMER
- [Unit]
- Description=Run ddos-guard every ${SCAN_INTERVAL}s
- [Timer]
- OnBootSec=30s
- OnUnitActiveSec=${SCAN_INTERVAL}s
- AccuracySec=1s
- Unit=ddos-guard.service
- Persistent=true
- [Install]
- WantedBy=timers.target
- TIMER
- systemctl daemon-reload
- systemctl enable --now ddos-guard.timer
- # 2) 鐩綍/鐧藉悕鍗曟枃浠
- mkdir -p /etc/ddos
- touch "$IGNORE_IP_FILE" "$IGNORE_HOST_FILE"
- # 3) 棣栨鐧藉悕鍗曞姞杞斤紙澶辫触涓嶉樆鏂級
- load_whitelist || true
- reconcile_unban_whitelisted || true
- log "瀹夎瀹屾垚锛歴ystemd timer 姣 ${SCAN_INTERVAL}s 宸℃涓€娆°€"
- alert_markdown "install" "DDoS-Guard 瀹夎瀹屾垚" "鉁 瀹夎瀹屾垚 @ $($DATE '+%F %T')锛屽畾鏃跺贰妫€ ${SCAN_INTERVAL}s锛涙敾鍑绘ā寮忚嚜鍔ㄦ彁鍗囪嚦 ${ATTACK_SCAN_INTERVAL}s銆"
- echo "鍙敤瀛愬懡浠わ細status/top/history/check/tune/tune-guide/whitelist-reload/whitelist-show/whitelist-debug/redis-status/ban/unban/flush-bans/blacklist/f2b-setup/btwaf-sync-whitelist"
- }
- cmd_uninstall(){ need_root; systemctl disable --now ddos-guard.timer 2>/dev/null || true; systemctl disable --now ddos-guard.service 2>/dev/null || true; rm -f /etc/systemd/system/ddos-guard.{service,timer}; systemctl daemon-reload; log "宸插嵏杞 systemd 閰嶇疆銆"; }
- cmd_daemon(){ need_root; log "杩涘叆鍓嶅彴瀹堟姢锛${SCAN_INTERVAL}s锛..."; while :; do run_once nowait || true; sleep "$SCAN_INTERVAL"; done; }
- cmd_status(){
- echo "== ipset 姒傝 =="
- ipset_members "$SET_WL_V4" | awk 'END{print "WLv4:", NR+0}'
- ipset_members "$SET_WL_V6" | awk 'END{print "WLv6:", NR+0}'
- ipset_members "$SET_BL_V4" | awk 'END{print "BLv4:", NR+0}'
- ipset_members "$SET_BL_V6" | awk 'END{print "BLv6:", NR+0}'
- ipset_members "$SET_RL_V4" | awk 'END{print "RLv4:", NR+0}'
- ipset_members "$SET_GB_V4" | awk 'END{print "GBv4:", NR+0}'
- echo "== systemd =="; systemctl status --no-pager ddos-guard.timer 2>/dev/null | sed -n '1,12p'
- echo "== whitelist srcstat =="; [ -f "$RUNDIR/wl.srcstat" ] && cat "$RUNDIR/wl.srcstat" || echo "(鏆傛棤)"
- echo "== scan interval =="; [ -f "$RUNDIR/scan-interval.current" ] && cat "$RUNDIR/scan-interval.current" || echo "${SCAN_INTERVAL}"
- echo "== attack state =="; [ -f "$attack_state_file" ] && cat "$attack_state_file" || echo 0
- }
- cmd_top(){ top_talkers_l4; }
- cmd_history(){ [ -f "$BAN_HISTORY" ] && tail -n 50 "$BAN_HISTORY" || echo "鏆傛棤鍘嗗彶銆"; }
- cmd_check(){
- echo "== 渚濊禆妫€鏌 =="; for c in ss iptables ipset python3 host conntrack redis-cli; do printf "%-12s : " "$c"; have "$c" && echo OK || echo MISSING; done
- autodetect_btwaf_paths
- echo "== BTWAF 鏂囦欢 =="; ls -l "$BTWAF_IP_WHITE" 2>/dev/null || echo "鏃 IPv4 鏁村舰鐧藉悕鍗"; ls -l "$BTWAF_IP_WHITE_V6" 2>/dev/null || echo "鏃 IPv6 鐧藉悕鍗"
- echo "== 鐧藉悕鍗曟簮 =="; echo "$IGNORE_IP_FILE"; [ -s "$IGNORE_IP_FILE" ] && echo "(has content)"; echo "$IGNORE_HOST_FILE"; [ -s "$IGNORE_HOST_FILE" ] && echo "(has content)"
- echo "== Host/Path JSON =="; [ -s "$THRESHOLDS_JSON" ] && echo "$THRESHOLDS_JSON (present)" || echo "浣跨敤鑴氭湰鍐呯疆榛樿"
- }
- cmd_tune(){ echo "淇濆簳闃堝€硷細SYN=${NO_OF_SYN} EST=${NO_OF_EST} CT=${NO_OF_CT}锛涙敾鍑绘€ L7 璧风偣=${CC_THRESHOLD_ATTACK_MODE}"; }
- cmd_tune_guide(){
- cat <<'EOF'
- [璋冧紭鎸囧崡]
- - 澶氱珯鐐癸細CC_LOG_PATHS/ERROR_LOG_PATHS 涓€琛屼竴涓紱LOG_HOST_MAP 鍙寚瀹氣€滆矾寰勬鍒 鈫 鍩熷悕鈥濄€
- - 闃堝€ JSON锛欸LOBAL 瑕嗙洊鍏滃簳锛涙瘡 host 閰 HOST_WEIGHT 鍜 L1/L2/L3锛汸ATH_TIERS 鏀寔 regex/prefix銆
- - 铚樿洓锛欸OOD(UA+PTR+鍥炶瘉) 鈫 ddos_goodbots_v4 鍏嶆壈锛汼EMI 鍏堥檺閫燂紱BAD/FAKE 鏀剁揣闃堝€间紭鍏堝皝绂併€
- - 鐧藉悕鍗曪細鑱氬悎 BTWAF v4/v6 + ignore.ip/host锛汻edis 鍝堝笇鐢ㄤ簬闈欓粯鑷剤锛**鍛婅浠呮寜 mtime**銆
- - Redis锛氱敤浜 L7 鍘熷瓙璁℃暟(10s绐楀彛) 涓庘€滄棩蹇楁父鏍囩紦瀛樷€濓紱鏃 Redis 鑷姩閫€鍖栥€
- - 鍔ㄦ€佽皟閫燂細鏀诲嚮妯″紡鈫抰imer 闄嶈嚦 ATTACK_SCAN_INTERVAL锛涢€€鍑烘仮澶 SCAN_INTERVAL銆
- - 閽夐拤锛氱姸鎬佸憡璀︼紙杩/閫€锛+ 鎵规鎴樻姤锛涘悓绫 10 鍒嗛挓鑺傛祦锛圖INGTALK_THROTTLE_SEC锛夈€
- EOF
- }
- cmd_whitelist_reload(){ load_whitelist; reconcile_unban_whitelisted; }
- cmd_whitelist_show(){ show_whitelist; }
- cmd_whitelist_debug(){
- autodetect_btwaf_paths
- echo "== 璺緞涓庣幆澧 =="
- echo "IGNORE_IP_FILE : $IGNORE_IP_FILE"
- echo "IGNORE_HOST_FILE : $IGNORE_HOST_FILE"
- echo "BTWAF_IP_WHITE : $BTWAF_IP_WHITE"
- echo "BTWAF_IP_WHITE_V6 : $BTWAF_IP_WHITE_V6"
- echo "python3 : $PY3"
- echo "host : $HOST"
- echo "getent : $GETENT"
- echo
- echo "== ignore.ip.list 棰勮 =="; [ -r "$IGNORE_IP_FILE" ] && nl -ba "$IGNORE_IP_FILE" | sed -n '1,30p' || echo "(涓嶅瓨鍦ㄦ垨涓嶅彲璇)"
- echo
- echo "== ignore.host.list 瑙f瀽娴嬭瘯锛堝墠 10 涓煙鍚嶏級=="
- if [ -r "$IGNORE_HOST_FILE" ]; then
- head -n 50 "$IGNORE_HOST_FILE" | sed 's/#.*$//' | sed '/^[[:space:]]*$/d' | head -n 10 | while read -r h; do
- echo "-- $h"; resolve_host_to_ips "$h" | head -n 5 | sed 's/^/ /'
- done
- else
- echo "(涓嶅瓨鍦ㄦ垨涓嶅彲璇)"
- fi
- echo
- echo "== BTWAF IPv4 JSON 杞崲锛堝墠 20 鏉★級=="
- if [ -r "$BTWAF_IP_WHITE" ] && [ -n "$PY3" ]; then parse_btwaf_ipv4_json "$BTWAF_IP_WHITE" 2>/dev/null | head -n 20; else echo "(鏂囦欢涓嶅瓨鍦/涓嶅彲璇绘垨 python3 涓嶅彲鐢)"; fi
- echo
- echo "== BTWAF IPv6 JSON 杞崲锛堝墠 20 鏉★級=="
- if [ -r "$BTWAF_IP_WHITE_V6" ] && [ -n "$PY3" ]; then parse_btwaf_ipv6_json "$BTWAF_IP_WHITE_V6" 2>/dev/null | head -n 20; else echo "(鏂囦欢涓嶅瓨鍦/涓嶅彲璇绘垨 python3 涓嶅彲鐢)"; fi
- }
- cmd_redis_status(){
- if [ -z "$REDIS_CLI" ]; then echo "redis-cli 鏈畨瑁"; return 1; fi
- echo "== Redis 杩炴帴娴嬭瘯 =="; $REDIS_CLI PING 2>/dev/null || { echo "PING 澶辫触"; return 1; }; echo "PONG"
- echo "== 鍘熷瓙璁℃暟 10s 绐楀彛娴嬭瘯 =="
- local key="ddos:test:$$"; local r
- r=$($REDIS_CLI -x <<EOF
- MULTI
- DEL $key
- INCR $key
- EXPIRE $key 10
- EXEC
- EOF
- )
- echo "$r" | sed 's/^/ /'
- local cnt; cnt=$(echo "$r" | tail -n1 | tr -dc 0-9)
- [ -n "$cnt" ] && echo "璁℃暟=$cnt锛>=1 姝e父锛" || echo "鏈嬁鍒拌鏁板€"
- }
- cmd_ban(){ [ $# -ge 2 ] || die "鐢ㄦ硶锛$0 ban <ip>"; ban_ip "$2" "manual"; }
- cmd_unban(){ [ $# -ge 2 ] || die "鐢ㄦ硶锛$0 unban <ip>"; unban_ip "$2" "manual"; }
- cmd_flush_bans(){ flush_bans; }
- cmd_blacklist(){
- [ $# -ge 2 ] || die "鐢ㄦ硶锛$0 blacklist <ip|file>"
- local arg="$2"
- if [ -f "$arg" ]; then
- while read -r x; do
- x="${x%%#*}"; x="${x//$'\r'/}"; x="$(echo "$x" | xargs || true)"; [ -n "$x" ] || continue
- is_ipv6 "$x" && $IPSET add "$SET_BL_V6" "$x" -exist || $IPSET add "$SET_BL_V4" "$x" -exist
- done < "$arg"
- else
- is_ipv6 "$arg" && $IPSET add "$SET_BL_V6" "$arg" -exist || $IPSET add "$SET_BL_V4" "$arg" -exist
- fi
- }
- cmd_f2b_setup(){
- need_root
- local jail="${F2B_JAIL_LOCAL:-/etc/fail2ban/jail.local}"
- touch "$jail"
- local tmp="$TMPDIR/f2b.ignore.v4"; ipset_members "$SET_WL_V4" > "$tmp" || true
- if ! grep -q '^\[DEFAULT\]' "$jail"; then echo -e "[DEFAULT]\nignoreip = 127.0.0.1/8" >> "$jail"; fi
- local old; old=$(awk -F'= *' '/^\[DEFAULT\]/{f=1} f&&/^ignoreip *=/{print $2; exit}' "$jail" | tr -d ' \t')
- local addrs; addrs=$(cat "$tmp" | paste -sd, -)
- [ -n "$addrs" ] || { log "Fail2Ban锛氭棤鍙悎骞剁櫧鍚嶅崟"; return 0; }
- local merged
- merged=$(python3 - <<PY "$old" "$addrs"
- import sys
- o=(sys.argv[1] or "").split(",")
- a=(sys.argv[2] or "").split(",")
- s=set([x.strip() for x in o if x.strip()])|set([x.strip() for x in a if x.strip()])
- print(",".join(sorted(s)))
- PY
- )
- python3 - <<'PY' "$jail" "$merged"
- import sys,re
- p,merged=sys.argv[1],sys.argv[2]
- s=open(p,'r',encoding='utf-8').read()
- def repl(m): return m.group(1)+'= '+merged
- s=re.sub(r'(^\[DEFAULT\][\s\S]*?^ignoreip\s*)=.*$', lambda m: repl(m), s, flags=re.M)
- open(p,'w',encoding='utf-8').write(s)
- PY
- systemctl restart fail2ban 2>/dev/null || true
- log "Fail2Ban ignoreip 宸插閲忓悎骞剁櫧鍚嶅崟锛屽苟灏濊瘯閲嶅惎鏈嶅姟銆"
- }
- cmd_daily_report(){
- log "寮€濮嬬敓鎴愭瘡鏃ユ垬鎶..."
- local start_ts; start_ts=$(date -d "yesterday 19:30:00" +%s)
- local end_ts; end_ts=$(date -d "today 19:30:00" +%s)
- local report_data; report_data=$(
- awk -F, -v start="$start_ts" -v end="$end_ts" '
- BEGIN { OFS="," }
- {
- cmd="date -d ""$1"" +%s"
- cmd | getline ts
- close(cmd)
- if (ts >= start && ts < end) {
- print $0
- }
- }
- ' "$BAN_HISTORY" 2>/dev/null || true
- )
- local ban_count=0 unban_count=0
- local ban_details=""
- ban_count=$(echo "$report_data" | grep -c ',BAN,' || true)
- unban_count=$(echo "$report_data" | grep -c ',UNBAN,' || true)
- if [ "$ban_count" -gt 0 ]; then
- ban_details=$(echo "$report_data" | grep ',BAN,' | head -n 20 | awk -F, '{
- gsub(/"/, "\\"", $4); # Escape quotes in reason
- print "- **" $3 "** (" $4 ")"
- }' || true)
- fi
- local pub; pub="$(get_public_ip)"
- local text="### 馃搱 DDoS-Guard 姣忔棩鎴樻姤
- - **鎶ュ憡鏃堕棿**: $($DATE '+%F %T')
- - **缁熻鍛ㄦ湡**: 杩囧幓 24 灏忔椂
- - **涓绘満鍏綉 IP**: $pub
- - **鎬昏灏佺IP鏁**: ${ban_count}
- - **鎬昏瑙e皝IP鏁**: ${unban_count}
- #### 灏佺璇︽儏 (鏈€澶氭樉绀20鏉)
- $([ -n "$ban_details" ] && echo -e "$ban_details" || echo "- 浠婃棩鏃犳柊澧炲皝绂両P")"
- alert_markdown "daily-report" "DDoS-Guard 姣忔棩鎴樻姤" "$text"
- log "姣忔棩鎴樻姤宸茬敓鎴愬苟鎺ㄩ€併€"
- }
- # ==============================================================================
- # 涓诲叆鍙
- # ==============================================================================
- case "${1:-}" in
- install) cmd_install;;
- uninstall) cmd_uninstall;;
- run) shift || true; mode="${1:-wait}"; [ "$mode" = "--nowait" ] && mode="nowait" || mode="wait"; run_once "$mode";;
- daemon) cmd_daemon;;
- status) cmd_status;;
- top) cmd_top;;
- history) cmd_history;;
- check) cmd_check;;
- tune) cmd_tune;;
- tune-guide) cmd_tune_guide;;
- whitelist-reload) cmd_whitelist_reload;;
- whitelist-show) cmd_whitelist_show;;
- whitelist-debug) cmd_whitelist_debug;;
- redis-status) cmd_redis_status;;
- ban) cmd_ban "$@";;
- unban) cmd_unban "$@";;
- flush-bans) cmd_flush_bans;;
- blacklist) cmd_blacklist "$@";;
- f2b-setup) cmd_f2b_setup;;
- daily-report) cmd_daily_report;;
- btwaf-sync-whitelist) cmd_whitelist_reload;;
- *)
- cat <<'USAGE'
- 鐢ㄦ硶锛歞dos-guard <subcommand>
- 瀛愬懡浠わ細
- install | uninstall | run [--nowait] | daemon
- status | top | history | check | tune | tune-guide
- whitelist-reload | whitelist-show | whitelist-debug | redis-status
- ban <ip> | unban <ip> | flush-bans | blacklist <ip|file> | f2b-setup
- btwaf-sync-whitelist # 鍏煎鍒悕锛堝悓 whitelist-reload锛
- 璇存槑锛
- - 澶氱珯鐐癸細鍦 CC_LOG_PATHS 涓 ERROR_LOG_PATHS 閲屼竴琛屼竴涓棩蹇楁枃浠跺嵆鍙紱
- 鑻ユ棩蹇楅噷鏃犳硶瑙f瀽 Host锛屽彲鍦 LOG_HOST_MAP 涓坊鍔犫€滄枃浠惰矾寰勬鍒 鈫 鍩熷悕鈥濈殑鏄犲皠銆
- - 闃堝€硷細鑻ュ瓨鍦 /etc/ddos/host-thresholds.json锛屽垯浠ヨ鏂囦欢涓哄噯锛涘惁鍒欎娇鐢ㄨ剼鏈唴缃粯璁わ紙宸插浐鍖栦綘鐨勯厤缃 + Discuz PATH_TIERS锛夈€
- - 铚樿洓绛栫暐锛氱湡路濂借湗铔涳紙UA+PTR+姝e悜鍥炶瘉锛夆啋 ddos_goodbots_v4 鍏嶆壈锛涘崐鍙俊鍏堥檺閫燂紱浼€/鎭舵剰浼樺厛灏佺銆
- - 鐧藉悕鍗曪細姣忚疆 run 閮戒細鑱氬悎 BTWAF v4/v6 + ignore.ip/host锛沚an 鍓嶄簩娆℃牎楠岋紱
- whitelist-reload 鍚庤嚜鍔ㄨВ灏佸凡杩涘叆鐧藉悕鍗曠殑璇皝 IP銆
- - Redis锛氱敤浜 L7 鍘熷瓙璁℃暟鍜屸€滄棩蹇楁父鏍囩紦瀛樷€濓紙闄嶄綆纾佺洏 I/O锛夛紝鏃 Redis 鑷姩闄嶇骇銆
- - 鍔ㄦ€佽皟閫燂細杩涘叆鏀诲嚮妯″紡鈫掑皢宸℃闂撮殧鏀逛负 ATTACK_SCAN_INTERVAL锛堥粯璁 2s锛夛紝閫€鍑哄悗鎭㈠涓 SCAN_INTERVAL銆
- - 閽夐拤锛氭嫢鏈夆€滆繘鍏/閫€鍑烘敾鍑绘ā寮忊€濈殑鐘舵€佸憡璀︿笌鈥滄壒娆℃垬鎶モ€濓紝鍚岀被 10 鍒嗛挓鑺傛祦銆
- USAGE
- ;;
- esac
鍏朵腑鏉ユ簮鐧藉悕鍗曟枃浠跺弬鑰冩垨鑰呯洿鎺ュ€熺敤锛
鐧藉悕鍗曡嚜瀹氫箟鏂囦欢涓婁紶瀛樻斁鍒帮細/etc/ddos/
涓洪槻姝㈠嚭閿欙紝浣犲彲浠ョ洿鎺ヤ笅杞芥鑴氭湰锛岀劧鍚庤繘琛屼慨鏀瑰悗涓婁紶鑷筹細/usr/local/sbin/ 涓嬮潰銆銆愬缓璁繕鏄剼鏈懡浠ゆ楠ゆ墜宸ュ鍒讹紝浠ュ厤鏂囦欢瀛樺湪缂栫爜宸紓闂銆
璧嬩簣鑴氭湰瀹夎鎵ц鏉冮檺锛
- sudo chmod +x /usr/local/sbin/ddos-guard
绮樿创淇敼鍐呭鍚庣殑璇硶鏍¢獙锛锛堟棤浠讳綍閿欒杈撳嚭琛ㄧず閫氳繃锛
- sudo bash -n /usr/local/sbin/ddos-guard
- sudo /usr/local/sbin/ddos-guard install
鍒涘缓姣忔棩闃插尽鎯呭喌姹囨姤璁″垝浠诲姟锛氾紙姣忔棩闃插尽鏃ユ姤锛
- crontab -e
- 30 19 * * * /usr/local/sbin/ddos-guard daily-report >/dev/null 2>&1
- # 閲嶈浇鏈嶅姟閲嶅惎鏃堕棿璁℃暟鍣
- sudo systemctl daemon-reload && sudo systemctl restart ddos-guard.timer
- # 鍚屾 瀹濆nginx闃茬伀澧 鐧藉悕鍗 + 寮哄埗宸℃涓€杞
- sudo ddos-guard btwaf-sync-whitelist
- sudo ddos-guard run
- sudo ddos-guard status
- # 鏌ョ湅鎵€鏈塱pv4鐧藉悕鍗
- sudo ddos-guard whitelist-show
- # 鏌ョ湅鎵€鏈夌櫧鍚嶅崟缁熻
- sudo ddos-guard whitelist-show --count
- # Fail2ban 閮ㄧ讲
- sudo ddos-guard f2b-setup
- sudo ddos-guard f2b-status
- # 涓€閿竻绌洪粦鍚嶅崟骞跺敖閲忚仈鍔‵ail2ban瑙e皝
- sudo ddos-guard clear-bans [--all-jails]
- # 鍒犻櫎鍗曚釜琚案涔呭皝绂佺殑 IP
- sudo nft delete element inet ddg bl4 { 220.181.108.93 }
- # 娓呯┖鎵€鏈夋案涔呭皝绂侊紙鎱庣敤锛
- sudo nft flush set inet ddg bl4
- # 娓呯┖鎵€鏈変复鏃跺皝绂侊紙濡傛灉涔熸兂椤烘墜瑙e紑 tmp锛
- sudo ddos-guard flush-temp
- # 淇敼鍚庨噸鏂板姞杞芥墽琛
- sudo systemctl daemon-reload
- sudo systemctl start ddos-guard.timer
- # 鏌ョ湅闃叉姢瀹氭椂鍣ㄧ姸鎬
- sudo systemctl status ddos-guard.timer
- --------------------------------------------------------------------------
- # 鏌ョ湅鐘舵€
- sudo ddos-guard status
- # 瀹炴椂鐩戞帶
- sudo ddos-guard top
- # 閽夐拤鎺ㄩ€佹秷鎭嚜妫€锛堟墦鍗颁袱娆¤繑鍥炰綋锛
- sudo ddos-guard ding-check
- # 鏌ョ湅閽夐拤閰嶇疆锛堣繖閲屼細鏄剧ず瀹屾暣 host锛
- sudo ddos-guard ding-show-config
- # 骞舵墜宸ヨ窇涓€杞紝瑙傛祴鏄惁鏈 MASS_BAN 鎺ㄩ€
- sudo rm -f /var/lib/ddos-guard/notify/last_*.ts
- sudo env DINGTALK_DEBUG=2 ddos-guard run
- # 鏌ョ湅闃叉姢瀹氭椂鍣ㄧ姸鎬
- sudo systemctl status ddos-guard.timer
- # 鏌ョ湅灏佺鍘嗗彶
- sudo ddos-guard history
- # 鎵嬪姩杩愯涓€娆℃壂鎻
- sudo ddos-guard run
- # 鏌ョ湅闃叉姢鏈嶅姟杩愯鐘舵€
- sudo systemctl status ddos-guard.service
- # 鏌ョ湅褰撳墠榛戝悕鍗
- sudo ddos-guard blacklist
- # 鏌ョ湅IP濞佽儊鎯呮姤搴
- sudo ipset list ddos_tempban
- # 鏌ョ湅姘镐箙灏佺榛戝悕鍗曪紙IP濞佽儊鎯呮姤搴擄級
- sudo ddos-guard perma-list
- # 缃戠粶璋冧紭鍐呮牳闃插尽鍙傛暟涓存椂搴旂敤
- sudo ddos-guard tune
- # ddos-guard 鐜鑷鎶ュ憡
- sudo ddos-guard check
- # 鏌ョ湅鏈嶅姟鍣≧edis鍘熺敓CC闃插尽寮曟搸鐘舵€
- sudo ddos-guard redis-status
- # 涓€閿竻绌哄皝绂
- sudo ddos-guard flush-bans
- # 鎴栧悓鏃舵竻鎯呮姤搴撳苟灏濊瘯浠 fail2ban 瑙e皝
- sudo ddos-guard flush-bans --purge-intel
- # 闆嗘垚 Fail2ban 鑱斿姩闃插尽鍒濆鍖
- sudo ddos-guard f2b-setup
- # 鍒锋柊鍩熷悕鐧藉悕鍗曠紦瀛
- sudo ddos-guard refresh-dns
- # 鍒锋柊瀹濆鐧藉悕鍗曠紦瀛
- ddos-guard refresh-btwaf
- # 瀹屽叏鍗歌浇~
- sudo ddos-guard uninstall || true
- # 鎵嬪姩閿€姣佹棫闆嗗悎锛堟鏃 iptables 瑙勫垯宸茶鍗歌浇锛屼笉浼氳寮曠敤锛
- for s in ddos_white ddos_tempban ddos_permban ddos_white_v6 ddos_tempban_v6 ddos_permban_v6; do
- sudo ipset destroy "$s" 2>/dev/null || true
- done
- # 閲嶆柊瀹夎
- sudo ddos-guard install
- # 濡傛灉涔嬪墠 family 寮勯敊銆乼imer 娌¤濂斤細
- sudo ddos-guard repair-ipsets
- sudo ddos-guard fix-systemd
- # 閲嶆柊鍚屾鐧藉悕鍗曞苟璺戜竴杞娴
- sudo ddos-guard btwaf-sync-whitelist
- sudo ddos-guard run
- # 鍏抽棴瀹濆绯荤粺鍔犲浐
- btpython /www/server/panel/plugin/syssafe/stop.py 0