Counting service connections with iptables and log records
This post was last edited by kashu on 2013-7-1 14:04. First, use the iptables LOG target to write every relevant connection event to the /var/log/messages log file, then run a script over it to produce the statistics:
Below is the firewall configuration, copied briefly:
# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
LOG        all  --  0.0.0.0/0            0.0.0.0/0            state INVALID LOG flags 6 level 4 prefix `DROP_INVALID'
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 LOG flags 6 level 4 prefix `SSH_CONNECT======>'
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21 LOG flags 6 level 4 prefix `FTP__CONNECT===>'
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8008 LOG flags 6 level 4 prefix `HTTP8008__CONNECT===>'
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8008
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:808 LOG flags 6 level 4 prefix `SQUID_CONNECT=======>'
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:808
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1723
ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 LOG flags 6 level 4 prefix `HTTP_80======>'
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:666
=====================================================================================
Most of this is for internal company use, so the port choices look a bit, well, odd....
LOG rule: iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH_CONNECT===>" --log-ip-options --log-tcp-options
The other rules are added the same way. We only count connections for the entries that have a LOG rule. Next, let's look at the general format of the messages file:
# ls -lh /var/log/mes*
-rw------- 1 root root 375K 5月 28 15:16 /var/log/messages
-rw------- 1 root root  70M 5月 25 14:04 /var/log/messages-201305_24
-rw------- 1 root root 7.2M 5月 28 14:37 /var/log/messages-201305_25
-rw------- 1 root root 4.1M 5月 27 00:05 /var/log/messages-201305_26
-rw------- 1 root root 5.8M 5月 28 00:05 /var/log/messages-201305_27
Only one log entry is copied here:
May 28 15:17:28 localhost kernel: SQUID_CONNECT=======>IN=eth0 OUT= MAC=00:24:1d:10:02:de:f8:66:f2:d1:da:c0:08:00 SRC=182.41.211.206 DST=112.253.22.13 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=22209 DF PROTO=TCP SPT=1530 DPT=808 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405A00103030201010402)
Then we can write a script to do the statistics. The script is as follows:
============================================================================================
# cat Backup_Messages.sh
#!/bin/bash
# Rotate /var/log/messages into a dated file and append per-service
# connection statistics (taken from the iptables LOG lines) to that file.
DATE=`/bin/date +%Y%m_%d`
File_Name=/var/log/messages-$DATE
# Drop the append-only flag, copy today's log away, empty the live log, restore the flag.
/usr/bin/chattr -a /var/log/messages
/bin/cp /var/log/messages $File_Name
/bin/echo > /var/log/messages
/usr/bin/chattr +a /var/log/messages
# Print one summary block: $1 is the service label, $2 the block title.
ECHO(){
    /bin/echo "******$2******"
    /bin/echo "The sum of $1 connections: $Connection_Sum"
    /bin/echo "The sum of $1 Connect_IP: $IP_Sum"
}
# For each LOG prefix given as an argument: count the matching kernel lines,
# count the distinct source IPs (field 9 is SRC=...), and append the results.
function Mon(){
    N=1
    while [ $# -ne 0 ]
    do
        # Match only kernel log lines, so the summary text appended below
        # (for example "HTTP_8008") is never counted as an "HTTP_80" connection.
        Connection_Sum=`/bin/grep "kernel: .*$1" $File_Name|wc -l`
        IP_Sum=`/bin/grep "kernel: .*$1" $File_Name|awk '{print $9}'|awk -F = '{print $2}'|sort -n|uniq -c|wc -l`
        /bin/echo -e "\n\n\n" >> $File_Name
        /bin/echo ====================================== >> $File_Name
        case $N in
            1) ECHO INVALID INVALID_DROP >> $File_Name;;
            2) ECHO SSH SSH_22 >> $File_Name;;
            3) ECHO FTP FTP_21 >> $File_Name;;
            4) ECHO 8008 HTTP_8008 >> $File_Name;;
            5) ECHO SQUID SQUID_808 >> $File_Name;;
            6) ECHO 80 HTTP_80 >> $File_Name;;
            *) exit 0;;
        esac
        /bin/echo "Following is the List:" >> $File_Name
        /bin/grep "kernel: .*$1" $File_Name|awk '{print $9}'|awk -F = '{print $2}'|sort -n|uniq -c|sort -n -r >> $File_Name
        shift;let N++
    done
}
Mon DROP_INVALID SSH_CONNECT FTP__CONNECT HTTP8008__CONNECT SQUID_CONNECT HTTP_80
# Make the finished daily file immutable.
/usr/bin/chattr +i $File_Name
==========================================================================================
The script is simple: it rotates the log by hand and appends the statistics to the end of each day's log file. Here are the results:
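As an added example (not the script from the post), the same per-prefix count written so that SRC= is pulled out by pattern rather than by field position and only kernel: lines are considered; it assumes bash with GNU-style grep -o, and the log lines it reads are constructed for the example.

```shell
#!/bin/bash
# Added example: per-prefix connection statistics from iptables LOG lines.
# SRC= is extracted by pattern, not by field position ($9), so lines that
# carry a kernel "[ seconds]" timestamp are counted too; only "kernel:"
# lines are considered, so summary text appended to the log is ignored.
# The log lines below are constructed for this example.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
May 28 15:17:28 localhost kernel: SQUID_CONNECT=======>IN=eth0 OUT= MAC=00:24:1d:10:02:de:f8:66:f2:d1:da:c0:08:00 SRC=182.41.211.206 DST=112.253.22.13 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=22209 DF PROTO=TCP SPT=1530 DPT=808 WINDOW=8192 RES=0x00 SYN URGP=0
May 28 15:18:01 localhost kernel: [ 6412.112233] SQUID_CONNECT=======>IN=eth0 OUT= MAC=00:24:1d:10:02:de:f8:66:f2:d1:da:c0:08:00 SRC=182.41.211.206 DST=112.253.22.13 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=22210 DF PROTO=TCP SPT=1531 DPT=808 WINDOW=8192 RES=0x00 SYN URGP=0
May 28 15:19:40 localhost kernel: SSH_CONNECT======>IN=eth0 OUT= MAC=00:24:1d:10:02:de:f8:66:f2:d1:da:c0:08:00 SRC=218.65.61.80 DST=112.253.22.13 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 15:20:05 localhost kernel: DROP_INVALIDIN=eth0 OUT= MAC=00:24:1d:10:02:de:f8:66:f2:d1:da:c0:08:00 SRC=60.15.119.182 DST=112.253.22.13 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=2 PROTO=TCP SPT=1111 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
May 28 15:21:13 localhost kernel: HTTP_80======>IN=eth0 OUT= MAC=00:24:1d:10:02:de:f8:66:f2:d1:da:c0:08:00 SRC=36.233.98.150 DST=112.253.22.13 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=3 DF PROTO=TCP SPT=2222 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
******HTTP_8008******
The sum of 8008 connections: 7
EOF

# Print the source IP of every kernel LOG line carrying PREFIX, one per line.
sources() {
    # Usage: sources LOGFILE PREFIX
    grep "kernel: .*$2" "$1" | grep -o 'SRC=[^ ]*' | cut -d= -f2
}

# Print "<connections> <distinct source IPs>" for PREFIX.
count_prefix() {
    # Usage: count_prefix LOGFILE PREFIX
    local conns ips
    conns=$(sources "$1" "$2" | wc -l | tr -d ' ')
    ips=$(sources "$1" "$2" | sort -u | wc -l | tr -d ' ')
    echo "$conns $ips"
}

# Print "<count> <ip>" lines for PREFIX, most active source first.
top_sources() {
    # Usage: top_sources LOGFILE PREFIX
    sources "$1" "$2" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

for p in DROP_INVALID SSH_CONNECT SQUID_CONNECT HTTP_80; do
    echo "$p: $(count_prefix "$SAMPLE_LOG" "$p")"
    top_sources "$SAMPLE_LOG" "$p"
done
```

With the post's original grep "$1" the HTTP_80 count here would be 2, because the appended "******HTTP_8008******" summary line also matches; restricting to kernel: lines gives 1.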
# ls -lh mess*
-rw------- 1 root root  577 5月 28 15:25 messages
-rw------- 1 root root  70M 5月 25 14:04 messages-201305_24
-rw------- 1 root root 7.2M 5月 28 14:37 messages-201305_25
-rw------- 1 root root 4.1M 5月 27 00:05 messages-201305_26
-rw------- 1 root root 5.8M 5月 28 00:05 messages-201305_27
-rw------- 1 root root  35K 5月 28 14:50 messages-201305_28
=================
# lsattr mess*
-----a-------e- messages
----i--------e- messages-201305_24
----i--------e- messages-201305_25
----i--------e- messages-201305_26
----i--------e- messages-201305_27
----i--------e- messages-201305_28
As you can see, after rotation the new sizes and the special attributes took effect immediately. Let's look at today's (the 28th) access so far:
# cat messages-201305_28
(the detailed records are skipped here...)
=====================================
******INVALID_DROP******
The sum of INVALID connections: 3
The sum of INVALID Connect_IP: 3
Following is the List:
1 60.15.119.182
1 212.1.208.107
1 200.124.141.82
======================================
******SSH_22******
The sum of SSH connections: 1
The sum of SSH Connect_IP: 1
Following is the List:
1 218.65.61.80
======================================
******FTP_21******
The sum of FTP connections: 8
The sum of FTP Connect_IP: 2
Following is the List:
6 182.41.211.206
2 61.179.50.3
======================================
******HTTP_8008******
The sum of 8008 connections: 7
The sum of 8008 Connect_IP: 1
Following is the List:
7 112.253.22.13
======================================
******SQUID_808******
The sum of SQUID connections: 27
The sum of SQUID Connect_IP: 1
Following is the List:
27 182.41.211.206
======================================
******HTTP_80******
The sum of 80 connections: 76
The sum of 80 Connect_IP: 4
Following is the List:
48 36.233.98.150
25 125.39.45.154
2 124.238.249.171
1 111.161.20.214
# crontab -l
00 00 * * * sh ~/Backup_Messages.sh
Run once a day at midnight.
I only did the statistics; ideally one would also apply restrictions and the like based on them.