• 动态获取bind dns日志IP脚本


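    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    """Tail a BIND query log and firewall the client addresses found in it.

    Usage:
        python deny_dns_allip.py your_filelog_name

    Works like ``tail -f filename | awk -F "your condition"`` with the result
    fed to ``iptables -I INPUT -s <ip> -j DROP``: each new line is split on
    MATCH_PATTERN, the first dotted-quad in the part before the pattern is
    taken as the client address, and that address is dropped unless its first
    octet is listed in EXCLUDED_PREFIXES or it has already been dropped.
    Edit MATCH_PATTERN and EXCLUDED_PREFIXES to reuse the script on other logs.
    """
    from __future__ import print_function

    from sys import argv
    import collections
    import re
    import subprocess
    import time

    # Text that splits each log line; the client address is searched in the
    # part before it. A line without the pattern is searched as a whole, which
    # keeps the original split()[0] behaviour.
    MATCH_PATTERN = "query: hoffmeister.be IN ANY +E"
    # First octets that are never blocked (operator-defined exemptions).
    EXCLUDED_PREFIXES = ("172", "124", "211")
    # Dotted-quad matcher; the dots are escaped so "." cannot match any character.
    IP_RE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
    # Seconds to wait when no new line has been appended yet.
    POLL_INTERVAL = 0.1


    def extract_ip(line):
        """Return the client address found in *line*, or None when there is none.

        Only the text before MATCH_PATTERN is inspected (the whole line when
        the pattern is absent); the first dotted-quad in it is returned.
        """
        head = line.split(MATCH_PATTERN)[0]
        match = IP_RE.search(head)
        return match.group() if match else None


    def is_exempt(ip):
        """Return True when the first octet of *ip* is in EXCLUDED_PREFIXES."""
        return ip.split(".")[0] in EXCLUDED_PREFIXES


    def drop_ip(ip):
        """Insert an iptables DROP rule for *ip* and echo the command.

        The rule is passed as an argument list rather than a shell string, so
        the address is never interpreted by a shell.
        """
        print("======>>i:", ip)
        subprocess.call(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])
        print("iptables -I INPUT -s %s -j DROP" % (ip,))


    def main():
        """Print the last 5 lines of the log, then follow it and drop new addresses."""
        if len(argv) < 2:
            raise SystemExit("usage: python deny_dns_allip.py your_filelog_name")
        blocked = set()  # addresses already handed to iptables
        with open(argv[1], "r") as log:
            print("".join(collections.deque(log, 5)).strip("\n"))  # last 5 lines
            log.seek(0, 2)  # jump to the end so only newly appended lines are seen
            while True:
                line = log.readline()
                if not line:
                    time.sleep(POLL_INTERVAL)
                    continue
                ip = extract_ip(line.strip("\n"))
                if ip is None or ip in blocked or is_exempt(ip):
                    continue
                blocked.add(ip)
                drop_ip(ip)


    if __name__ == "__main__":
        main()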

    加强版

    动态获取日志,然后调用淘宝 IP 查询的 API 智能判断来源 IP 属于什么地方,当它是国外的 IP 时,直接干掉。

    解决了部分用户使用手机 4G 测试时被意外干掉的情况。

    # -*- coding: utf-8 -*-
    from __future__ import print_function

    import os
    import subprocess

    import requests
     
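    def checkip(ip):
        """Geolocate *ip* via the Taobao IP API and DROP it when it is outside China.

        Args:
            ip: dict with one entry, ``{'ip': '<address>'}``; it is sent as the
                query string and its only value is the address acted on.

        Returns:
            The country name reported by the API, or None when the request
            failed, the body was not JSON, or the API returned a non-zero code
            (the firewall is left untouched in those cases).

        The verdict rests on an unauthenticated plain-HTTP answer from a third
        party: a wrong, stale or spoofed reply changes the firewall, so keep
        the caller's exemption list in front of this check.
        """
        url = 'http://ip.taobao.com/service/getIpInfo.php'
        try:
            r = requests.get(url, params=ip, timeout=2)
            json_data = r.json()
        except (requests.RequestException, ValueError) as e:
            # Network error or a non-JSON body: report it and do not touch iptables.
            print(e)
            return None
        if json_data.get(u'code') != 0:
            print('查询失败,请稍后再试!')
            return None
        # Compare text with text: the previous .encode('utf-8') produced bytes,
        # which under Python 3 never equals a str and so dropped every address.
        country = json_data[u'data'][u'country']
        target = list(ip.values())[0]
        if country != u'中国':
            print("---------------country and ip", country, target)
            # Argument list, not a shell string, so the address is never shell-parsed.
            subprocess.call(["iptables", "-I", "INPUT", "-s", target, "-j", "DROP"])
            print("iptables -I INPUT -s %s -j DROP" % (target,))
        else:
            print("----china", target)
        return country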
    
    #ip= {'ip':'67.177.203.45'}
    #checkip(ip)
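    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    """Tail a BIND query log and hand each new client address to ip_check.

    Usage:
        python <this script> your_filelog_name

    Enhanced version of deny_dns_allip.py: instead of dropping an address
    directly, every new address is passed to ``ip_check.checkip`` as
    ``{'ip': address}`` and that function decides whether to drop it.
    Addresses whose first octet is in EXCLUDED_PREFIXES are never checked.
    """
    from __future__ import print_function

    from sys import argv
    import collections
    import re
    import time
    import ip_check

    # Text that splits each log line; the client address is searched in the
    # part before it. A line without the pattern is searched as a whole, which
    # keeps the original split()[0] behaviour.
    MATCH_PATTERN = "query: hoffmeister.be IN ANY +E"
    # First octets that are never handed to ip_check (operator-defined exemptions).
    EXCLUDED_PREFIXES = ("172", "124", "211")
    # Dotted-quad matcher; the dots are escaped so "." cannot match any character.
    IP_RE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
    # Seconds to wait when no new line has been appended yet.
    POLL_INTERVAL = 2


    def extract_ip(line):
        """Return the client address found in *line*, or None when there is none.

        Only the text before MATCH_PATTERN is inspected (the whole line when
        the pattern is absent); the first dotted-quad in it is returned.
        """
        head = line.split(MATCH_PATTERN)[0]
        match = IP_RE.search(head)
        return match.group() if match else None


    def is_exempt(ip):
        """Return True when the first octet of *ip* is in EXCLUDED_PREFIXES."""
        return ip.split(".")[0] in EXCLUDED_PREFIXES


    def main():
        """Print the last 5 lines of the log, then follow it and check new addresses."""
        if len(argv) < 2:
            raise SystemExit("usage: python <this script> your_filelog_name")
        seen = set()  # addresses already passed to ip_check
        with open(argv[1], "r") as log:
            print("".join(collections.deque(log, 5)).strip("\n"))  # last 5 lines
            log.seek(0, 2)  # jump to the end so only newly appended lines are seen
            while True:
                line = log.readline()
                if not line:
                    time.sleep(POLL_INTERVAL)
                    continue
                ip = extract_ip(line.strip("\n"))
                if ip is None or ip in seen or is_exempt(ip):
                    continue
                seen.add(ip)
                print("======>>i:", ip)
                # ip_check.checkip expects a one-entry dict and does the lookup/drop.
                ip_check.checkip({'ip': ip})


    if __name__ == "__main__":
        main()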

    bind dns 日志配置:添加如下行。有点诡异的是,日志的路径并非根目录下的 var,而是运行 bind 的根目录下的 var。

    [root@localhost var]# ls
    log  named  run  tmp
    [root@localhost var]# cd log/
    [root@localhost log]# ls
    den_txt_ip.py          deny_dns_ip.py  ip-check.txt  query.log    query_log.10  query_log.13  query_log.16  query_log.2  query_log.5  query_log.8  test.log
    deny_dns_allip.py      ip_check.py     ip.txt        query_log.0  query_log.11  query_log.14  query_log.17  query_log.3  query_log.6  query_log.9  test.py
    deny_dns_allip.py.bak  ip_check.pyc    query_log     query_log.1  query_log.12  query_log.15  query_log.18  query_log.4  query_log.7  read_ip.py
    [root@localhost log]# pwd
    /var/named/chroot/var/log
    [root@localhost log]# ps -ef |grep "named"
    root       518     1  0 Jun22 ?        00:00:04 named -d 1
    named     4400     1  2 11:20 ?        00:06:47 /usr/sbin/named -u named -t /var/named/chroot
    root     29940 26031  0 15:47 pts/8    00:00:00 grep named
    root     32069     1  0 Jun22 ?        00:00:01 named -d 1
    logging {  
        /* What the server logs and where each log stream is sent.
           NOTE(review): the ps output above shows named started with
           -t /var/named/chroot, so the absolute file paths below are presumably
           resolved inside that chroot (the query log was found under
           /var/named/chroot/var/log) — confirm before pointing a tailer at them. */  
        channel "default_syslog" {  
            syslog daemon; /* sent to syslog's daemon facility */  
            severity info; /* only messages at this priority and above */  
        };  
        channel default_debug {  
            file "data/named.run"; /* written to named.run in the working directory. Note: if the server is started with -f, "named.run" is replaced by stderr. */  
            severity dynamic; /* logged according to the server's current debug level */  
            };  
        channel xfer_in_log {  
            file "/var/log/named/xfer_in_log" versions 100 size 10m;  
            severity info;  
            print-category yes;  
            print-severity yes;  
            print-time yes;  
        };  
      
        channel xfer_out_log {  
            file "/var/log/named/xfer_out_log" versions 100 size 10m;  
            severity info;  
            print-category yes;  
            print-severity yes;  
            print-time yes;  
        };  
      
        channel notify_log {  
            file "/var/log/named/notify_log" versions 100 size 10m;  
            severity info;  
            print-category yes;  
            print-severity yes;  
            print-time yes;  
        };  
      
        channel general_log {  
            file "/var/log/named/general_log" versions 400 size 100m;  
            severity info;  
            print-category yes;  
            print-severity yes;  
            print-time yes;  
        };  
      
        channel default_log {  
            file "/var/log/named/default_log" versions 400 size 100m;  
            severity info;  
            print-category yes;  
            print-severity yes;  
            print-time yes;  
        };  
      
        channel update_log {  
            file "/var/log/named/update_log" versions 100 size 10m;  
            severity info;  
            print-category yes;  
            print-severity yes;  
            print-time yes;  
        };  
      
        /* Query log, presumably the file the tailing scripts above read.
           versions 1024 with size 100m allows up to ~100 GB of rotated files;
           category and severity are omitted from each line, the timestamp is kept. */  
        channel query_log {  
            file "/var/log/query_log" versions 1024 size 100m;  
            severity info;  
            print-category no;  
            print-severity no;  
            print-time yes;  
        };  
      
        /* Route each category to the channel defined above. */  
        category queries { query_log; };  
        category default { default_log; };  
        category general { general_log; };  
        category xfer-in { xfer_in_log; };  
        category xfer-out { xfer_out_log; };  
        category notify { notify_log; };  
        category update { update_log; };  
    };  
  • 原文地址:https://www.cnblogs.com/dribs/p/7068675.html