Title: [Other] Looking for an IIS security-policy script that automatically bans c-port values above 10000!
Author: lanbingyinzuo  Time: 2012-10-11 19:09
Hello everyone. My website has been receiving CC and DDoS attacks from certain people for a long time.
I also found some IP security policy methods online, and they do work, but sometimes they ban legitimate IPs as well! Extremely frustrating!
Example:
#Software: Microsoft HTTP API 1.0
#Version: 1.0
#Date: 2012-10-09 04:04:24
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2012-10-09 06:54:18 37.130.227.133 44382 125.102.20.128 80 HTTP/1.1 GET /forum.php?mod=viewthread&tid=859 503 894523 N/A DefaultAppPool
2012-10-09 06:54:19 37.130.227.133 53954 125.102.20.128 80 HTTP/1.1 GET /forum.php?mod=viewthread&tid=859 503 894523 N/A DefaultAppPool
2012-10-09 06:54:19 1.2.173.193 60990 125.102.20.128 80 HTTP/1.1 GET /forum.php?mod=viewthread&tid=859 503 894523 N/A DefaultAppPool
2012-10-09 06:54:22 1.2.173.193 49635 125.102.20.128 80 HTTP/1.1 GET /forum.php?mod=viewthread&tid=859 503 894523 N/A DefaultAppPool
2012-10-09 06:54:23 1.2.173.193 43659 125.102.20.128 80 HTTP/1.1 GET /forum.php?mod=viewthread&tid=859 503 894523 N/A DefaultAppPool
2012-10-09 06:54:24 1.2.173.193 42036 125.102.20.128 80 HTTP/1.1 GET /forum.php?mod=viewthread&tid=859 503 894523 N/A DefaultAppPool
2012-10-09 06:54:26 1.2.173.193 43702 125.102.20.128 80 HTTP/1.1 GET /forum.php?mod=viewthread&tid=859 503 894523 N/A DefaultAppPool
2012-10-09 06:54:27 1.2.173.193 36513 125.102.20.128 80 HTTP/1.1 GET /forum.php?mod=viewthread&tid=859 503 894523 N/A DefaultAppPool
2012-10-09 06:54:29 65.120.221.222 9489 125.102.20.128 80 HTTP/1.1 GET /forum.php?mod=viewthread&tid=859 503 894523 N/A DefaultAppPool
2012-10-09 06:54:29 65.120.221.222 9479 125.102.20.128 80 HTTP/1.1 GET /forum.php?mod=viewthread&tid=859 503 894523 N/A DefaultAppPool
2012-10-09 06:57:53 225.12.210.25 1157 125.102.20.128 80 HTTP/1.1 GET /forum.php - 601108812 Connection_Dropped DefaultAppPool
2012-10-09 06:58:48 225.12.210.25 1155 125.102.20.128 80 - - - - - Timer_ConnectionIdle -
2012-10-09 07:00:53 225.12.210.25 1158 125.102.20.128 80 HTTP/1.1 GET /plugin.php?id=dsu_paulsign:sign - 601108812 Connection_Dropped DefaultAppPool
2012-10-09 07:04:13 225.12.210.25 1161 125.102.20.128 80 HTTP/1.1 GET /forum.php - 601108812 Connection_Abandoned_By_AppPool DefaultAppPool
2012-10-09 07:05:32 225.12.210.25 1174 125.102.20.128 80 HTTP/1.1 GET /forum.php - 601108812 Connection_Abandoned_By_AppPool DefaultAppPool
Explanation: the c-port column is the client's (external) port number. My idea is: if it is greater than 10000, filter those lines out, remove duplicate IPs, and then automatically add them to the blocked-IP security policy list.
Note: the c-port (external port number) is not fixed!
Something like the following:
netsh ipsec static add policy name=XBLUE
netsh ipsec static add filterlist name=denyip
netsh ipsec static add filter filterlist=denyip srcaddr=37.130.227.133 dstaddr=Me dstport=80 protocol=TCP
netsh ipsec static add filter filterlist=denyip srcaddr=1.2.173.193 dstaddr=Me dstport=80 protocol=TCP
netsh ipsec static add filteraction name=denyact action=block
netsh ipsec static add rule name=kill3389 policy=XBLUE filterlist=denyip filteraction=denyact
netsh ipsec static set policy name=XBLUE assign=y
The above is the security policy that blocks unauthorized external IPs from accessing port 80.
It would be best if a script could handle this fully automatically: any c-port above 10000 gets banned automatically.
Thank you all very much!
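As an added example (not code from the thread or from either poster), the same selection logic in Python: parse the HTTPERR log using its own #Fields header instead of fixed column positions, keep the client IPs whose c-port exceeds the threshold, remove duplicates, and emit the netsh filter lines. The embedded log text is a constructed, trimmed copy of the sample above, and the function names are my own.

```python
"""Select client IPs from an HTTP.sys HTTPERR log by c-port and build the
netsh ipsec filter commands used in the thread's policy."""
from typing import Dict, List

# Constructed sample: a shortened copy of the log format shown in the thread.
SAMPLE_LOG = """#Software: Microsoft HTTP API 1.0
#Version: 1.0
#Date: 2012-10-09 04:04:24
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2012-10-09 06:54:18 37.130.227.133 44382 125.102.20.128 80 HTTP/1.1 GET /forum.php?mod=viewthread&tid=859 503 894523 N/A DefaultAppPool
2012-10-09 06:54:19 1.2.173.193 60990 125.102.20.128 80 HTTP/1.1 GET /forum.php?mod=viewthread&tid=859 503 894523 N/A DefaultAppPool
2012-10-09 06:54:29 65.120.221.222 9489 125.102.20.128 80 HTTP/1.1 GET /forum.php?mod=viewthread&tid=859 503 894523 N/A DefaultAppPool
2012-10-09 06:58:48 225.12.210.25 1155 125.102.20.128 80 - - - - - Timer_ConnectionIdle -
"""


def parse_httperr(text: str) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):  # truncated or malformed record
            continue
        records.append(dict(zip(fields, values)))
    return records


def suspicious_ips(text: str, min_port: int = 10000) -> List[str]:
    """Client IPs whose c-port is above min_port, de-duplicated in first-seen order."""
    seen: Dict[str, None] = {}
    for rec in parse_httperr(text):
        port = rec.get("c-port", "-")
        if port.isdigit() and int(port) > min_port:  # "-" means no port logged
            seen.setdefault(rec["c-ip"], None)
    return list(seen)


def netsh_block_commands(ips: List[str], filterlist: str = "denyip") -> List[str]:
    """One 'netsh ipsec static add filter' line per IP, matching the thread's policy."""
    return [f"netsh ipsec static add filter filterlist={filterlist} "
            f"srcaddr={ip} dstaddr=Me dstport=80 protocol=TCP" for ip in ips]


if __name__ == "__main__":
    for cmd in netsh_block_commands(suspicious_ips(SAMPLE_LOG)):
        print(cmd)
```

c-port is the client's ephemeral source port, which modern client stacks choose above 10000 by default (Windows Vista and later from 49152, Linux from 32768), so the threshold alone will also match ordinary visitors; counting records per c-ip within a time window is the stronger criterion.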
Author: apang  Time: 2012-10-11 21:22
Assuming the "example" contents from the first post have been saved as a.txt:
@echo off
setlocal
netsh ipsec static add policy name=XBLUE
netsh ipsec static add filterlist name=denyip
rem tokens 3 and 4 of every non-comment log line are c-ip and c-port
for /f "eol=# tokens=3,4" %%a in (a.txt) do (
    if %%b gtr 10000 if not defined _%%a (
        netsh ipsec static add filter filterlist=denyip srcaddr=%%a dstaddr=Me dstport=80 protocol=TCP
        rem remember this IP so a duplicate filter is not added
        set "_%%a=1"
    )
)
netsh ipsec static add filteraction name=denyact action=block
netsh ipsec static add rule name=kill3389 policy=XBLUE filterlist=denyip filteraction=denyact
netsh ipsec static set policy name=XBLUE assign=y
pause
Give it a try.
Author: lanbingyinzuo  Time: 2012-10-12 16:06
Reply to #2 apang
Thank you very much! I have learned from this method, it looks good!
What I originally had in mind was to use C:\WINDOWS\system32\LogFiles\HTTPERR\HTTPERR1.log as the path, then detect c-port values above 10000 and add them to the policy to ban them automatically!
But it seems that file cannot be read, or something like that; copying it out first works though...
Then I modified it like this, combining it with your approach:
@echo off
rem capture the current TCP connections that involve port 80
netstat -n -p tcp |find ":80">>Log.log
setlocal enabledelayedexpansion
rem turn "ip:port" into "ip port" and collapse runs of spaces
for /f "tokens=*" %%i in (Log.log) do (
    set var=%%i
    set "var=!var::= !"
    set "var=!var:  = !"
    set "var=!var:  = !"
    set "var=!var:  = !"
    set "var=!var:  = !"
    set "var=!var:  = !"
    echo !var!>>ccLog.log
)
netsh ipsec static add policy name=XBLUE
netsh ipsec static add filterlist name=denyip
rem tokens 4 and 5 of each netstat line are the remote address and remote port
for /f "eol=# tokens=4,5" %%a in (ccLog.log) do (
    if %%b gtr 10000 if not defined _%%a (
        netsh ipsec static add filter filterlist=denyip srcaddr=%%a dstaddr=Me dstport=80 protocol=TCP
        set "_%%a=1"
    )
)
netsh ipsec static add filteraction name=denyact action=block
netsh ipsec static add rule name=kill3389 policy=XBLUE filterlist=denyip filteraction=denyact
netsh ipsec static set policy name=XBLUE assign=y
gpupdate /force
del log.log /f/s/q/a
del cclog.log /f/s/q/a
exit
The method is rather clumsy... heh, but it still works!
Because c-port does not exceed 10000 all the time, and sometimes someone causes trouble in the middle of the night, what I have in mind is a batch file that keeps checking this port value and automatically adds the IP to the security policy once it is exceeded!
Heh, I don't know how to write that part again...
Welcome to 批处理之家 (http://www.bathome.net/) |
Powered by Discuz! 7.2 |