作者归档:weskiller

关于weskiller

简单的说…没毅力…三分钟热度

shell-scripts(backup)

这是我最近维护的线上数据库的备份脚本,断断续续code了不少。
就目前来看效果很不错,当然主要目的是抛(rang)砖(wo)引(zhuang)玉(bi)。

backup.sh
点击下载
backup.sh 会调用对应的配置文件mysql-cluster-list,public.conf,backuptime文件,调度多个备份脚本执行,并统计结果

#!/bin/bash
#Author		weskiller	2016-04-08	
#Email:[email protected]

#定义环境变量
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
export LANG="en_US.UTF-8"

#定义路径
basedir=/root/scripts/backup
log=$basedir/backup.log
date=`date +%F`
starttime_conf=$basedir/backuptime
mysql_cluster_conf=$basedir/mysql-cluster-list

#superadmin邮件地址,当脚本文件缺失的时候,会发送邮件
Semail='[email protected]'

#下标变量
declare -i sub=0

#设置循环检查的间隔时间
check_sleep=60

#设置备份超时时间(每天下午6点,用户高峰前期)
deadtime=`date --date "18:00" +%s`

#获取mysql-cluster的列表
mysql_cluster_list=(192.168.1.1)

#或者通过远程的web页面获取列表
#cluster_curl=http://192.168.1.1/mysql_cluster.txt
#for list in `curl "$cluster_curl"`;do
#	mysql_cluster_list[$sub]=$list;
#done

#标记日志备份开始
echo "" >> $log
echo "$date backup.sh start" >> $log

#加载公有配置
if [ -f "$basedir/config/public.conf" ];then
	. $basedir/config/public.conf
else
	/bin/mail -r "backup.sh" -s "backup.sh scripts is interrupt" "$Semail" <<< "`date +%F\ %T` - backup scripts is not performing! the public.conf is miss."
	echo "`date +%T` - backup scripts is not performing! the public.conf is miss." >> $log
	exit 1
fi

#检查开始备份时间配置文件
if [ ! -f "$starttime_conf" ];then
	sendemail "backup.sh scripts is interrupt" "`date +%F\ %T` - backup scripts is not performing! can't find configuration with ${starttime_conf}."
	echo "`date +%T` - backup scripts is not performing! can't find configuration with ${starttime_conf}." >> $log
	exit 1
fi

#加载配置文件mysql_cluster_conf,如果存在的话
if [ -f "$mysql_cluster_conf" ];then
	mysql_cluster_list=(`cat "$mysql_cluster_conf"`)
fi

#检测后端mysql_cluster
declare -i change=0
for i in `seq 0 $((${#mysql_cluster_list[@]}-1))`;do
	nc -z ${mysql_cluster_list[$i]} 3306 >/dev/null 2>&1
	if [ $? -eq 0 ];then
		continue
	else
		echo "detected ${mysql_cluster_list[$i]} is down. will be remove from mysql cluster." >> $log
		unset mysql_cluster_list[$i]
		change=1
	fi 
done

#重新定义有效的mysql_cluster_list
if [ $change -eq 1 ];then
	mysql_cluster_list=(${mysql_cluster_list[@]})
fi

#极端情况下后端集群全部宕机
if [ ${#mysql_cluster_list[@]} -eq 0 ];then
	sendemail "backup.sh scripts is interrupt" "`date +%F\ %T` - backup scripts is not performing! without living mysql cluster."
	echo "`date +%T` - backup scripts is not performing! without living mysql cluster." >> $log
	exit 1
fi

#手动备份
if [ "x$1" == "x" ];then
	manual=0
elif [ "$1" == "manual" ];then
	manual=1
	echo "backup.sh is start with manual." >> $log
fi

#重定向所有标准错误信息
#exec 2>$basedir/backup.error

#备份循环
sub=0
for project in $basedir/config/*-*;do
	script=`basename $project`
	project_name=${script%-*}
#默认模式下,根据设定的时间备份
	if [ "$manual" -eq 0 ];then
#获取配置时间
		project_start_time="`awk 'BEGIN{FS="="}/'$script'/{print $2}' $starttime_conf`" 
		if [ $? -eq 0 ];then
			project_timestamp=`date --date "$project_start_time" +%s`
			if [ "$project_timestamp" -le "`date +%s`" ];then
				echo "`date +%F\ %T` - $script backuptime is error" >> $log
				continue
			fi
		else
			echo "`date +%F\ %T` - $script backuptime is not find " >> $log
			continue
		fi
		waittime="$((project_timestamp-`date +%s`))"
#手动备份,根据设定的时间延迟
	elif [ "$manual" -eq 1 ];then
		first=`awk 'BEGIN{FS="="}{print $2}' backuptime|grep -P "^[^ ]" |sort -n|head -1`
		lag=$((`date --date '1 minute' +%s`-`date --date "$first" +%s`))
		project_start_time="`awk 'BEGIN{FS="="}/'$script'/{print $2}' $starttime_conf`" 
                if [ $? -eq 0 ];then
                        project_timestamp=$((`date --date "$project_start_time" +%s`+$lag))
                else
                        echo "`date +%F\ %T` - $script backuptime is not find " >> $log
                        continue
                fi
                waittime="$((project_timestamp-`date +%s`))"
	fi
	host=${mysql_cluster_list[$((sub%${#mysql_cluster_list[@]}))]}
#使用screen,定时放入后台
	screen -S $project_name -d -m /bin/bash "$project" "$host" "$waittime"
#放入项目数组
	project_list[$sub]="$script"
	((sub++))
done

#监控今天的备份日志,当所有备份完成后发送邮件通知
line=`grep -Pn "$date backup.sh start" $log|sed -n '$p'|awk 'BEGIN{FS=":"}{print $1}'`
while sleep $check_sleep && [ ${#project_list[@]} -gt 0 ];do
	sub=0
	for i in ${project_list[@]};do
		if sed -n "$line,\$p" $log |grep -Pq "$i backup (success|failed)" ;then
			 unset project_list[$sub]
		fi  
		((sub++))
	done
	project_list=(${project_list[@]})
	if [ "`date +%s`" -ge "$deadtime" ];then
		sendemail "backup is overtime" "`date +%F\ %T` -- project:${project_list[*]} already overtime"
	fi
done

#判断是否有失败的项目
if sed -n "$line,\$p" $log |grep -Pq "backup failed";then
	backup_failed=1
else 
	backup_failed=0
fi

#标记日志备份结束
echo "$date backup.sh finish" >> $log

#统计失败项目邮件
if [ $backup_failed -eq 1 ];then
	sendemail "some project backup failed" "`date +%F\ %T` -- backup failed project:`sed -n $line,'$p' $log|grep -Po "\S*(?= backup failed)"|tr '\n' ' '`"
fi

#生成WEB网页
sed -n -e "$line,\$p" -e '1a<pre>' -e '$a</pre>' $log > /backup/backup.html

#日志整理
if [ `date --date '1 day' +%d` -eq 1 ];then
        .  $basedir/logrotate.sh
fi

#优雅的退出
exit 0

scripts
点击下载
scripts 是真正的备份执行脚本,加载public.conf获取公共配置信息,针对不同的线上业务和数据库可以自定义操作,或者根据需求修改,这里只是提供模板。

#!/bin/bash
#author weskiller 2016-04-08
#description:project backup scripts unit

#2015-05-16:新增隔天自动备份功能

#定义环境变量
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
export LANG="en_US.UTF-8"
#获取脚本包含的信息
dir=/root/scripts/backup
scripts=`basename $0`
backup_host=192.168.1.${scripts#*-}
game_label=${scripts%-*}

#定义各种需要的时间戳
month=`date +%m`
last_month=`date --date "1 months ago" +%m`
day=`date +%d`
yesterday=`date --date "1 day ago" +%d`

#定义数据库信息
game_database="p${game_label}_logs1"
game_backup_database="p${game_label}_logs_backup1"
today="$(date --date @$(($(date --date "`date +%F`" +%s)-3600*8)) +%F\ %T)"
delete_gamelog_time="$(date --date @$((`date --date "$today" +%s`+7*3600)) +%F\ %T)"
three_months="`date --date '4 month ago' +%m`"

#加载公共配置
if [ -f "$dir/config/public.conf" ];then
	. $dir/config/public.conf
else
	echo "`date +%F\ %T`:not find public.conf" > $dir/config/$scripts.error 
	exit 1; 
fi

#获取backup.sh传递的参数
if [ "x$1" == "x" ];then
	echo "`date +%F\ %T`:not received parameter:mysql backup host " >> $dir/log/$scripts.log
	exit 1
else
	db_host="$1"
fi
if [ "x$2" == "x$2" ];then
	sleep $2
	if [ $? -ne 0 ];then
	echo "`date +%F\ %T`:received sleep time parameter,but sleep error " >> $dir/log/$scripts.log
	exit 1
	fi
else
	echo "`date +%F\ %T`:not received parameter:sleep time(s) " >> $dir/log/$scripts.log
	exit 1
fi

#开始时间戳
start_time="`date +%s`"

#创建文件夹,如果不存在的话
/usr/bin/ssh root@$backup_host "mkdir -p $backupdir/$game_label/months/$month"

#创建xtrabakup命令
if [ "$day" -eq 1 ];then
	innobackup_command="/usr/bin/innobackupex --no-timestamp $backupdir/$game_label/months/$month/$day"
	/usr/bin/ssh root@$backup_host "rm -f $backupdir/$game_label/days"
	/usr/bin/ssh root@$backup_host "ln -sf $backupdir/$game_label/months/$month $backupdir/$game_label/days"
#删除三个月之前的备份
	delete_three_backup="rm -rf $backupdir/$game_label/months/$three_months"
else
#获取days下的目录,确定日期
	uday=$(ssh root@$backup_host "basename \`ls -d $backupdir/$game_label/days/*|grep -Pv "tar.bz2$"\` 2>/dev/null")
	if [ ${uday:-0} -eq $yesterday ];then
	innobackup_command="/usr/bin/innobackupex --incremental --incremental-basedir $backupdir/$game_label/days/$yesterday --no-timestamp  $backupdir/$game_label/days/$day ; result=\$? ; if [ \$result -ne 0 -a ! -e $backupdir/$game_label/days/$day/xtrabackup_info ];then rm -rf $backupdir/$game_label/days/$day;fi ;exit \$result"
	else
	innobackup_command="/usr/bin/innobackupex --incremental --incremental-basedir $backupdir/$game_label/days/$uday --no-timestamp  $backupdir/$game_label/days/$day ; result=\$? ; if [ \$result -ne 0 -a ! -e $backupdir/$game_label/days/$day/xtrabackup_info ];then rm -rf $backupdir/$game_label/days/$day;fi ;exit \$result"
	jump=1	
	fi
fi

#创建mysqldump命令
mysqldump_command="mysqldump --single-transaction --skip-add-locks --skip-lock-tables  --no-create-info --replace --where \"create_time < '$today'\" $game_database logs  |mysql -u$db_user -h$db_host -p$db_pass $game_backup_database"

#创建清理日志命令
mysql_command="mysql -e \"delete from $game_database.logs where create_time < '$delete_gamelog_time';\""

#压缩前一天的备份文件
if  [ "$day" -eq 1 ];then
	tar_command="tar -jcf $backupdir/$game_label/months/$last_month/$yesterday.tar.bz2 -C $backupdir/$game_label/months/$last_month $yesterday --remove-files"
else
	if [ ${uday:-0} -eq $yesterday ];then
		tar_command="tar -jcf $backupdir/$game_label/days/$yesterday.tar.bz2 -C $backupdir/$game_label/days $yesterday --remove-files"
	else
		tar_command="tar -jcf $backupdir/$game_label/days/${uday}.tar.bz2 -C $backupdir/$game_label/days $uday --remove-files"
	fi
fi
#日志标记开始
echo "" >> $dir/log/$scripts.log
echo "`date +%F\ %T` $scripts start" >> $dir/log/$scripts.log
#在远程备份客服端上执行命令
for command in "$innobackup_command" "$mysqldump_command" "$mysql_command" "$tar_command" "$delete_three_backup" ;do
#先判断变量内容,确保ssh命令正常执行
if [ -z "$command " ] ||  echo "$command"|grep -Pq "^\s*$" ;then
	continue;
fi
ssh root@$backup_host "$command" 2>$dir/log/$scripts.error 1>/dev/null
if [ $? -eq 0 ];then
	echo "`date +%F\ %T` -- \"$command\" performing success." >> $dir/log/$scripts.log
else
	echo "`date +%F\ %T` -- \"$command\" performing failed." >> $dir/log/$scripts.log
#	sendemail "$scripts" "`cat $dir/log/$scripts.error`"
	log "failed" "$scripts"
	exit 1
fi
done
#删除错误的输出
rm -rf $dir/log/$scripts.error
#标记日志结束
echo "`date +%F` $scripts finish" >> $dir/log/$scripts.log
#输出backup.log日志
if  [ ${jump:-0} -eq 1 ];then
	log "success" "$scripts" "$((`date +%s`-start_time))" "$uday $day"
else
	log "success" "$scripts" "$((`date +%s`-start_time))"
fi
#优雅的退出
exit 0

public.conf
点击下载
public.conf 公共配置文件,包含了日志输出和维护邮件组,mysql验证

#this is public config that all scripts need to be loaded
#定位绝对路径
backupdir=/backup
#备份验证
db_user=
db_pass=

#负责人E-Mail地址
adminmail=([email protected] [email protected])
sendemail () {
	for mail in ${adminmail[@]};do
	/bin/mail -r "backup.sh" -s "$1" "$mail" <<< "$2"
	done
}

#输出日志函数
log () {
case $1 in
	success)
	if [ $3 -lt 60 ];then
		consume="${3}s"
	elif [ $3 -lt 3600 ];then
		consume="$(($3/60))m$(($3%60))s"
	else
		consume="$(($3/(60*60)))h$((($3%(60*60))/60))m$(($3%60))s"
	fi
	if [ "x$4" == "x" ];then
		echo "`date +%F\ %T` - $2 backup $1. used ${consume}." >> /root/scripts/backup/backup.log
	else
		echo "`date +%F\ %T` - $2 backup $1. used ${consume}. ${4% *} => ${4#* } " >> /root/scripts/backup/backup.log
	fi
	;;
	failed)
	echo "`date +%F\ %T` - $2 backup $1" >> /root/scripts/backup/backup.log
	;;
esac
}

backuptime
点击下载
backuptime 主要用于设定备份数据库的时间

#测试数据库
test-1=01:00
test-2=00:00

#线上数据库
produce-101=03:00
produce-102=03:30

shell-character

Bourne-Again SHell是绝大多数linux系统下默认的shell,只要涉及linux平台上的研发和维护,都或多或少的会接触Bash的CLI.
Bash shell确实十分强大,在linux的平台上,几乎无所不能,但对于新手来说,还是有许多需要注意的地方.
下面的知识适合刚接触bash,却还不熟练的同学.

bash shell是对字符非常敏感的脚本语言.
*以下所有命令均在CentOS Linux release 7.2.1511 (Core)测试,linux内核为3.10.0-327.10.1.el7.x86_64,bash 版本为 GNU bash, version 4.2.46(1)-release (x86_64-redhat-linux-gnu),部分内容可能在其他的linux发行版上有差异.

先来分析linux的分隔符.
shell的默认分隔符存放在变量IFS(Internal Field Seperator)中,下面我们来看看它长啥样(注意输出结果).

[13:56:37 ~]#set -x                #开启命令输出模式,即会输出你键入的命令(包括所有参数)
[13:57:17 ~]#echo -n $IFS
+ echo -n
[13:57:29 ~]#echo -n "$IFS"
+ echo -n ' 	
'
 	
[13:57:37 ~]#echo -n '$IFS'
+ echo -n '$IFS'
$IFS[13:57:42 ~]#

=_=,是不是很奇怪?IFS里面到底放的是些什么?那么我们再看看这个变量的一些信息(你可能需要提前掌握使用bash变量的一些知识点我查看).

[14:05:26 ~]#set +x                #关闭命令输出模式
[14:05:27 ~]echo ${#IFS}
3

看来有三个字符存储在IFS里面,那么挨个挨个的查看下.

[14:08:10 ~]#set -x                #开启命令输出模式
[14:08:10 ~]#echo -n ${IFS:0:1}
+ echo -n
[14:08:11 ~]#echo -n "${IFS:0:1}"
+ echo -n ' '
 [14:08:12 ~]#

到这里,大家应该明白了,第一个字符存储的是空格,linux默认吧空格作为分隔符.
可能还有同学会有疑问,加双引号,和不加双引号,为什么输出不同,这里简单说一下(后面会更详细的说明),在linux中具有非常特别的意义,通常被称呼为强制引用符.即被双引号包括的内容,就一定会被解释,包括空白,所以即使${IFS:0:1}是一个空格,echo 还是会输出这个空格(第六行)!
那么接下来就简单多了.

[14:25:52 ~]#echo -n ${IFS:1:1}
+ echo -n
[14:25:55 ~]#echo -n "${IFS:1:1}"
+ echo -n '	'
	[14:25:59 ~]#

第二个是制表符\t,作为linux默认的第二个分隔符.

[14:27:23 ~]#echo -n ${IFS:2:1}
+ echo -n
[14:34:38 ~]#echo -n "${IFS:2:1}"
+ echo -n '
'

[14:34:42 ~]#

第三个是换行符\n,作为linux默认的第三个分隔符.
讲解分隔符是为了让你进一步了解bash工作的机制.帮助你理解类似下面这样的语句.

#example.sh
array=(a b c)
for i in "${arrary[*]}";do
     echo $i
done
for j in ${array[*]};do
     echo $j
done

*其实在使用数组中,如果某一个成员的内容包含了分隔符,那么在使用${array[*]}往往不是你想要的结果.而${array[@]}却会方便的多.

下面来了解bash的几个特殊字符,包括`
双引号在shell中使用的很多,然而能够熟练使用的人却不多.
回顾下双引号在shell脚本中的使用
赋值变量,当变量包含特殊字符,比如空白字符或者需要使用引用变量的时候

var1="hello world!"        #请注意这条赋值语句
var2="welcome to blog.weskiller.com , $var1"

使用grep awk sed命令

echo $var2|grep "hello world"
echo $var2|sed "s/blog/www/"
echo $var2|awk "{print $3}"

=V=,好像出了什么问题~. 在给var1赋值的时候发生了意想不到的事情.

var1="hello world!"
-bash: !": event not found

这是什么鬼?
新手一定在这里懵逼了,其实在交互式的shell中!会被转义为history,就像下面演示的一样,其实在非交互的shell中,这个功能会被禁用.

[15:41:18 ~/scripts]#history -c
[15:41:21 ~/scripts]#ls
backup.sh  clear_log.sh  test.sh
[15:41:22 ~/scripts]#echo

[15:41:35 ~/scripts]#history 1
    3  history 1
[15:41:41 ~/scripts]#!-1
history 1
    3  history 1
[15:41:44 ~/scripts]#

没错,双引号强制转义了!,而实际上如果不用双引号反而达到了你想要的效果.

var1=hello\ world!              #这里使用反斜线来转义空格,这样就不会被认为是分隔符,所以在shell看来"hello world!"是一个整体
echo $var1 

单引号在使用中往往是要告诉shell,不要乱改我输出的内容,常称呼为弱引用符
就像双引号遇到的情况,用单引号就可以完美的解决

var1='hello world!'

反引号`可谓是shell脚本语言的精华,用过的人都…,我常称之为替换符.
`command` 中的命令会被执行而输出结果会返回,这个和$(command)如出一辙,唯一可能觉得遗憾的是` `不支持调套使用,而$()是可以多次嵌套使用的.
*到现在为止,博主尚未发现` `和$()的使用区别.
在使用反引号的时候注意的是不要被单引号包括,同时反引号外的双引号和反引号内的双引号互不干扰,就像下面这样

timestamp="$(date --date "@$((`date --date "1 days ago" +%s`-2*3600))" +%F\ %T)"                       #取得当前时间间隔为一天两小时的时间戳

讲了这么多,在实际使用中的效果如何?
来看看吧

#定义时间戳,多次复用date命令
today="$(date --date @$(($(date --date "`date +%F`" +%s)-3600*8)) +%F\ %T)"
delete_timestamp="$(date --date @$((`date --date "$today" +%s`+7*3600)) +%F\ %T)"
#巧妙使用单双引号,在sed,awk中插入变量
pattern="`date +%F\ %T`"
grep -P "$parttern" $log
sed -i 's/'"$pattern"'/'"`date +%F`"'/g' $log

shell逻辑判断-三目运算符

在C语言中三目运算符的组成是

<表达式1>?<表达式2>:<表达式3>;

等同于C语言中的if语句

if (表达式1)
          表达式2;
else
          表达式3;

而在bash shell 中也有类似的方式

echo $((2>1?2:1))

但是這里 $(()) 只能进行数值大小的判断
使用command进行三目运算应该这样使用

command1 && command2 || command3

在shell中,很多人理解为下面的if语句

if command1;then
        command2
else
        command3
fi

这是错误的,原因是没有深刻理解&& 和 ||
下面的命令很好的指出错误的原因

#date && echo "It's sunny today" || echo "the weather is terrible"
Thu Aug 20 11:09:35 EDT 2015
It's sunny today
#date && "It's sunny today"  || echo "the weather is terrible"
Thu Aug 20 11:10:45 EDT 2015
-bash: It's sunny today: command not found
the weather is terrible

||会判断前一条命令的状态还回值,如果为false,就执行后面的语句
在这里 “It’s sunny today” 命令是错误的,于是后面 echo “the weather is terrible” 就执行了
深入研究
使用{}解决||判断问题

 
command1 && { command2 ;echo -n ;} || commadn3

如果command1正确 ||就只会接受来自echo -n的状态还回值,所以不会执行后面的command3
如果command1失败 &&直接跳过,||判断command1失败,执行command3
三目运算符的主要目的是达到简写的功能,避免不必要的简单if语句
在日常使用中 1 && 2 || 3 确实很实用
下面举几个列子

判断文件是否存在,如果存在就继续执行脚本,不存在就退出报错

使用if判断文件存在,然后else部分写exit。~~but,

if [ -e $path ];then
      ??
else
      exit 1
fi

如果文件存在如何进行?
这个时候只能反向思路,不存在怎么样,但是这样就和判断逻辑相反

if [ ! -e $path ];then
      exit 1
fi

但是这样就简便了很多

[ -e $path ] || exit 1

需要有顺序的连续执行多条命令,并且判断命令正确,如果命令错误就执行 “echo error”

在这里如果使用if就需要嵌套多层,十分麻烦,也浪费时间

if command1;then
      if command2;then
            if command3;then
                   command4
            else
                   echo "error"
            fi
      else
            echo "error"
      fi
else
      echo "error"
fi

而使用&&就简化了很多

commad1 && command2 && command3 && command4 || echo "error"

博主很喜欢使用三目运算符进行逻辑的判断
下面是举例

#在很多脚本中需要版判系统是否存在安装包或者命令
[ -e /usr/sbin/iptables ] || { echo "iptables-services not installed" && exit 1 ;}
#博主编写比较两个文件夹差异的脚本中,如果参数是两个存在的文件进行的判断
[ -f "$1" ] && [ -f "$2" ] && { cmp $1 $2 >/dev/null 2>&1 && echo 'The two files are the same' && exit 0|| { echo -ne $red 'The two files are not same'\n && exit 0 ;} ;}

ssh安全措施

以前买过许多vps,国内,国外的都有。无论idc供应商防火墙做的多好,策略有多复杂,总是会有很多连续的IP段不停的扫描你的主机服务端口,特别是Linux系统的默认远程管理端口22
最开始博主也是放置不管,并没有起多大疑心
但是麻烦就来了。不到一周的时间 ssh系统日志达到了10G,当时我一看磁盘空间就懵了,刚买的主机,什么服务都没放,怎么磁盘就增加了這么多
细细检查下才发现是/var/log/secure 这个记录ssh登陆情况的日志占用了空间
再检查内容,发现全是记录的ssh登陆失败的日志,恐怖的是某几个IP的验证密码的次数达到了十几万次
吸取教训,删除了secure日志。但是治标不治本,决定对ssh安全花些心思

No1 修改ssh端口号

更换ssh是一个很实用的方法,直接略去了百分之80以上的恶意扫描。操作也很简单,缺点是剩下百分之20还是会侦探到远程端口,没有根治

#vi /etc/ssh/sshd_config
Port $port

No2 针对固定IP开发端口

这种方法是很多企业使用的方式,效果好,安全,能根治恶意扫描,操作也相对简单
在防火墙中添加规则

iptables -t filter -I INPUT -s $IP -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

问题是如果没有固定的IP需要搭建VPN跳板

No3 编写脚本自动拒绝恶意攻击

博主最开始就是从这角度出发的,最开始在网上找了许多shell脚本,但是都不符合博主本意。偶然看到前辈一篇博客,备受启发,于是觉得编写一个适合自己的

#!/bin/bash
#function	    DROP all failed IP if  more than $Number(default is 99)
#author         weskiller 	2014-10-31
#drop this script on /root/ext_ssh_deny/ext_ssh_deny.sh
#and add crond like this
#crontab -e
#*/30 * * * * /root/ext_ssh_deny/ext_ssh_deny.sh
#service crond start

#Check whether the iptables installed
[ -e /usr/sbin/iptables ] || { echo "iptables-services not installed" && exit 1 ;}

#set limit number
Number=

#set  IP of regular expressions
Regular_Expression_Ip='(\<(22[0-3]|2[01][0-9]|1[3-9][0-9]|12[0-689]|1[0-1][0-9]|[1-9]?[0-9]|[1-9]))(\.(25[0-5]|2[0-4][0-9]|[0-1]?[0-9]?[0-9])){2}(\.(25[0-4]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[1-9])\>)'

#set Centos ssh log file
File=/root/ext_ssh_deny/secure

#Extract failed information
FIND() {
	grep -Eo "((failure|Failed)(.*)$Regular_Expression_Ip|$Regular_Expression_Ip(.*)failed)" /var/log/secure > $File
}

#Find the attack IP
ATTACK_LIST() {
	grep -Eo "$Regular_Expression_Ip" $File |sort|uniq -c|awk '($1>'${Number:=99}') {printf $2"\n"}'|sort > /root/ext_ssh_deny/Attack_Ip
	
}

#Add iptables rule 
DENY_ATTACK_IP() {
	for IP in $1
	do
	Re_Ip=`echo $IP |sed  's|\.|\\\.|g'`
	TIMES=`grep "$Re_Ip" /root/ext_ssh_deny/secure |wc -l`
	/sbin/iptables -vnL|grep "$Re_Ip" >/dev/null 2>&1 || /sbin/iptables -I INPUT -s $IP -m state --state NEW,RELATED,ESTABLISHED -p tcp --dport 22 -j DROP && echo "`date +%Y%m%d-%H:%M:%S`    IP:$IP  TIMES=$TIMES" >> /root/ext_ssh_deny/deny.log
	done
}

#Extract iptables deny
IPTABLES_DENY_IP() {
 	/sbin/iptables -vnL|grep -Eo "DROP.*$Regular_Expression_Ip" |awk '{print $NF}'|sort > /root/ext_ssh_deny/Iptables_Deny_Ip
}

#the IP from the script log
LOG_IP() {
	grep -Eo "$Regular_Expression_Ip" /root/ext_ssh_deny/deny.log |sort > /root/ext_ssh_deny/Log_Ip 
}

#clear iptables rules and script log
CLEAR() {
	cat /dev/null > /root/ext_ssh_deny/deny.log
	sed -i '/\/32/'d /etc/sysconfig/iptables
	/sbin/service iptables restart >/dev/null 2>&1
}

#initialization
RESET(){
	CLEAR
	FIND
	ATTACK_LIST
	DENY_ATTACK_IP "`cat /root/ext_ssh_deny/Attack_Ip`"
	/sbin/service iptables save >/dev/null 2>&1
	exit 0
}

#order to refresh data
PREPARE() {
	IPTABLES_DENY_IP
	LOG_IP
}

#just add new Attack_Ip in iptables
UPDATE() {
	FIND
	ATTACK_LIST
	comm -13 /root/ext_ssh_deny/Log_Ip /root/ext_ssh_deny/Attack_Ip > /root/ext_ssh_deny/Update_Ip 
	[ -s /root/ext_ssh_deny/Update_Ip ] || exit 0
	DENY_ATTACK_IP "`cat /root/ext_ssh_deny/Update_Ip`"
	/sbin/service iptables save >/dev/null 2>&1
	exit 0
}

#check script health in order to Released  ip if a long time ago  
CHECK_HEALTH() {
	[ -f /var/log/secure ] || return 1
	[ -s /var/log/secure ] || return 1
	[ -f /root/ext_ssh_deny/deny.log ] || return 2
	[ -s /root/ext_ssh_deny/deny.log ] || return 2
	/usr/sbin/iptables -vnL|grep -Eo "DROP.*$Regular_Expression_Ip"  >/dev/null 2>&1 || return 3
	PREPARE
	[ -z "`comm -13 /root/ext_ssh_deny/Iptables_Deny_Ip /root/ext_ssh_deny/Log_Ip`" ] && return 0 || return 3
}

#start
MAIN() {
CHECK_HEALTH
case $? in
	1)
	CLEAR && return 1
	;;
	2|3)
	RESET 
	;;
	0)
	UPDATE
	;;
esac
}

MAIN

如上,脚本的功能是自动找出ssh登陆次数大于限定次数的ip,并加入防火墙中拒绝登陆,而且做到自动更新的功能
缺点是适应性不强,根据个人定制,无法满足所有人

No4 取消密码登陆,使用密钥验证

优点是操作简单,实用性很好。缺点是密钥文件需要本地存储,无法使用交互式命令如scp
生成密码文件

#ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):  
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
40:86:b1:06:62:0b:ea:76:ce:2f:28:76:2c:55:23:b7 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|o.. .oo          |
|+....+           |
|..  o .          |
|.  o + .         |
| o .+ o S        |
|. +. E           |
|  +o             |
|.+ +.            |
|o o ..           |
+-----------------+
#cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
#chmod 400 ~/.ssh/authorized_keys
#vi /etc/ssh/sshd_config
PasswordAuthentication no
#service sshd restart

No5 使用vnc远程管理

这种方式直接弃用了ssh,十分彻底的屏蔽了恶意主机的扫描和攻击,随意设定的端口也为攻击带来了难度,而且使用的真实的用户命令接口。但是问题也很明显。依旧使用口令,远程管理,流量开销大,对系统资源占用也比ssh要多,导致经常性的网络中断。建议管理内网的服务器使用