Sharing a Python script for the Alist service on OpenWrt that automatically bans malicious IPs, with push notifications over a WeCom (企业微信) webhook. If you want e-mail or DingTalk notifications, add them yourself.
I'm not very skilled and don't know the nft commands of the latest firewall4, but iptables still works. Experts, please go easy on me; if some kind soul can fill in the nft commands, I'd be very grateful.
The biggest pity is that in the Alist log the entries for correctly authenticated TLS requests also carry the 401 marker, so a 401 cannot be used as a trigger.
# */5 * * * * python3 ip.py
import re, os, subprocess, requests
from collections import defaultdict

webhook_url = 'https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=自己去申请'
ip_count = defaultdict(int)
log_file = "/tmp/log/alist.log"
output_file = "/root/alist_eip.log"  # add your whitelisted IPs here by hand before anything gets banned

def send_wx(ip, dip, count):
    # Push a WeCom webhook message: which IP was banned, how often it failed, and the command that lifts the ban
    message_data = {
        "msgtype": "text",
        "text": {
            "content": f"Alist可疑ip 错{count}次 已拉黑\n{ip}\n\n洗白\n{dip}"
        }
    }
    requests.post(url=webhook_url, json=message_data,
                  headers={'Content-Type': 'application/json; charset=UTF-8'}, timeout=10)

def find_new_ips(log_file, output_file):
    ipv4_pattern = r'\b(?:\d{1,3}\.){3}\d{1,3}\b'
    # Alist writes IPv6 sources in brackets, e.g. "from [2409::670c]:37512"; match what is inside the brackets
    ipv6_pattern = r'(?<=\[)[A-Fa-f0-9:]+(?=\])'
    found_ips = set()
    existing_ips = set()
    # Whitelisted and already-banned addresses both live in output_file, one per line; neither is touched again
    if os.path.exists(output_file):
        with open(output_file, 'r') as f:
            for line in f:
                existing_ips.add(line.strip())
    with open(log_file, 'r') as file:
        for line in file:
            if "handshake error from" in line:
                ipv4_match = re.search(ipv4_pattern, line)
                ipv6_match = re.search(ipv6_pattern, line)
                if ipv4_match:
                    found_ips.add(ipv4_match.group())
                    ip_count[ipv4_match.group()] += 1
                elif ipv6_match:
                    found_ips.add(ipv6_match.group())
                    ip_count[ipv6_match.group()] += 1
    new_ips = found_ips - existing_ips
    with open(output_file, 'a') as f:
        for ip, count in ip_count.items():
            if ip in new_ips and count > 2:
                f.write(f"{ip}\n")
                # print(f"恶意ip{ip} 错误{count}次")
                if ":" in ip:
                    subprocess.run(["ip6tables", "-A", "INPUT", "-s", ip, "-j", "DROP"])
                    dip = f"ip6tables -D INPUT -s {ip} -j DROP"  # command that undoes the ban
                else:
                    subprocess.run(["iptables", "-A", "INPUT", "-s", ip, "-j", "DROP"])
                    dip = f"iptables -D INPUT -s {ip} -j DROP"
                send_wx(ip, dip, count)

if __name__ == "__main__":
    find_new_ips(log_file, output_file)
How it works:
First, read the error lines containing "handshake error from" from the Alist log, extract the source IP and count it, e.g.:
2024/09/28 18:02:16 http: TLS handshake error from [2409::670c]:37512: tls: first record does not look like a TLS handshake
2024/09/28 18:03:10 http: TLS handshake error from 111.*.*.*:2254: tls: first record does not look like a TLS handshake
If the IP is not already in /root/alist_eip.log and its error count is greater than 2, it is written to that file and banned.
Important!!!
Add your whitelist to /root/alist_eip.log before running the script. After it has run, you can also allow addresses through in the firewall.
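As an added example (not the poster's script), the same parse-count-select logic as a dry run: it handles both the bracketed IPv6 and the plain IPv4 form of the log line, strips the port, honours the whitelist and threshold, and only builds the firewall commands instead of running them. The log lines are constructed, and the nft set and table names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Alist's log format (IPv4 addresses are documentation ranges, not real hosts)
SAMPLE_LOG = """\
2024/09/28 18:02:16 http: TLS handshake error from [2409::670c]:37512: tls: first record does not look like a TLS handshake
2024/09/28 18:02:20 http: TLS handshake error from [2409::670c]:37520: tls: first record does not look like a TLS handshake
2024/09/28 18:02:31 http: TLS handshake error from [2409::670c]:37530: tls: first record does not look like a TLS handshake
2024/09/28 18:03:10 http: TLS handshake error from 198.51.100.23:2254: tls: first record does not look like a TLS handshake
2024/09/28 18:03:12 http: TLS handshake error from 198.51.100.23:2260: tls: first record does not look like a TLS handshake
2024/09/28 18:03:15 http: TLS handshake error from 198.51.100.23:2261: tls: first record does not look like a TLS handshake
2024/09/28 18:04:00 http: TLS handshake error from 192.0.2.7:4100: tls: first record does not look like a TLS handshake
"""

# "from <src>:<port>:" where <src> is a dotted IPv4 or a bracketed IPv6 literal
SOURCE_RE = re.compile(r"handshake error from (?:\[([0-9A-Fa-f:.]+)\]|(\d{1,3}(?:\.\d{1,3}){3})):\d+:")

def count_handshake_errors(log_text):
    """Count TLS handshake errors per source address (port stripped, address normalised)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SOURCE_RE.search(line)
        if not m:
            continue
        try:
            counts[str(ipaddress.ip_address(m.group(1) or m.group(2)))] += 1
        except ValueError:  # malformed address in the line: skip it rather than ban garbage
            continue
    return counts

def select_bans(counts, whitelist, already_banned, threshold=2):
    """Addresses seen more than `threshold` times that are neither whitelisted nor already banned."""
    skip = {str(ipaddress.ip_address(a)) for a in set(whitelist) | set(already_banned)}
    return sorted(ip for ip, n in counts.items() if n > threshold and ip not in skip)

def ban_commands(ip, backend="nft"):
    """Return the (add, remove) command pair for one address; nothing is executed here.
    nft variant assumes firewall4's table 'inet fw4' and sets 'alist_ban4'/'alist_ban6' (assumed names)
    created once with e.g. `nft add set inet fw4 alist_ban4 { type ipv4_addr; }` and referenced
    from a drop rule such as `nft add rule inet fw4 input ip saddr @alist_ban4 drop`."""
    if backend == "iptables":
        tool = "ip6tables" if ":" in ip else "iptables"
        return (f"{tool} -A INPUT -s {ip} -j DROP", f"{tool} -D INPUT -s {ip} -j DROP")
    setname = "alist_ban6" if ":" in ip else "alist_ban4"
    return (f"nft add element inet fw4 {setname} {{ {ip} }}",
            f"nft delete element inet fw4 {setname} {{ {ip} }}")
```

Sets and rules added straight into the fw4 table do not survive a firewall reload, so for a permanent setup they belong in a firewall4 include file rather than in the script.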