Creates simple per-port iptables chains with rate-limited logging for every listening TCP port (IPv4 only; nothing is written with ip6tables), plus an ssh chain with "recent"-based brute-force throttling.
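#!/bin/bash
#
# Build one iptables user chain per listening TCP port, each with a
# rate-limited LOG rule, an allow-list and a final REJECT, plus a dedicated
# ssh-check chain that additionally throttles brute-force sources with the
# "recent" match. Safe to re-run: existing chains are flushed and re-hooked.
#
# Usage: run as root after editing ssh_port / remote_ip / external_ip below.
#
# Caveats before deploying this:
#   * IPv4 only. Only /sbin/iptables is driven; services bound to [::] stay
#     reachable over IPv6 without any of these chains.
#   * The INPUT policy is never set here. Ports that are not listening when
#     the script runs (or services started later) are governed by whatever
#     rules/policy already exist.
#   * Several allow-list entries are /24 wide (external_ip/24 everywhere,
#     remote_ip/24 for ssh, local_ip/24 for the other ports). On a shared or
#     cloud network that can admit neighbours you do not control; prefer /32.
#   * The previous rule set is saved to /root/iptables.rules_<epoch> but is
#     not restored automatically if a later step fails.

ssh_port=22
remote_ip=123.123.123.123   # trusted admin host
external_ip=123.123.123.5   # this host's public address
ipt_bin="/sbin/iptables"

# Snapshot the current rule set so the change can be rolled back by hand.
/sbin/iptables-save > "/root/iptables.rules_$(date +%s)"

# Interface carrying the default route: the Mask column ($8) of
# /proc/net/route is all zeros. Take only the first match so that a second
# default route cannot produce a two-word interface name.
default_if=$(awk '$8 ~ /00000000/ {print $1; exit}' /proc/net/route)
# First IPv4 address on that interface, without the prefix length. Uses
# iproute2 (already required for ss) instead of the legacy "inet addr:"
# ifconfig output format, which newer net-tools no longer print.
local_ip=$(ip -4 -o addr show dev "$default_if" 2>/dev/null \
  | awk '{sub(/\/.*/, "", $4); print $4; exit}')

# Fail before touching any rule rather than emit ACCEPT rules with an empty
# source address.
if [[ -z "$default_if" || -z "$local_ip" ]]; then
  printf 'cannot determine default interface / local IP; no rules changed\n' >&2
  exit 1
fi

#######################################
# Print the distinct TCP ports this host is listening on, one per line.
# The port is whatever follows the last ':' in the local address, so
# "0.0.0.0:22", "*:22" and "[::]:22" all yield 22 (a plain cut -d: -f2
# returned an empty string for the IPv6 forms and silently dropped them).
#######################################
listening_ports() {
  ss -tln \
    | awk '$1 == "LISTEN" {sub(/.*:/, "", $4); if ($4 != "") print $4}' \
    | sort -u
}

#######################################
# Make sure an empty user chain exists and is the target for NEW TCP
# connections to a port in INPUT. An existing chain is flushed and its old
# jump removed first so the script can be re-run.
# Arguments: $1 - chain name, $2 - TCP port
# Globals:   ipt_bin
#######################################
reset_chain() {
  local chain=$1 port=$2
  # -n avoids reverse-DNS lookups during the listing; both streams are
  # silenced (the original "2>&1>/dev/null" left stderr on the terminal).
  if "$ipt_bin" -nL "$chain" >/dev/null 2>&1; then
    "$ipt_bin" -F "$chain"
    # The old jump may be missing if INPUT was edited by hand; not an error.
    "$ipt_bin" -D INPUT -p tcp -m state --state NEW --dport "$port" -j "$chain" >/dev/null 2>&1
  else
    "$ipt_bin" -N "$chain"
  fi
  "$ipt_bin" -I INPUT -p tcp -m state --state NEW --dport "$port" -j "$chain"
}

mapfile -t all_ports < <(listening_ports)
printf 'creating iptables chains for ports: %s\n' "${all_ports[*]}"

# Every listening port except ssh gets a generic chain. Compare whole
# strings: the former "grep -v 22" also dropped 220, 2222, 8022 ... and left
# those ports with no chain at all.
ports_array=()
for p in "${all_ports[@]}"; do
  [[ "$p" == "$ssh_port" ]] || ports_array+=("$p")
done

# --- ssh chain -------------------------------------------------------------
reset_chain ssh-check "$ssh_port"
# Log new ssh connections, capped at 4/s so a flood cannot fill the log.
# (--log-uid only carries a value for locally generated packets; it is kept
# from the original but is not expected to add anything on INPUT.)
"$ipt_bin" -A ssh-check -p tcp --dport "$ssh_port" -m limit --limit 4/s -j LOG --log-uid --log-prefix "ssh-port: "
# Only NEW packets are jumped into this chain (see reset_chain), so this rule
# should never match; retained from the original.
"$ipt_bin" -A ssh-check -m state --state ESTABLISHED,RELATED -j ACCEPT
"$ipt_bin" -A ssh-check -s 127.0.0.1 -j ACCEPT
"$ipt_bin" -A ssh-check -s "${external_ip}/24" -j ACCEPT
"$ipt_bin" -A ssh-check -s "${local_ip}" -j ACCEPT
# Brute-force throttle: remember each source; once a source has opened 4 new
# connections within 3600 s, log and drop its further SYNs. Note the order:
# remote_ip/24 is accepted only *after* this check, so the admin network is
# subject to the same 4-per-hour limit (unlike in the per-port chains).
"$ipt_bin" -A ssh-check -m recent --set --name ssh-brute --rsource
"$ipt_bin" -A ssh-check -m recent --seconds 3600 --update --hitcount 4 --name ssh-brute --rsource -j LOG --log-prefix "ssh-brute: " --log-level 6
"$ipt_bin" -A ssh-check -p tcp --syn --dport "$ssh_port" -m recent --name ssh-brute --hitcount 4 --update --seconds 3600 --rsource -j DROP
"$ipt_bin" -A ssh-check -s "${remote_ip}/24" -j ACCEPT
# Anything not allow-listed gets a clean RST rather than a silent drop.
"$ipt_bin" -A ssh-check -p tcp -j REJECT --reject-with tcp-reset

# --- one chain per remaining listening port --------------------------------
for port in "${ports_array[@]}"; do
  chain="${port}-check"
  reset_chain "$chain" "$port"
  "$ipt_bin" -A "$chain" -p tcp --dport "$port" -m limit --limit 2/s -j LOG --log-uid --log-prefix "${port}-port: "
  # Same as in ssh-check: unreachable for NEW-only traffic, kept as-is.
  "$ipt_bin" -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$ipt_bin" -A "$chain" -s 127.0.0.1 -j ACCEPT
  "$ipt_bin" -A "$chain" -s "${external_ip}/24" -j ACCEPT
  # Single admin host here, but the whole local /24 below -- the inverse of
  # the ssh chain. Preserved from the original; review whether that is meant.
  "$ipt_bin" -A "$chain" -s "${remote_ip}" -j ACCEPT
  "$ipt_bin" -A "$chain" -s "${local_ip}/24" -j ACCEPT
  "$ipt_bin" -A "$chain" -p tcp -j REJECT --reject-with tcp-reset
done

# Mangle-table ACCEPTs for traffic from this host's own addresses. ACCEPT in
# mangle only ends traversal of that mangle chain and does not bypass the
# filter table; the intent is not documented in the original and is kept
# unchanged here.
"$ipt_bin" -t mangle -I PREROUTING -s "$local_ip" -j ACCEPT
"$ipt_bin" -t mangle -I PREROUTING -s "$external_ip" -j ACCEPT
"$ipt_bin" -t mangle -I OUTPUT -s "$local_ip" -j ACCEPT
"$ipt_bin" -t mangle -I OUTPUT -s "$external_ip" -j ACCEPT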