首先,我不会建议使用iptables来解决所有这些问题,确实,理想的出口Tor节点将通过一些VPN隧道来负载平衡流量,以防止ISP忽略数据包和真实的目的地,并且/或者利用缓存代理来保持出站重复请求将流行的静态内容降至最低...在研究这些选项的同时,这里提供了一项针对滥用投诉问题的创可贴;
使用的信息来源
http://www.ossramblings.com/using_iptables_rate_limiting_to_prevent_port扫描
http://blog.nintechnet.com/how-to-block-w00tw00t-at-isc-sans-dfind-and-other-web-vulnerability-scanners/
将这两个源链接组合成一些规则,这些规则可用于使试图使用Tor出口节点进行端口扫描的bot感到沮丧。请注意,这可能会使使用您的出口节点的黑客非常不满意,因为这些规则会导致nmap挂起时间。
#!/bin/bash
## Network interface used by Tor exit daemon
_tor_iface="eth1"
## Ports that Tor exit daemon binds to, maybe comma or space sepperated.
_tor_ports="9050,9051"
## Time to ban connections out in secconds, default equates to 10 minutes, same as default Tor cercut.
_ban_time="600"
## How long to monitor conections in seconds, default equates to 10 minutes.
_outgoing_tcp_update_seconds="600"
## How many new connections can be placed to a server in aloted update time limits. May nead to increes this depending on exit node usage and remote servers usages.
_outgoing_tcp_hitcount="8"
## How long to monitor connections for in minuets, default is 15 minutes but could be lessoned.
_outgoing_tcp_burst_minute="15"
## Hom many connections to accept untill un-matched
_outgoing_tcp_burst_limit="1000"
iptables -N out_temp_ban -m comment --comment "Make custom chain for tracking ban time limits" || exit 1
iptables -A out_temp_ban -m recent --set --name temp_tcp_ban -p TCP -j DROP -m comment --comment "Ban any TCP packet coming to this chain" || exit 1
iptables -N out_vuln_scan -m comment --comment "Make custom chain for mitigating port scans originating from ${_tor_iface}" || exit 1
for _tor_port in ${_tor_ports//,/ }; do
iptables -A out_vuln_scan -p TCP -o ${_tor_iface} --sport ${_tor_port} -m recent --name temp_tcp_ban --update --seconds ${_ban_time} -j DROP -m comment --comment "Update ban time if IP address is found in temp_tcp_ban list" || exit 1
iptables -A out_vuln_scan -p TCP -o ${_tor_iface} --sport ${_tor_port} -m state --state NEW -m recent --set -m comment --comment "Monitor number of new conncetions to ${_server_iface}" || exit 1
iptables -A out_vuln_scan -p TCP -o ${_tor_iface} --sport ${_tor_port} -m state --state NEW -m recent --update --seconds 30 --hitcout 10 -j out_temp_ban -m comment --comment "Ban address when to many new connections are attempted on ${_tor_iface}" || exit 1
done
iptables -A out_vuln_scan -j RETURN -m comment --comment "Return un-matched packets for further processing" || exit 1
## Add rules to accept/allow outbound packets
iptables -N tor_out -m comment --comment "Make custom chain for allowing Tor exit node services" || exit 1
for _tor_port in ${_tor_ports//,/ }; do
iptables -A tor_out -p TCP -o ${_tor_iface} --sport ${_tor_port} -m state --state NEW -m recent --set --name limit_${_tor_port} -m comment --comment "Track out-going tcp connections from port ${_tor_port}" || exit 1
iptables -A tor_out -p TCP -o ${_tor_iface} --sport ${_tor_port} -m state --state NEW -m recent --update --seconds ${_outgoing_tcp_update_seconds:-60} --hitcount ${_outgoing_tcp_hitcount:-8} --rttl --name limit_${_tor_port} -j LOG --log-prefix "TCP flooding port ${_tor_port}" -m comment --comment "Log atempts to flood port ${_tor_port} from your server" || exit 1
iptables -A tor_out -p TCP -o ${_tor_iface} --sport ${_tor_port} -m state --state NEW -m recent --update --seconds ${_outgoing_tcp_update_seconds:-60} --hitcount ${_outgoing_tcp_hitcount:-8} --rttl --name limit_${_tor_port} -j DROP -m comment --comment "Drop attempts to flood port ${_tor_port} from your server" || exit 1
iptables -A tor_out -p TCP -o ${_tor_iface} --sport ${_tor_port} -m limit --limit ${_outgoing_tcp_burst_minute:-15}/minute --limit-burst ${_outgoing_tcp_burst_limit:-1000} -j ACCEPT -m comment --comment "Accept with conditions new connections from port ${_tor_port} from your server" || exit 1
done
iptables -A tor_out -j RETURN -m comment ---comment "Reurn un-matched packets for further filtering or default polices to take effect." || exit 1
## Activate jumps from default output chain to new custom filtering chains
iptables -A OUTPUT -p TCP -o ${_tor_iface} -j out_vuln_scan -m comment --comment "Jump outbound packets through vulnerability scaning mitigation" || exit 1
iptables -A OUTPUT -p TCP -o ${_tor_iface} -j tor_out -m comment --comment "Jump outbound packets through conditional acceptance" || exit 1
跑到上面,bash
对带有,
cammas的变量执行魔术,即;
user@host~# bash iptables_limit_tor.sh
这又是变量列表
_tor_iface="eth1"
_tor_ports="9050,9051"
_ban_time="600"
_outgoing_tcp_update_seconds="600"
_outgoing_tcp_hitcount="8"
_outgoing_tcp_burst_minute="15"
_outgoing_tcp_burst_limit="1000"
请注意,您可能还希望过滤一些新的出站连接,以查找某些机器人用于发现可利用服务器的-m state NEW ! --syn
各种有趣的事务,这是一个示例链,您可能不希望上述两个对象进一步过滤此类格式错误的聊天记录
iptables -N out_bad_packets -m comment --comment "Make new chain for filtering malformed packets" || exit 1
iptables -A out_bad_packets -p TCP --fragment -j out_temp_ban -m comment --comment "Drop all fragmented packets" || exit 1
iptables -A out_bad_packets -p TCP -m state --state INVALID -j out_temp_ban -m comment --comment "Drop all invalid packets" || exit 1
iptables -A out_bad_packets -p TCP ! --syn -m state --state NEW -j out_temp_ban -m comment --comment "Drop new non-syn packets" || exit 1
iptables -A out_bad_packets -p TCP --tcp-flags ALL NONE -j out_temp_ban -m comment --comment "Drop NULL scan" || exit 1
iptables -A out_bad_packets -p TCP --tcp-flags ALL ALL -j out_temp_ban -m comment --comment "Drop XMAS scan"|| exit 1
iptables -A out_bad_packets -p TCP --tcp-flags ALL FIN,URG,PSH -j out_temp_ban -m comment --comment "Drop stealth scan 1" || exit 1
iptables -A out_bad_packets -p TCP --tcp-flags ALL SYN,RST,ACK,FIN,URG -j out_temp_ban -m comment --comment "Drop pscan 1"|| exit 1
iptables -A out_bad_packets -p TCP --tcp-flags SYN,FIN SYN,FIN -j out_temp_ban -m comment --comment "Drop pscan 2" || exit 1
iptables -A out_bad_packets -p TCP --tcp-flags FIN,RST FIN,RST -j out_temp_ban -m comment --comment "Drop pscan 3" || exit 1
iptables -A out_bad_packets -p TCP --tcp-flags SYN,RST SYN,RST -j out_temp_ban -m comment --comment "Drop SYN-RST scan" || exit 1
iptables -A out_bad_packets -p TCP --tcp-flags ACK,URG URG -j out_temp_ban -m comment --comment "Drop URG scans" || exit 1
iptables -A out_bad_packets -p TCP --tcp-flags ALL SYN,FIN -j out_temp_ban -m comment --comment "Drop SYNFIN scan" || exit 1
iptables -A out_bad_packets -p TCP --tcp-flags ALL URG,PSH,FIN -j out_temp_ban -m comment --comment "Drop nmap Xmas scan" || exit 1
iptables -A out_bad_packets -p TCP --tcp-flags ALL FIN -j out_temp_ban -m comment --comment "Drop FIN scan" || exit 1
iptables -A out_bad_packets -p TCP --tcp-flags ALL URG,PSH,SYN,FIN -j out_temp_ban -m comment --comment "Drop nmap-id scan" || exit 1
iptables -A out_bad_packets -p TCP --tcp-flags RST RST -o ${_tor_iface} --sport ${_tor_port} -m limit --limit 2/second --limit-burst 3 -j out_temp_ban -m comment --comment "Mitigate Smurf attacks from excesive RST packets"
iptables -A out_bad_packets -p TCP --tcp-flags RST RST -o ${_tor_iface} --sport ${_tor_port} -m limit --limit 2/second --limit-burst 2 -j RETURN -m comment --comment "Ban Smurf attacks using excesive RST packets"
iptables -A out_bad_packets -j RETURN -m comment --comment "Return un-matched packets for further processing." || exit 1
然而,上述链将是非常严格任何匹配的数据包将有IP被封锁。(可能更改-j out_temp_ban
到-j DROP
或-j REJECT
测试)在该连锁店的规则,但是选择多少秒。当客户端端编码错误的应用通过新的Tor cercut重新连接时,这组规则也可能导致误判。
~~~~~
可以考虑进一步减少流量的软件签出firejail
Linux版本,其源代码位于Github和Source forge 上,手册页位于旧主页,wordpress子域中,并且DigitalOcean拥有Nginx的PHP和Firejail指南,稍加修改就可以让您更加激怒网络应该限制在哪里。还有其他工具,如KVM
太可用于降低运营boundries内spiciffic服务,让店铺角落找寻,找到一个为你的系统效果最好。
还有一种选择fail2ban
是以这样一种方式运行的:当一个疯狂的系统管理员试图将一个HTTP或SSL连接到您的IP时,将添加一条规则以删除该IP。-m state --state NEW
与请求您的退出通知页面的用户的连接。如果这与合理的不受时间限制的限制相结合,则可能使远程服务器休息,而系统管理员则在抱怨日志污染;-)但是,这超出了当前答案的范围,取决于您使用的软件类型退出通知页面;提示:如果现在请求URL,则nginx和apache都将在配置中提供第一个vhost或服务器块。如果使用apache或nginx以外的其他方式,则需要查阅手册页,但对我而言,这就像将第一个虚拟主机设置为登录到其他文件一样简单,并且使用fail2ban将该日志中的所有IP添加到临时禁止列表中; 这对于禁止公共服务器上的僵尸程序也非常有用,因为它们通常使用IP地址,并且在提供僵尸程序陷阱的服务器上不提供域请求结果,
我倾向于使用有限的Tor出口策略(看起来像您已经解决了的那样)来让rdards运行,然后将流量通过VPN隧道,额外的信用点(用于在多通道隧道之间进行负载平衡)来推动流量。因为这将减少对Tor网络流量的干扰,并使您的ISP目不转睛地注意到您正在运行出口节点……除非他们希望承认并嗅探和破解您的VPN流量。这是因为运行临时禁止或允许远程主机自我禁止的规则可能会导致您节点的客户端的隐私受到侵犯,因为将流量推送到VPN(或更少)会有助于您客户端的隐私并保持您的ISP不会由于任何能够运行的政府而被您的网络流量日志请求所困扰whois www.some.domain
。
~~~~
编辑/更新
~~~~
我参观了一些详尽的笔记,并整理了我使用的公共服务器的配置
这是fail2ban jail.local
节
[apache-ipscan]
enabled = true
port = http,https
filter = apache-ipscan
logpath = /var/log/apache*/*error_ip*
action = iptables-repeater[name=ipscan]
maxretry = 1
这是过滤器apache-ipscan.conf
文件
[DEFAULT]
_apache_error_msg = \[[^]]*\] \[\S*:error\] \[pid \d+\] \[client <HOST>(:\d{1,5})?\]
[Definition]
failregex = \[client <HOST>\] client denied by server .*(?i)/.*
#^<HOST>.*GET*.*(?!)/.*
# ^%(_apache_error_msg)s (AH0\d+: )?client denied by server configuration: (uri )?.*$
# ^%(_apache_error_msg)s script '\S+' not found or unable to stat(, referer: \S+)?\s*$
ignoreregex =
# DEV Notes:
# the web server only responds to clients with a valid Host:
# header. anyone who tries using IP only will get shunted into
# the dummy-error.log and get a client-denied message
#
# the second regex catches folks with otherwise valid CGI paths but no good Host: header
#
# Author: Paul Heinlein
这是动作iptables-repeater.conf
文件
# Fail2Ban configuration file
#
# Author: Phil Hagen <phil@identityvector.com>
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning and Lukas Camenzind for persistent banning
# Modified by S0AndS0 to combine features of previous Authors and Modders
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-BADIPS-<name>
iptables -A fail2ban-BADIPS-<name> -j RETURN
iptables -I INPUT -j fail2ban-BADIPS-<name>
## Comment above line and uncomment bello line to use multiport and protocol in addition to named jails
#iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-BADIPS-<name>
# set up from the static file
#cat /etc/fail2ban/ip.blocklist.<name> |grep -v ^\s*#|awk '{print $1}' | while read IP; do iptables -I fail2ban-BADIPS-<name> 1 -s $IP -j DROP; done
cat /etc/fail2ban/ip.blocklist.<name> |grep -v ^\s*#|awk '{print $1}' | while read IP; do iptables -I fail2ban-BADIPS-<name> 1 -d $IP -j DROP; done
## Comment above line and uncomment bellow line to check if there are blacklist files to load before attempting to load them
# if [ -f /etc/fail2ban/ip.blacklist.<name> ]; then cat /etc/fail2ban/ip.blacklist.<name> | grep -e <name>$ | cut -d "," -s -f 1 | while read IP; do iptables -I fail2ban-BADIPS-<name> 1 -s $IP -j DROP; done; fi
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-BADIPS-<name>
iptables -F fail2ban-BADIPS-<name>
iptables -X fail2ban-BADIPS-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
#actioncheck = iptables -n -L INPUT | grep -q fail2ban-BADIPS-<name>
actioncheck = iptables -n -L OUTPUT | grep -q fail2ban-BADIPS-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
#actionban = if ! iptables -C fail2ban-BADIPS-<name> -s <ip> -j DROP; then iptables -I fail2ban-BADIPS-<name> 1 -s <ip> -j DROP; fi
actionban = if ! iptables -C fail2ban-BADIPS-<name> -d <ip> -j DROP; then iptables -I fail2ban-BADIPS-<name> 1 -d <ip> -j DROP; fi
# Add offenders to local blacklist, if not already there
if ! grep -Fxq '<ip>,<name>' /etc/fail2ban/ip.blocklist.<name>; then echo "<ip>,<name> # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): auto-add for BadIP offender" >> /etc/fail2ban/ip.blocklist.<name>; fi
# Report offenders to badips.com
# wget -q -O /dev/null www.badips.com/add/<name>/<ip>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
#actionunban = iptables -D fail2ban-REPEAT-<name> -s <ip> -j DROP
actionunban = iptables -D fail2ban-REPEAT-<name> -d <ip> -j DROP
# Disabled clearing out entry from ip.blacklist (somehow happens after each stop of fail2ban)
#sed --in-place '/<ip>,<name>/d' /etc/fail2ban/ip.blacklist.<name>
[Init]
# Defaut name of the chain
#
# Defaut name of the chain
name = BADIPS
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
#port = ssh
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
请注意,上面的过滤器已经过编辑,可以阻止OUTPUT
开始/停止操作,但是您仍然希望将-p TCP -m state --state NEW
配置添加到每行,以仅使新的出站连接被记录的IP地址禁止。
最后是设置一个Apache vHost配置,该配置将那些不请求域的用户路由到特定的访问和错误日志,并设置允许访问或拒绝访问,以使其始终出错,甚至环回也不能拉出页面而不会弹出错误。最后但并非最不重要的一点是,将Apache的错误页面设置为Tor的默认退出通知,以便代替503
或404
平淡的消息。或者,如果将状态行添加到了fail2ban的iptables操作中,则可以轻松地指向退出通知所使用的同一日志文件。结果是您的服务器将无法与检查您的IP地址的服务器IP建立新连接,但仍然可以建立并建立相关连接,即它们仍可以浏览您的其他页面,但您无法浏览这些页面。