CN102404323A - Automatic rejection method for network IP (Internet Protocol) attack - Google Patents

Automatic rejection method for network IP (Internet Protocol) attack

Info

Publication number: CN102404323A
Authority: CN (China)
Prior art keywords: log file, network, data, store files, filter result
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN2011103721408A
Other languages: Chinese (zh)
Inventors: 边海平, 李斌, 潘俊, 谢向荣, 祝明远, 肖飞秋
Current assignee: ZTE ICT Technologies Co Ltd
Original assignee: ZTE ICT Technologies Co Ltd
Priority date: 2011-11-18
Filing date: 2011-11-18
Publication date: 2012-04-04

Abstract

The invention provides a method for automatically rejecting attacking IP addresses on a network. The method comprises: reading the system security log file; filtering the log file that was read and extracting the needed IP data; redirecting the extracted IP data into a specified filter-result storage file; and processing the IPs in the filter-result storage file according to a specified rule. By using AWK to filter the target IPs to be rejected out of the log file and adding them to the firewall, the method adds the rejection of attacking IPs automatically and unattended, which saves time and labour and improves efficiency.

Description

Method for automatically rejecting network attack IPs
Technical field
The present invention relates to the field of computing, and in particular to a method for automatically rejecting network attack IPs.
Background technology
At present, SSH, FTP, mail and port-80 services on a network frequently receive illegal brute-force password-cracking attempts, which pose a security risk. In general, when a network is under attack, access by an IP host can be refused in the following ways. One way is to refuse the IP host through the tcpwrap (TCP Wrappers) function; this requires manually writing the IP to be refused into the configuration file for the specified service. This way has the following shortcoming: when someone is attempting brute-force password cracking of the mail, ssh or ftp service on the target server, the administrator is not in front of the host and does not know the source IP of the attack, or has to check the log afterwards and add the IPs by hand one by one, which may also come too late.
Another way is to refuse the host through iptables. The usual practice is to designate the action for the port of a service as either allow or refuse; once a port is allowed for a service, everything on it is allowed, which gives no protection against brute-force cracking by an attacker who does not know the password. In addition, with this way the IPs that the iptables firewall is to filter still have to be written into a file manually by the user.
Thus both of the above ways require the user to add the IP addresses to be filtered to the specified file by hand, which wastes time and is inefficient.
Summary of the invention
The object of the present invention is to provide a method for automatically rejecting network attack IPs, which uses AWK to filter the target IPs to be refused out of the log file and adds them to the firewall, so that the rejection of attacking IPs is added automatically and unattended, saving time and labour and improving efficiency.
To solve the above technical problem, the present invention provides a method for automatically rejecting network attack IPs, comprising:
reading the system security log file;
filtering the log file that was read and extracting the needed IP data;
redirecting the extracted IP data into a specified filter-result storage file;
processing the IPs in the filter-result storage file according to a specified rule.
Further, reading the system security log file specifically comprises:
if the network supports the tcpwrap service, reading the system security log file directly with the cat command;
if the network does not support the tcpwrap service, first defining in the iptables firewall, on the port used by the service, a rule whose response action is to record the security log, and then reading the system security log file with the cat command.
Further, filtering the log file that was read and extracting the needed IP data specifically comprises:
passing the log file that was read to AWK, which filters it and outputs the content of the specified columns;
sorting the output column content and de-duplicating the sorted data;
passing the de-duplicated data to AWK, which filters it and extracts the needed IP data.
Further, the method also comprises: comparing the value recorded for each IP in the filter-result storage file (the number of failure records from that IP address, see the fourth step of the embodiment) with a preset parameter value; if the IP's value is greater than the preset parameter value, processing that IP in the filter-result storage file according to the specified rule; otherwise, performing no operation.
Further, processing the IPs in the filter-result storage file according to the specified rule specifically comprises:
if the network supports the tcpwrap service, writing the IPs from the filter-result storage file into the tcpwrap deny file in the specified format;
if the network does not support the tcpwrap service, looping over the IPs in the filter-result storage file in iptables, with the executed operation action being refusal.
Compared with the prior art, the present invention provides a method for automatically rejecting network attack IPs that uses AWK to filter the target IPs to be refused out of the log file and adds them to the firewall. That is, for tcpwrap, a shell script automatically invokes commands to complete the analysis of the IPs to be refused for the specified service and adds them; for iptables, connections are first allowed and logged, and the connections that exceed a given number of attempts within a short time (brute-force attempts) are then filtered to extract their IPs, which are added automatically to the iptables deny restriction. In this way the rejection of attacking IPs is added automatically and unattended, which saves time and labour and improves efficiency.
Description of drawings
The accompanying drawing described here is provided for further understanding of the present invention and forms part of it; the illustrative embodiment of the present invention and its explanation serve to explain the invention and do not limit it improperly. In the drawing:
Fig. 1 is a flow chart of the method for automatically rejecting network attack IPs provided by the present invention.
Embodiment
In order to make the technical problem to be solved, the technical solution and the beneficial effects of the present invention clearer, the present invention is further described below with reference to the accompanying drawing and the embodiment. It should be understood that the specific embodiment described here only serves to explain the present invention and is not intended to limit it.
The method for automatically rejecting network attack IPs according to the invention involves the following components: the system security log, the AWK tool, and the filter-result storage file.
1) System security log: records failed or erroneous accesses. Normal IPs should not normally appear here (in practice a legitimate user who mistypes a password is also recorded, which is why the threshold in the fourth step below matters).
2) AWK tool: the tool the script calls to do the filtering. It is installed by default on Linux.
3) Filter-result storage file: the file into which the result of the extraction and filtering is output and stored; its name can be chosen freely.
As shown in Fig. 1, the present invention provides a method for automatically rejecting network attack IPs, comprising:
First step: read the system security log file. Specifically:
if the network supports the tcpwrap service, read the system security log file directly with the cat command;
if the network does not support the tcpwrap service, first define in the iptables firewall, on the port used by the service, a rule whose response action is to record the security log, add a log mark (prefix) to it, and then read the system security log file with the cat command.
Second step: filter the log file that was read and extract the needed IP data. Specifically:
pass the log file that was read to AWK, which filters it and outputs the content of the specified columns;
sort the output column content and de-duplicate the sorted data;
pass the de-duplicated data to AWK, which filters it and extracts the needed IP data.
Third step: redirect the extracted IP data into the specified filter-result storage file.
Fourth step: compare the value recorded for each IP in the filter-result storage file with the preset parameter value; if the IP's value is greater than the preset parameter value, go to the fifth step, otherwise go to the sixth step. Here the preset parameter value is the parameter used to judge how many failure records with the same IP address there are, i.e. the threshold on the number of failures from one IP.
Fifth step: process the IPs in the filter-result storage file according to the specified rule. Specifically:
if the network supports the tcpwrap service, write the IPs from the filter-result storage file into the tcpwrap deny file in the specified format;
if the network does not support the tcpwrap service, loop over the IPs in the filter-result storage file in iptables, with the executed operation action being refusal.
Sixth step: perform no operation.
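The six steps above, which are the same procedure as the one stated in the Summary of the invention, carried through as an added, runnable shell example. This is not the patent's script and the patent discloses no code; it assumes OpenSSH-style "Failed password ... from IP" lines in the security log for the tcpwrap path, an iptables LOG rule with the constructed prefix "BRUTE: " for the iptables path, a threshold of 3 as the preset parameter value, sshd as the service name written to /etc/hosts.deny, and the INPUT chain with a REJECT target for the iptables deny rule. All log lines are constructed samples, and with DRY_RUN=1 (the default) the firewall changes are printed instead of applied.

```shell
#!/bin/sh
# Added example, not the patent's own script. Steps 1-6 of the method as a pipeline
# over constructed sample log lines. Assumed: OpenSSH log format, an iptables LOG rule
# with prefix "BRUTE: ", threshold 3, service "sshd" for hosts.deny, INPUT chain + REJECT.

THRESHOLD="${THRESHOLD:-3}"                   # the patent's "preset parameter value"
RESULT_FILE="${RESULT_FILE:-$(mktemp)}"       # the patent's "filter-result storage file"
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print firewall changes, 0 = apply them

# Step 1, tcpwrap path: constructed sample of /var/log/secure (sshd) lines.
sample_secure_log() {
cat <<'EOF'
Nov 18 10:01:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Nov 18 10:01:05 host sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Nov 18 10:01:09 host sshd[2103]: Failed password for root from 203.0.113.7 port 51250 ssh2
Nov 18 10:01:15 host sshd[2104]: Failed password for root from 203.0.113.7 port 51260 ssh2
Nov 18 10:02:00 host sshd[2105]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Nov 18 10:02:30 host sshd[2106]: Accepted password for alice from 198.51.100.9 port 40001 ssh2
EOF
}

# Step 1, iptables path: constructed sample of kernel lines written by a logging rule such as
#   iptables -I INPUT -p tcp --dport 21 --syn -j LOG --log-prefix "BRUTE: "
# (the rule allows-and-logs; it must sit before any ACCEPT for the port).
sample_kern_log() {
cat <<'EOF'
Nov 18 10:03:01 host kernel: BRUTE: IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=4444 DPT=21 SYN
Nov 18 10:03:01 host kernel: BRUTE: IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=4445 DPT=21 SYN
Nov 18 10:03:02 host kernel: BRUTE: IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=4446 DPT=21 SYN
Nov 18 10:03:02 host kernel: BRUTE: IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=4447 DPT=21 SYN
Nov 18 10:03:40 host kernel: BRUTE: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP SPT=5000 DPT=21 SYN
EOF
}

# Steps 2 and 4: AWK picks the source-IP column, sort | uniq -c counts failures per IP,
# a second AWK keeps only IPs whose count exceeds THRESHOLD. Output is "count ip" per line.
# Only dotted-quad IPv4 literals pass, so text from a log line can never reach a firewall command.
extract_offenders() {   # $1 = "secure" | "kern"; log on stdin
    awk -v mode="$1" '
        mode == "secure" && /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
        }
        mode == "kern" && /kernel: BRUTE: / {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5)
        }' \
    | sort | uniq -c \
    | awk -v t="$THRESHOLD" '$1 > t && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1, $2 }'
}

# Step 5: tcpwrap path appends a "daemon: client" line to /etc/hosts.deny;
# iptables path inserts a REJECT rule (-C first, so re-running does not duplicate rules).
deny_ip() {   # $1 = "tcpwrap" | "iptables", $2 = ip
    case "$1" in
      tcpwrap)
        line="sshd: $2"
        if [ "$DRY_RUN" = 1 ]; then echo "hosts.deny << $line"; else echo "$line" >> /etc/hosts.deny; fi ;;
      iptables)
        if [ "$DRY_RUN" = 1 ]; then echo "iptables -I INPUT -s $2 -j REJECT"
        else iptables -C INPUT -s "$2" -j REJECT 2>/dev/null || iptables -I INPUT -s "$2" -j REJECT; fi ;;
    esac
}

# Steps 3 and 6 glue it together: write offenders to the result file, then act on each;
# an empty result file means nothing exceeded the threshold and nothing is done.
run_pipeline() {   # $1 = "tcpwrap" | "iptables"
    if [ "$1" = tcpwrap ]; then sample_secure_log | extract_offenders secure
    else sample_kern_log | extract_offenders kern; fi > "$RESULT_FILE"
    [ -s "$RESULT_FILE" ] || { echo "no IP over threshold $THRESHOLD"; return 0; }
    while read -r count ip; do deny_ip "$1" "$ip"; done < "$RESULT_FILE"
}

run_pipeline tcpwrap
run_pipeline iptables
```

With the samples above, 203.0.113.7 (four failures) and 192.0.2.44 (four logged SYNs) exceed the threshold and 198.51.100.9 (one each) does not. The "strictly greater than" comparison is the patent's; in a real deployment the threshold and the log window it is applied over decide how many mistyped passwords a legitimate user is allowed before being locked out, and the script should run from a scheduler with a bounded window rather than over the whole log.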
The present invention thus provides a method for automatically rejecting network attack IPs that uses AWK to filter the target IPs to be refused out of the log file and adds them to the firewall: for tcpwrap, a shell script automatically invokes commands to complete the analysis of the IPs to be refused for the specified service and adds them; for iptables, connections are first allowed and logged, and the connections that exceed a given number of attempts within a short time (brute-force attempts) are then filtered to extract their IPs, which are added automatically to the iptables deny restriction. In this way the rejection of attacking IPs is added automatically and unattended, which saves time and labour and improves efficiency.
The above description illustrates and describes a preferred embodiment of the present invention. As stated above, it should be understood that the invention is not limited to the form disclosed here, which should not be regarded as excluding other embodiments; it can be used in various other combinations, modifications and environments and can be changed, within the scope of the inventive concept described here, through the above teaching or through the technology or knowledge of the related field. Changes and variations made by those skilled in the art that do not depart from the spirit and scope of the invention all fall within the protection scope of the appended claims.

Claims (5)

1. A method for automatically rejecting network attack IPs, characterised in that it comprises:
reading the system security log file;
filtering the log file that was read and extracting the needed IP data;
redirecting the extracted IP data into a specified filter-result storage file;
processing the IPs in the filter-result storage file according to a specified rule.
2. The method of claim 1, characterised in that reading the system security log file specifically comprises:
if the network supports the tcpwrap service, reading the system security log file directly with the cat command;
if the network does not support the tcpwrap service, first defining in the iptables firewall, on the port used by the service, a rule whose response action is to record the security log, and then reading the system security log file with the cat command.
3. The method of claim 1, characterised in that filtering the log file that was read and extracting the needed IP data specifically comprises:
passing the log file that was read to AWK, which filters it and outputs the content of the specified columns;
sorting the output column content and de-duplicating the sorted data;
passing the de-duplicated data to AWK, which filters it and extracts the needed IP data.
4. The method of claim 1, characterised in that it further comprises: comparing the value recorded for each IP in the filter-result storage file with a preset parameter value; if the IP's value is greater than the preset parameter value, processing that IP in the filter-result storage file according to the specified rule; otherwise, performing no operation.
5. The method of claim 1 or 4, characterised in that processing the IPs in the filter-result storage file according to the specified rule specifically comprises:
if the network supports the tcpwrap service, writing the IPs from the filter-result storage file into the tcpwrap deny file in the specified format;
if the network does not support the tcpwrap service, looping over the IPs in the filter-result storage file in iptables, with the executed operation action being refusal.

Application and family data

Application number: CN2011103721408A (priority date 2011-11-18, filing date 2011-11-18), title "Automatic rejection method for network IP (Internet Protocol) attack", status Pending
Publication: CN102404323A, published 2012-04-04
Family ID: 45886109
Country status: CN, CN102404323A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number, priority date, publication date, assignee, title
CN102984166A * 2012-12-07 2013-03-20 苏州简约纳电子有限公司 IP data packet filter
CN102984166B * 2012-12-07 2015-10-07 苏州简约纳电子有限公司 IP data packet filter (granted)
CN110401664A * 2019-07-30 2019-11-01 广东分利宝金服科技有限公司 Method and device for defending against hostile network CC attacks

Citations (8)

* Cited by examiner, † Cited by third party
Publication number, priority date, publication date, assignee, title
CN1764125A * 2005-11-10 2006-04-26 上海交通大学 Interactive intrusion detection testing system supporting large-scale multi-user subsequent control
CN101399658A * 2007-09-24 2009-04-01 北京启明星辰信息技术有限公司 Security log analysis method and system
CN101605028A * 2009-02-17 2009-12-16 北京安天电子设备有限公司 Method and system for merging log records
CN101883017A * 2009-05-04 2010-11-10 北京启明星辰信息技术股份有限公司 System and method for evaluating network security state
CN101894059A * 2010-06-11 2010-11-24 中兴通讯股份有限公司 Method and system for detecting operating condition
CN101997730A * 2009-08-20 2011-03-30 中国移动通信集团辽宁有限公司 Method and system for service-triggered alerting
CN102055818A * 2010-12-30 2011-05-11 北京世纪互联工程技术服务有限公司 Distributed intelligent DNS (domain name server) library system
US20110158393A1 * 2009-12-24 2011-06-30 Canon Kabushiki Kaisha Communication apparatus performing communication via network using phone number, control method for the same, and storage medium


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
耿晓菊 et al.: "A design for coordinating security modules based on Netlink and Libipq" (一种基于Netlink和Libipq实现安全模块联动的设计), Computer Applications and Software (计算机应用与软件) *



Legal Events

Code, title (no dates are given on the page)
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 2012-04-04