A very strict port-scan blocking script (ipset + iptables), ref: https://github.com/EtherDream/anti-portscan/tree/master
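#!/usr/bin/env bash
#
# Very strict port-scan trap for IPv4, built from ipset + iptables.
#
# Any TCP SYN to a port that is not in the public allow-list sends the source
# IP into "scanner-ip-set". Once that IP has hit the trap more than
# PORT_SCAN_MAX times, every packet from it (any protocol) is dropped for
# IP_DENY_SECOND seconds. Non-SYN TCP segments that belong to no tracked
# connection are dropped as well, so the host stays silent to non-SYN probes.
#
# Usage: run once, as root. Re-running fails at the first `ipset create`
# because the set already exists; under `set -e` that also stops duplicate
# INPUT rules from being appended. Destroy the sets and remove the rules
# (nothing here is persisted across reboot) before running again.
#
# Environment (all optional; defaults are the original hard-coded values):
#   PORT_SCAN_MAX   trap hits tolerated before a full deny     (default 1)
#   IP_DENY_SECOND  seconds a flagged IP stays denied           (default 300)
#   IP_SET_MAX      maximum number of entries in scanner-ip-set (default 1024000)
#   NET_IF          interface the INPUT rules are bound to      (default eth0)
#
# Lockout caution: every port you rely on (your SSH port above all) must be in
# PUB_PORTS before this runs, otherwise your own next connection attempt is
# trapped and your address is denied for IP_DENY_SECOND seconds. Only IPv4
# (iptables) is configured; IPv6 is left untouched.
set -euo pipefail

PORT_SCAN_MAX=${PORT_SCAN_MAX:-1}
IP_DENY_SECOND=${IP_DENY_SECOND:-300}
IP_SET_MAX=${IP_SET_MAX:-1024000}
NET_IF=${NET_IF:-eth0}
# TCP ports that may receive a SYN without tripping the trap.
PUB_PORTS=(22 80 443)
readonly PORT_SCAN_MAX IP_DENY_SECOND IP_SET_MAX NET_IF PUB_PORTS

die() { printf '%s\n' "$*" >&2; exit 1; }

# ipset/iptables need root; fail early with a clear message instead of a
# cascade of permission errors.
(( EUID == 0 )) || die "must be run as root"
for tool in ipset iptables; do
  command -v "$tool" >/dev/null || die "required tool not found: $tool"
done

# Allow-list of public TCP ports.
ipset create pub-port-set bitmap:port range 0-65535
for port in "${PUB_PORTS[@]}"; do
  ipset add pub-port-set "$port"
done

# Flagged scanners. Entries expire after IP_DENY_SECOND seconds and carry
# packet counters, which the INPUT rule further down reads as "trap hits".
ipset create scanner-ip-set hash:ip \
  timeout "$IP_DENY_SECOND" \
  maxelem "$IP_SET_MAX" \
  counters

# trap-scan chain:
#   already flagged -> DROP (the set match bumps the entry's packet counter)
#   new source      -> add to the set, then DROP
iptables -N trap-scan
iptables -A trap-scan \
  -m set --match-set scanner-ip-set src \
  -j DROP
iptables -A trap-scan \
  -j SET --add-set scanner-ip-set src
# SET is a non-terminating target, so an explicit DROP has to follow it.
iptables -A trap-scan \
  -j DROP

# Any SYN to a non-public port goes to the trap.
iptables -i "$NET_IF" -A INPUT \
  -p tcp --syn \
  -m set ! --match-set pub-port-set dst \
  -j trap-scan

# Drop everything (any protocol, not only TCP) from an IP that tripped the
# trap more than PORT_SCAN_MAX times. "! --update-counters" keeps this check
# from inflating the hit count itself.
iptables -i "$NET_IF" -A INPUT \
  -m set ! --update-counters \
  --match-set scanner-ip-set src \
  --packets-gt "$PORT_SCAN_MAX" \
  -j DROP

# Stay silent to non-SYN TCP segments that belong to no tracked connection.
# Connections that predate conntrack state (e.g. after a conntrack flush) are
# affected too — keep a fallback session open when deploying.
iptables -i "$NET_IF" -A INPUT \
  -p tcp ! --syn \
  -m conntrack ! --ctstate ESTABLISHED,RELATED \
  -j DROP

# Keep established/related traffic flowing; inserted at the top of INPUT so it
# is evaluated before every rule appended above.
iptables -i "$NET_IF" -I INPUT \
  -m conntrack --ctstate ESTABLISHED,RELATED \
  -j ACCEPT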