Batch-closing ports on LAN hosts with a Linux shell script

Suppose a LAN has several hosts on which only the ssh service (port 22) may be open; if any other service is found open, it must be closed. The job is done by running one shell script. In real operations a tool such as puppet does this faster and better, so this case is purely a practice exercise for getting familiar with sed, awk, grep and other common shell commands. The script relies on bash arrays, so it has to run under bash (on CentOS, /bin/sh is bash).

 

1. Use nmap to query the open ports of all hosts on the LAN and save the result to the file nmap1.txt.

# Query the open ports of all hosts on the LAN with nmap and save the result to nmap1.txt
# $1 is the target given on the command line, e.g. 192.168.20.1-10
mkdir -p /wuhao/sh/files
nmap "$1" > /wuhao/sh/files/nmap1.txt

Taking nmap 192.168.20.1-10 as an example, the output is:

Starting Nmap 5.51 ( http://nmap.org ) at 2016-03-03 16:37 CST
Nmap scan report for oos01 (192.168.20.1)
Host is up (0.0000040s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE
21/tcp open     ftp
22/tcp open     ssh
80/tcp filtered http

Nmap scan report for oos02 (192.168.20.2)
Host is up (0.000099s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:1C:42:FF:5A:B5 (Parallels)

Nmap scan report for oos03 (192.168.20.3)
Host is up (0.000097s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:1C:42:38:94:3C (Parallels)

Nmap done: 10 IP addresses (3 hosts up) scanned in 1.57 seconds

 

2. Extract the needed information (host IP and port state) from nmap1.txt.

# Extract the needed information (host IP and port state) from nmap1.txt:
# keep only the "Nmap scan report for ..." lines and the "<port>/<proto> ..." lines
sed -n '/\(Nmap scan report for\|^[0-9]\+\/\)/p' /wuhao/sh/files/nmap1.txt > /wuhao/sh/files/nmap2.txt
# hosts[] holds "<line number>:<ip>" for every report line whose name is followed by "(ip)"
hosts=($(grep -on '(.*)' /wuhao/sh/files/nmap2.txt | sed -n 's/(\|)//gp'))
declare -i len=${#hosts[*]}
declare -i i=0
while [[ $i -lt $len ]]
do
  lines[$i]=$(echo ${hosts[$i]} | awk -F ':' '{print $1}')   # line number of the report line
  ips[$i]=$(echo ${hosts[$i]} | awk -F ':' '{print $2}')     # IP of that host
  i=$i+1
done
# echo ${lines[*]}  ->  1 5 9
# echo ${ips[*]}    ->  192.168.20.1 192.168.20.2 192.168.20.3

 

3. Prefix each port-state line with the IP of the host it belongs to and save the result to nmap2.txt.

# Prefix each port-state line with the IP of its host: the port lines of host j are the lines
# between its report line and the report line of host j+1
declare -i j=0
while [[ $j -lt $len ]]
do
  declare -i k=$j+1
  if [ $j -ne $(($len-1)) ]; then
    sed -i "$((${lines[$j]}+1)),$((${lines[$k]}-1))s/^/${ips[$j]} /" /wuhao/sh/files/nmap2.txt
  else
    # last host: the range runs to the end of the file ($)
    sed -i "$((${lines[$j]}+1)),\$s/^/${ips[$j]} /" /wuhao/sh/files/nmap2.txt
  fi
  j=$j+1
done

# Collapse runs of spaces, and the "/" in "22/tcp", into a single space
sed -i 's/ \+\|\// /g' /wuhao/sh/files/nmap2.txt

The contents of nmap2.txt are now:

Nmap scan report for oos01 (192.168.20.1)
192.168.20.1 21 tcp open ftp
192.168.20.1 22 tcp open ssh
192.168.20.1 80 tcp filtered http
Nmap scan report for oos02 (192.168.20.2)
192.168.20.2 22 tcp open ssh
192.168.20.2 80 tcp open http
192.168.20.2 3306 tcp open mysql
Nmap scan report for oos03 (192.168.20.3)
192.168.20.3 22 tcp open ssh
192.168.20.3 80 tcp open http
192.168.20.3 3306 tcp open mysql

 

4. Pick out the ports that must be closed (every open port other than 22). Log in to each host remotely with sshpass and add an iptables rule that closes the port.

# Pick out the ports that must be closed (every open port other than 22).
# $4 is the STATE column of nmap2.txt and $2 the port number; "filtered" ports are left alone
awk '{if($4~/open/ && $2!=22) print $0}' /wuhao/sh/files/nmap2.txt > /wuhao/sh/files/nmap3.txt

hostip=($(awk -F " " '{print $1}' /wuhao/sh/files/nmap3.txt))
port=($(awk -F " " '{print $2}' /wuhao/sh/files/nmap3.txt))
protocol=($(awk -F " " '{print $3}' /wuhao/sh/files/nmap3.txt))

# Log in to each host with sshpass and add an iptables rule that closes the port.
# -I puts the DROP rule at the top of INPUT; an -A rule would be appended behind any
# existing ACCEPT for the same port and never match.
# A password given with -p is visible to every user in ps output and stays in shell
# history; ssh keys, or sshpass -e with the password in $SSHPASS, avoid that.
for((m=0;m<${#hostip[*]};m=m+1))
do
  sshpass -p 123456 ssh root@${hostip[$m]} "iptables -I INPUT -p ${protocol[$m]} --dport ${port[$m]} -j DROP;service iptables save;service iptables restart;exit"
done

echo "success!"
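As an added example (not code from the original script), here is the extraction of steps 2 to 4 done in a single awk pass, together with a builder for the per-host iptables command. It remembers the current host in awk state instead of doing sed line-number arithmetic, so a host whose report line has no name in parentheses (nmap prints the bare IP when there is no reverse-DNS entry, and the grep '(.*)' in step 2 skips such a host) is still attributed correctly; it inserts the DROP rules at the top of INPUT and checks with iptables -C first so the script can be re-run; and it leaves the ssh step as a dry-run printf so everything runs offline. The function names, the allowed-port parameter and the embedded sample scan (the output from step 1 with oos03 replaced by a constructed host 192.168.20.4 that has no name) are this example's own assumptions.

```bash
#!/bin/bash
# Added example: one-pass parsing of nmap output and per-host firewall command
# building. Function names and the sample below are this example's own.

# Constructed sample input: the scan output from step 1, with oos03 swapped
# for a host that has no reverse-DNS name (nmap then prints the bare IP).
SAMPLE_SCAN=$(cat <<'EOF'
Starting Nmap 5.51 ( http://nmap.org ) at 2016-03-03 16:37 CST
Nmap scan report for oos01 (192.168.20.1)
Host is up (0.0000040s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE
21/tcp open     ftp
22/tcp open     ssh
80/tcp filtered http

Nmap scan report for oos02 (192.168.20.2)
Host is up (0.000099s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:1C:42:FF:5A:B5 (Parallels)

Nmap scan report for 192.168.20.4
Host is up (0.00012s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh

Nmap done: 10 IP addresses (3 hosts up) scanned in 1.57 seconds
EOF
)

# Turn nmap's normal output into one record per open port:
#   "<ip> <port> <proto> <service>"
# The report line ("Nmap scan report for NAME (IP)" or "... for IP") is kept
# in awk state, so no line-number arithmetic is needed and a host without a
# reverse-DNS name is still handled. Only the exact state "open" is kept;
# "filtered" and "open|filtered" are not.
parse_open_ports() {
    awk '
        /^Nmap scan report for / {
            ip = $NF                  # "(192.168.20.1)" or a bare IP
            gsub(/[()]/, "", ip)
            next
        }
        /^[0-9]+\/(tcp|udp) / {
            split($1, pp, "/")        # "3306/tcp" -> pp[1]=3306, pp[2]=tcp
            if ($2 == "open")
                print ip, pp[1], pp[2], $3
        }'
}

# Build the command to run on one host: DROP every open port except the
# allowed one (22 by default). -I inserts at the top of INPUT, because an
# -A rule is appended behind any existing ACCEPT for that port and never
# matches; "iptables -C" first makes a re-run skip rules that already exist.
# Prints nothing and returns 1 when the host has nothing to close.
build_firewall_cmd() {
    local records="$1" host="$2" allowed="${3:-22}"
    printf '%s\n' "$records" | awk -v host="$host" -v allowed="$allowed" '
        $1 == host && $2 != allowed {
            printf "iptables -C INPUT -p %s --dport %s -j DROP 2>/dev/null || iptables -I INPUT -p %s --dport %s -j DROP; ", $3, $2, $3, $2
            n++
        }
        END { if (n) print "service iptables save"; else exit 1 }'
}

# Dry run over the sample: print the command that would be sent to each host.
# In the real script the printf becomes
#   sshpass -e ssh "root@$h" "$cmd"
# with the password in $SSHPASS (or, better, an ssh key) rather than
# "sshpass -p 123456", which shows the password to every user in ps output.
main() {
    local records h cmd
    records=$(printf '%s\n' "$SAMPLE_SCAN" | parse_open_ports)
    for h in $(printf '%s\n' "$records" | awk '{print $1}' | sort -u); do
        if cmd=$(build_firewall_cmd "$records" "$h"); then
            printf '%s: %s\n' "$h" "$cmd"
        else
            printf '%s: nothing to close\n' "$h"
        fi
    done
}

main
```

Because all rules for a host are sent in one ssh session, "service iptables save" runs once per host instead of once per port, and a second run of the script adds nothing, since every rule is checked with -C before it is inserted.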

 

5. Run the script and check the result. Re-running the scan from step 1 against the same range is the quickest way to confirm that the ports no longer show as open.

[root@oos01 sh]# sh shutdownport.sh 192.168.20.1-10
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter [  OK  ]
iptables: Flushing firewall rules: [  OK  ]
iptables: Unloading modules: [  OK  ]
iptables: Applying firewall rules: [  OK  ]
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter [  OK  ]
iptables: Flushing firewall rules: [  OK  ]
iptables: Unloading modules: [  OK  ]
iptables: Applying firewall rules: [  OK  ]
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter [  OK  ]
iptables: Flushing firewall rules: [  OK  ]
iptables: Unloading modules: [  OK  ]
iptables: Applying firewall rules: [  OK  ]
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter [  OK  ]
iptables: Flushing firewall rules: [  OK  ]
iptables: Unloading modules: [  OK  ]
iptables: Applying firewall rules: [  OK  ]
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter [  OK  ]
iptables: Flushing firewall rules: [  OK  ]
iptables: Unloading modules: [  OK  ]
iptables: Applying firewall rules: [  OK  ]
success!