Suppose a LAN contains several hosts on which only the ssh service (port 22) may be open; if any other service is found open, it must be closed. The task is done with a shell script. In real operations this would be done faster and better with a tool such as Puppet, so this case is purely practice, meant to get familiar with common shell commands such as sed, awk and grep.
1. Use nmap to query the open ports of every host on the LAN and save the result to the file nmap1.txt.
```sh
# Use nmap to query the open ports of every host on the LAN and save the result to nmap1.txt
mkdir -p /wuhao/sh/files
nmap $1 > /wuhao/sh/files/nmap1.txt
```
Taking nmap 192.168.20.1-10 as an example, the output is:
```
Starting Nmap 5.51 ( http://nmap.org ) at 2016-03-03 16:37 CST
Nmap scan report for oos01 (192.168.20.1)
Host is up (0.0000040s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
80/tcp   filtered http
Nmap scan report for oos02 (192.168.20.2)
Host is up (0.000099s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:1C:42:FF:5A:B5 (Parallels)
Nmap scan report for oos03 (192.168.20.3)
Host is up (0.000097s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:1C:42:38:94:3C (Parallels)
Nmap done: 10 IP addresses (3 hosts up) scanned in 1.57 seconds
```
2. Extract the information we need (host IP and port state) from nmap1.txt.
```sh
# Extract the information we need (host IP and port state) from nmap1.txt:
# keep only the "Nmap scan report for" lines and the lines that start with a port number
sed -n '/\(Nmap scan report for\|^[0-9]\+\/\)/p' /wuhao/sh/files/nmap1.txt > /wuhao/sh/files/nmap2.txt
# grep -on prints "line:(ip)" for every report line; sed strips the parentheses
hosts=($(grep -on '(.*)' /wuhao/sh/files/nmap2.txt | sed -n 's/(\|)//gp'))
declare -i len=${#hosts[*]}
declare -i i=0
while [[ $i -lt $len ]]
do
    lines[$i]=$(echo ${hosts[$i]} | awk -F ':' '{print $1}')   # line number of the report line
    ips[$i]=$(echo ${hosts[$i]} | awk -F ':' '{print $2}')     # IP address of that host
    i=$i+1
done
# echo ${lines[*]}  -> 1 5 9
# echo ${ips[*]}    -> 192.168.20.1 192.168.20.2 192.168.20.3
```
3. Prefix every port-state line with the IP of the host it belongs to, and save the result back to nmap2.txt.
```sh
# Prefix every port-state line with the IP of the host it belongs to
declare -i j=0
while [[ $j -lt $len ]]
do
    declare -i k=$j+1
    if [ $j -ne $(($len-1)) ]; then
        # the lines between this report line and the next one belong to this host
        sed -i "$((${lines[$j]}+1)),$((${lines[$k]}-1))s/^/${ips[$j]} /" /wuhao/sh/files/nmap2.txt
    else
        # last host: everything up to the end of the file ($ is escaped so the shell does not expand $s)
        sed -i "$((${lines[$j]}+1)),\$s/^/${ips[$j]} /" /wuhao/sh/files/nmap2.txt
    fi
    j=$j+1
done

# Replace runs of spaces, and every "/", with a single space
sed -i 's/ \+\|\// /g' /wuhao/sh/files/nmap2.txt
```
nmap2.txt now contains:
```
Nmap scan report for oos01 (192.168.20.1)
192.168.20.1 21 tcp open ftp
192.168.20.1 22 tcp open ssh
192.168.20.1 80 tcp filtered http
Nmap scan report for oos02 (192.168.20.2)
192.168.20.2 22 tcp open ssh
192.168.20.2 80 tcp open http
192.168.20.2 3306 tcp open mysql
Nmap scan report for oos03 (192.168.20.3)
192.168.20.3 22 tcp open ssh
192.168.20.3 80 tcp open http
192.168.20.3 3306 tcp open mysql
```
4. Extract the ports that have to be closed (every port other than 22). Log in to each host remotely with sshpass and run the iptables command that closes the port.
```sh
# Extract the ports that have to be closed (every port other than 22 that is open)
awk '{if($4~/open/ && $2!=22) print $0}' /wuhao/sh/files/nmap2.txt > /wuhao/sh/files/nmap3.txt

hostip=($(awk -F " " '{print $1}' /wuhao/sh/files/nmap3.txt))
port=($(awk -F " " '{print $2}' /wuhao/sh/files/nmap3.txt))
protocol=($(awk -F " " '{print $3}' /wuhao/sh/files/nmap3.txt))

# Log in to each host with sshpass and add an iptables rule that drops the port
for((m=0;m<${#hostip[*]};m=m+1))
do
    sshpass -p 123456 ssh root@${hostip[$m]} "iptables -A INPUT -p ${protocol[$m]} --dport ${port[$m]} -j DROP;service iptables save;service iptables restart;exit"
done

echo "success!"
```
5. Run the script and check the result.
```
[root@oos01 sh]# sh shutdownport.sh 192.168.20.1-10
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
success!
```
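The whole pipeline of steps 2 to 4 can be done in one awk pass that remembers the current host from each "Nmap scan report for" line, which removes the line-number arithmetic of step 3. The script below is an added example, not the original script from this post. The embedded scan output is constructed (host names, addresses and port lists are made up), and the function names parse_nmap, ports_to_close, firewall_plan and scan_to_plan are this example's own. It goes a little beyond the page's case: it also handles a host whose report has no port lines at all and a report line that carries a bare IP with no hostname (the grep '(.*)' approach above would miss that host), and it prints the per-host iptables command as a dry run instead of executing it.

```sh
#!/bin/sh
# Added example: one-pass awk parser for nmap's normal output, plus a dry-run
# generator for the per-host firewall commands. The scan below is constructed
# for this example; hosts, addresses and ports are made up.

SAMPLE_SCAN='Starting Nmap 5.51 ( http://nmap.org ) at 2016-03-03 16:37 CST
Nmap scan report for oos01 (192.168.20.1)
Host is up (0.0000040s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
80/tcp   filtered http
Nmap scan report for 192.168.20.2
Host is up (0.000099s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
Nmap scan report for oos04 (192.168.20.4)
Host is up (0.00010s latency).
All 1000 scanned ports on oos04 (192.168.20.4) are closed
Nmap done: 10 IP addresses (3 hosts up) scanned in 1.57 seconds'

# parse_nmap: read nmap normal output on stdin and print one line per port:
#   "ip port proto state service"
# The current host is taken from each report line, so a host without any
# port lines (oos04) simply contributes nothing.
parse_nmap() {
    awk '
        /^Nmap scan report for / {
            # hostname form: "... for name (ip)"; bare form: "... for ip"
            if (match($0, /\([0-9.]+\)$/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 2)
            } else {
                ip = $NF
            }
            next
        }
        /^[0-9]+\// && ip != "" {
            split($1, pp, "/")            # "21/tcp" -> pp[1]=21, pp[2]=tcp
            print ip, pp[1], pp[2], $2, $3
        }
    '
}

# ports_to_close: keep only ports that are open and are not port 22
# (the same rule as the original script; "filtered" ports are left alone).
ports_to_close() {
    awk '$4 == "open" && $2 != 22'
}

# firewall_plan: print, per port, the command that would be run on the host.
# -I inserts the DROP at the top of INPUT so it is evaluated before any
# existing ACCEPT rule; an appended (-A) DROP behind an ACCEPT never fires.
firewall_plan() {
    while read -r ip port proto state service; do
        printf 'ssh root@%s iptables -I INPUT -p %s --dport %s -j DROP   # %s\n' \
            "$ip" "$proto" "$port" "$service"
    done
}

# scan_to_plan: the full pipeline on the embedded sample scan (dry run only).
scan_to_plan() {
    printf '%s\n' "$SAMPLE_SCAN" | parse_nmap | ports_to_close | firewall_plan
}

scan_to_plan
```

Running it prints a single line, the rule for 21/tcp on 192.168.20.1; port 22 on both live hosts is kept and the filtered port 80 is ignored. To apply the plan, feed the printed lines to the shell on a host that can reach the targets, preferably with key-based ssh rather than a password on the command line, since an inline password is visible in the process list of the scanning host.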