#!/bin/bash
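# Prefix privileged commands with sudo unless we already run as root.
if [[ $(/usr/bin/id -u) -ne 0 ]]; then
  sudoCmd="sudo"
else
  sudoCmd=""
fi
#copied & modified from atrandys trojan scripts
#copy from 秋水逸冰 ss scripts
# Detect the distribution family and its package manager.
# Both variables are initialised to empty so that an unrecognised system is
# detectable later; if they were simply left unset, a later
# "${systemPackage} install ..." would expand to the coreutils install(1)
# command instead of a package installation.
release=""
systemPackage=""
if [[ -f /etc/redhat-release ]]; then
  release="centos"
  systemPackage="yum"
elif grep -Eqi "debian" /etc/issue; then
  release="debian"
  systemPackage="apt-get"
elif grep -Eqi "ubuntu" /etc/issue; then
  release="ubuntu"
  systemPackage="apt-get"
elif grep -Eqi "centos|red hat|redhat" /etc/issue; then
  release="centos"
  systemPackage="yum"
elif grep -Eqi "debian" /proc/version; then
  release="debian"
  systemPackage="apt-get"
elif grep -Eqi "ubuntu" /proc/version; then
  release="ubuntu"
  systemPackage="apt-get"
elif grep -Eqi "centos|red hat|redhat" /proc/version; then
  release="centos"
  systemPackage="yum"
else
  printf 'warning: unable to detect the distribution; iptables may have to be installed manually\n' >&2
fi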
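#######################################
# Install iptables with the package manager detected at the top of the file.
# Globals:   sudoCmd, systemPackage (read)
# Outputs:   package-manager / systemctl output; a warning on stderr when
#            no package manager was detected
# Returns:   1 when systemPackage is empty, otherwise the status of the
#            last install command
#######################################
install_iptables() {
  # With an empty systemPackage the line below would expand to
  # "install iptables -y -qq", i.e. the coreutils install(1) command,
  # which is not a package installation at all.  Skip instead of doing that.
  if [[ -z "${systemPackage}" ]]; then
    printf 'install_iptables: no package manager detected, skipping\n' >&2
    return 1
  fi
  # sudoCmd is intentionally unquoted: it is either empty or "sudo".
  # shellcheck disable=SC2086
  if [[ "${systemPackage}" == "yum" ]]; then
    # firewalld is stopped and disabled on RHEL-family hosts, presumably so
    # it does not compete with the plain iptables rules applied later.
    ${sudoCmd} systemctl stop firewalld
    ${sudoCmd} systemctl disable firewalld
    ${sudoCmd} ${systemPackage} install iptables-services -y -qq
  else
    ${sudoCmd} ${systemPackage} install iptables -y -qq
  fi
}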
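#######################################
# Write /etc/ssh-confs.sh, the script the ssh-confs systemd unit executes.
# The generated script appends an ACCEPT rule on tcp/22 for each listed
# source address, accepts loopback, then appends a tcp/22 DROP; when the
# DROP already exists it is deleted and re-appended so it stays after the
# ACCEPT rules.  Because every rule is added with -A (append), any earlier
# matching rule in the INPUT chain still takes precedence — check the chain
# order on the target host.  The script then sleeps forever so the unit
# remains active.
# Globals:   sudoCmd (read)
# Outputs:   writes /etc/ssh-confs.sh and makes it executable
# Returns:   status of chmod
#######################################
create_ssh-confs_shell() {
  # The file must be opened by the privileged process.  With
  # "sudo cat > /etc/..." the redirection is performed by the unprivileged
  # invoking shell and the write fails; tee runs under sudo and opens the
  # file itself.  The delimiter is quoted so nothing in the body is expanded
  # by this shell (the body contains no expansions, so output is unchanged).
  ${sudoCmd} tee /etc/ssh-confs.sh >/dev/null <<-'EOF'
#!/bin/bash
common() {
if ! iptables -C INPUT -s 92.38.189.201 -p tcp --dport 22 -j ACCEPT; then
iptables -A INPUT -s 92.38.189.201 -p tcp --dport 22 -j ACCEPT
fi
if ! iptables -C INPUT -s 195.133.197.58 -p tcp --dport 22 -j ACCEPT; then
iptables -A INPUT -s 195.133.197.58 -p tcp --dport 22 -j ACCEPT
fi
if ! iptables -C INPUT -s 89.208.253.8 -p tcp --dport 22 -j ACCEPT; then
iptables -A INPUT -s 89.208.253.8 -p tcp --dport 22 -j ACCEPT
fi
if ! iptables -C INPUT -s 154.17.2.166 -p tcp --dport 22 -j ACCEPT; then
iptables -A INPUT -s 154.17.2.166 -p tcp --dport 22 -j ACCEPT
fi
if ! iptables -C INPUT -s 14.128.60.161 -p tcp --dport 22 -j ACCEPT; then
iptables -A INPUT -s 14.128.60.161 -p tcp --dport 22 -j ACCEPT
fi
if ! iptables -C INPUT -s 103.102.5.81 -p tcp --dport 22 -j ACCEPT; then
iptables -A INPUT -s 103.102.5.81 -p tcp --dport 22 -j ACCEPT
fi
if ! iptables -C INPUT -s 103.136.184.211 -p tcp --dport 22 -j ACCEPT; then
iptables -A INPUT -s 103.136.184.211 -p tcp --dport 22 -j ACCEPT
fi
if ! iptables -C INPUT -s 89.208.253.98 -p tcp --dport 22 -j ACCEPT; then
iptables -A INPUT -s 89.208.253.98 -p tcp --dport 22 -j ACCEPT
fi
if ! iptables -C INPUT -i lo -j ACCEPT; then
iptables -A INPUT -i lo -j ACCEPT
fi
if ! iptables -C INPUT -p tcp --dport 22 -j DROP; then
iptables -A INPUT -p tcp --dport 22 -j DROP
else
iptables -D INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 22 -j DROP
fi
}
common &
sleep infinity
EOF
  ${sudoCmd} chmod +x /etc/ssh-confs.sh
}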
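#######################################
# Write the systemd unit that runs /etc/ssh-confs.sh after the network is up
# and restarts it on failure.
# Globals:   sudoCmd (read)
# Outputs:   writes /etc/systemd/system/ssh-confs.service
# Returns:   status of tee
#######################################
create_ssh-confs_service() {
  # Use tee so the privileged process opens the file: with "sudo cat > file"
  # the unprivileged invoking shell performs the redirection and the write
  # to /etc/systemd/system fails.  Quoted delimiter: body is written literally.
  ${sudoCmd} tee /etc/systemd/system/ssh-confs.service >/dev/null <<-'EOF'
[Unit]
Description=ssh confs service
After=network.target network-online.target nss-lookup.target
Wants=network-online.target
[Service]
ExecStart=/etc/ssh-confs.sh
Restart=on-failure
[Install]
WantedBy=default.target
EOF
}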
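# Tear down any previous installation before recreating it, so stale unit
# or script contents are never reused.
${sudoCmd} systemctl stop ssh-confs.service
${sudoCmd} systemctl disable ssh-confs.service
${sudoCmd} rm -f /etc/systemd/system/ssh-confs.service
${sudoCmd} rm -f /etc/ssh-confs.sh
install_iptables
create_ssh-confs_shell
create_ssh-confs_service
# Let systemd re-read unit files so the freshly written unit (not a cached
# copy of the removed one) is what gets enabled and started.
${sudoCmd} systemctl daemon-reload
${sudoCmd} systemctl enable ssh-confs.service
${sudoCmd} systemctl start ssh-confs.service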