ufw deny规则排序
前言
服务器炸了几天，手机上没留意到消息，21号才看到。
–
上代码
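#!/usr/bin/env bash
# Move every inbound ufw DENY rule in front of the ALLOW rules.
#
# ufw evaluates rules in order, so a DENY that sits behind a matching ALLOW
# never fires. For each DENY line of `ufw status` this script deletes the
# rule and re-inserts it at position 1 (IPv4) or at the position of the
# first IPv6 rule (IPv6). A port rule without a source ("22/tcp DENY
# Anywhere") covers both address families; it is re-created as one
# 0.0.0.0/0 rule and one ::/0 rule so each half can be placed at the front
# of its own family.
#
# Usage: run as root; needs bash 4 (mapfile, arrays).
# Known limitations:
#   - an IPv6-only port rule shown as "PORT (v6) DENY Anywhere (v6)" cannot
#     be told apart from the IPv6 half of a dual-stack rule and is skipped;
#   - rules whose Action is not the second column ("DENY OUT", "on eth0"
#     interface rules) are left alone.
set -o pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warning: %s\n' "$*" >&2; }

#######################################
# Print the index of the first IPv6 rule in `ufw status numbered`, or
# nothing when the ruleset has no IPv6 rule.
# The index column is printed as "[ 5]" for single-digit numbers, so the
# whole line is searched for the first run of digits; taking awk's first
# field would yield just "[" for those lines and miss the index.
# Outputs: the index on stdout (may be empty)
#######################################
first_v6_index() {
  ufw status numbered | grep '(v6)' | grep -o '[0-9]\+' | head -n 1
}

#######################################
# Insert an IPv6 rule in front of the existing IPv6 rules.
# Arguments: the rule words, e.g. deny from ::/0 to any port 22 proto tcp
# ufw rejects an empty position, so when no IPv6 rule exists yet the rule
# is appended instead, which makes it the first IPv6 rule anyway.
# Returns: ufw's exit status
#######################################
insert_v6() {
  local idx
  idx=$(first_v6_index)
  if [[ -n "$idx" ]]; then
    ufw insert "$idx" "$@"
  else
    ufw "$@"
  fi
}

#######################################
# Delete one DENY rule and re-insert it at the front of its address family.
# Arguments:
#   $1 - "To" column of `ufw status` with the "(v6)" tag removed:
#        "Anywhere", "22" or "22/tcp"
#   $2 - "From" column with the tag removed: "Anywhere" or an IPv4/IPv6
#        address or network
# A failed delete leaves the rule untouched and is only reported. A failed
# insert after a successful delete means the DENY rule is gone, so the
# script aborts loudly instead of continuing without it.
#######################################
reorder_rule() {
  local to=$1 from=$2
  local -a port_args=()
  if [[ "$to" != "Anywhere" ]]; then
    # "22/tcp" -> port 22 proto tcp; a bare "22" gets no proto argument
    port_args=(to any port "${to%%/*}")
    [[ "$to" == */* ]] && port_args+=(proto "${to#*/}")
  fi

  if [[ "$from" == "Anywhere" ]]; then
    # "Anywhere DENY Anywhere" is a blanket deny with nothing to reorder
    (( ${#port_args[@]} > 0 )) || return 0
    if ! ufw delete deny "${port_args[@]}"; then
      warn "could not delete 'deny ${port_args[*]}', leaving it in place"
      return 0
    fi
    ufw insert 1 deny from 0.0.0.0/0 "${port_args[@]}" \
      || die "'deny ${port_args[*]}' was deleted but the IPv4 re-insert failed"
    insert_v6 deny from ::/0 "${port_args[@]}" \
      || die "'deny ${port_args[*]}' was deleted but the IPv6 re-insert failed"
    return 0
  fi

  if ! ufw delete deny from "$from" "${port_args[@]}"; then
    warn "could not delete 'deny from $from ${port_args[*]}', leaving it in place"
    return 0
  fi
  local rc=0
  if [[ "$from" == *:* ]]; then
    insert_v6 deny from "$from" "${port_args[@]}" || rc=$?
  else
    ufw insert 1 deny from "$from" "${port_args[@]}" || rc=$?
  fi
  (( rc == 0 )) \
    || die "'deny from $from ${port_args[*]}' was deleted but the re-insert failed"
}

#######################################
# Snapshot the DENY rules, reorder each one, then reload ufw.
# `ufw status` prints "To Action From". The "(v6)" tags are stripped so an
# IPv6 address lands in the third field; a line that carried two tags is the
# IPv6 half of a dual-stack rule and is handled together with its IPv4 line.
# The list is captured before any rule changes so the edits do not feed back
# into the iteration.
#######################################
main() {
  (( EUID == 0 )) || die "must run as root"
  local -a rules=()
  mapfile -t rules < <(ufw status \
    | awk '{ tags = gsub(/ \(v6\)/, "")
             if (tags == 2 || $2 != "DENY" || $3 == "OUT") next
             print $1, $3 }')
  local rule to from
  for rule in "${rules[@]}"; do
    read -r to from <<<"$rule"
    printf ' ==================== %s From: %s ==================== \n' "$to" "$from"
    reorder_rule "$to" "$from"
  done
  ufw reload
}

main "$@"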
结果测试
屏蔽一些扫描
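## censys
# Scanner source networks (as listed in the post), re-placed at the front of
# the ruleset so the DENY is evaluated before any ALLOW rule.
censys_v4=(
  162.142.125.0/24
  167.94.138.0/24
  167.94.145.0/24
  167.94.146.0/24
  167.248.133.0/24
)
censys_v6=(
  2602:80d:1000:b0cc:e::/80
  2620:96:e000:b0cc:e::/80
)
## driftnet.io
# NOTE(review): several IPv4 entries are host addresses carrying a /24 mask
# (e.g. 68.183.53.77/24); presumably the enclosing /24 is intended — confirm.
driftnet_v4=(
  87.236.176.0/24
  193.163.125.0/24
  68.183.53.77/24
  104.248.203.191/24
  104.248.204.195/24
  142.93.191.98/24
  157.245.216.203/24
  165.22.39.64/24
  167.99.209.184/24
  188.166.26.88/24
  206.189.7.178/24
  209.97.152.248/24
)
driftnet_v6=(
  2a06:4880::/32
  2604:a880:800:10::c4b:f000/124
  2604:a880:800:10::c51:a000/124
  2604:a880:800:10::c52:d000/124
  2604:a880:800:10::c55:5000/124
  2604:a880:800:10::c56:b000/124
  2a03:b0c0:2:d0::153e:a000/124
  2a03:b0c0:2:d0::1576:8000/124
  2a03:b0c0:2:d0::1577:7000/124
  2a03:b0c0:2:d0::1579:e000/124
  2a03:b0c0:2:d0::157c:a000/124
)

#######################################
# Print the index of the first IPv6 rule in `ufw status numbered` ("[ 5]"
# style column, so the whole line is searched for digits), or nothing when
# no IPv6 rule exists.
#######################################
first_v6_index() {
  ufw status numbered | grep '(v6)' | grep -o '[0-9]\+' | head -n 1
}

#######################################
# Delete each network's DENY rule and re-insert it at the front: position 1
# for IPv4, the first IPv6 position for IPv6 (appended when there is none,
# because ufw rejects an empty position).
# Arguments: one or more address/network strings
# A failed insert after the delete would silently drop the block, so it
# stops the loop with a non-zero status.
#######################################
move_deny_to_front() {
  local net idx rc
  for net in "$@"; do
    ufw delete deny from "$net"
    rc=0
    if [[ "$net" == *:* ]]; then
      idx=$(first_v6_index)
      if [[ -n "$idx" ]]; then
        ufw insert "$idx" deny from "$net" || rc=$?
      else
        ufw deny from "$net" || rc=$?
      fi
    else
      ufw insert 1 deny from "$net" || rc=$?
    fi
    if (( rc != 0 )); then
      printf 'failed to re-insert deny from %s (rule was deleted)\n' "$net" >&2
      return "$rc"
    fi
  done
}

move_deny_to_front \
  "${censys_v4[@]}" "${censys_v6[@]}" \
  "${driftnet_v4[@]}" "${driftnet_v6[@]}"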