Linux Shell实现批量关闭局域网中主机端口

共计 4421 个字符，预计需要花费 12 分钟才能阅读完成。

假设局域网中有多台主机，只能开通 ssh 服务(端口 22)，如果发现其他服务打开，则全部关闭。通过运行一个 shell 脚本，完成以上功能。在实际运维中，可以通过 puppet 等工具更快更好的完成这个功能，所以本案例仅仅用来练手，为了熟悉 sed, awk, grep 等常见的 shell 命令而已。

1、通过 nmap 命令查询局域网中所有主机打开的端口，并存入文件 nmap1.txt 中。

# 通过 nmap 命令查询局域网中所有主机打开的端口，并存入文件 nmap1.txt 中
mkdir -p /wuhao/sh/files
nmap $1 > /wuhao/sh/files/nmap1.txt

以 nmap 192.168.20.1-10 为例，输出结果为：

Starting Nmap 5.51 (http://nmap.org) at 2016-03-03 16:37 CST
Nmap scan report for oos01 (192.168.20.1)
Host is up (0.0000040s latency).
Not shown: 997 closed ports
PORT  STATE    SERVICE
21/tcp open    ftp
22/tcp open    ssh
80/tcp filtered http

Nmap scan report for oos02 (192.168.20.2)
Host is up (0.000099s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
3306/tcp open  MySQL
MAC Address: 00:1C:42:FF:5A:B5 (Parallels)

Nmap scan report for oos03 (192.168.20.3)
Host is up (0.000097s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
3306/tcp open  mysql
MAC Address: 00:1C:42:38:94:3C (Parallels)

Nmap done: 10 IP addresses (3 hosts up) scanned in 1.57 seconds

2、从文件 nmap1.txt 中提取出需要的信息(主机 ip，以及端口状态)。

# 从文件 nmap1.txt 中提取出需要的信息(主机 ip，以及端口状态)
sed -n ‘/\(Nmap scan report for\|^[0-9]\+\/\)/p’ /wuhao/sh/files/nmap1.txt > /wuhao/sh/files/nmap2.txt
hosts=($(grep -on ‘(.*)’ /wuhao/sh/files/nmap2.txt | sed -n ‘s/(\|)//gp’))
declare -i len=${#hosts[*]}
declare -i i=0
while [[$i -lt $len]]
do
  lines[$i]=$(echo ${hosts[$i]} | awk -F ‘:’ ‘{print $1}’)
  ips[$i]=$(echo ${hosts[$i]} | awk -F ‘:’ ‘{print $2}’)
  i=$i+1
done
# echo ${lines[*]}=1 5 9
# echo ${ips[*]}=192.168.20.1 192.168.20.2 192.168.20.3

3、在端口状态行首添加所对应的主机 ip 信息，并将结果保存到文件 nmap2.txt 中。

# 在端口状态行首添加所对应的主机 ip 信息
declare -i j=0
while [[$j -lt $len]]
do
  declare -i k=$j+1
  if [$j -ne $(($len-1)) ]; then
    sed -i “$((${lines[$j]}+1)),$((${lines[$k]}-1))s/^/${ips[$j]} /” /wuhao/sh/files/nmap2.txt
  else
    sed -i “$((${lines[$j]}+1)),$””s/^/${ips[$j]} /” /wuhao/sh/files/nmap2.txt
  fi
  j=$j+1
done

# 将多个空格以及 / 替换为一个空格
sed -i ‘s/ \+\|\// /g’ /wuhao/sh/files/nmap2.txt

nmap2.txt 文件内容为：

Nmap scan report for oos01 (192.168.20.1)
192.168.20.1 21 tcp open ftp
192.168.20.1 22 tcp open ssh
192.168.20.1 80 tcp filtered http
Nmap scan report for oos02 (192.168.20.2)
192.168.20.2 22 tcp open ssh
192.168.20.2 80 tcp open http
192.168.20.2 3306 tcp open mysql
Nmap scan report for oos03 (192.168.20.3)
192.168.20.3 22 tcp open ssh
192.168.20.3 80 tcp open http
192.168.20.3 3306 tcp open mysql

4、提取出需要关闭的端口(除了端口 22 之外，其余端口全部关闭)。通过 sshpass 远程登录到各主机，并且在 iptables 执行关闭端口命令。

# 提取出需要关闭的端口(除了端口 22 之外，其余端口如果打开则全部关闭)
awk ‘{if($4~/open/ && $2!=22) print $0}’ /wuhao/sh/files/nmap2.txt > /wuhao/sh/files/nmap3.txt

hostip=($(awk -F ” ” ‘{print $1}’ /wuhao/sh/files/nmap3.txt))
port=($(awk -F ” ” ‘{print $2}’ /wuhao/sh/files/nmap3.txt))
protocol=($(awk -F ” ” ‘{print $3}’ /wuhao/sh/files/nmap3.txt))

# 通过 sshpass 远程登录到各主机，并且在 iptables 执行关闭端口命令
for((m=0;m<${#hostip[*]};m=m+1))
do
  sshpass -p 123456 ssh root@${hostip[$m]} “iptables -A INPUT -p ${protocol[$m]} –dport ${port[$m]} -j DROP;service iptables save;service iptables restart;exit”
done

echo “success!”

5、运行脚本，查看结果。

[root@oos01 sh]# sh shutdownport.sh 192.168.20.1-10
iptables: Saving firewall rules to /etc/sysconfig/iptables: [OK]
iptables: Setting chains to policy ACCEPT: filter [OK]
iptables: Flushing firewall rules: [OK]
iptables: Unloading modules: [OK]
iptables: Applying firewall rules: [OK]
iptables: Saving firewall rules to /etc/sysconfig/iptables: [OK]
iptables: Setting chains to policy ACCEPT: filter [OK]
iptables: Flushing firewall rules: [OK]
iptables: Unloading modules: [OK]
iptables: Applying firewall rules: [OK]
iptables: Saving firewall rules to /etc/sysconfig/iptables: [OK]
iptables: Setting chains to policy ACCEPT: filter [OK]
iptables: Flushing firewall rules: [OK]
iptables: Unloading modules: [OK]
iptables: Applying firewall rules: [OK]
iptables: Saving firewall rules to /etc/sysconfig/iptables: [OK]
iptables: Setting chains to policy ACCEPT: filter [OK]
iptables: Flushing firewall rules: [OK]
iptables: Unloading modules: [OK]
iptables: Applying firewall rules: [OK]
iptables: Saving firewall rules to /etc/sysconfig/iptables: [OK]
iptables: Setting chains to policy ACCEPT: filter [OK]
iptables: Flushing firewall rules: [OK]
iptables: Unloading modules: [OK]
iptables: Applying firewall rules: [OK]
success!

更多 Nmap 相关教程见以下内容：

Ubuntu 14.04 安装 Nmap 6.46.1  http://www.linuxidc.com/Linux/2014-04/100658.htm

Linux 下的端口扫描工具 nmap http://www.linuxidc.com/Linux/2012-12/75752.htm

nmap 详解 – 网络扫描和嗅探工具包 http://www.linuxidc.com/Linux/2012-08/67593.htm

nmap 应用技巧 http://www.linuxidc.com/Linux/2012-08/68602.htm

RedHat Enterprise Linux 5 下 nmap 的一次曲折安装 http://www.linuxidc.com/Linux/2011-01/31085.htm

Linux 中让 nmap 命令跟防火墙捉迷藏 http://www.linuxidc.com/Linux/2009-09/21924.htm

Nmap 7 发布，网络安全审计工具  http://www.linuxidc.com/Linux/2015-11/125354.htm

本文永久更新链接地址：http://www.linuxidc.com/Linux/2016-03/129090.htm