[root@localhost eGW]# cat startAll.sh
#!/bin/bash -
#########################################################################################
# startAll.sh
# 管理所有进程的启动和配置
# version:1.0
# update:20170921
#########################################################################################
# Directory holding the per-component setup scripts (the directory itself is
# named "config.sh"); every script below is sourced into this shell, so their
# functions and variables stay visible to later steps.
CUR_DIR=/root/eGW/config.sh
# remote access first ...
source "${CUR_DIR}/sshd.sh"
# ... then the firewall, networking and environment checks
source "${CUR_DIR}/iptables.sh"
source "${CUR_DIR}/net.sh"
source "${CUR_DIR}/env.sh"
# main daemon; give it a moment before egw.sh pushes its configuration
source "${CUR_DIR}/ltegwd.sh"
sleep 2
source "${CUR_DIR}/egw.sh"
# process / CDR / log watchdogs, each backgrounded by its own script
source "${CUR_DIR}/watchdog.sh"
[root@localhost config.sh]# cat watchdog_secure.sh
#!/bin/bash -
#########################################################################################
# watchdog_secure.sh
# 防暴力破解程序,防范远程扫描和暴力破解
# version:1.0
# update:20171123
#########################################################################################
# Seconds between two brute-force sweeps (10 minutes).
protect_time=$((10 * 60))
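# Brute-force check: look at the 20 most recent failed SSH logins (lastb).
# If the oldest of them is less than protect_time seconds old, log a burst
# and, when set_sshd_protect_enable is 1 in networkcfg.conf, add every source
# host with more than 5 failures in that window to /etc/hosts.deny.
# Globals:   protect_time (read)
# Outputs:   one line per detected burst in /root/eGW/Logs/watchdog/secure.log
# Returns:   0 always (best-effort; nothing here is fatal)
function set_sshd_protect() {
  local cfg=/root/eGW/networkcfg.conf
  local log_dir=/root/eGW/Logs/watchdog
  local sshd_protect oldest_ts oldest_epoch age
  sshd_protect=$(awk '/^set_sshd_protect_enable/ { print $2 }' "$cfg")
  # lastb prints newest first; fields 5-7 of the 20th line are "Mon DD HH:MM".
  # With fewer than 20 entries tail yields the last available one (so even a
  # single recent failure counts as a "burst", as before). No year in the
  # stamp, so date assumes the current year — TODO confirm behaviour at New Year.
  oldest_ts=$(lastb | grep ssh | head -n 20 | tail -n 1 | awk '{ print $5" "$6" "$7 }')
  [[ -n "$oldest_ts" ]] || return 0
  oldest_epoch=$(date +%s -d "$oldest_ts" 2>/dev/null) || return 0
  age=$(( $(date +%s) - oldest_epoch ))
  # threshold used to be a literal 600; tie it to protect_time
  (( age < protect_time )) || return 0
  printf '%s login error too much!\n' "$(date '+%Y-%m-%d %H:%M:%S')" >> "${log_dir}/secure.log"
  [[ "$sshd_protect" -eq 1 ]] || return 0
  # source host is field 3 of lastb; keep those with more than 5 failures
  lastb | grep ssh | head -n 20 \
    | awk '{ ip[$3]++ } END { for (k in ip) if (ip[k] > 5) print k }' >> "${log_dir}/secure.txt"
  # de-duplicate the accumulated list in place (sort reads all input before writing with -o)
  sort -u -o "${log_dir}/secure.txt" "${log_dir}/secure.txt"
  # NOTE: hosts.deny is rewritten wholesale on every burst, so entries added by
  # hand are lost. The deny list is consulted per connection by TCP wrappers
  # (when sshd is built with libwrap); no sshd restart is needed for it.
  {
    echo "#hosts.deny"
    while IFS= read -r host; do
      printf 'sshd:%s\n' "$host"
    done < "${log_dir}/secure.txt"
  } > /etc/hosts.deny
}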
# Run the brute-force check forever, restarting sshd after every pass
# (unconditionally, whether or not hosts.deny changed) and sleeping
# protect_time seconds in between. Intended to be backgrounded.
function protect_while() {
  while :; do
    set_sshd_protect
    systemctl restart sshd
    sleep "$protect_time"
  done
}
# Detach the protection loop so the sourcing script keeps going.
#set_sshd_protect
protect_while &
[root@localhost config.sh]# cat egw.sh
#!/bin/bash -
#########################################################################################
#egw.sh
#配置eGW
#version:1.0
#update:20170921
#########################################################################################
#time_log=`date +%Y%m%d%H%M%S`
#egw_log_DIR=/root/eGW/Logs/config
#echo "#egw.log" > ${egw_log_DIR}/egw_${time_log}.log
#exec 1>>${egw_log_DIR}/egw_${time_log}.log
#exec 2>>${egw_log_DIR}/egw_${time_log}.log
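# Install root of the gateway; networkcfg.conf, config.txt and gtp-relay.ko live here.
DIR=/root/eGW
# Downlink / uplink IPsec switches: second column of the matching
# "set_*ipsec_enable" line in networkcfg.conf, empty when the key is absent.
# (single awk instead of cat | grep | awk)
dlipsec=$(awk '/^set_dlipsec_enable/ { print $2 }' "${DIR}/networkcfg.conf")
ulipsec=$(awk '/^set_ulipsec_enable/ { print $2 }' "${DIR}/networkcfg.conf")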
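# Replace the EPC-facing link addresses in config.txt with the address the
# IPsec client tunnel was assigned. Only runs when uplink IPsec is enabled.
# Globals:   ulipsec (read); ip_conf (written, kept global as before)
# Outputs:   prints the learnt address on stdout
# Returns:   0 on success or when uplink IPsec is off; 1 when the value read
#            from "ipsec status" is not a dotted-quad (config.txt untouched)
function replace_ipaddr() {
  [[ "$ulipsec" -eq 1 ]] || return 0
  ip_conf=$(_wait_for_ipsec_client_ip)
  echo "$ip_conf"
  # config.txt lines are later executed as commands by set_configure, so
  # refuse to splice in anything that is not a plain IPv4 address.
  if [[ ! "$ip_conf" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    printf 'replace_ipaddr: unexpected ipsec client address %q\n' "$ip_conf" >&2
    return 1
  fi
  _rewrite_egw_uplink_ip "$ip_conf" /root/eGW/config.txt
}

# Poll "ipsec status" every 2 s until a client address shows up and print it
# (the part before the "/" of field 2 of the "client ... ===" line).
# Blocks indefinitely if the tunnel never comes up, as the original did.
function _wait_for_ipsec_client_ip() {
  local ip
  while :; do
    ip=$(ipsec status | grep client | grep === | awk '{ print $2 }' | awk -F/ '{ print $1 }')
    if [[ -n "$ip" ]]; then
      printf '%s\n' "$ip"
      return 0
    fi
    sleep 2
  done
}

# Rewrite, in config file $2, the "lccmd set_gtp_ip uplink add" address and
# the IPv4 address of every "lccmd set_gwenb_link <n> <n> <ip>:..." line to $1.
# Arguments: $1 - IPv4 address, $2 - path to config.txt
function _rewrite_egw_uplink_ip() {
  local ip=$1 cfg=$2
  local prereg='^lccmd set_gwenb_link [0-9]\{1,\} [0-9]\{1,\} '
  local ipreg='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
  local postreg=':.*'
  sed -i "s#^lccmd set_gtp_ip uplink add .*#lccmd set_gtp_ip uplink add ${ip}#g" "$cfg"
  sed -i "s/\(${prereg}\)${ipreg}\(${postreg}\)/\1${ip}\2/g" "$cfg"
}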
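# (Re)load the gtp-relay kernel module and push the GTP settings from
# networkcfg.conf into its /sys/module parameters.
# Globals:   DIR, dlipsec, ulipsec (read)
# Returns:   0 (best-effort; rmmod/insmod/ifconfig failures are not fatal)
function set_gtp() {
  local cfg="${DIR}/networkcfg.conf"
  local params=/sys/module/gtp_relay/parameters
  local gtp_address gtp_a gtp_b local_forward_flag
  # reload so a fresh module is used; rmmod fails harmlessly if not loaded
  rmmod "${DIR}/gtp-relay.ko"
  insmod "${DIR}/gtp-relay.ko"
  gtp_address=$(awk '/^set_gtp1_1_address/ { print $2 }' "$cfg")
  # first two octets, the module expects them packed as a*256+b
  IFS=. read -r gtp_a gtp_b _ <<< "$gtp_address"
  # the old "2>&1>/dev/null" left stderr on the terminal; silence both streams
  ifconfig gtp1_1 "$gtp_address" >/dev/null 2>&1
  if [[ -n "$gtp_a" && -n "$gtp_b" ]]; then
    echo $(( gtp_a * 256 + gtp_b )) > "${params}/gtp_lip"
  fi
  local_forward_flag=$(awk '/^set_local_forwarding/ { print $2 }' "$cfg")
  [[ -n "$local_forward_flag" ]] && echo "$local_forward_flag" > "${params}/gtp_islip"
  # per-direction IPsec flags mirror the set_*ipsec_enable keys
  if [[ "$dlipsec" -eq 1 ]]; then
    echo 1 > "${params}/gtp_ipsec_dl"
  else
    echo 0 > "${params}/gtp_ipsec_dl"
  fi
  if [[ "$ulipsec" -eq 1 ]]; then
    echo 1 > "${params}/gtp_ipsec_ul"
  else
    echo 0 > "${params}/gtp_ipsec_ul"
  fi
}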
#读取配置
function set_configure() {
CONFIGFILE=/root/eGW/config.txt
while read line
do
if [ "${line:0:1}" != "#" ]; then
[ -z "$line" ] && continue
exename=`echo $line | cut -d' ' -f1`
#echo $exename
#echo $line
if [[ "$exename" == "lccmd" && -f /usr/sbin/$exename ]];then
usleep 4000
$line 2>&1>/dev/null &
else
echo "Unable to execute :: /usr/sbin/$exename: file not found"
fi
fi
done < $CONFIGFILE
}
# eGW bring-up: learn the IPsec address, load GTP, then push config.txt.
function config_egw() {
  replace_ipaddr
  set_gtp
  set_configure
}
# entry point
config_egw
[root@localhost config.sh]# cat env.sh
#!/bin/bash -
#########################################################################################
# env.sh
# 环境校验
# version:1.0
# update:20170921
#########################################################################################
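# Start the OMC management (FastCGI on 127.0.0.1:4001) and report daemons
# unless a process with exactly that command line is already running.
# Returns: 0 (best-effort)
function check_omc_interface() {
  local manage=/root/eGW/OMC/egw_manage
  local report=/root/eGW/OMC/egw_report
  # pgrep -x -f: whole command line must equal the path (and pgrep never
  # matches itself, unlike the old ps | grep)
  if ! pgrep -x -f "$manage" >/dev/null; then
    spawn-fcgi -a 127.0.0.1 -p 4001 -f "$manage" >/dev/null 2>&1
  fi
  if ! pgrep -x -f "$report" >/dev/null; then
    # the old line placed the redirection after '&', where it applied to nothing
    "$report" >/dev/null 2>&1 &
  fi
}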
# Ensure nginx is running (start is a no-op when it already is).
function check_nginx_interface() {
  systemctl start nginx
}
# Ensure redis is running (start is a no-op when it already is).
function check_redis_interface() {
  systemctl start redis
}
# environment checks, in order: OMC daemons, nginx, redis
check_omc_interface
check_nginx_interface
check_redis_interface
[root@localhost config.sh]# cat iptables.sh
#!/bin/bash -
#########################################################################################
# iptables.sh
# 防火墙程序,定义iptables规则,对公网口进行过滤
# version:1.0
# update:20170921
#########################################################################################
# Start from a clean slate: flush the filter and nat tables, drop user
# chains and reset the counters.
function init_iptables() {
  iptables -F          # flush every chain of the filter table
  iptables -F -t nat   # flush the nat table
  iptables -X          # delete user-defined chains
  iptables -Z          # zero packet/byte counters
}
# Default policies are ACCEPT on all three chains; the only filtering is the
# per-interface DROP that set_firewalld_iptables appends to INPUT.
function set_default_policy_iptables() {
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    iptables -P "$chain" ACCEPT
  done
}
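# Build the INPUT chain for the public interface (only when
# set_iptables_enable is 1). Listed services are accepted; everything else
# arriving on the interface named in set_public_address ("<iface>:<addr>") is
# dropped. Traffic on other interfaces is not filtered at all.
# Returns: 0 (best-effort)
function set_firewalld_iptables() {
  local cfg=/root/eGW/networkcfg.conf
  local iptables_switch public_interface sshd_port
  iptables_switch=$(awk '/^set_iptables_enable/ { print $2 }' "$cfg")
  public_interface=$(awk '/^set_public_address/ { split($2, a, ":"); print a[1] }' "$cfg")
  # keep the SSH rule in step with the port sshd.sh configures from the same
  # key; fall back to the previously hard-coded port when it is absent
  sshd_port=$(awk '/^set_sshd_port/ { print $2 }' "$cfg")
  [[ "$sshd_port" =~ ^[0-9]+$ ]] || sshd_port=50683
  [[ "$iptables_switch" -eq 1 ]] || return 0
  iptables -A INPUT -p udp --dport 53 -j ACCEPT              # DNS served by this host
  iptables -A INPUT -p tcp --dport "$sshd_port" -j ACCEPT    # SSH
  iptables -A INPUT -p udp --dport 500 -j ACCEPT             # IKE
  iptables -A INPUT -p udp --dport 4500 -j ACCEPT            # IPsec NAT-T
  iptables -A INPUT -p sctp --dport 36412 -j ACCEPT          # SCTP
  # replies to connections this host opened (DNS answers included). This is
  # why the former "udp --sport 53 -j ACCEPT" rule is gone: it admitted any
  # packet with source port 53, bypassing the DROP below.
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p icmp -j ACCEPT
  iptables -A INPUT -p esp -j ACCEPT
  if [[ -n "$public_interface" ]]; then
    iptables -A INPUT -p all -i "$public_interface" -j DROP  # drop the rest on the public interface
  fi
}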
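# Source-NAT the GTP /16 (first two octets of set_gtp1_1_address) leaving on
# the interface of set_gtpnat_address ("<iface>:<ip>") behind that ip, when
# set_local_forwarding is 1 and all four values are present.
# Returns: 0 (best-effort)
function set_nat_iptables() {
  local cfg=/root/eGW/networkcfg.conf
  local local_forward_enable gtpnat gtpnat_interface gtpnat_ip gtp_address gtp_a gtp_b
  local_forward_enable=$(awk '/^set_local_forwarding/ { print $2 }' "$cfg")
  gtpnat=$(awk '/^set_gtpnat_address/ { print $2 }' "$cfg")
  # "<iface>:<ip>"; without a colon the ip part is empty, as with awk -F:
  IFS=: read -r gtpnat_interface gtpnat_ip _ <<< "$gtpnat"
  gtp_address=$(awk '/^set_gtp1_1_address/ { print $2 }' "$cfg")
  IFS=. read -r gtp_a gtp_b _ <<< "$gtp_address"
  if [[ "$local_forward_enable" -eq 1 && -n "$gtp_a" && -n "$gtp_b" \
        && -n "$gtpnat_interface" && -n "$gtpnat_ip" ]]; then
    iptables -t nat -A POSTROUTING -s "${gtp_a}.${gtp_b}.0.0/16" \
      -o "$gtpnat_interface" -j SNAT --to-source "$gtpnat_ip"
  fi
}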
# Firewall bring-up: clean, default policies, public-interface filter, NAT.
function config_iptables() {
  init_iptables
  set_default_policy_iptables
  set_firewalld_iptables
  set_nat_iptables
}
# entry point
config_iptables
[root@localhost config.sh]# cat ltegwd.sh
#!/bin/bash -
#########################################################################################
# ltegwd.sh
# 启动ltegwd进程
# version:1.0
# update:20170925
#########################################################################################
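# Launch the main gateway daemon in the background with its output discarded.
# The old line put the redirection after '&', so it applied to an empty command
# and the daemon's output still reached the terminal.
function start_ltegwd() {
  /root/eGW/ltegwd 0 1 >/dev/null 2>&1 &
}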
# entry point
start_ltegwd
[root@localhost config.sh]# cat net.sh
#!/bin/bash -
#########################################################################################
# net.sh
# 配置网络
# version:1.0
# update:20170921
#########################################################################################
# NetworkManager would fight the manual configuration below; stop it.
function init_net() {
  systemctl stop NetworkManager.service
  #systemctl restart network.service
}
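# Start the IPsec daemon when downlink or uplink IPsec is enabled in
# networkcfg.conf. One daemon serves both directions; the old code issued
# "ipsec start" twice when both flags were set.
# Returns: 0 (best-effort)
function start_ipsec() {
  local cfg=/root/eGW/networkcfg.conf
  local ipsec_down ipsec_up
  ipsec_down=$(awk '/^set_dlipsec_enable/ { print $2 }' "$cfg")
  ipsec_up=$(awk '/^set_ulipsec_enable/ { print $2 }' "$cfg")
  if [[ "$ipsec_down" -eq 1 || "$ipsec_up" -eq 1 ]]; then
    ipsec start
  fi
}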
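# Run every non-comment, non-empty line of the network config as a shell
# command (word-split: first word is the command, the rest its arguments).
# NOTE(review): unlike egw.sh's set_configure there is no check on the command
# name, so write access to networkcfg.conf equals root command execution at boot.
# Arguments: $1 - config file (default /root/eGW/networkcfg.conf)
function set_net() {
  local cfg=${1:-/root/eGW/networkcfg.conf}
  local line
  # plain "read -r" keeps the old leading-whitespace stripping
  while read -r line || [[ -n "$line" ]]; do
    [[ "${line:0:1}" == "#" || -z "$line" ]] && continue
    # the old "2>&1>/dev/null" silenced stdout only; both streams are meant to go
    $line >/dev/null 2>&1
  done < "$cfg"
}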
# Network bring-up: stop NetworkManager, apply networkcfg.conf, start IPsec.
function config_net() {
  init_net
  set_net
  start_ipsec
}
# entry point
config_net
[root@localhost config.sh]# cat sshd.sh
#!/bin/bash -
#########################################################################################
# sshd.sh
# 远程登录程序,定义ssh登录端口,防范远程扫描和暴力破解
# version:1.0
# update:20171023
#########################################################################################
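# Make sshd listen on the port given by set_sshd_port in networkcfg.conf:
# append a Port line when sshd_config has none, rewrite it when it differs,
# and restart sshd after either change. Nothing happens when the key is absent.
# Returns: 0, or 1 when the configured value is not a number
function set_sshd() {
  local sshd_config=/etc/ssh/sshd_config
  local sshd_port sshd_config_port
  sshd_port=$(awk '/^set_sshd_port/ { print $2 }' /root/eGW/networkcfg.conf)
  [[ -n "$sshd_port" ]] || return 0
  # the value is written into sshd_config: digits only
  if [[ ! "$sshd_port" =~ ^[0-9]+$ ]]; then
    printf 'set_sshd: invalid set_sshd_port value %q\n' "$sshd_port" >&2
    return 1
  fi
  sshd_config_port=$(_sshd_config_port "$sshd_config")
  if [[ -z "$sshd_config_port" ]]; then
    echo "Port ${sshd_port}" >> "$sshd_config"
    systemctl restart sshd
  elif [[ "$sshd_port" -ne "$sshd_config_port" ]]; then
    _sshd_set_port "$sshd_config" "$sshd_config_port" "$sshd_port"
    systemctl restart sshd
  fi
}

# Print the value of the first "Port <n>" directive in sshd config $1
# (empty when there is none).
function _sshd_config_port() {
  awk '/^Port[[:space:]]/ { print $2; exit }' "$1"
}

# Change "Port <$2>" to "Port <$3>" in sshd config $1.
# Anchored to the Port directive: the old sed substituted the bare number
# everywhere in the file, e.g. "MaxAuthTries 22" when moving off port 22.
function _sshd_set_port() {
  local cfg=$1 old=$2 new=$3
  sed -i "s/^Port[[:space:]]\{1,\}${old}[[:space:]]*\$/Port ${new}/" "$cfg"
}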
# entry point
set_sshd
[root@eGW config.sh]# cat watchdog_cdr_log.sh
#!/bin/bash -
#########################################################################################
# watchdog_cdr_log.sh
# 看门狗程序,定时上传话单,归档话单,删除话单,删除log
# version:1.0
# update:20170926
#########################################################################################
cdr_log_interval_time=5   # seconds between two watchdog passes
time_HM_reset='0000'      # HHMM at which the daily deletions run
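# Archive finished CDR files: every *.dat under /root/eGW/CDR except the
# newest one (presumably still being written) is moved into
# cdrDat/<stamp>/, where <stamp> is the first 8 characters of the 4th
# '_'-separated field of the path. One background job per file.
# The tftp upload the name suggests stays commented out.
function cdr_upload() {
  local cdr_dir=/root/eGW/CDR
  local cdr_tftp_ip f stamp
  local -a files=()
  # tftp upload target; unused while the upload line is disabled
  cdr_tftp_ip=$(awk '/set_charge_service / { print $5 }' /root/eGW/config.txt)
  # newest first, skip the first; names only instead of parsing "ls -l"
  mapfile -t files < <(ls -t -- "$cdr_dir"/*.dat 2>/dev/null | tail -n +2)
  for f in "${files[@]}"; do
    {
      stamp=$(awk -F_ '{ print $4 }' <<< "$f")
      stamp=${stamp:0:8}
      mkdir -p -- "${cdr_dir}/cdrDat/${stamp}"
      #tftp $cdr_tftp_ip -c put $f
      mv -- "$f" "${cdr_dir}/cdrDat/${stamp}"
    } &
  done
}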
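# Pack every dated folder under cdrDat except the newest one into
# <folder>.tar.gz and remove the folder, one background job per folder.
# Works with absolute paths (tar -C) instead of cd'ing the watchdog shell
# into cdrDat: the old unchecked "cd" followed by "rm -rf $i" would have run
# against the current directory had the cd failed.
function cdr_compress() {
  local dat_dir=/root/eGW/CDR/cdrDat
  local d
  local -a folders=()
  # directories only, newest first, skipping the newest (still being filled)
  mapfile -t folders < <(ls -td -- "$dat_dir"/*/ 2>/dev/null | tail -n +2)
  for d in "${folders[@]}"; do
    d=${d%/}
    {
      # delete only after the archive was written; the old version removed
      # the folder unconditionally, losing the data when tar failed
      tar -zcvf "${d}.tar.gz" -C "$dat_dir" "${d##*/}" && rm -rf -- "$d"
    } &
  done
}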
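# Once a day (HHMM == time_HM_reset) keep only the 9 newest CDR archives.
# Runs on every pass during that minute; the deletion is idempotent.
# Globals: time_HM_reset (read); time_HM (written, as before)
function cdr_del() {
  time_HM=$(date +%H%M)
  # [ ] rather than [[ ]]/(( )): a value like 0930 would be read as octal there
  [ "$time_HM" -eq "$time_HM_reset" ] || return 0
  # xargs -r: do nothing on an empty list instead of "rm -rf" without operands
  ls -t -- /root/eGW/CDR/cdrDat/*.tar.gz 2>/dev/null | tail -n +10 | xargs -r rm -rf --
}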
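# Rotate logs larger than 1024000 bytes: watchdog/ps.log becomes
# <YYYYmmddHHMM>.ps.log.bak and each history/*.log becomes
# <YYYYmmddHHMM>.<name>.bak in the same directory.
function log_compress() {
  local -r max_size=1024000
  local stamp size f
  local wd_log=/root/eGW/Logs/watchdog/ps.log
  stamp=$(date +%Y%m%d%H%M)
  if [[ -f "$wd_log" ]]; then
    size=$(stat -c %s -- "$wd_log")
    (( size > max_size )) && mv -- "$wd_log" "/root/eGW/Logs/watchdog/${stamp}.ps.log.bak"
  fi
  for f in /root/eGW/Logs/history/*.log; do
    [[ -f "$f" ]] || continue   # unmatched glob
    {
      size=$(stat -c %s -- "$f")
      # the old target name had no log name in it, so several logs rotated in
      # the same minute overwrote each other; keep the basename
      (( size > max_size )) && mv -- "$f" "/root/eGW/Logs/history/${stamp}.${f##*/}.bak"
    } &
  done
}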
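# Once a day (HHMM == time_HM_reset) keep only the 9 newest entries in each
# log location and delete the rest.
# Globals: time_HM_reset (read); time_HM (written, as before)
function log_del() {
  time_HM=$(date +%H%M)
  # [ ] rather than [[ ]]/(( )): a value like 0930 would be read as octal there
  [ "$time_HM" -eq "$time_HM_reset" ] || return 0
  _log_del_keep_newest 9 /root/eGW/Logs/ltegwd/*
  _log_del_keep_newest 9 /root/eGW/Logs/manage/*
  _log_del_keep_newest 9 /root/eGW/Logs/report/*
  _log_del_keep_newest 9 /root/eGW/Logs/watchdog/*.bak
  _log_del_keep_newest 9 /root/eGW/Logs/history/*.bak
}

# Delete all but the $1 newest (by mtime) of the paths $2...; unmatched globs
# are ignored. "ls -d" lists directories as entries instead of descending into
# them (the old "ls -lt dir/*" parse listed their contents and then fed those
# relative names to rm -rf).
function _log_del_keep_newest() {
  local keep=$1
  shift
  local -a sorted=()
  [[ $# -gt 0 ]] || return 0
  mapfile -t sorted < <(ls -td -- "$@" 2>/dev/null)
  if (( ${#sorted[@]} > keep )); then
    rm -rf -- "${sorted[@]:keep}"
  fi
}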
# Watchdog loop: archive and compress CDRs, rotate and prune logs, then
# sleep cdr_log_interval_time seconds. Intended to be backgrounded.
function cdr_log_manager() {
  while :; do
    cdr_upload
    cdr_compress
    log_compress
    log_del
    cdr_del
    sleep "$cdr_log_interval_time"
  done
}
# detach the loop so the sourcing script keeps going
cdr_log_manager &
[root@localhost config.sh]# cat watchdog_iostatic.sh
#!/bin/bash -
#########################################################################################
# watchdog_iostatic.sh
# 看门狗程序,统计流量
# version:1.0
# update:20170926
#########################################################################################
iostatic_interval_time=20   # seconds between two passes
time_HM_check='2359'        # HHMM at which the daily statistics would run
time_HM_reset='0000'        # HHMM at which the run flag is re-armed
flag_iostatic=0             # 1 once today's statistics have been triggered
# Create the daily-statistics directory if it is missing.
function check_fold_iostatic() {
  local dir=/root/eGW/static/dailystatic
  [[ -d "$dir" ]] || mkdir -p "$dir"
}
# Daily traffic-statistics hook. At time_HM_check the statistics scripts
# would run once (guarded by flag_iostatic) — both calls are commented out,
# so only the flag is set. The flag is re-armed at time_HM_reset.
# Globals: time_HM_check, time_HM_reset (read); flag_iostatic, time_HM (written)
function iostatic() {
  time_HM=$(date +%H%M)
  # [ ] keeps decimal semantics for values with a leading zero such as 0930
  if [ "$time_HM" -eq "$time_HM_check" ] && [ "$flag_iostatic" -eq 0 ]; then
    #/root/eGW/dailystatic.py $time_Ymd
    #/root/eGW/emailontime.py
    flag_iostatic=1
  fi
  [ "$time_HM" -eq "$time_HM_reset" ] && flag_iostatic=0
  return 0
}
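# Watchdog loop for the traffic statistics. Intended to be backgrounded.
function iostatic_manager() {
  while :; do
    check_fold_iostatic
    iostatic
    # was "$iostatic_interval_tim" (typo): sleep got no operand, failed
    # immediately and the loop spun without pause
    sleep "$iostatic_interval_time"
  done
}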
# detach the loop so the sourcing script keeps going
iostatic_manager &
[root@localhost config.sh]# cat watchdog_ps.sh
#!/bin/bash -
#########################################################################################
# watchdog_ps.sh
# 看门狗程序,定时检测进程
# version:1.1
# update:20171023
#########################################################################################
interval_time=5   # seconds between two process checks
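# Relaunch the main daemon when no process with the exact command line
# "/root/eGW/ltegwd 0 1" exists, logging the restart to ps.log. The
# configuration is then pushed again by running egw.sh as a script.
function ps_ltegwd() {
  local stamp
  # pgrep -x -f: whole command line must match; replaces the ps | grep | awk
  # pipeline and the unused ltegwd_stat variable
  if ! pgrep -x -f '/root/eGW/ltegwd 0 1' >/dev/null; then
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    printf '%s  watchdog: ltegwd restart\n' "$stamp" >> /root/eGW/Logs/watchdog/ps.log
    /root/eGW/config.sh/ltegwd.sh
    sleep 2
    /root/eGW/config.sh/egw.sh
  fi
}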
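# Relaunch the OMC management FastCGI daemon when no process with exactly
# the command line /root/eGW/OMC/egw_manage exists; logs to ps.log.
function ps_egw_manage() {
  local stamp
  if ! pgrep -x -f /root/eGW/OMC/egw_manage >/dev/null; then
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    printf '%s  watchdog: egw_manage restart\n' "$stamp" >> /root/eGW/Logs/watchdog/ps.log
    spawn-fcgi -a 127.0.0.1 -p 4001 -f /root/eGW/OMC/egw_manage
  fi
}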
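# Relaunch the OMC report daemon when no process with exactly the command
# line /root/eGW/OMC/egw_report exists; logs to ps.log.
function ps_egw_report() {
  local stamp
  if ! pgrep -x -f /root/eGW/OMC/egw_report >/dev/null; then
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    printf '%s  watchdog: egw_report restart\n' "$stamp" >> /root/eGW/Logs/watchdog/ps.log
    /root/eGW/OMC/egw_report &
  fi
}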
# Process watchdog loop: check the three daemons, then sleep interval_time
# seconds. Intended to be backgrounded.
function ps_while() {
  while :; do
    ps_ltegwd
    ps_egw_manage
    ps_egw_report
    sleep "$interval_time"
  done
}
# detach the loop so the sourcing script keeps going
ps_while &
[root@localhost config.sh]# cat watchdog_userstatic.sh
#!/bin/bash -
#########################################################################################
# watchdog_userstatic.sh
# 看门狗程序,定时统计用户数
# version:1.0
# update:20170926
#########################################################################################
userstatic_interval_time=20   # seconds between two passes
time_M_check='59'             # minute at which the hourly snapshot is taken
time_M_reset='00'             # minute at which the snapshot flag is re-armed
flag_userstatic=0             # 1 once this hour's snapshot has been written
# Create the user-statistics directory if it is missing.
function check_fold_userstatic() {
  local dir=/root/eGW/static/userstatic
  [[ -d "$dir" ]] || mkdir -p "$dir"
}
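# Hourly user-count snapshot: at minute time_M_check (once per hour, guarded
# by flag_userstatic) append a line of 190 '*', the date and the output of
# "lccmd show_enb_list" to static/userstatic/<YYYYmmdd>.txt. The flag is
# re-armed at minute time_M_reset.
# Fixes: the minute was never computed (time_M was unset) and the guard read
# an undefined flag2 instead of flag_userstatic, so the snapshot never ran.
# Globals: time_M_check, time_M_reset (read); flag_userstatic (read/written)
function userstatic() {
  local time_Ymd time_M out sep snapshot
  time_Ymd=$(date +%Y%m%d)
  time_M=$(date +%M)
  out="/root/eGW/static/userstatic/${time_Ymd}.txt"
  # [ ] keeps decimal semantics for minutes with a leading zero ("05")
  if [ "$time_M" -eq "$time_M_check" ] && [ "$flag_userstatic" -eq 0 ]; then
    snapshot=$(/root/eGW/lccmd show_enb_list)
    sep=$(printf '%-190s' '*')
    {
      printf '%s\n' "${sep// /*}"
      printf '%s \n\n' "$(date)"
      printf '%s \n\n' "$snapshot"
    } >> "$out"
    flag_userstatic=1
  fi
  if [ "$time_M" -eq "$time_M_reset" ]; then
    flag_userstatic=0
  fi
}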
# Watchdog loop for the user statistics. Intended to be backgrounded.
function userstatic_manager() {
  while :; do
    check_fold_userstatic
    userstatic
    sleep "$userstatic_interval_time"
  done
}
# detach the loop so the sourcing script keeps going
userstatic_manager &
[root@localhost config.sh]# cat watchdog.sh
#!/bin/bash -
#########################################################################################
# watchdog.sh
# 看门狗程序,定时上传话单,删除话单,删除log,统计流量和用户数
# version:2.0
# update:20170926
#########################################################################################
# Each watchdog script backgrounds its own loop when sourced. Only the
# process and CDR/log watchdogs are started here; watchdog_secure.sh,
# watchdog_iostatic.sh and watchdog_userstatic.sh are not sourced.
source /root/eGW/config.sh/watchdog_ps.sh
source /root/eGW/config.sh/watchdog_cdr_log.sh