标签:nta nbsp 防范 col $1 action rev 编程 int
2018-05-04
要求:根据web日志或者或者网络连接数,监控当某个IP并发连接数或者短时内PV达到100,即调用防火墙命令封掉对应的IP,监控频率每隔3分钟。防火墙命令为:iptables -I INPUT -s 10.0.1.10 -j DROP。
1.主备一个测试用的web日志
access_2018-03-19.log
2.截取IP并统计IP出现的次数
[root@manager ~]# awk ‘{print $1}‘ access_2018-03-19.log|sort|uniq -c|sort -rn -k1 94 172.15.12.33 58 172.15.12.24 5 172.16.1.7
sort
-n, --numeric-sort
-r, --reverse
-k, --key=POS1[,POS2]
start a key at POS1 (origin 1), end it at POS2
3.编程
[root@manager iptablestest]# vim ban_IP.sh
#!/bin/bash ########################################################################## # File Name: ban_IP.sh # Version: V1.0 # Author:Richard Liang # Organization: richard # Created Time: 2018-05-04 15:48:52 # Description: ########################################################################## #!/bin/sh # [ -f /etc/init.d/functions ] && . /etc/init.d/functions IP_file="/root/iptablestest/access_2018-05-04.log" IP_filter_command="iptables -I INPUT -j DROP -s" IP_recover_command="iptables -D INPUT -j DROP -s" ###IP检查##### function IP_check(){ awk ‘{print $1}‘ $IP_file|sort|uniq -c|sort -rn -k1 >/root/iptablestest/result.txt } #####封杀可疑IP###### function IP_filter(){ exec < /root/iptablestest/result.txt while read line do IP_count=`echo $line|awk ‘{print $1}‘` IP=`echo $line|awk ‘{print $2}‘` IP_fil=`iptables -L -n|grep "\b${IP}\b"|wc -l` if [ ${IP_count} -gt 25 -a ${IP_fil} -eq 0 ];then ${IP_filter_command} ${IP} echo "${IP}" >> /root/iptablestest/ip_filtered.txt action "Filter ${IP}" /bin/true fi done } function IP_recover(){ exec < /root/iptablestest/result.txt while read line do IP_count=`echo $line|awk ‘{print $1}‘` IP=`echo $line|awk ‘{print $2}‘` IP_fil=`iptables -L -n|grep "\b${IP}\b"|wc -l` if [ ${IP_count} -le 25 -a ${IP_fil} -eq 1 ];then ${IP_recover_command} ${IP} echo "${IP}" >> /root/iptablestest/ip_filtered.txt action "Recover ${IP}" /bin/true fi done } function main(){ case "$1" in filter) IP_check echo "$(date +%F-%H:%M:%S) filtered by $(whoami)" >> /root/iptablestest/ip_filtered.txt IP_filter ;; recover) IP_check echo "$(date +%F-%H:%M:%S) recovered by $(whoami)" >> /root/iptablestest/ip_filtered.txt IP_recover ;; *) echo "USAGE:$0 {filter|recover}" exit 1 esac } main $*
3.测试
[root@manager iptablestest]# sh ban_IP.sh filter
新开窗口,watch iptables -nL,观测规则变化情况
修改web日志,减少ip数量,再次测试
sh ban_IP.sh recover
查看日志
[root@manager iptablestest]# cat /root/iptablestest/ip_filtered.txt 2018-05-04-16:59:18 filtered by root 172.15.12.33 172.15.12.24 2018-05-04-17:00:23 recovered by root 172.15.12.33
定时任务
把脚本写进crontab,每隔3分钟运行一次sh ban_IP.sh filter
次日中午12点解封,sh ban_IP.sh recover
标签:nta nbsp 防范 col $1 action rev 编程 int
原文地址:https://www.cnblogs.com/Richard-Liang/p/8991570.html
