Requirement: Monitor the access log and, if an attack is detected, add the attacking IP to the blacklist.
Analysis:
1. Open the log file
2. Extract the IP address from each line
3. Count how many times each IP appears; if an IP appears more than 50 times, add it to the blacklist
4. Repeat the read every minute
Log format:
178.210.90.90 - - [04/Jun/2017:03:44:13 +0800] "GET /wp-includes/logo_img.php HTTP/1.0" 302 161 "http://nnzhp.cn/wp-includes/logo_img.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4" "10.3.152.221"
178.210.90.90 - - [04/Jun/2017:03:44:13 +0800] "GET /blog HTTP/1.0" 301 233 "http://nnzhp.cn/wp-includes/logo_img.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4" "10.3.152.221"
178.210.90.90 - - [04/Jun/2017:03:44:15 +0800] "GET /blog/ HTTP/1.0" 200 38278 "http://nnzhp.cn/wp-includes/logo_img.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4" "10.3.152.221"
66.249.75.29 - - [04/Jun/2017:03:45:55 +0800] "GET /bbs/forum.php?mod=forumdisplay&fid=574&filter=hot HTTP/1.1" 200 17482 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-"
37.9.169.20 - - [04/Jun/2017:03:47:59 +0800] "GET /wp-admin/security.php HTTP/1.1" 302 161 "http://nnzhp.cn/wp-admin/s
Implementation:
import time

point = 0  # Record the position of the file pointer after every read
while True:  # Keep reading the log as it is updated in real time
    all_IP = []
    f = open('access.log', encoding='utf-8')
    # Do not use read() to load the whole file at once: the file is loaded from
    # disk into memory and then handed to the CPU for analysis, so a large file
    # fills the memory and the machine freezes
    f.seek(point)  # Move the file pointer so IPs already counted are not counted again
    for line in f:  # Iterating over a file object yields one line per loop
        IP = line.split(' - ')[0].strip()  # take out the IP
        all_IP.append(IP)  # put the IP into the list
    point = f.tell()  # record the pointer position (after the loop: tell() is not allowed while iterating a text-mode file)
    all_IP_set = set(all_IP)  # a set is deduplicated by nature
    for i in all_IP_set:  # looping over the set is more efficient than the list, and it is already deduplicated
        if all_IP.count(i) > 50:
            print('The IP added to the blacklist is %s, which appeared %s times in one minute' % (i, all_IP.count(i)))
    f.close()
    time.sleep(60)  # read every minute
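A more robust version of the same monitor, added here as an example and not part of the original post: it parses the leading IP with a regex instead of splitting on " - ", counts with Counter instead of list.count() (which is O(n) per IP), and restarts from offset 0 when the log is rotated or truncated, a case where the seek(point) approach above would read nothing forever. The path access.log, the names parse_client_ip, ips_over_threshold, read_new_lines and monitor, and the SAMPLE lines are my assumptions, not the page's.

```python
import re
import time
from collections import Counter

# Leading field of the combined log format shown above: an IPv4 address
# followed by the two "-" fields and the "[" that opens the timestamp.
LINE_RE = re.compile(r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - \S+ \[')
THRESHOLD = 50   # requests per interval before an IP is reported
INTERVAL = 60    # seconds between reads, as the requirement asks

# Constructed sample lines in the page's format (not real traffic).
SAMPLE = ['178.210.90.90 - - [04/Jun/2017:03:44:13 +0800] "GET /blog HTTP/1.0" '
          '301 233 "-" "Mozilla/5.0" "10.3.152.221"\n'] * 3 + [
          '66.249.75.29 - - [04/Jun/2017:03:45:55 +0800] "GET /bbs/forum.php '
          'HTTP/1.1" 200 17482 "-" "Googlebot/2.1" "-"\n']

def parse_client_ip(line):
    """Leading IPv4 address of one log line, or None when the line does
    not match (blank line, half-written line, rotated-in garbage)."""
    m = LINE_RE.match(line)
    return m.group('ip') if m else None

def ips_over_threshold(lines, threshold=THRESHOLD):
    """{ip: count} for every source IP seen more than `threshold` times."""
    counts = Counter(ip for ip in map(parse_client_ip, lines) if ip)
    return {ip: n for ip, n in counts.items() if n > threshold}

def read_new_lines(path, offset):
    """(lines appended since byte `offset`, new offset). Binary mode keeps
    real byte offsets; if the file is now shorter than `offset` (rotated or
    truncated) reading restarts at 0 instead of returning nothing forever."""
    with open(path, 'rb') as f:
        f.seek(0, 2)
        if f.tell() < offset:
            offset = 0
        f.seek(offset)
        data = f.read()          # only the unread tail is held in memory
        return data.decode('utf-8', 'replace').splitlines(True), f.tell()

def monitor(path='access.log', threshold=THRESHOLD, interval=INTERVAL):
    offset = 0
    while True:
        lines, offset = read_new_lines(path, offset)
        for ip, n in sorted(ips_over_threshold(lines, threshold).items()):
            print('blacklist candidate %s: %d requests in %ds' % (ip, n, interval))
        time.sleep(interval)

if __name__ == '__main__':
    print(ips_over_threshold(SAMPLE, 2))   # {'178.210.90.90': 3} on the sample
    monitor()
```

Legitimate crawlers (the Googlebot line in the sample) can also exceed a fixed per-minute count, so treat the output as candidates to review rather than feeding it straight into a firewall rule.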