2018-05-04
Requirements: According to the web
log or 网络
the number of connections, monitor the number of concurrent connections to a certain IP or when the PV reaches within a short period of time 100
, that is, call the firewall command to block the corresponding IP, and the monitoring frequency is every 3 minutes. The firewall command is:iptables -I INPUT -s 10.0.1.10 -j DROP。
1. Active and standby a web log for testing
access_2018-03-19.log
2. Intercept IP and count the number of IP occurrences
[root@manager ~]# awk '{print $1}' access_2018-03-19.log|sort|uniq -c|sort -rn -k1 94 172.15.12.33 58 172.15.12.24 5 172.16.1.7
sort
-n, --numeric-sort
-r, --reverse
-k, --key=POS1[,POS2]
start a key at POS1 (origin 1), end it at POS2
3. Programming
[root@manager iptablestest]# vim ban_IP.sh
#!/bin/bash ########################################################################## # File Name: ban_IP.sh # Version: V1.0 # Author:Richard Liang # Organization: richard # Created Time: 2018-05-04 15:48:52 # Description: ########################################################################## #!/bin/sh # [ -f /etc/init.d/functions ] && . /etc/init.d/functions IP_file="/root/iptablestest/access_2018-05-04.log" IP_filter_command="iptables -I INPUT -j DROP -s" IP_recover_command="iptables -D INPUT -j DROP -s" ###IP Check ##### function IP_check(){ awk '{print $1}' $IP_file|sort|uniq -c|sort -rn -k1 >/root/iptablestest/result.txt } #####Block suspicious IP###### function IP_filter(){ exec < /root/iptablestest/result.txt while read line do IP_count=`echo $line|awk '{print $1}'` IP=`echo $line|awk '{print $2}'` IP_fil=`iptables -L -n|grep "\b${IP}\b"|wc -l` if [ ${IP_count} -gt 25 -a ${IP_fil} -eq 0 ];then ${IP_filter_command} ${IP} echo "${IP}" >> /root/iptablestest/ip_filtered.txt action "Filter ${IP}" /bin/true fi done } function IP_recover(){ exec < /root/iptablestest/result.txt while read line do IP_count=`echo $line|awk '{print $1}'` IP=`echo $line|awk '{print $2}'` IP_fil=`iptables -L -n|grep "\b${IP}\b"|wc -l` if [ ${IP_count} -le 25 -a ${IP_fil} -eq 1 ];then ${IP_recover_command} ${IP} echo "${IP}" >> /root/iptablestest/ip_filtered.txt action "Recover ${IP}" /bin/true fi done } function main(){ case "$1" in filter) IP_check echo "$(date +%F-%H:%M:%S) filtered by $(whoami)" >> /root/iptablestest/ip_filtered.txt IP_filter ;; recover) IP_check echo "$(date +%F-%H:%M:%S) recovered by $(whoami)" >> /root/iptablestest/ip_filtered.txt IP_recover ;; *) echo "USAGE:$0 {filter|recover}" exit 1 esac } main $*
3. Test
[root@manager iptablestest]# sh ban_IP.sh filter
New window, watch iptables -nL, observe rule changes
Modify the web log, reduce the number of ips, and test again
sh ban_IP.sh recover
View logs
[root@manager iptablestest]# cat /root/iptablestest/ip_filtered.txt 2018-05-04-16:59:18 filtered by root 172.15.12.33 172.15.12.24 2018-05-04-17:00:23 recovered by root 172.15.12.33
timed task
Write the script into crontab and run sh ban_IP.sh filter every 3 minutes
Unblock at 12:00 noon the next day, sh ban_IP.sh recover