
Call the firewall to block the DDOS initiator IP

2025-01-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

[root@linux-node1 ~]# cat fw.sh
#!/bin/bash
# Count requests per client in the nginx access log and write the heaviest clients to /tmp/dropip
cat /var/log/nginx/access.log | awk -F ":" '{print $1}' | sort | uniq -c | sort -rn | head -10 | grep -v "127.0" | awk '{if ($2 != null && $1 > 4) {print $2}}' > /tmp/dropip
# Drop TCP port 80 traffic from each listed IP and record the action
for i in $(cat /tmp/dropip)
do
    /sbin/iptables -A INPUT -p tcp --dport 80 -s "$i" -j DROP
    echo "$i kill at $(date)" >> /var/log/ddos
done

Script comments:

First, read the log file. awk extracts the first column (the IP); the output is sorted, de-duplicated with a count per entry, and reverse-sorted by count. The top 10 entries are kept, entries matching 127.0 are excluded, and a second awk keeps only the entries whose second column is not empty and whose count is greater than 4, writing those IPs to the /tmp/dropip file.

Loop over the file /tmp/dropip.

Block port 80 for each IP address in /tmp/dropip.

Write the event to the /var/log/ddos log, then move on to the next IP.
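A stricter variant of the same steps, as an added example that is not the original author's script: it matches allowlisted addresses exactly instead of with the substring 127.0, accepts only well-formed IPv4 addresses, and checks with iptables -C before appending so repeated runs do not stack duplicate rules. The function names, the ALLOWLIST and DRY_RUN variables and the sample log are assumptions made for this example.

```bash
#!/bin/bash
# Added example: variable and function names are assumptions, not part of fw.sh.
THRESHOLD=${THRESHOLD:-4}                     # same "more than 4 requests" cutoff as fw.sh
ALLOWLIST=${ALLOWLIST:-"127.0.0.1 10.0.0.5"}  # constructed: addresses that must never be blocked
DRY_RUN=${DRY_RUN:-1}                         # 1 = print the iptables command instead of running it

# Read an nginx access log on stdin; print IPv4 clients with more than THRESHOLD requests.
offenders() {
    awk -v max="$THRESHOLD" -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        # count only a well-formed dotted quad in the first field, exact-match allowlist
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($1 in skip) { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > max) print ip }
    ' | sort
}

# Append a DROP rule for TCP port 80 only if the identical rule is not already present.
block_ip() {
    local ip=$1
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -A INPUT -p tcp --dport 80 -s $ip -j DROP"
        return 0
    fi
    /sbin/iptables -C INPUT -p tcp --dport 80 -s "$ip" -j DROP 2>/dev/null && return 0
    /sbin/iptables -A INPUT -p tcp --dport 80 -s "$ip" -j DROP &&
        echo "$ip blocked at $(date)" >> /var/log/ddos
}

# Constructed sample log: 203.0.113.9 has 6 requests, 198.51.100.2 has 2, loopback has 5.
sample_log() {
    for i in 1 2 3 4 5 6; do echo '203.0.113.9 - - [15/Jan/2025:10:00:0'$i' +0800] "GET / HTTP/1.1" 200 612'; done
    for i in 1 2; do echo '198.51.100.2 - - [15/Jan/2025:10:00:0'$i' +0800] "GET / HTTP/1.1" 200 612'; done
    for i in 1 2 3 4 5; do echo '127.0.0.1 - - [15/Jan/2025:10:00:0'$i' +0800] "GET /status HTTP/1.1" 200 98'; done
}

for ip in $(sample_log | offenders); do block_ip "$ip"; done
```

With DRY_RUN=0 the real log can be fed in as `offenders < /var/log/nginx/access.log`.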
