参考日志

180.98.113.151 - [19/Sep/2018:09:30:07 +0800]  "/uc_server/avatar.php?uid=1145811&size=middle" 301 "GET  HTTP/1.1" "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13D15 MAGAPPX|4.1.2-4.1.0-41|iPhone OS 9.2.1 iPhone 6|wenyou|C6C25422-279C-4337-8E10-F588D577B9D7|da97ede5be797f79b96d6761bf858632|426ef86c3fc2359dc90468f7bdd0f5e9|c64f2225ec641231cd612bbe08f2b40d" 
61.227.224.229 - [19/Sep/2018:09:30:07 +0800]  "/misc.php?mod=ranklist&type=member&view=post" 200 "GET  HTTP/1.1" "http://www.wenyou.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" 
183.207.95.145  [19/Sep/2018:09:30:07 +0800]  "/uc_server/avatar.php?uid=1323875&size=middle" 301 "GET  HTTP/1.1" "http://app.yikaidai.com/mag/circle/v1/forum/threadViewPage?tid=3446714&circle_id=&themecolor=1aadfa" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0_3 like Mac OS X) AppleWebKit/604.1.38 "
114.230.251.50 - [19/Sep/2018:09:30:07 +0800]  "/core/attachment/attachment/img?url=https%3A%2F%2Fmmbiz.qpic.cn%2Fmmbiz_jpg" 302 "GET HTTP/1.1" "https://app.yikai.com/mag/info/v1/info/infoView?id=55855&themecolor=1aadfa" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) "
61.227.224.229 - [19/Sep/2018:09:30:07 +0800]  "/misc.php?mod=ranklist&type=member&view=onlinetime" 200 "GET HTTP/1.1" "http://www.wenyou.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"

参考脚本

#! /bin/bash
## 把访问量比较大的IP封掉，如果20分钟内被封的IP没有请求或者请求很少，需要解封
## 作者：阿铭
## 日期：2018-09-20
## 版本：v0.1

#定义1分钟以前的时间，用于过滤1分钟以前的日志
t1=`date -d "-1 min" +%Y:%H:%M`
log=/data/logs/access_log

block_ip()
{
    egrep "$t1:[0-5]+" $log > /tmp/tmp_last_min.log

    #把1分钟内访问量高于100的ip记录到一个临时文件中
    awk '{print $1}' /tmp/tmp_last_min.log |sort -n |uniq -c|sort -n |awk '$1>100 {print $2}' > /tmp/bad_ip.list

    #计算ip的数量
    n=`wc -l /tmp/bad_ip.list|awk '{print $1}'`

    #当ip数大于0时，才会用iptables封掉它
    if [ $n -ne 0 ]
    then
        for ip in `cat /tmp/bad_ip.list`
        do
            iptables -I INPUT -s $ip -j REJECT
        done
        #将这些被封的IP记录到日志里
        echo "`date` 封掉的IP有：" >> /tmp/block_ip.log
        cat /tmp/bad_ip.list >> /tmp/block_ip.log
    fi
}

unblock_ip()
{
    #首先将包个数小于5的ip记录到一个临时文件里，把它们标记为白名单IP
    iptables -nvL INPUT|sed '1d' |awk '$1<5 {print $8}' > /tmp/good_ip.list
    n=`wc -l /tmp/good_ip.list|awk '{print $1}'`
    if [ $n -ne 0 ]
    then
        for ip in `cat /tmp/good_ip.list`
        do
            iptables -D INPUT -s $ip -j REJECT
        done
        echo "`date` 解封的IP有：" >> /tmp/unblock_ip.log
        cat /tmp/good_ip.list >> /tmp/unblock_ip.log
    fi
    #当解封完白名单IP后，将计数器清零，进入下一个计数周期
    iptables -Z
}

#取当前时间的分钟数
t=`date +%M`

#当分钟数为00或者30时（即每隔30分钟），执行解封IP的函数，其他时间只执行封IP的函数
if [ $t == "00" ] || [ $t == "30" ]
then
   unblock_ip
   block_ip
else
   block_ip
fi

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

4.md

4.md

参考日志

参考脚本

Files

4.md

Latest commit

History

4.md

File metadata and controls

参考日志

参考脚本