180.98.113.151 - [19/Sep/2018:09:30:07 +0800] "/uc_server/avatar.php?uid=1145811&size=middle" 301 "GET HTTP/1.1" "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13D15 MAGAPPX|4.1.2-4.1.0-41|iPhone OS 9.2.1 iPhone 6|wenyou|C6C25422-279C-4337-8E10-F588D577B9D7|da97ede5be797f79b96d6761bf858632|426ef86c3fc2359dc90468f7bdd0f5e9|c64f2225ec641231cd612bbe08f2b40d"
61.227.224.229 - [19/Sep/2018:09:30:07 +0800] "/misc.php?mod=ranklist&type=member&view=post" 200 "GET HTTP/1.1" "http://www.wenyou.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
183.207.95.145 [19/Sep/2018:09:30:07 +0800] "/uc_server/avatar.php?uid=1323875&size=middle" 301 "GET HTTP/1.1" "http://app.yikaidai.com/mag/circle/v1/forum/threadViewPage?tid=3446714&circle_id=&themecolor=1aadfa" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0_3 like Mac OS X) AppleWebKit/604.1.38 "
114.230.251.50 - [19/Sep/2018:09:30:07 +0800] "/core/attachment/attachment/img?url=https%3A%2F%2Fmmbiz.qpic.cn%2Fmmbiz_jpg" 302 "GET HTTP/1.1" "https://app.yikai.com/mag/info/v1/info/infoView?id=55855&themecolor=1aadfa" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) "
61.227.224.229 - [19/Sep/2018:09:30:07 +0800] "/misc.php?mod=ranklist&type=member&view=onlinetime" 200 "GET HTTP/1.1" "http://www.wenyou.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0"
#! /bin/bash
## 把访问量比较大的IP封掉,如果20分钟内被封的IP没有请求或者请求很少,需要解封
## 作者:阿铭
## 日期:2018-09-20
## 版本:v0.1
#定义1分钟以前的时间,用于过滤1分钟以前的日志
t1=`date -d "-1 min" +%Y:%H:%M`
log=/data/logs/access_log
block_ip()
{
egrep "$t1:[0-5]+" $log > /tmp/tmp_last_min.log
#把1分钟内访问量高于100的ip记录到一个临时文件中
awk '{print $1}' /tmp/tmp_last_min.log |sort -n |uniq -c|sort -n |awk '$1>100 {print $2}' > /tmp/bad_ip.list
#计算ip的数量
n=`wc -l /tmp/bad_ip.list|awk '{print $1}'`
#当ip数大于0时,才会用iptables封掉它
if [ $n -ne 0 ]
then
for ip in `cat /tmp/bad_ip.list`
do
iptables -I INPUT -s $ip -j REJECT
done
#将这些被封的IP记录到日志里
echo "`date` 封掉的IP有:" >> /tmp/block_ip.log
cat /tmp/bad_ip.list >> /tmp/block_ip.log
fi
}
unblock_ip()
{
#首先将包个数小于5的ip记录到一个临时文件里,把它们标记为白名单IP
iptables -nvL INPUT|sed '1d' |awk '$1<5 {print $8}' > /tmp/good_ip.list
n=`wc -l /tmp/good_ip.list|awk '{print $1}'`
if [ $n -ne 0 ]
then
for ip in `cat /tmp/good_ip.list`
do
iptables -D INPUT -s $ip -j REJECT
done
echo "`date` 解封的IP有:" >> /tmp/unblock_ip.log
cat /tmp/good_ip.list >> /tmp/unblock_ip.log
fi
#当解封完白名单IP后,将计数器清零,进入下一个计数周期
iptables -Z
}
#取当前时间的分钟数
t=`date +%M`
#当分钟数为00或者30时(即每隔30分钟),执行解封IP的函数,其他时间只执行封IP的函数
if [ $t == "00" ] || [ $t == "30" ]
then
unblock_ip
block_ip
else
block_ip
fi