Última atividade 1721369279

zhangyw revisou este gist 1721369278. Ir para a revisão

1 file changed, 53 insertions

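--- a/block_ip_with_iptables.sh
+++ b/block_ip_with_iptables.sh
@@ -0,0 +1,53 @@
+# 1)屏蔽每分钟访问超过200的IP
+
+# 方法1:根据访问日志(Nginx为例)
+
+#!/bin/bash
+DATE=$(date +%d/%b/%Y:%H:%M)
+ABNORMAL_IP=$(tail -n5000 access.log |grep $DATE |awk '{a[$1]++}END{for(i in a)if(a[i]>100)print i}')
+#先tail防止文件过大,读取慢,数字可调整每分钟最大的访问量。awk不能直接过滤日志,因为包含特殊字符。
+for IP in $ABNORMAL_IP; do
+if [ $(iptables -vnL |grep -c "$IP") -eq 0 ];
+then
+iptables -I INPUT -s $IP -j DROP
+fi
+done
+
+# 方法2:通过TCP建立的连接
+#!/bin/bash
+ABNORMAL_IP=$(netstat -an |awk '$4~/:80$/ && $6~/ESTABLISHED/{gsub(/:[0-9]+/,"",$5);{a[$5]++}}END{for(i in a)if(a[i]>100)print i}')
+#gsub是将第五列(客户端IP)的冒号和端口去掉
+for IP in $ABNORMAL_IP; do
+if [ $(iptables -vnL |grep -c "$IP") -eq 0 ]; then
+iptables -I INPUT -s $IP -j DROP
+fi
+done
+
+
+# 屏蔽每分钟SSH尝试登录超过10次的IP
+# 方法1:通过lastb获取登录状态
+
+#!/bin/bash
+DATE=$(date +"%a %b %e %H:%M") #星期月天时分 %e单数字时显示7,而%d显示07
+ABNORMAL_IP=$(lastb |grep "$DATE" |awk '{a[$3]++}END{for(i in a)if(a[i]>10)print i}')
+for IP in $ABNORMAL_IP; do
+if [ $(iptables -vnL |grep -c "$IP") -eq 0 ];
+then
+iptables -I INPUT -s $IP -j DROP
+fi
+done
+
+# 方法2:通过日志获取登录状态
+
+#!/bin/bash
+DATE=$(date +"%b %d %H")
+ABNORMAL_IP="$(tail -n10000 /var/log/auth.log |grep "$DATE" |awk '/Failed/{a[$(NF-3)]++}END{for(i in a)if(a[i]>5)print i}')"
+for IP in $ABNORMAL_IP; do
+if [ $(iptables -vnL |grep -c "$IP") -eq 0 ]; then
+iptables -A INPUT -s $IP -j DROP
+echo "$(date +"%F %T") - iptables -A INPUT -s $IP -j DROP" >>~/ssh-login-limit.log
+fi
+done
+
+
+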
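Review bot: The "already blocked?" check `[ $(iptables -vnL |grep -c "$IP") -eq 0 ]`, repeated in all four loops, is an unanchored substring match, so once `10.0.0.1` is in the chain a later offender `10.0.0.10` or `10.0.0.100` is counted as present and never dropped, and the dotted IP is also treated as a regex where `.` matches any character; use the kernel's own check instead, `if ! iptables -C INPUT -s "$IP" -j DROP 2>/dev/null; then`. The auth.log variant appends with `iptables -A INPUT`, unlike the three other loops that use `-I`, so on a host whose INPUT chain already ACCEPTs established or port-22 traffic that DROP sits after the accept and is unlikely ever to match; `-I` should be used consistently, and the log message updated to match. None of the loops exclude an allowlist (the host's own addresses, an upstream proxy or NAT gateway, a monitoring source), so a legitimate high-traffic source crossing the `>100`/`>10`/`>5` thresholds is blocked and the operator can lock themselves out; a `case "$IP" in 127.*|<admin-net>) continue;; esac` guard before the iptables call is worth adding. Also note the first comment promises a limit of 200 per minute while the awk filter uses `a[i]>100`, and `$DATE` on the Nginx line is unquoted.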