A large number of customers sit below the core switches of our machine room, and inevitably some of them are big ones; as the saying goes, a tall tree catches the wind, and recently some customers have been hit by traffic attacks. The only mitigation we have is to identify the specific IP address under attack and then configure a null route for it on the upstream core, so that the attack traffic is discarded at the backbone layer and normal service for everyone else is not affected. At present I have set up a mirror port on each core that copies the uplink traffic to a CentOS capture server, and every time there is an incident I run tcpdump by hand and analyse the capture. The recent attacks, however, have come in the middle of the night: by the time I get up to capture packets the attack has already stopped, so not only can the problem not be solved, even a proper incident description cannot be written afterwards. To retain the capture data, I looked up some material on the Internet, tested it against our environment and wrote a simple automatic packet-capture script, posted below:
1: Capture script tcpdump.sh
#!/bin/sh
while true
do
    STIME=$(date +%F@%H%M%S)      # file name, e.g. 2016-03-01@023000
    DATE_DIR=$(date +%F)          # one directory per day, e.g. /data/2016-03-01
    if [ ! -d /data/$DATE_DIR ]; then
        mkdir -p /data/$DATE_DIR
    fi
    # Capture in the background on eth1 (the mirror port). tcpdump stops by itself after
    # 30000 packets and saves the file into the day's directory; change -c as needed.
    /usr/sbin/tcpdump -i eth1 -c 30000 -w /data/$DATE_DIR/$STIME.pcap >/dev/null 2>&1 &
    # Wait one minute after starting the capture, then start the next one. Note that during
    # a flood 30000 packets arrive in far less than a minute, so the rest of the minute is
    # not captured, while on a quiet link a capture may still be running when the next starts.
    sleep 1m
done
2: Disk-usage monitoring script monitor-disk.sh. Continuous capture generates a lot of pcap files and eats disk space, so monitoring disk usage is a prerequisite for keeping the capture script running healthily. The script below can be added as a scheduled task that runs every 6 hours: when disk usage exceeds 50% (adjust as appropriate) it selects the oldest capture directory and deletes it.
#!/bin/bash
# Percentage of /dev/sda1 in use (the df "Use%" column with the % sign stripped).
# Adjust the device name to the filesystem that actually holds /data.
USEDPCT=$(df -h | grep '/dev/sda1' | awk '{print $5}' | awk -F% '{print $1}')
# Oldest capture directory under /data (names are dates, so a plain sort orders them by day).
HEADMOST=$(ls -l /data | grep ^d | awk '{print $NF}' | sort | head -n 1)
# check disk usage; the 50% threshold can be changed as appropriate.
# The -n guard matters: with an empty /data, rm -rf /data/"" would remove /data itself.
if [ "$USEDPCT" -ge 50 ] && [ -n "$HEADMOST" ]; then
    rm -rf /data/"$HEADMOST"
fi
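Two things the monitor script above does not cover, shown here as an added example that is not part of the original post: it deletes at most one directory per run, so a flood that fills the disk faster than one directory every six hours still runs it full, and the device name is hard-coded, so it silently does nothing if /data lives on another filesystem. The script below (my own addition; the /data path, the YYYY-MM-DD directory layout and the 50% threshold follow the post, the CAPTURE_DIR and MAX_USED_PCT variables and the function names are assumptions) reads usage with `df -P` on the capture directory itself, considers only date-shaped directory names, keeps deleting oldest-first until usage is under the threshold, and never removes today's directory, which the capture loop is still writing into.

```shell
#!/bin/sh
# Added example, not the original post's monitor-disk.sh. Prunes whole days of
# captures, oldest first, until the filesystem holding the capture directory is
# under the threshold. Defaults (/data, 50%) follow the post; override them with
# the CAPTURE_DIR and MAX_USED_PCT environment variables (assumed names).
CAPTURE_DIR="${CAPTURE_DIR:-/data}"
MAX_USED_PCT="${MAX_USED_PCT:-50}"

# used_pct DIR: percentage of the filesystem that holds DIR currently in use.
# df -P gives the POSIX one-line-per-filesystem layout, so column 5 is always
# the Capacity column and no device name has to be hard-coded.
used_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# oldest_day_dir BASE: name of the oldest YYYY-MM-DD directory directly under
# BASE, or nothing if there is none. Only date-shaped names are considered, so
# a stray file or an unrelated directory is never selected for deletion.
oldest_day_dir() {
    for d in "$1"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]; do
        [ -d "$d" ] && basename "$d"
    done | sort | head -n 1
}

# prune_captures BASE LIMIT: while usage is above LIMIT percent, delete the
# oldest day directory. Today's directory is never deleted, so the running
# capture loop keeps its output directory. Prints the number of directories removed.
prune_captures() {
    base="$1"; limit="$2"; removed=0
    today=$(date +%F)
    while [ "$(used_pct "$base")" -gt "$limit" ]; do
        victim=$(oldest_day_dir "$base")
        if [ -z "$victim" ] || [ "$victim" = "$today" ]; then
            echo "prune_captures: nothing older than today left under $base" >&2
            break
        fi
        rm -rf "$base/$victim"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Run from cron with the defaults, e.g.:  0 */6 * * * /usr/local/bin/prune-captures.sh run
# Without the "run" argument the script only defines the functions, so it can be sourced.
if [ "$1" = "run" ]; then
    n=$(prune_captures "$CAPTURE_DIR" "$MAX_USED_PCT")
    echo "removed $n capture directories under $CAPTURE_DIR"
fi
```

Because the loop re-reads `df` after every deletion, one cron run brings usage back under the limit regardless of how many days it has to drop, and the today check means the worst case on a disk that is still full is a message on stderr rather than the removal of the directory tcpdump is writing to.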
Add the script above to the scheduled tasks (cron), for example every 6 hours. End.
Automatic packet Capture shell script