Filtering web attack source IPs with a cron scheduled task in Linux

Source: Internet
Author: User
Tags eval iptables

I recently noticed that the server's traffic was somewhat unusual. The logs showed a number of IPs repeatedly accessing the server, so I found this script to filter out such IPs. The rule is: if, out of 10,000 requests, 1000 requests come from the same IP, that IP is judged to be an attack IP.

Create a new script file on the server:

vi block_ips.sh
Put the following content in it:

#!/bin/bash

# Access logs to scan
logfiles=(
    /tmp/logs/rainbow_access.log
    /tmp/logs/eric_access.log
)

# Never block hosts that recently logged in (the third column of `last` is the remote host)
whitelist=$(last | awk '{print $3}' | grep '^[1-9]' | sort | uniq | xargs)

function check_root() {
    if [ "$EUID" -ne 0 ]; then
        echo "This script must be run as root"
        exit 1
    fi
}

# Add a DROP rule for every IP that is neither whitelisted nor already in iptables
function block_ips() {
    blacklist="$*"
    if [ ! -z "${blacklist}" ]; then
        for ip in ${blacklist}
        do
            # -F matches the address literally, so "." is not a regex wildcard
            if ! echo "${whitelist}" | grep -wqF -- "${ip}"; then
                if ! /sbin/iptables-save | grep -wqF -- "${ip}"; then
                    echo "Blocked ${ip}"
                    /sbin/iptables -I INPUT -s "${ip}/32" -p tcp -m tcp --dport 80 -j DROP
                fi
            fi
        done
    fi
}

# Block IPs that sent more than ${retry} POSTs to ${page} within the last ${tailnum} POST requests
function check_post() {
    page=$1
    tailnum=$2
    retry=$3

    command="grep -w POST ${logfile} | tail -n ${tailnum} | grep -w ${page} | awk '{print \$1}' | sort | uniq -c | awk '(\$1 > ${retry}) {print \$2}'"
    blacklist=$(eval "${command}")
    block_ips ${blacklist}
}

# Block IPs that sent more than ${retry} of the last ${tailnum} requests
function check_all() {
    tailnum=$1
    retry=$2

    command="tail -n ${tailnum} ${logfile} | awk '{print \$1}' | sort | uniq -c | awk '(\$1 > ${retry}) {print \$2}'"
    blacklist=$(eval "${command}")
    block_ips ${blacklist}
}

check_root
for logfile in "${logfiles[@]}"
do
    check_post wp-login.php 10000 100
    check_post wp-comments-post.php 10000 100
    check_all 10000 1000
done
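
The counting rule the script applies, as an added example that is not part of the original script: it reads a constructed sample log, accepts only well-formed IPv4 addresses from the first field, skips whitelisted ones, and prints the iptables rule instead of running it. The function names, the sample log and the lowered threshold of 4 are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not from the original article. Dry run: it only prints rules.

# Constructed sample access log (documentation-range addresses).
sample_log() {
    awk 'BEGIN {
        for (i = 0; i < 6; i++) print "203.0.113.7 - - [t] \"POST /wp-login.php HTTP/1.1\" 200 512"
        for (i = 0; i < 5; i++) print "198.51.100.9 - - [t] \"GET / HTTP/1.1\" 200 1024"
        for (i = 0; i < 7; i++) print "unknown - - [t] \"GET / HTTP/1.1\" 200 1024"
        print "192.0.2.10 - - [t] \"GET /about HTTP/1.1\" 200 2048"
    }'
}

# heavy_hitters TAILNUM RETRY [PAGE]: read a log on stdin and print every valid
# IPv4 client seen more than RETRY times in the last TAILNUM lines. With PAGE,
# only POST requests naming PAGE are counted (the check_post case).
heavy_hitters() {
    if [ -n "${3:-}" ]; then
        grep -w POST | tail -n "$1" | grep -wF -- "$3"
    else
        tail -n "$1"
    fi | awk -v retry="$2" '
        # Dotted quad with every octet in 0..255; anything else is ignored so
        # that only an address can reach the iptables command line.
        function valid(ip,    n, o, k) {
            n = split(ip, o, ".")
            if (n != 4) return 0
            for (k = 1; k <= 4; k++)
                if (o[k] !~ /^[0-9]+$/ || o[k] + 0 > 255) return 0
            return 1
        }
        valid($1) { count[$1]++ }
        END { for (ip in count) if (count[ip] > retry) print ip }
    ' | sort
}

# block_rules WHITELIST: read IPs on stdin, print one DROP rule per IP that is
# not in the space-separated WHITELIST.
block_rules() {
    wl=$1
    while read -r ip; do
        # -F literal match (dots are not wildcards), -x whole-line match.
        if printf '%s\n' $wl | grep -Fxq -- "$ip"; then continue; fi
        echo "/sbin/iptables -I INPUT -s ${ip}/32 -p tcp -m tcp --dport 80 -j DROP"
    done
}

sample_log | heavy_hitters 10000 4 | block_rules "127.0.0.1 198.51.100.9"
```

The "unknown" entries exceed the threshold but are dropped by the address check, and 198.51.100.9 exceeds it but is spared by the whitelist, so only one rule is printed.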

Give the file execute permission:

chmod +x block_ips.sh
Add a scheduled task that runs every 5 minutes:

vi /etc/crontab
Add the following content:

*/5 * * * * root /home/rainbow/sbin/block_attack_ips.sh
* * * */etc/init.d/iptables restart
That's it.

Additional notes:

crond is the daemon Linux uses to run programs on a schedule. It is started by default once the operating system is installed. crond periodically checks whether there is any work to be done and, if there is, carries it out automatically.

1. Linux task scheduling is mainly divided into the following two categories:

* Work performed by the system: periodic work the system itself has to do, such as backing up system data and cleaning up caches.

* Work performed by a user: work a user wants done on a regular basis, such as checking the mail server for new mail every 10 minutes. Each user can set this up for themselves.

2. crontab command options:

-u specifies a user,

-l lists a user's scheduled tasks,

-r deletes a user's tasks,

-e edits a user's tasks

3. cron file syntax:

minute hour day month weekday command

0-59 0-23 1-31 1-12 0-6 command (value ranges; 0 means Sunday; each line corresponds to one task)

4. Remember the meaning of several special symbols:

"*" represents any number in the range of values,

"/" stands for "every",

"-" represents a range from one number to another,

"," separates several discrete numbers

I. Writing the task scheduling file

You can edit it with the crontab -e command, which edits the corresponding user's cron file under /var/spool/cron, or you can modify the /etc/crontab file directly.

The specific format is as follows:

Minute Hour Day Month DayOfWeek Command

Each field has the following meaning:

Minute: the minute of each hour at which to perform the task

Hour: the hour of each day at which to perform the task

Day: the day of each month on which to perform the task

Month: the month of each year in which to perform the task

DayOfWeek: the day of each week on which to perform the task

Command: the program to be executed

Of these fields, only Command must be specified every time; the other fields are optional and can be set as needed. For fields that are not specified, use "*" to fill their position.

Examples are as follows:

5 * * * * ls // run the ls command at minute 5 of every hour

30 5 * * * ls // run the ls command at 5:30 every day

30 7 8 * * ls // run the ls command at 7:30 on the 8th of every month

30 5 8 6 * ls // run the ls command at 5:30 on June 8 every year

30 6 * * 0 ls // run the ls command at 6:30 every Sunday [Note: 0 means Sunday, 1 means Monday, and so on; English names can also be used, sun for Sunday, mon for Monday, etc.]

30 3 10,20 * * ls // run the ls command at 3:30 on the 10th and 20th of every month [Note: "," is used to join several non-consecutive periods]

25 8-11 * * * ls // run the ls command at minute 25 of each hour from 8 to 11 every day [Note: "-" is used to join consecutive periods]

*/15 * * * * ls // run the ls command every 15 minutes

30 6 */10 * * ls // run the ls command at 6:30 every 10 days of every month [that is, at 6:30 on the 1st, 11th, 21st and 31st of every month]

Run every executable file in the /etc/cron.daily directory as root at 7:50 every day:

50 7 * * * root run-parts /etc/cron.daily // [Note: the run-parts parameter means that all executables in the directory that follows are executed.]

II. Adding a new scheduled task

There are two ways to add a new scheduled task:

1. At the command line, type crontab -e, add the corresponding task, then save and exit with wq.

2. Edit the /etc/crontab file directly, that is, vi /etc/crontab, and add the corresponding task.

III. Viewing scheduled tasks

crontab -l // list all current scheduled tasks

crontab -l -u jp // list all scheduled tasks for user jp

IV. Deleting scheduled tasks

crontab -r // delete all scheduled tasks

V. Redirecting the output of scheduled tasks

Example 1: Run the ls command at 5:30 every day and write the result to the /jp/test file

30 5 * * * ls >/jp/test 2>&1

Note: 2>&1 means that both the execution results and the error messages are written.

Configuring cron by editing the /etc/crontab file

The cron service reads not only all the files in /var/spool/cron every minute but also /etc/crontab, so we can also have cron do work by configuring this file. A crontab configuration is for a particular user, while editing /etc/crontab is for system tasks. The format of this file is:

SHELL=/bin/bash

PATH=/sbin:/bin:/usr/sbin:/usr/bin

MAILTO=root // if there is an error, or if there is any output, it is sent to this account by mail

HOME=/ // the directory the jobs run in; here it is the root directory

# run-parts

01 * * * * root run-parts /etc/cron.hourly // run the scripts in /etc/cron.hourly every hour

02 4 * * * root run-parts /etc/cron.daily // run the scripts in /etc/cron.daily every day

22 4 * * 0 root run-parts /etc/cron.weekly // run the scripts in /etc/cron.weekly every week

42 4 1 * * root run-parts /etc/cron.monthly // run the scripts in /etc/cron.monthly every month

Note the "run-parts" parameter: if you remove it, what follows must be the name of a script to run, not the name of a directory.

For example:

1. At the command line, type crontab -e, add the corresponding task, then save and exit with wq.

2. Edit the /etc/crontab file directly, that is, vi /etc/crontab, and add the corresponding task.

1.11 2 * RM-RF/MNT/FB
