Enterprise Web site for a daily access to an excessive number of IP to seize

Through the analysis of the log file of the Enterprise website, the daily traffic reaches a certain number of IP to seize

Scripts can pass analysis of any log through the form of a parameter.

The IPT function is sealed and the DEL function unlocks the IP that was seized yesterday

#!/bin/bash#2017-08-12if [ $# -lt 1 ];then  echo  "USAGE:$0 ARG"   exit 1fiipt () {awk  ' {print $1} '  $1|sort|uniq -c|sort -rn -k1  > /tmp/tmp.logexec</tmp/tmp.logwhile read linedoip= ' echo  $line |awk  ' { print $2} ' if [  ' echo  $line |awk  ' {print $1} '  -gt 10 -a  ' iptables -l -n|grep  "$ip" |wc -l '  -lt 1 ];then  iptables -i  INPUT -s  $ip  -j DROP  echo  $ip  >>/tmp/ip_$ (date + $F). Logfidone}del () {  touch /tmp/ip_$ (date + $F  -d  ' -1day ') .log  exec  < /tmp/ip_$ (date + $F  -d  ' -1day '). Log  while read line  do   if [  ' iptables -l -n|grep  ' $line "|wc -l '  -ge 1 ];then   iptables -d input -s  $line  -j drop  fi  done}main () {While truedo   ipt $1  sleep 5  deldone}main $*

Can be easily implemented by joining a timed task

Test execution can be done by SH <script>.sh xx_2017_xx_xx.log and start another shell

Turn on Watch Iptables-l-N for real-time viewing, and if more than a certain number of IPs enter the firewall drop list, the script execution succeeds.

This article is from the "Wxtan" blog, make sure to keep this source http://wxtan.blog.51cto.com/13124984/1955818

Enterprise Web site for a daily access to an excessive number of IP to seize