By analysing the access log of an enterprise website, block any IP whose daily request count exceeds a threshold.
The script can analyse any log file that is passed to it as a parameter.
The ipt function blocks the offending IPs, and the del function unblocks the IPs that were blocked the previous day.
#!/bin/bash
# 2017-08-12
# Usage: script.sh ACCESS_LOG
# ipt: block every IP with more than 10 requests in the log (only once per IP).
# del: unblock the IPs that were blocked yesterday.
if [ $# -lt 1 ]; then
    echo "USAGE: $0 ARG"
    exit 1
fi

ipt() {
    # Count requests per client IP (first field of each log line), busiest first.
    awk '{print $1}' "$1" | sort | uniq -c | sort -rn -k1 > /tmp/tmp.log
    while read -r count ip; do
        # Block only above the threshold and only if the IP is not already in the rule set
        # (grep -wF: literal whole-word match, so 10.0.0.1 is not confused with 10.0.0.10).
        if [ "$count" -gt 10 ] && ! iptables -L -n | grep -qwF "$ip"; then
            iptables -I INPUT -s "$ip" -j DROP
            echo "$ip" >> "/tmp/ip_$(date +%F).log"
        fi
    done < /tmp/tmp.log
}

del() {
    # Yesterday's block list; create it if it does not exist yet.
    yesterday="/tmp/ip_$(date +%F -d '-1day').log"
    touch "$yesterday"
    while read -r ip; do
        if iptables -L -n | grep -qwF "$ip"; then
            iptables -D INPUT -s "$ip" -j DROP
        fi
    done < "$yesterday"
}

main() {
    while true; do
        ipt "$1"
        sleep 5
        del
    done
}

main "$@"
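The following is an added example, not the original post's script: a dry-run version of the same counting and matching logic that prints the iptables commands it would run instead of executing them, so the threshold and the rule-set lookup can be checked without root. The access log lines and the iptables -L -n listing are constructed sample data; the function names over_threshold, is_blocked, naive_is_blocked and plan_blocks are this example's own. It also shows why a plain grep against the rule listing is unsafe: 10.0.0.1 is a prefix of 10.0.0.10, so a naive check reports it as already blocked.

```shell
#!/bin/bash
# Added example (not the original script): dry run of the blocking logic.

# Constructed sample access log; the first field is the client IP.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.10 - - [12/Aug/2017:10:00:01 +0800] "GET / HTTP/1.1" 200 612
10.0.0.10 - - [12/Aug/2017:10:00:02 +0800] "GET /a HTTP/1.1" 200 612
10.0.0.10 - - [12/Aug/2017:10:00:03 +0800] "GET /b HTTP/1.1" 200 612
192.0.2.7 - - [12/Aug/2017:10:00:04 +0800] "GET / HTTP/1.1" 200 612
192.0.2.7 - - [12/Aug/2017:10:00:05 +0800] "GET / HTTP/1.1" 404 0
10.0.0.1 - - [12/Aug/2017:10:00:06 +0800] "GET / HTTP/1.1" 200 612
EOF

# Constructed stand-in for `iptables -L -n` output: 10.0.0.10 is already blocked.
FAKE_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.0.10            0.0.0.0/0'

# over_threshold LOGFILE N: print IPs with more than N requests, busiest first.
over_threshold() {
    awk '{print $1}' "$1" | sort | uniq -c | sort -rn -k1 |
        awk -v n="$2" '$1 > n {print $2}'
}

# naive_is_blocked IP RULES: the fragile check, a plain regex substring grep.
# Dots match any character and there is no word boundary, so 10.0.0.1
# "matches" the rule for 10.0.0.10 and would never be blocked.
naive_is_blocked() {
    printf '%s\n' "$2" | grep -q "$1"
}

# is_blocked IP RULES: exact check. -F makes the dots literal, -w requires
# the IP to be a whole word, so prefixes no longer match.
is_blocked() {
    printf '%s\n' "$2" | grep -qwF "$1"
}

# plan_blocks LOGFILE N RULES: print the iptables command for each IP that
# exceeds the threshold and is not yet in RULES (nothing is executed).
plan_blocks() {
    over_threshold "$1" "$2" | while read -r ip; do
        if ! is_blocked "$ip" "$3"; then
            echo "iptables -I INPUT -s $ip -j DROP"
        fi
    done
}

# Threshold 0 here so every IP in the small sample is a candidate.
plan_blocks "$SAMPLE_LOG" 0 "$FAKE_RULES"
```

With the sample data the plan lists 192.0.2.7 and 10.0.0.1 and skips 10.0.0.10, which is already in the rule set; swapping is_blocked for naive_is_blocked would silently drop 10.0.0.1 from the plan. In production the threshold of 10 from the script above applies and plan_blocks' echo would be replaced by the real iptables call.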
It can easily be run as a scheduled task (for example from cron).
To test it, run sh <script>.sh xx_2017_xx_xx.log, then open another shell
and run watch iptables -L -n to view the rules in real time; if more than a certain number of IPs appear in the firewall's DROP list, the script is working.
This article is from the "Wxtan" blog; please keep this source link: http://wxtan.blog.51cto.com/13124984/1955818