Linux monitors external IP connections at a certain time point, and linux monitors

Linux monitors external IP connections at a certain time point, and linux monitors

I believe everyone is familiar with the netstat command. This command is mainly used here.The DDoS Deflate tool uses the number of IP addresses to measure the number of external connections. Then, it uses Iptables to add an IP address to the blacklist and disable an IP address.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

The commands used have obvious shortcomings. For example, if the local connection 127.0.0.1 is not determined or any address is identified as 0.0.0.0 or null, the first two headers output by netstat are not removed, and output in descending order

My own version:

Netstat-ant | sed '1, 2 d' | awk '{print $5}' | sort | cut-d:-f1 | awk '{if ($1! = "0.0.0.0" & $1! = "" & $1! = "127.0.0.1") {print $1} '| uniq-c | sort-nr

Output:

2 173.194.72.95
1 98.254.64.168
1 91.189.89.144
1 91.122.59.53
1 82.208.89.58
1 81.7.14.114
1 70.112.226.65
1 180.76.22.33
1 143.215.130.46
1 126.107.72.9
1 117.79.93.218
Sets a threshold value. If the total number of IP1 connections to an external connection exceeds this value at a certain time point, the IP address (IP1, starttime) is added to the blacklist, then iptables-t filter-a input-s IP1 DROP.

Copyright Disclaimer: This article is an original article by the blogger and cannot be reproduced without the permission of the blogger.