I believe everyone is familiar with the netstat command, the main use of this command, the online spread of the DDoS deflate tool is to use the number of IP to count external connections, and then combined with Iptables method to implement an IP blacklist and unblock an IP
Netstat-ntu | awk ' {print $} ' | Cut-d:-f1 | Sort | uniq-c | Sort-n
one of the commands used, there are obvious deficiencies, such as not determining whether the local connection 127.0.0.1 or any address identifies 0.0.0.0 or empty case, also did not remove the netstat output of the first two lines of text header, and should be output in descending order
My own version:
Netstat-ant |sed ' d ' | awk ' {print $} ' | Sort | cut-d:-f1 |awk ' {if ($1!= "0.0.0.0" && $1!= "" && $1!= "127.0.0.1") {print $}} ' | Uniq-c |SORT-NR
the output is :
2 173.194.72.95
1 98.254.64.168
1 91.189.89.144
1 91.122.59.53
1 82.208.89.58
1 81.7.14.114
1 70.112.226.65
1 180.76.22.33
1 143.215.130.46
1 126.107.72.9
1 117.79.93.218
Set a threshold value if, at some point, the total number of IP1 for an external connection exceeds this value, the Ip1,starttime is added to the blacklist and then Iptables-t filter-a input-s IP1 DROP.
Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.
Linux monitors external IP connectivity at some point