The first script finds IP addresses that appear with high frequency in the access log and blocks them with iptables.
#!/bin/bash
# current time and the time one minute ago, both as HHMMSS
cur=$(date +%H%M%S)
becur=$(date -d "1 minute ago" +%H%M%S)
# from the last 10000 log lines: drop requests for static files, keep lines whose
# timestamp (fields 5-7 when splitting on space and colon) falls inside the window,
# count requests per client IP and keep the IPs with 20 or more
badip=$(tail -n 10000 /home/www.centos.bz/log/access.log | egrep -v "\.(gif|jpg|jpeg|png|css|js)" | awk -v a="$becur" -v b="$cur" -F '[ :]' '{t=$5$6$7; if (t>=a && t<=b) print $1}' | sort | uniq -c | awk '{if ($1>=20) print $2}')
if [ ! -z "$badip" ]; then
    for ip in $badip; do
        # only insert a rule if this IP is not already in the ruleset
        if test -z "$(/sbin/iptables -nL | grep -Fw -- "$ip")"; then
            /sbin/iptables -I INPUT -s "$ip" -j DROP
        fi
    done
fi
Save the code as ban.sh and add a cron job that runs it once a minute.
This script uses iptables to block every IP address that requests 20 or more pages within the last minute; requests for static files such as images, CSS and JS are excluded from the count. Two caveats: the window is compared as HHMMSS values, so the minute that spans midnight is not handled, and the DROP rules are only ever added, never removed, so a legitimate client that trips the threshold stays blocked until someone clears the rule by hand.
The second script blocks IP addresses whose requests carry a CC attack (HTTP flood) signature in the log.
#!/bin/bash
# the string that identifies the attack traffic in the log
keyword="cc-atack"
# from the last 5000 log lines: keep lines containing the keyword, count requests
# per client IP, sort by count (highest first) and keep only the IPs
badip=$(tail -n 5000 /home/www.centos.bz/log/access.log | grep "$keyword" | awk '{print $1}' | sort | uniq -c | sort -nr | awk '{print $2}')
if [ ! -z "$badip" ]; then
    for ip in $badip; do
        # only insert a rule if this IP is not already in the ruleset
        if test -z "$(/sbin/iptables -nL | grep -Fw -- "$ip")"; then
            /sbin/iptables -I INPUT -s "$ip" -j DROP
        fi
    done
fi
keyword is the string that marks the attack traffic in the log; replace "cc-atack" with the signature the real attack leaves in the access log (for example a distinctive User-Agent or request URL).
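The following is an added example, not code from the page above: it reimplements the detection logic of both scripts (the per-minute request count with static files excluded, and the keyword match) as shell functions that read the log from stdin, so the logic can be exercised without root against a constructed log sample embedded in the script. It assumes the Apache/Nginx "combined" log format, matches the static-file extensions against the request path only (not the referer or User-Agent), handles a one-minute window that wraps past midnight, and uses `iptables -C` to test for an existing rule instead of grepping `iptables -nL`, which would match 10.0.0.5 against 10.0.0.50. The sample log lines, the IP addresses in them and the `IPTABLES` override are all constructed for the example.

```shell
#!/bin/bash
# Added example (not the page's own code): detection logic of the two scripts
# above as functions. Assumes the Apache/Nginx "combined" access log format.

# Constructed sample, not taken from any real server:
#   10.0.0.5 sends three dynamic requests plus one image inside 12:34,
#   10.0.0.6 fetches mostly static files, 10.0.0.7 carries the "cc-atack"
#   marker in its User-Agent, 10.0.0.8 sends a burst that crosses midnight.
SAMPLE_LOG=$(cat <<'EOF'
10.0.0.5 - - [10/Oct/2023:12:34:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:12:34:02 +0000] "GET /index.php?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:12:34:03 +0000] "POST /login.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:12:34:04 +0000] "GET /logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Oct/2023:12:34:05 +0000] "GET /a.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Oct/2023:12:34:05 +0000] "GET /b.js HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Oct/2023:12:34:06 +0000] "GET /c.jpg HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.6 - - [10/Oct/2023:12:34:07 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:12:30:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "cc-atack"
10.0.0.7 - - [10/Oct/2023:12:34:08 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 cc-atack"
10.0.0.8 - - [10/Oct/2023:23:59:58 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.8 - - [11/Oct/2023:00:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.8 - - [11/Oct/2023:00:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
)

# flooding_ips FROM TO N: read log lines on stdin and print every client IP
# with at least N non-static requests whose HHMMSS timestamp lies in [FROM, TO].
# FROM > TO means the window wraps past midnight, the case the plain
# "t >= a && t <= b" test in the first script gets wrong.
flooding_ips() {
    from=$1; to=$2; threshold=$3
    awk -v a="$from" -v b="$to" -v n="$threshold" '
        {
            # $4 is "[dd/Mon/yyyy:HH:MM:SS"; rebuild HHMMSS for comparison
            split($4, d, ":"); t = d[2] d[3] d[4]
            inwin = (a <= b) ? (t >= a && t <= b) : (t >= a || t <= b)
            if (!inwin) next
            # $7 is the request path; drop the query string, then skip static
            # assets by extension (on the path only, not referer or User-Agent)
            path = $7; sub(/\?.*/, "", path)
            if (path ~ /\.(gif|jpg|jpeg|png|css|js)$/) next
            count[$1]++
        }
        END { for (ip in count) if (count[ip] >= n) print ip }' | sort
}

# keyword_ips KEYWORD: every client IP whose log line contains KEYWORD,
# matched as a fixed string so regex metacharacters in a signature are harmless.
keyword_ips() {
    grep -F -- "$1" | awk '{ print $1 }' | sort -u
}

# ban_ip IP: insert a DROP rule unless an identical rule already exists.
# IPTABLES can be overridden with a stub command for a dry run (assumption:
# the real binary lives at /sbin/iptables, as on the page).
IPTABLES=${IPTABLES:-/sbin/iptables}
ban_ip() {
    if ! "$IPTABLES" -C INPUT -s "$1" -j DROP 2>/dev/null; then
        "$IPTABLES" -I INPUT -s "$1" -j DROP
    fi
}

# Real use, as root from cron once a minute:  ban.sh /path/to/access.log
if [ $# -eq 1 ] && [ -f "$1" ]; then
    now=$(date +%H%M%S)
    ago=$(date -d '1 minute ago' +%H%M%S)
    for ip in $(tail -n 10000 "$1" | flooding_ips "$ago" "$now" 20) \
              $(tail -n 5000 "$1" | keyword_ips "cc-atack"); do
        ban_ip "$ip"
    done
fi
```

Run with no arguments the script only defines the functions, so it can be sourced and tried against the sample with `printf '%s\n' "$SAMPLE_LOG" | flooding_ips 123400 123459 3`, which reports only 10.0.0.5; the same call with the window 235900 to 000059 reports 10.0.0.8, the client the original HHMMSS comparison would miss. The `-C` check is also the fix for the `iptables -nL | grep` test on the page, which has no anchoring and silently skips an IP whenever a longer address containing it is already blocked.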