The day before yesterday I wrote an anti-CC attack shell script, and I did not expect to need it so soon: the cache blacklist of 360 Website Guardian suddenly stopped filtering the admin backend, so I could not log in to WordPress! Although the problem can be worked around by modifying the local hosts file, I wanted to temporarily remove the CDN acceleration and protection in order to test the server's own performance optimization and security protection.
The script from the day before yesterday was added to crontab as a scheduled task that runs every 5 minutes. Testing today showed that it still works, but an interval of 5 minutes feels a bit too long and cannot provide close protection. So I slightly improved the code and am sharing it briefly here!
I. Shell code
    #!/bin/bash
    # Author: Zhangge
    # Desc: Auto Deny black_ip Script.
    # Date: 2014-11-05

    # $1 is the concurrency threshold; if left blank, a single IP is allowed at
    # most 50 concurrent connections by default (actual tests found that with 2M
    # bandwidth the server is already unreachable at a little over 10 concurrent connections!)
    if [[ -z $1 ]]; then
        num=50
    else
        num=$1
    fi

    # Placeholders: replace with your own sending and receiving addresses
    mail_from="sender_address@qq.com"
    mail_to="recipient_address@qq.com"

    # Neatly change into the script's working directory
    cd "$(cd "$(dirname "$BASH_SOURCE")" && pwd)"
    mkdir -p ./iplist

    # Main function: check requests, judge them and block offenders
    function check() {
        # Field 6 is the remote IP (IPv4 netstat lines); keep the IPs whose
        # connection count exceeds the threshold
        iplist=$(netstat -an | grep '^tcp.*:80' | grep -Ev 'LISTEN|127.0.0.1' |
            awk -F'[ ]+|[:]' '{print $6}' | sort | uniq -c | sort -rn |
            awk -v str="$num" '{if ($1 > str) {print $2}}')
        if [[ -n $iplist ]]; then
            : > ./black_ip.txt
            for black_ip in $iplist; do
                # IP-segment matching has been removed from the whitelist filter;
                # modify the code below to suit your needs (see the script written the day before yesterday)
                #exclude_ip=$(echo "$black_ip" | awk -F"." '{print $1"."$2"."$3}')
                #grep -q "$exclude_ip" ./white_ip.txt
                # -w -F: match the address as a whole literal word, so that
                # 1.2.3.4 does not also match a whitelisted 11.2.3.45
                if grep -qwF -- "$black_ip" ./white_ip.txt; then
                    echo "$black_ip (white_ip)" >> ./black_ip.txt
                else
                    echo "$black_ip" >> ./black_ip.txt
                    # Add a DROP rule only if the IP is not blocked yet
                    if ! iptables -nL | grep -qwF -- "$black_ip"; then
                        iptables -I INPUT -s "$black_ip" -j DROP
                        echo "$black_ip $(date '+%Y-%m-%d %H:%M:%S')" >> ./iplist/denylog.txt
                        echo 1 > ./sendmail    # flag file: a mail is due
                    fi
                fi
            done
            # Send a mail if a single IP exceeded the concurrency threshold
            if [[ $(cat ./sendmail 2>/dev/null) == 1 ]]; then sendmsg; fi
        fi
    }

    # Mail function
    function sendmsg() {
        # Start sendmail if it is not running yet
        netstat -nutlp | grep "sendmail" >/dev/null 2>&1 || /etc/init.d/sendmail start >/dev/null 2>&1
        echo -e "From: $mail_from\nTo: $mail_to\nSubject: Someone Attacking your system!!\nIts Ip is" > ./message
        cat ./black_ip.txt >> ./message
        /usr/sbin/sendmail -f "$mail_from" -t "$mail_to" -i < ./message
        # Reset the flag file
        : > ./sendmail
    }

    # Run the check function in an endless loop, 10s apart
    while true; do
        check
        # Check every 10s; the interval can be customized
        sleep 10
    done
II. Executing the script
After you save the above code as deny_blackip.sh, use the following command to run the script in the background (the 50 is the concurrency threshold and can be adjusted):
After execution, the following message appears:
    [root@mars_server iptables]# nohup ./deny_blackip.sh &
    [1] 23630
    [root@mars_server iptables]# nohup: ignoring input and appending output to 'nohup.out'
This means that any output the script produces will be written to the nohup.out file, and you can see that an empty nohup.out has been created in the current directory:
    [root@mars_server iptables]# ll nohup.out
    -rw------- 1 root root 0 Nov  5 21:15 nohup.out
Now run ps aux and you should be able to find the following processes:
    root     23630  0.0  0.2   5060  1224 pts/0    S    21:15   0:00 /bin/bash ./deny_blackip.sh
    root     23964  0.0  0.0   4064   508 pts/0    S    21:19   0:00 sleep 10
①, Screenshot of the server simulating the CC attack:
②, Screenshot of the server under the CC attack:
③, Alert e-mail for the blocked attacking IP:
In the test I simulated an attack with 55 concurrent connections for 20s, and the IP was blocked immediately; the effect is very obvious!
IV. Additional notes
①, The script's mail function requires sendmail; if it is not installed, run yum -y install sendmail to install it, then start it;
②, To stop the script running in the background, simply use ps aux to find the script's PID (process ID) and then run kill -9 followed by that PID;
③, Regarding the single-IP concurrency limit in the script: in my actual test, opening several pages of the blog at the same time and refreshing them continuously produced at most a little over 10 concurrent connections, so a single IP with more than 50 concurrent connections is clearly a problem! Of course, the threshold of 50 set in this article is only a recommended value, and you can adjust it to your own needs;
④, I wrote this script mainly to get around the fact that the minimum crontab interval is 1 minute, so CC protection can be made tighter, even running once every 1s! Although the script uses few resources, I still recommend running it once every 10s; there is no need to be too extreme, right?
⑤, For whitelist filtering, just save the whitelisted IPs in the white_ip.txt file in the same directory as the script. If an attacking IP is found in the whitelist, the script does not block it directly but sends you an e-mail, so you can judge for yourself why on earth a whitelisted IP is attacking you. If the whitelist needs to support IP segments, please refer to the script I wrote the day before yesterday.
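The counting and whitelist decision described above, as an added example that is not part of the original post: it reads netstat -an text on stdin, and it goes beyond the script by counting only connections to local port 80, handling IPv4-mapped tcp6 lines, and matching whitelist entries exactly or by a dotted prefix for an IP segment. The function names, the trailing-dot prefix syntax and the sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. It reads netstat -an text on
# stdin, so the decision logic can be tested without touching iptables.
# Usage: netstat -an | offenders 50 ./white_ip.txt

# offenders THRESHOLD WHITELIST_FILE
# Prints "ip count status" (status = block|white) for every remote IP holding
# more than THRESHOLD connections to local port 80, busiest first.
offenders() {
    [ -r "$2" ] || set -- "$1" /dev/null     # missing whitelist = empty whitelist
    awk -v max="$1" '
        # Whitelist file: one full IPv4 address per line, or a prefix ending
        # in a dot (e.g. "198.51.100.") to cover a whole segment.
        FILENAME == ARGV[1] {
            sub(/#.*/, ""); gsub(/[ \t\r]/, "")
            if ($0 ~ /\.$/) prefix[$0] = 1
            else if ($0 != "") exact[$0] = 1
            next
        }
        # netstat -an columns: proto recv-q send-q local foreign state
        $1 ~ /^tcp/ && $6 != "LISTEN" && $4 ~ /:80$/ {
            ip = $5
            sub(/:[0-9]+$/, "", ip)          # drop the remote port
            sub(/^::ffff:/, "", ip)          # IPv4-mapped form on tcp6 sockets
            if (ip != "127.0.0.1") count[ip]++
        }
        END {
            for (ip in count) {
                if (count[ip] <= max) continue
                status = (ip in exact) ? "white" : "block"
                for (p in prefix) if (index(ip, p) == 1) status = "white"
                print ip, count[ip], status
            }
        }
    ' "$2" - | sort -k2,2nr
}

# Constructed sample input (documentation address ranges, not real traffic).
sample_netstat() {
    printf 'tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN\n'
    for p in 1 2 3 4; do
        printf 'tcp 0 0 192.0.2.10:80 203.0.113.7:5000%s ESTABLISHED\n' "$p"
        printf 'tcp 0 0 192.0.2.10:80 198.51.100.23:4000%s TIME_WAIT\n' "$p"
        printf 'tcp 0 0 192.0.2.10:8080 192.0.2.99:3000%s ESTABLISHED\n' "$p"
    done
    printf 'tcp6 0 0 ::ffff:192.0.2.10:80 ::ffff:203.0.113.7:50009 ESTABLISHED\n'
    printf 'tcp 0 0 192.0.2.10:80 203.0.113.77:41000 ESTABLISHED\n'
}
```

With a whitelist holding 203.0.113.77 and the segment 198.51.100., the sample reports 203.0.113.7 as block even though its address is a substring of a whitelisted one, and 198.51.100.23 as white.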
I have rambled on a lot. I wrote this mainly for my own use and am sharing it as a reference for anyone who needs it. A personal VPS is rarely attacked, but basic protection still has to be in place! I hope this article is helpful to you!
Original: http://zhangge.net/4649.html