Depending on the web log or the number of network connections, when an IP's concurrent connection count or short-time PV reaches 100, call the firewall command to block that IP; the check runs every 3 minutes. The firewall command is: iptables -I INPUT -s 10.0.1.10 -j DROP. This script is based on iptables; a firewalld version of the script will be shared with everyone at the weekend.
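#!/bin/sh
#
# Block (and later unblock) source IPs that hold too many concurrent
# connections, by inserting/deleting iptables DROP rules.  Meant to be run
# periodically (e.g. from cron) as "<script> filter" / "<script> recover".
#
# Globals defined here:
#   ip_file            - connection dump that Ip_check analyses
#   ip_threshold       - connection count above which an IP is blocked
#   ip_filter_command  - iptables command prefix; the offending IP is appended
#   ip_recover_command - matching delete command prefix
#
# /etc/init.d/functions (RHEL-style) provides "action" for status output; it
# is optional, so its absence is tolerated.
[ -f /etc/init.d/functions ] && . /etc/init.d/functions
ip_file="/server/scripts/ddos.txt"
ip_threshold=25
# Chain and target names are case-sensitive for iptables: INPUT / DROP.
ip_filter_command="iptables -I INPUT -j DROP -s"
ip_recover_command="iptables -D INPUT -j DROP -s"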
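#######################################
# Build the per-IP connection table, most active address first.
# Globals:   ip_file (read)
# Outputs:   writes "<count> <ip>" lines to /server/scripts/ip.txt
# Returns:   status of the final sort
#######################################
Ip_check() {
  # "EST" keeps ESTABLISHED entries; field 6 of a "[|:]+" split is taken as
  # the remote address -- NOTE(review): this depends on the exact format of
  # ${ip_file} (netstat/ss-style output is assumed), confirm before relying
  # on the counts.
  grep "EST" "${ip_file}" \
    | awk -F '[|:]+' '{print $6}' \
    | sort | uniq -c | sort -rn -k1 > /server/scripts/ip.txt
}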
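#######################################
# Block every IP whose connection count exceeds the threshold and that
# has no iptables rule yet.
# Globals:   ip_threshold (read, default 25), ip_filter_command (read)
# Inputs:    /server/scripts/ip.txt, "<count> <ip>" per line (from Ip_check)
# Outputs:   appends each newly blocked IP to /server/scripts/ip_filtered.txt
#######################################
Ip_filter() {
  threshold=${ip_threshold:-25}
  # Reading the fields directly avoids an echo|awk subshell per line and
  # keeps the script's own stdin untouched (the original used "exec <").
  while read -r ip_count ip _; do
    # Skip malformed lines so nothing but a dotted-decimal address ever
    # reaches iptables and the numeric tests below cannot error out.
    case "${ip_count}" in ''|*[!0-9]*) continue ;; esac
    case "${ip}" in ''|*[!0-9.]*) continue ;; esac
    # -F -w: match the literal address as a whole word, so a rule for
    # 10.0.1.1 is not counted for 10.0.1.10; -n avoids reverse-DNS lookups.
    ip_fil=$(iptables -L -n | grep -cwF -- "${ip}")
    if [ "${ip_count}" -gt "${threshold}" ] && [ "${ip_fil}" -eq 0 ]; then
      # ip_filter_command is a multi-word command prefix: word-split on purpose.
      ${ip_filter_command} "${ip}"
      echo "${ip}" >> /server/scripts/ip_filtered.txt
      action "Filter ${ip}" /bin/true
    fi
  done < /server/scripts/ip.txt
}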
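#######################################
# Remove the DROP rule of every IP that is back at or below the threshold
# and currently has exactly one matching iptables rule.
# Globals:   ip_threshold (read, default 25), ip_recover_command (read)
# Inputs:    /server/scripts/ip.txt, "<count> <ip>" per line (from Ip_check)
# Outputs:   appends each unblocked IP to /server/scripts/ip_filtered.txt
# Note:      only addresses still present in ip.txt are examined; an IP with
#            no connections at all in the dump is never unblocked here.
#######################################
Ip_recover() {
  threshold=${ip_threshold:-25}
  while read -r ip_count ip _; do
    # Same input hygiene as Ip_filter: ignore anything that is not
    # "<digits> <dotted-decimal>".
    case "${ip_count}" in ''|*[!0-9]*) continue ;; esac
    case "${ip}" in ''|*[!0-9.]*) continue ;; esac
    # Whole-word fixed-string match, so 10.0.1.1 does not match 10.0.1.10.
    ip_fil=$(iptables -L -n | grep -cwF -- "${ip}")
    # "-eq 1" is kept from the original: one -D call removes one rule, so a
    # duplicated rule would need a second recover run.
    if [ "${ip_count}" -le "${threshold}" ] && [ "${ip_fil}" -eq 1 ]; then
      # ip_recover_command is a multi-word command prefix: word-split on purpose.
      ${ip_recover_command} "${ip}"
      echo "${ip}" >> /server/scripts/ip_filtered.txt
      action "Recover ${ip}" /bin/true
    fi
  done < /server/scripts/ip.txt
}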
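#######################################
# Entry point: "filter" blocks over-threshold IPs, "recover" unblocks the
# ones that calmed down.  Each run is stamped into the log file first.
# Arguments: $1 - filter | recover
# Outputs:   appends a timestamped "<action> by <user>" line to
#            /server/scripts/ip_filtered.txt; usage text to stderr
# Returns:   exits 1 on an unknown/missing sub-command
#######################################
Main() {
  case "$1" in
    filter)
      Ip_check
      echo "$(date +%F-%H:%M:%S) filtered by $(whoami)" >> /server/scripts/ip_filtered.txt
      Ip_filter
      ;;
    recover)
      Ip_check
      echo "$(date +%F-%H:%M:%S) recovered by $(whoami)" >> /server/scripts/ip_filtered.txt
      Ip_recover
      ;;
    *)
      echo "usage:$0 {filter|recover}" >&2
      exit 1
      ;;
  esac
}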
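# "$@" keeps each argument as its own word; "$*" would re-split on IFS.
Main "$@"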