Shell script attack prevention example

Source: Internet
Author: User

I don't know which fairy I offended. I received a Nagios alarm and found that one of the websites was under a CC attack (an HTTP flood). The volume was not small: the server load was over 40. The site could still be opened, but very slowly; on a lower-spec server it would probably have gone down already. It was looking like a sleepless night.
Quickly check the nginx access log:
# tail -f access.log

 


It looked like this (the screenshot of the log lines from the original post is not included here).
First, I blocked a few of the highest-traffic IP addresses by hand:
# iptables -A INPUT -s 83.187.133.58 -j DROP
# iptables -A INPUT -s 80.171.24.172 -j DROP
......
After urgently blocking several IP addresses the load dropped and the site sped up again, but a new batch of IP addresses soon arrived, so blocking by hand was not going to work. I wrote a shell script to catch them. The attack pattern was consistent: every attacking IP's log line ends with the field HTTP/1.1" 499 0 "-" "Opera/9.02 (Windows NT 5.1; U; ru)" (status 499 is nginx's code for a client that closed the connection before a response was sent, and 0 is the number of bytes sent), so that is the field we search for.
# vim fengip.sh

#!/bin/bash
touch all
for i in $(seq 1 32400)
do
    sleep 1
    x=$(tail -500 access.log | grep 'HTTP/1.1" 499 0 "-" "Opera/9.02' | awk '{print $1}' | sort -n | uniq)
    if [ -z "$x" ]; then
        echo "kong" > /dev/null
    else
        for ip in $x
        do
            real=$(grep -l "^$ip$" all)
            if [ $? -eq 1 ]; then
                echo iptables -A INPUT -s $ip -p tcp --dport 80 -j DROP
                iptables -A INPUT -s $ip -p tcp --dport 80 -j DROP
                echo $ip >> all
            fi
        done
    fi
done
That's the script.

Let's run it. After a few minutes the output looked like this (the screenshot from the original post is not included here).

After watching it for half an hour, the server load had dropped to well below 1, and the script kept blocking CC attack IP addresses. Keep it running and you should be able to get a good night's sleep.

Next, let's walk through the script.
# vim fengip.sh
 
#!/bin/bash
touch all                      # create the "all" file; it records every IP we have already blocked
for i in $(seq 1 32400)        # loop 32400 times, one second each: about nine hours, i.e. until morning
do
    sleep 1

    # Take the last 500 lines of the access log, keep only the lines that carry the attack
    # signature 'HTTP/1.1" 499 0 "-" "Opera/9.02', extract the client IP (the first field),
    # then sort and deduplicate.
    x=$(tail -500 access.log | grep 'HTTP/1.1" 499 0 "-" "Opera/9.02' | awk '{print $1}' | sort -n | uniq)
    if [ -z "$x" ]; then
        echo "kong" > /dev/null    # $x is empty ("kong" means empty): none of the last 500 lines matched, so do nothing
    else
        for ip in $x               # otherwise walk through the matching IP addresses
        do
            # Check whether this IP is already listed in "all". Every IP we block is appended
            # to "all" below, so a hit means the firewall rule already exists.
            real=$(grep -l "^$ip$" all)
            if [ $? -eq 1 ]; then  # grep found nothing: block the IP with iptables and record it in "all"
                echo iptables -A INPUT -s $ip -p tcp --dport 80 -j DROP
                iptables -A INPUT -s $ip -p tcp --dport 80 -j DROP
                echo $ip >> all    # append with >>, not overwrite with >, or only the last IP would be remembered and rules would pile up
            fi
        done
    fi
done
The script is very simple; the experts can skip it...
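As an added example (not the script from this post), here is the same technique generalized with a per-IP hit threshold: an IP is blocked only after it has produced at least N signature hits in the log window, which keeps a single stray 499 from a real visitor from earning a firewall rule. The signature string is the one the post identifies; the threshold of 3, the seen-list path /tmp/blocked_ips.txt and the nginx log lines are constructed for this example, and the iptables command is only echoed so the script runs without root.

```shell
#!/bin/bash
# Added example, not the original post's script. Scans a window of nginx access-log
# lines, counts hits per IP among the lines that carry the attack signature, and emits
# an iptables DROP for every IP that reaches the threshold and has not been blocked
# before. Blocked IPs are tracked in a "seen" file, appended with >> so earlier
# entries survive. iptables is only echoed here; remove the `echo` to apply rules.

SIG='HTTP/1.1" 499 0 "-" "Opera/9.02'       # signature from the post
THRESHOLD=3                                 # hits in the window before blocking (assumed value)
SEEN=${SEEN:-/tmp/blocked_ips.txt}          # assumed location of the seen-list file

# Constructed sample log lines in nginx "combined" format (not real traffic).
sample_log() {
cat <<'EOF'
83.187.133.58 - - [10/Oct/2011:03:12:01 +0800] "GET / HTTP/1.1" 499 0 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
83.187.133.58 - - [10/Oct/2011:03:12:01 +0800] "GET / HTTP/1.1" 499 0 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
83.187.133.58 - - [10/Oct/2011:03:12:02 +0800] "GET / HTTP/1.1" 499 0 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
80.171.24.172 - - [10/Oct/2011:03:12:02 +0800] "GET /index.php HTTP/1.1" 499 0 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
10.0.0.5 - - [10/Oct/2011:03:12:03 +0800] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.7 - - [10/Oct/2011:03:12:04 +0800] "GET /news HTTP/1.1" 499 0 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
192.0.2.7 - - [10/Oct/2011:03:12:04 +0800] "GET /news HTTP/1.1" 499 0 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
192.0.2.7 - - [10/Oct/2011:03:12:05 +0800] "GET /news HTTP/1.1" 499 0 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
192.0.2.7 - - [10/Oct/2011:03:12:05 +0800] "GET /news HTTP/1.1" 499 0 "-" "Opera/9.02 (Windows NT 5.1; U; ru)"
EOF
}

# Print "hits ip" for every client IP whose lines match the signature, most hits first.
# Reads the log window on stdin.
count_attackers() {
    grep -F -- "$SIG" | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print the IPs at or above THRESHOLD that are not yet in SEEN, and record them there.
# Reads the log window on stdin; prints one IP per line.
new_offenders() {
    touch "$SEEN"
    count_attackers | while read -r hits ip; do
        [ "$hits" -ge "$THRESHOLD" ] || continue
        grep -qxF "$ip" "$SEEN" && continue     # already blocked in an earlier pass
        echo "$ip" >> "$SEEN"                   # append, never overwrite
        echo "$ip"
    done
}

# One pass over the window: block each new offender on port 80.
block_pass() {
    new_offenders | while read -r ip; do
        echo iptables -A INPUT -s "$ip" -p tcp --dport 80 -j DROP
    done
}

# Stand-alone run over the constructed sample instead of `tail -500 access.log`.
sample_log | block_pass
```

On the sample, 192.0.2.7 (4 hits) and 83.187.133.58 (3 hits) are blocked while 80.171.24.172 (1 hit) is not, and a second pass over the same window blocks nothing because both IPs are already in the seen file. To use it on a live server, replace sample_log with tail -500 access.log, drop the echo in front of iptables, and run it in the same kind of sleep loop as the post's script. Two caveats apply to the post's script as well: the 499 status and the Opera user agent are chosen by the attacker, so the signature has to be re-checked whenever the tool changes, and rules added with iptables -A live only in memory, so they are gone after a reboot and, once there are hundreds of them, a single rule that matches against an ipset or nftables set is cheaper than a long chain of per-IP rules.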

 

For discussion, join the QQ group: 410018348
