Zombie host or proxy, once identified as a CC flood, block it!

Source: Internet
Uploader: User


The lessons of the past few days, condensed into code. The idea: over a two-minute window of the nginx access log, find the URLs requested far more often than normal (the CC, or HTTP-flood, targets), then find the client IPs that hit those URLs far more often than a real visitor would, and add those IPs to iptables with a DROP rule.

Python version, which I wrote.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 script: it relies on the old `commands` module and print statements.
import os, sys, time
import commands, logging, pipes

# The manual commands this script automates:
# time format in the nginx log:  17/Oct/2014:10:00:00
# time format from time.ctime(): Sat Oct 18 12:35:43 2014
# Top 10 requested paths in a two-minute window (alert threshold 500):
# awk '$4>"[17/Oct/2014:14:00:00"&&$4<"[17/Oct/2014:14:02:00"' xxx.log|awk '{a[$7]++}END{for(i in a)print a[i],i}'|sort -n|tail -n 10|column -t
# Top 10 client IPs requesting one of those paths (alert threshold 100):
# awk '$4>"[17/Oct/2014:14:00:00"&&$4<"[17/Oct/2014:14:02:00"' xxx.log|grep 'uc_server/images/noavatar_small.gif'|awk '{a[$1]++}END{for(i in a)print a[i],i}'|sort -n|tail -n 10|column -t

# Alert thresholds: requests to one URL that count as a CC flood, and
# requests from one IP to that URL that mark the IP as an attacker.
urlAlert = 500
ipAlert = 50
print 'urlAlert is:', urlAlert, ', ipAlert is:', ipAlert

# Path of the nginx access log
logPath = "xxx.log"

# Two-minute processing window ending now
endtime = time.time()
# Format the window bounds exactly like the nginx timestamp (dd/Mon/yyyy:HH:MM:SS).
# strftime zero-pads the day; splitting ctime() output gives "8/Oct" for the 8th,
# which breaks the string comparison awk does against "[08/Oct/...".
endTime = time.strftime("%d/%b/%Y:%H:%M:%S", time.localtime(endtime))
beginTime = time.strftime("%d/%b/%Y:%H:%M:%S", time.localtime(endtime - 120))

# Log this script's own actions
logging.basicConfig(level=logging.INFO,
                    format='%(asctime)s %(filename)s[line:%(lineno)d] %(levelname)s %(message)s',
                    datefmt='%a, %d %b %Y %H:%M:%S',
                    filename='XXX.log',
                    filemode='a')

# Generic command runner: returns stdout on success, exits the script on failure
def exec_Cmd(Cmd):
    try:
        (status, output) = commands.getstatusoutput(Cmd)
        if int(status) == 0:
            print Cmd + " is OK!"
            logging.info(Cmd + " ---is OK!")
            return output
        else:
            logging.info(Cmd + " can't finish...")
            print Cmd + " can't finish...."
            sys.exit(1)
    except SystemExit:
        raise
    except Exception:
        logging.info(Cmd + " is Wrong")
        print Cmd + " is Wrong!"
        sys.exit(1)

# Get the list of URLs most likely under CC attack
def CCDef_url():
    global urlAlert, logPath, beginTime, endTime
    # Wrap the shell pipeline: select the log lines from the last two minutes
    # (tail -f would be cheaper; the awk was supplied by an ops colleague, I don't
    # fully understand its syntax)
    urlCmd = "awk '$4>\"[" + beginTime + "\"&&$4<\"[" + endTime + "\"' " + logPath + \
             "|awk '{a[$7]++}END{for(i in a)print a[i],i}'|sort -n|tail -n 10|column -t"
    urlOutput = exec_Cmd(urlCmd)
    urlList = []
    # Parse the "count url" lines and keep the URLs above the alert threshold
    for line in urlOutput.split('\n'):
        urlCountList = line.split()
        if len(urlCountList) < 2:      # skip blank lines
            continue
        if int(urlCountList[0]) > urlAlert:
            urlList.append(urlCountList[1])
            #logging.info("cc's url is: %s", urlCountList[1])
    return urlList

# Get the list of IPs that requested those URLs above the IP threshold
def CCDef_ip(urlList):
    global ipAlert, logPath, beginTime, endTime
    ipList = []
    for url in urlList:
        # Same window, grep for the URL, then count by client IP ($1).
        # The URL comes from the log, i.e. from the client, so it is shell-quoted
        # and matched as a fixed string instead of being pasted into the command.
        ipCmd = "awk '$4>\"[" + beginTime + "\"&&$4<\"[" + endTime + "\"' " + logPath + \
                "|grep -F -- " + pipes.quote(url) + \
                "|awk '{a[$1]++}END{for(i in a)print a[i],i}'|sort -n|tail -n 10|column -t"
        ipOutput = exec_Cmd(ipCmd)
        # Parse the "count ip" lines and keep the IPs above the alert threshold
        for line in ipOutput.split('\n'):
            ipCountList = line.split()
            if len(ipCountList) < 2:
                continue
            if int(ipCountList[0]) > ipAlert:
                ipList.append(ipCountList[1])
                #logging.info("cc's ip is: %s", ipCountList[1])
    return ipList

# Add the most suspicious attacking IPs to the firewall
def dropIptables(ipList):
    drop_ip_list = []
    # First list the IPs already in iptables, to filter and de-duplicate.
    # -x prints exact packet counters ("12345" rather than "12K"), so the first
    # column of a rule line stays numeric.
    iptablesOutput = exec_Cmd('iptables -vnxL')
    for line in iptablesOutput.split('\n'):
        line = line.split()
        if not line or not line[0].isdigit():
            continue
        drop_ip_list.append(line[7])   # column 8 is the source address
    for ip in ipList:
        if ip in drop_ip_list:
            continue
        dropCmd = "iptables -I INPUT -s " + pipes.quote(ip) + " -j DROP"
        print dropCmd
        # Do it!!!
        exec_Cmd(dropCmd)

def main():
    urlList = CCDef_url()
    ipList = CCDef_ip(urlList)
    print ipList
    dropIptables(ipList)

if __name__ == "__main__":
    main()

Bash shell version, written by an ops colleague; it really saves a lot of lines. I need to put some serious work into shell scripting.

#!/bin/bash
# Uncomment the while loop to run continuously.
#while true
#do
        # Capture two minutes of new log lines
        tail -f XXX.log > url.txt &
        tail_pid=$!
        echo "wait 120s"
        sleep 120s
        # Stop only our own tail, not every "tail -f" running on the host
        kill "$tail_pid" > /dev/null 2>&1
        sleep 1
        # The timestamps ($4) of the first and last captured lines bound the window
        one=`head -1 url.txt | awk '{print $4}'`
        two=`tail -1 url.txt | awk '{print $4}'`
        # Top 10 paths in the window; keep those with more than 500 hits
        #awk -v one=$one -v two=$two '$4>one&&$4<two' url.txt|awk '{a[$7]++}END{for(i in a)print a[i],i}'|sort -n|tail -n 10|column -t
        url_max=`awk -v one=$one -v two=$two '$4>one&&$4<two' url.txt|awk '{a[$7]++}END{for(i in a)print a[i],i}'|sort -n|tail -n 10|column -t | awk '{if ($1 > 500) print $2}' | xargs`
        echo $url_max >> url.log
        for i in $url_max
        do
            # For each flooded path, top 10 client IPs; keep those with more than 100 hits.
            # -F matches the path as a fixed string so URL characters are not read as a regex.
            ipaddress=`awk -v one=$one -v two=$two '$4>one&&$4<two' url.txt|grep -F -- "$i"|awk '{a[$1]++}END{for(i in a)print a[i],i}'|sort -n|tail -n 10|column -t | awk '{if ($1 > 100) print $2}'|xargs`
            for ip in $ipaddress
            do
                # -w: whole-word match, so 10.0.0.1 does not match an existing 10.0.0.10 rule
                if ! iptables -L -n | grep -qw -- "$ip"
                then
                    echo $ip >> url.log
                    iptables -I INPUT -s $ip -j DROP
                fi
            done
        done
#done
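Both scripts above do the same two-pass check by shelling out to awk, grep and iptables with values taken from the log. The example below is added here and is not code from the post or from the ops colleague's script: it is a Python 3 rewrite of that procedure that parses the nginx combined log itself (the fields awk saw as $1, $4 and $7), filters on a real timestamp window rather than a string comparison, and hands iptables an argument list so that nothing read from the log is ever interpreted by a shell. It also parses existing DROP rules so an IP is not inserted twice. The access log, the iptables output, the IP addresses and the thresholds (scaled down from the post's 500 and 50 so a few dozen lines suffice) are all constructed for the example.

```python
import re
import subprocess
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of an nginx "combined" access log (not from the original post).
# 198.51.100.7 hammers one path inside the window; 203.0.113.x is ordinary traffic;
# the last 30 lines are the same attacker ten minutes earlier, outside the window.
HOT = "/uc_server/images/noavatar_small.gif"
SAMPLE_LOG = "\n".join(
    ['198.51.100.7 - - [17/Oct/2014:14:00:%02d +0800] "GET %s HTTP/1.1" 200 1024 "-" "curl/7.3"' % (i, HOT) for i in range(60)]
    + ['203.0.113.5 - - [17/Oct/2014:14:00:%02d +0800] "GET %s HTTP/1.1" 200 1024 "-" "Mozilla"' % (i, HOT) for i in range(5)]
    + ['203.0.113.9 - - [17/Oct/2014:14:01:%02d +0800] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla"' % i for i in range(3)]
    + ['198.51.100.7 - - [17/Oct/2014:13:50:00 +0800] "GET %s HTTP/1.1" 200 1024 "-" "curl/7.3"' % HOT] * 30
) + "\n"

# Constructed `iptables -vnxL INPUT` output with one pre-existing DROP rule.
SAMPLE_IPTABLES = """Chain INPUT (policy ACCEPT 1234 packets, 567890 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120       9600 DROP       all  --  *      *       192.0.2.44           0.0.0.0/0
"""

# remote_addr, [time_local], "METHOD path PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

TZ = timezone(timedelta(hours=8))
WINDOW_START = datetime(2014, 10, 17, 14, 0, 0, tzinfo=TZ)
WINDOW_END = WINDOW_START + timedelta(seconds=120)


def parse_line(line):
    """Return (ip, timestamp, path), or None for a line that is not a well-formed request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")


def find_cc_candidates(log_text, window_start, window_end, url_alert, ip_alert):
    """The post's two awk passes in one read of the log: paths requested more than
    url_alert times in [window_start, window_end), and for each such path the client
    IPs that requested it more than ip_alert times.  Returns {path: [ip, ...]}."""
    url_hits = Counter()
    ip_hits = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue            # garbage or truncated line: skip it, never pass it on
        ip, ts, path = parsed
        if not (window_start <= ts < window_end):
            continue
        url_hits[path] += 1
        ip_hits[path][ip] += 1
    result = {}
    for path, n in url_hits.items():
        if n <= url_alert:
            continue
        offenders = sorted(ip for ip, c in ip_hits[path].items() if c > ip_alert)
        if offenders:
            result[path] = offenders
    return result


def currently_dropped(iptables_output):
    """Source addresses of existing DROP rules in `iptables -vnxL` output (-x keeps the
    packet counter numeric, so the first column identifies rule lines)."""
    dropped = set()
    for line in iptables_output.splitlines():
        cols = line.split()
        if len(cols) >= 8 and cols[0].isdigit() and cols[2] == "DROP":
            dropped.add(cols[7])
    return dropped


def block_commands(ips, already_blocked):
    """argv lists for iptables: no shell is involved, so a value read from the log can
    never be interpreted as shell syntax; IPs that are already blocked are skipped."""
    return [["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]
            for ip in ips if ip not in already_blocked]


def apply_blocks(candidates, iptables_output, run=False):
    """Flatten the candidate IPs, drop duplicates, and return (or, with run=True,
    execute) the iptables commands."""
    ips = sorted({ip for ip_list in candidates.values() for ip in ip_list})
    cmds = block_commands(ips, currently_dropped(iptables_output))
    if run:
        for argv in cmds:
            subprocess.run(argv, check=True)
    return cmds


if __name__ == "__main__":
    found = find_cc_candidates(SAMPLE_LOG, WINDOW_START, WINDOW_END, url_alert=50, ip_alert=40)
    print(found)
    for argv in apply_blocks(found, SAMPLE_IPTABLES):
        print(" ".join(argv))   # dry run; pass run=True to insert the rules for real
```

On the sample data the only path over the URL threshold is the avatar image, and the only client over the IP threshold for it is 198.51.100.7, so one DROP command is produced; 192.0.2.44 is left alone because a DROP rule for it already exists. The 13:50 lines are ignored by the window check even though they come from the same attacker, which is the behaviour the awk `$4>one&&$4<two` filter is meant to give.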
