具體的指令碼內容如下:
代碼如下 |
複製代碼 |
$ vim /home/rainbow/sbin/block_attack_ips.sh #!/bin/bash logfile=/webserver/blog/logs/rainbow_access.log function check_root(){ if [ $EUID -ne 0 ]; then echo "This script must be run as root" exit 1 fi } function block_ips(){ blacklist=$@ if [ ! -z "${blacklist}" ]; then for ip in ${blacklist} do if ! $(/sbin/iptables-save | grep -wq ${ip}); then echo /sbin/iptables -I INPUT -s ${ip}/32 -p tcp -m tcp --dport 80 -j DROP /sbin/iptables -I INPUT -s ${ip}/32 -p tcp -m tcp --dport 80 -j DROP fi done fi } function check_login(){ tailnum=10000 page=wp-login.php retry=5 command="grep -w POST ${logfile} |tail -n ${tailnum} |grep -w ${page} |awk '{print $1}' |sort |uniq -c |awk '($1 > ${retry}){print $2}'" blacklist=$(eval ${command}) block_ips ${blacklist} } function check_others(){ tailnum=10000 retry=400 command="tail -n ${tailnum} ${logfile} |awk '{print $1}' |sort |uniq -c |awk '($1 > ${retry}){print $2}'" blacklist=$(eval ${command}) block_ips ${blacklist} } check_root check_login check_others $ chmod +x /home/rainbow/sbin/block_attack_ips.sh |
配置crontab計劃任務,每5分鐘檢查一次,並每天定時重啟iptables服務清除舊的記錄:
$ sudo crontab -e
代碼如下 |
複製代碼 |
*/5 * * * * /home/rainbow/sbin/block_attack_ips.sh 00 01 * * * /etc/init.d/iptables restart |