解決DDOS攻擊生產案例

根據web日誌或者或者網絡鏈接數,監控當某個IP併發鏈接數或者短時內PV達到100,即調用防火牆命令封掉對應的IP.nginx

固然各個公司的IP併發數各有不一樣,上面只是舉例說明。web

由於個人Nginx的WEB日誌天天進行切割處理,否則全部web日誌都堆在一塊兒,查看麻煩。shell

系統狀態bash

1 [root@nginx shell]# cat /etc/redhat-release 
2 CentOS release 6.7 (Final)
3 [root@nginx shell]# uname -r
4 2.6.32-573.el6.x86_64
5 [root@nginx shell]# /application/nginx/sbin/nginx -v
6 nginx version: nginx/1.10.3

一、web日誌切割腳本服務器

腳本以下,各位網友能夠根據本身的需求進行更改。網絡

此腳本能夠放在定時任務中執行,按照天數進行切割。併發

#!/bin/bash

#-------------CopyRight-------------  
#   Name:Cut Ningx logs
#   Version Number:1.1  
#   Type:sh  
#   Language:bash shell  
#   Date:2018-05-16  
#   Author:xubing
#   QQ:442656067
#   Email:eeexu123@163.com  
#   Blog:https://www.cnblogs.com/eeexu123/


#Nginx日誌輪詢切割備份
IP=$(ifconfig eth0 | awk -F "[ :]+" 'NR==2 {print $4}')

#cut every day nginx log
cut(){
  [ -d "/application/nginx/logs" ]||{
     echo "Nginx logs is not exist."
     exit 1 
  }

  cd /application/nginx/logs
  /bin/mv www_access.log www_access_$(date +%F).log
  /application/nginx/sbin/nginx -s reload
}

#tar nginx log file to /backup
backup(){
  [ -d "/backup/$IP" ]||{
     mkdir -p /backup/$IP
  }

  tar -zcf /backup/$IP/www_access_$(date +%F).log.tar.gz www_access_$(date +%F).log

  #rysnc /backup file to backup server
  rsync -avz /backup/$IP rsync_backup@172.16.1.41::backup/ --password-file=/etc/rsync.password  //推送到備份服務器上
}

#del before 7 day nginx log
del(){
  find /application/nginx/logs -type f -name "*$(date +%F).log" -mtime +7 | xargs rm -f
  find /backup/$IP -type f -name "*.tar.gz" -mtime +7 | xargs rm -f
}

main(){
  cut
  sleep 2
  backup
  sleep 2
  del
}
main

二、DOS攻擊防禦腳本app

根據上述web日誌進行PV統計。此腳本能夠放入定時任務中。也能夠在main函數中進行while循環
函數

 

#!/bin/bash

#-------------CopyRight-------------  
#   Name:defined DoS
#   Version Number:1.1 
#   Type:sh  
#   Language:bash shell  
#   Date:2018-05-16 
#   Author:xubing
#   QQ:442656067
#   Email:eeexu123@163.com  
#   Blog:https://www.cnblogs.com/eeexu123/

ch_web_log(){
  awk '{print $1}' /application/nginx/logs/www_access_$(date +%F).log|sort|uniq -c|sort -rn -k1>/tmp/ip.log  //將統計的IP訪問次數放到ip.log文件中

  while read line
  do
    PV=`echo $line|awk '{print $1}'`    //IP訪問次數
    IP=`echo $line|awk '{print $2}'`
    if [ $PV -ge 100 -a `iptables -nL|grep "$IP"|wc -l` -lt 1 ];then   //將PV大於100的IP,而且防火牆上並無封堵此IP。否則防火牆會重複封堵IP
       iptables -I INPUT -s $IP -j DROP     //防火牆封堵
       echo "$IP" >>/tmp/`date +%F`_ip.log  //將封堵的IP放到此文件中
       echo "The DROP ip is $IP"
    fi
  done</tmp/ip.log
}

#刪除被防火牆封堵的IP del(){ exec
</tmp/$(date +%F -d '1day ago')_ip.log while read line do iptables -D INPUT -s $line -j DROP done } main(){ ch_web_log sleep 2 del } main
相關文章
相關標籤/搜索