Based on the web access log, or on the network connection count, monitor for any single IP whose concurrent connections or page views (PV) within a short period reach 100, and then call the firewall command to block that IP.
Naturally the acceptable per-IP concurrency differs from company to company; the figure above is only an example.
My Nginx web log is rotated daily, because otherwise all the web logs would pile up in one file and be a pain to inspect.
System environment:
[root@nginx shell]# cat /etc/redhat-release
CentOS release 6.7 (Final)
[root@nginx shell]# uname -r
2.6.32-573.el6.x86_64
[root@nginx shell]# /application/nginx/sbin/nginx -v
nginx version: nginx/1.10.3
1. Web log rotation script
The script is as follows; readers can adapt it to their own needs.
It can be run from a cron job to rotate the log once a day.
#!/bin/bash
#-------------CopyRight-------------
# Name:Cut Nginx logs
# Version Number:1.1
# Type:sh
# Language:bash shell
# Date:2018-05-16
# Author:xubing
# QQ:442656067
# Email:eeexu123@163.com
# Blog:https://www.cnblogs.com/eeexu123/
# Rotate, back up and prune the Nginx access log

# Address of eth0, used to name this host's backup directory (field layout of CentOS 6 ifconfig output)
IP=$(ifconfig eth0 | awk -F "[ :]+" 'NR==2 {print $4}')
LOG_DIR=/application/nginx/logs
DATE=$(date +%F)

# cut: rename the live access log to a dated file, then make nginx open a fresh one
cut(){
    [ -d "$LOG_DIR" ] || {
        echo "Nginx logs dir $LOG_DIR does not exist."
        exit 1
    }
    cd "$LOG_DIR"
    /bin/mv www_access.log www_access_$DATE.log
    # after the rename nginx keeps writing to the old inode; reload (or "-s reopen") makes it reopen its log files
    /application/nginx/sbin/nginx -s reload
}

# backup: tar the dated log into /backup/<IP> and push that directory to the backup server
backup(){
    [ -d "/backup/$IP" ] || mkdir -p "/backup/$IP"
    cd "$LOG_DIR"
    tar -zcf /backup/$IP/www_access_$DATE.log.tar.gz www_access_$DATE.log
    # rsync /backup/<IP> to the "backup" module of the rsync daemon on 172.16.1.41
    rsync -avz /backup/$IP rsync_backup@172.16.1.41::backup/ --password-file=/etc/rsync.password
}

# del: remove dated logs and archives older than 7 days
del(){
    # match every dated log, not just today's (a file named with today's date is never 7 days old)
    find "$LOG_DIR" -type f -name "www_access_*.log" -mtime +7 | xargs rm -f
    find /backup/$IP -type f -name "*.tar.gz" -mtime +7 | xargs rm -f
}

main(){
    cut
    sleep 2
    backup
    sleep 2
    del
}
main
2. DoS attack defence script
PV is counted from the web log produced above. This script can be placed in a cron job, or main can be wrapped in a while loop so it runs continuously. Note that field 1 of the access log is the client address only when nginx receives connections directly; behind a proxy or load balancer it is the proxy's address, and blocking it would cut off all traffic.
#!/bin/bash
#-------------CopyRight-------------
# Name:defined DoS
# Version Number:1.1
# Type:sh
# Language:bash shell
# Date:2018-05-16
# Author:xubing
# QQ:442656067
# Email:eeexu123@163.com
# Blog:https://www.cnblogs.com/eeexu123/

LOG_DIR=/application/nginx/logs
STATE_DIR=/tmp        # per-day lists of blocked IPs live here; /tmp is world-writable, so on a shared host use a root-owned directory instead
THRESHOLD=100         # requests per client IP before it is dropped; tune to your own traffic
TODAY=$(date +%F)
YESTERDAY=$(date +%F -d '1 day ago')

# ch_web_log: count requests per client IP in today's log and drop the IPs at or above the threshold
ch_web_log(){
    # field 1 of the combined log format is the client address (behind a proxy it is the proxy's address)
    # the dated file is produced by the rotation script; to watch traffic arriving right now read www_access.log instead
    awk '{print $1}' $LOG_DIR/www_access_$TODAY.log | sort | uniq -c | sort -rn -k1 > $STATE_DIR/ip.log   # "<count> <ip>" per line
    while read -r PV IP        # PV = request count, IP = client address
    do
        # block only if at or above the threshold and not already in the INPUT chain;
        # grep -wF is a whole-word fixed-string match, so 10.0.0.1 is not mistaken for an existing rule on 10.0.0.10
        if [ "$PV" -ge "$THRESHOLD" ] && ! iptables -nL INPUT | grep -qwF "$IP"; then
            iptables -I INPUT -s "$IP" -j DROP               # firewall block
            echo "$IP" >> $STATE_DIR/${TODAY}_ip.log         # record it so del() can release it tomorrow
            echo "The DROP ip is $IP"
        fi
    done < $STATE_DIR/ip.log
}

# del: release the IPs that were blocked yesterday, i.e. a block lasts about one day
del(){
    [ -f $STATE_DIR/${YESTERDAY}_ip.log ] || return 0       # nothing was blocked yesterday
    while read -r line
    do
        iptables -D INPUT -s "$line" -j DROP
    done < $STATE_DIR/${YESTERDAY}_ip.log
    rm -f $STATE_DIR/${YESTERDAY}_ip.log                    # so a later run today does not try to delete the rules again
}

main(){
    ch_web_log
    sleep 2
    del
}
main
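To see the blocking decision in action without touching a firewall, here is an added example (not code from the original post) that runs the same count-and-compare logic over a constructed access-log sample. It assumes the nginx combined log format with the client address in field 1 and simulates the iptables -nL INPUT listing with a text file, so it runs as an unprivileged user. It also shows two things the post's script does not: counting only requests at or after a given timestamp (the "short time" window, which is valid because the rotation script keeps one day per file) and a whole-word match so that 203.0.113.7 is not mistaken for an existing rule on 203.0.113.70. The addresses, timestamps, threshold and function names are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not from the original post: per-IP request counting over a
# constructed nginx access-log sample, with the firewall state simulated by a
# text file so it runs without root. Addresses, timestamps, threshold and
# function names are assumptions made for this example.

# Write a constructed sample log (nginx combined format, client IP in field 1)
# and print its path. 203.0.113.7 sends 120 requests in two minutes,
# 198.51.100.9 is a normal visitor, and 203.0.113.70 has the attacker's
# address as a prefix of its own (to show the substring-match pitfall).
make_sample_log() {
  local f i
  f=$(mktemp)
  for i in $(seq 0 119); do
    printf '203.0.113.7 - - [16/May/2018:10:%02d:%02d +0800] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.29.0"\n' \
      $((i / 60)) $((i % 60)) >> "$f"
  done
  for i in 1 2 3; do
    printf '198.51.100.9 - - [16/May/2018:10:05:%02d +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"\n' "$i" >> "$f"
  done
  for i in 10 11; do
    printf '203.0.113.70 - - [16/May/2018:10:05:%02d +0800] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"\n' "$i" >> "$f"
  done
  echo "$f"
}

# Requests per client IP over the whole file, "<count> <ip>" per line,
# highest first (the post's awk | sort | uniq -c | sort -rn pipeline).
count_by_ip() {
  awk '{print $1}' "$1" | sort | uniq -c | sort -rn -k1
}

# Same count restricted to requests at or after a timestamp given in the
# log's own "dd/Mon/yyyy:HH:MM:SS" form. The string comparison is only
# valid within one day, which the daily rotation script guarantees.
count_by_ip_since() {
  awk -v since="$2" '{ ts = substr($4, 2); if (ts >= since) print $1 }' "$1" \
    | sort | uniq -c | sort -rn -k1
}

# Rule checks: $1 = IP, $2 = file holding "iptables -nL INPUT" output.
# Plain grep is a substring match: 203.0.113.7 "matches" 203.0.113.70.
is_blocked_naive() { grep -q "$1" "$2"; }
# -w (whole word) -F (fixed string) matches only the exact address.
# On the real host use: iptables -nL INPUT | grep -qwF "$ip"
# or, with iptables >= 1.4.11 (CentOS 6 ships 1.4.7): iptables -C INPUT -s "$ip" -j DROP
is_blocked() { grep -qwF "$1" "$2"; }

# Read "<count> <ip>" lines on stdin; print the IPs at or above the
# threshold ($1) that are not yet present in the rule listing ($2).
ips_to_block() {
  local threshold=$1 rules=$2 pv ip
  while read -r pv ip; do
    if [ "$pv" -ge "$threshold" ] && ! is_blocked "$ip" "$rules"; then
      echo "$ip"
    fi
  done
}

# Turn each decision into the command the post's script would run (dry run).
block_commands() {
  while read -r ip; do
    echo "iptables -I INPUT -s $ip -j DROP"
  done
}

# Stand-alone demo: bash dos_check.sh demo
demo() {
  local log rules
  log=$(make_sample_log)
  rules=$(mktemp)
  printf 'Chain INPUT (policy ACCEPT)\ntarget     prot opt source               destination\nDROP       all  --  203.0.113.70         0.0.0.0/0\n' > "$rules"
  echo "whole day, threshold 100:"
  count_by_ip "$log" | ips_to_block 100 "$rules" | block_commands
  echo "since 10:01:00, threshold 100:"
  count_by_ip_since "$log" 16/May/2018:10:01:00 | ips_to_block 100 "$rules" | block_commands
  rm -f "$log" "$rules"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Over the whole sample the attacker's 120 requests cross the threshold and only 203.0.113.7 is emitted, even though a rule for 203.0.113.70 already exists; a plain grep would have reported it as already blocked and left the attacker untouched. Restricting the count to requests from 10:01:00 onward leaves 60 requests, below 100, which is the difference between a daily total and the "short time" window the post describes.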