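#!/bin/bash
# Detect abusive clients in the nginx access log and block them with iptables.
# Each run evaluates the last 30 minutes of log lines, rebuilds the block list
# from scratch and records the firewall state before/after in /root/iptables_log.
# author caozhi, completed on 2019-06-21, last update on 2019-07-08
# version:2.1
#
# Review notes (what this revision fixes versus the previous one):
#  - the "already running" test read $? of an `echo`, so any leftover PID file
#    made the script kill every ddos.sh process (itself included) and exit
#  - the awk threshold filters used ${visit_num} inside single quotes, which awk
#    cannot parse, so the threshold stage errored out and nothing was ever blocked
#  - `sed -n /start/,/end/p` printed nothing unless a line with the exact start
#    minute existed, and %G (ISO week year) is wrong around New Year; the window
#    is now selected by a fixed-string pattern per minute
#  - decompressed copies piled up in /root and /root/access.all.log matched
#    /root/access*.log, so each run re-read its own previous output; copies now
#    live in a per-run temp dir that is removed on exit
#  - `iptables -F` flushed every rule in the filter table, not just ours; blocks
#    now live in a dedicated chain and only that chain is flushed
#  - only a strict dotted-quad is accepted as a block target, so a crafted log
#    field such as "0.0.0.0/0" can never become `-s 0.0.0.0/0 -j DROP`

PIDFILE="/var/run/ddospid"   # /tmp was world-writable: any local user could plant a PID
LOG_DIR="/log"
IPT_LOG="/root/iptables_log"
IP_LIST="/root/ip.list"
IP_FILE="/root/ip.ip"
ALL_LOG="/root/access.all.log"
BLOCK_CHAIN="DDOS_BLOCK"     # our own chain; INPUT gets exactly one jump into it
IPT="/sbin/iptables"
# Abusive-client thresholds
visit_num=1000               # requests in the window above which a client is blocked
sum_bw_out_buf=8000000       # accumulated buffered output (kbit) above which a client is blocked

workdir=""
cleanup() {
  # Runs on every exit path (EXIT trap): drop the scratch dir and our PID file.
  [[ -n "$workdir" ]] && rm -rf -- "$workdir"
  rm -f -- "$PIDFILE"
}
# KILL cannot be trapped and was silently ignored before; the signals below
# just exit so that the EXIT trap does the cleanup.
trap 'exit 1' HUP INT QUIT TSTP TERM

# Single-instance guard. If the recorded PID is still alive the previous run is
# hung: terminate that one instance only and let the next cron run start clean.
# NOTE(review): a recycled PID would be mistaken for a live instance; acceptable
# for a cron job, but a `flock -n` on the PID file would be the stricter check.
if [[ -f "$PIDFILE" ]]; then
  old_pid=$(cat -- "$PIDFILE")
  if [[ "$old_pid" =~ ^[0-9]+$ ]] && kill -0 "$old_pid" 2>/dev/null; then
    printf 'shell is running (pid %s), killing the stale instance\n' "$old_pid" >&2
    kill "$old_pid"
    rm -f -- "$PIDFILE"
    exit 1
  fi
  rm -f -- "$PIDFILE"   # stale file from a crashed run: take over
fi
echo $$ > "$PIDFILE"
trap cleanup EXIT

sleep 10   # give nginx time to finish rotating/compressing the hourly log

host_name=$(/bin/hostname)
log_time=$(date +%Y%m%d%H)
prev_log_time=$(date -d "30 minute ago" +%Y%m%d%H)   # the window may straddle an hour boundary

workdir=$(mktemp -d /root/ddos.XXXXXX) || { echo "mktemp failed" >&2; exit 1; }

# As in the previous revision: remove uncompressed rotated copies in the log
# dir. The live log is access.log, which does not match this glob.
rm -f -- "$LOG_DIR"/access.*.log

# Pull this hour's and (if different) the previous hour's rotated logs into the
# scratch dir and decompress them there, never in /root itself.
for hour in "$log_time" "$prev_log_time"; do
  for gz in "$LOG_DIR/access.${host_name}.${hour}"*.log.gz; do
    [[ -e "$gz" ]] && cp -f -- "$gz" "$workdir/"
  done
done
for gz in "$workdir"/*.log.gz; do
  [[ -e "$gz" ]] && gzip -d -- "$gz"
done

# One fixed-string timestamp prefix per minute of the window (nginx format
# dd/Mon/YYYY:HH:MM). grep -F -f selects every line in the window regardless of
# whether each individual minute has traffic.
patterns="$workdir/window.pat"
for ((m = 30; m >= 0; m--)); do
  date -d "$m minute ago" +"%d/%b/%Y:%H:%M"
done > "$patterns"
grep -h -F -f "$patterns" "$workdir"/access*.log "$LOG_DIR/access.log" > "$ALL_LOG" 2>/dev/null

# Candidate list. Field positions ($14 client, $17/$18/$21/$22/$23 request
# attributes, $31 buffered bytes) follow the site's custom log format and are
# kept exactly as before. Thresholds are passed with -v so awk compares numerically.
{
  echo "查看访问次数的客户端ip:"
  awk '$21~/http_access/ && $18~/Cache/ && $22~/xxx/ && $23~/EC/ && $17!~/pull/ {print $14}' "$ALL_LOG" \
    | sort | uniq -c | sort -nr | head \
    | awk -v limit="$visit_num" '$1 > limit'
  echo "查看缓冲堆积最多的客户端ip:"
  awk '$21~/pull_av_bw/ && $18~/Cache/ && $22~/xxx/ && $23~/EC/ && $17!~/pull/ {sum[$14]+=$31}END{for (i in sum){print sum[i],i}}' "$ALL_LOG" \
    | sort -nrk 1 | head \
    | awk -v limit="$sum_bw_out_buf" '$1 > limit'
} > "$IP_LIST"

# Final block list: strict IPv4 dotted quads only (this also drops the header
# lines, hostnames and empty lines), minus the local ranges excluded before.
awk '{print $2}' "$IP_LIST" \
  | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
  | grep -v -E '^10\.|^127\.0\.0\.1$' \
  | sort -u > "$IP_FILE"

{
  date +%F-%T
  echo "---------------------------"
  "$IPT" -vnL
  echo "---------------------------"
} >> "$IPT_LOG"

# Dedicated chain: -N is idempotent (fails harmlessly if it exists), the single
# INPUT -> chain jump is added only when missing (-C needs iptables >= 1.4.11),
# and only our chain is flushed, so unrelated filter rules survive each run.
"$IPT" -N "$BLOCK_CHAIN" 2>/dev/null
"$IPT" -C INPUT -j "$BLOCK_CHAIN" 2>/dev/null || "$IPT" -I INPUT 1 -j "$BLOCK_CHAIN"
"$IPT" -F "$BLOCK_CHAIN"
while IFS= read -r ip; do
  [[ -n "$ip" ]] || continue
  if "$IPT" -A "$BLOCK_CHAIN" -s "$ip" -j DROP; then
    printf '%s\n' "$ip"
  else
    printf 'failed to block %s\n' "$ip" >&2
  fi
done < "$IP_FILE"

{
  "$IPT" -vnL
  echo "############################"
} >> "$IPT_LOG"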