
Developing a script to defend against DDoS attacks

Posted: 2018-05-04 18:29:13      Reads: 161      Comments: 0      Bookmarks: 0


2018-05-04

Requirement: based on the web log (or on the number of network connections), monitor client IPs; when a single IP's concurrent connection count, or its page views within a short period, reaches 100, invoke the firewall command to block that IP. Monitoring frequency: once every 3 minutes. The firewall command is: iptables -I INPUT -s 10.0.1.10 -j DROP.


1. Prepare a test web log

access_2018-03-19.log

2. Extract the client IPs and count how often each one appears

[root@manager ~]# awk '{print $1}' access_2018-03-19.log | sort | uniq -c | sort -rn -k1
     94 172.15.12.33
     58 172.15.12.24
      5 172.16.1.7

sort options used here (from the GNU coreutils man page):
  -n, --numeric-sort        compare according to string numerical value
  -r, --reverse             reverse the result of comparisons
  -k, --key=POS1[,POS2]     start a key at POS1 (origin 1), end it at POS2


3. Write the script

[root@manager iptablestest]# vim ban_IP.sh

#!/bin/bash
##########################################################################
# File Name: ban_IP.sh
# Version: V1.0
# Author: Richard Liang
# Organization: richard
# Created Time: 2018-05-04 15:48:52
# Description: count requests per client IP in a web log, block IPs over
#              the threshold with iptables, and unblock them again later
##########################################################################

# Load action() from the init-script helpers (prints an OK/FAILED status line).
[ -f /etc/init.d/functions ] && . /etc/init.d/functions
IP_file="/root/iptablestest/access_2018-05-04.log"
result_file="/root/iptablestest/result.txt"
log_file="/root/iptablestest/ip_filtered.txt"
IP_filter_command="iptables -I INPUT -j DROP -s"
IP_recover_command="iptables -D INPUT -j DROP -s"

### IP check: hits per IP, most frequent first, written to result.txt ###
function IP_check(){
    awk '{print $1}' "$IP_file" | sort | uniq -c | sort -rn -k1 > "$result_file"
}

### Block suspicious IPs ###
function IP_filter(){
   while read -r line
   do
     IP_count=$(echo "$line" | awk '{print $1}')
     IP=$(echo "$line" | awk '{print $2}')
     # Number of existing rules that already mention this IP (whole-word, literal match).
     IP_fil=$(iptables -L -n | grep -c -w -F "${IP}")
     # Block when the count is above the threshold and no rule exists yet.
     if [ "${IP_count}" -gt 25 -a "${IP_fil}" -eq 0 ];then
        ${IP_filter_command} "${IP}"
        echo "${IP}" >> "$log_file"
        action "Filter ${IP}" /bin/true
     fi
   done < "$result_file"
}

### Unblock IPs whose count has dropped back to or below the threshold ###
function IP_recover(){
   while read -r line
   do
     IP_count=$(echo "$line" | awk '{print $1}')
     IP=$(echo "$line" | awk '{print $2}')
     IP_fil=$(iptables -L -n | grep -c -w -F "${IP}")
     # Remove the rule only when exactly one rule for this IP exists.
     if [ "${IP_count}" -le 25 -a "${IP_fil}" -eq 1 ];then
        ${IP_recover_command} "${IP}"
        echo "${IP}" >> "$log_file"
        action "Recover ${IP}" /bin/true
     fi
   done < "$result_file"
}

function main(){
    case "$1" in
      filter)
      IP_check
      echo "$(date +%F-%H:%M:%S) filtered by $(whoami)" >> "$log_file"
      IP_filter
      ;;
      recover)
      IP_check
      echo "$(date +%F-%H:%M:%S) recovered by $(whoami)" >> "$log_file"
      IP_recover
      ;;
      *)
      echo "USAGE:$0 {filter|recover}"
      exit 1
    esac
}
main "$@"

4. Test

[root@manager iptablestest]# sh ban_IP.sh filter

Open another terminal and run watch iptables -nL to observe the rules changing.


Edit the web log to reduce the number of IP entries, then test again:

sh ban_IP.sh recover

Check the log:

[root@manager iptablestest]# cat /root/iptablestest/ip_filtered.txt
2018-05-04-16:59:18 filtered by root
172.15.12.33
172.15.12.24
2018-05-04-17:00:23 recovered by root
172.15.12.33

Scheduled task

Add the script to crontab so that sh ban_IP.sh filter runs once every 3 minutes.

Unblock at 12:00 noon the next day with sh ban_IP.sh recover.
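As an added example (not the script from the original post), the following self-contained shell script reproduces the counting and threshold logic of the procedure above on a constructed sample log and, by default, only prints the iptables commands it would run, so the decision logic can be checked without touching the firewall. The THRESHOLD and APPLY variables, the function names, the temporary file name and the sample log lines are assumptions made for this demonstration; it uses the 100-hit threshold from the requirement rather than the script's 25, treats a count that reaches the threshold as a hit (as the requirement states), and emits the two crontab lines for the schedule described in the last step.

```shell
#!/bin/sh
# Added example, not the script from the original post. Counts hits per client IP
# in an access log, selects IPs at or above a threshold and prints (or, with
# APPLY=1, runs) the iptables block command from the post's requirement.
# Assumptions: the first log field is the client IP; THRESHOLD, APPLY and the
# sample log contents are made up for this demonstration.

THRESHOLD="${THRESHOLD:-100}"   # hits per window that trigger a block (post's requirement)
APPLY="${APPLY:-0}"             # 0 = dry run, print commands; 1 = execute iptables

# Write a constructed sample log to $1: 120 hits from one IP, 40 from a second,
# 1 from a third. Only the first field matters to the counting below.
make_sample_log() {
    : > "$1"
    i=0
    while [ "$i" -lt 120 ]; do
        echo '172.15.12.33 - - [04/May/2018:16:00:00 +0800] "GET / HTTP/1.1" 200 512' >> "$1"
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 40 ]; do
        echo '172.15.12.24 - - [04/May/2018:16:00:01 +0800] "GET /a HTTP/1.1" 200 128' >> "$1"
        i=$((i + 1))
    done
    echo '172.16.1.7 - - [04/May/2018:16:00:02 +0800] "GET /b HTTP/1.1" 404 0' >> "$1"
}

# Same pipeline as the post, normalised to "<count> <ip>" per line, highest first.
count_by_ip() {
    awk '{print $1}' "$1" | sort | uniq -c | sort -rn -k1 | awk '{print $1, $2}'
}

# IPs whose count is >= the threshold ($2). awk compares numerically, so a
# count of "9" is not mistaken for being greater than "100".
over_threshold() {
    count_by_ip "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# For every offending IP, build the block command the requirement specifies.
ban_commands() {
    over_threshold "$1" "$2" | while read -r ip; do
        cmd="iptables -I INPUT -s $ip -j DROP"
        if [ "$APPLY" = "1" ]; then
            $cmd
        else
            echo "$cmd"
        fi
    done
}

# The schedule from the post: filter every 3 minutes, recover at noon the next day.
# The script path is the post's; adjust it to where ban_IP.sh actually lives.
crontab_entries() {
    echo '*/3 * * * * /bin/sh /root/iptablestest/ban_IP.sh filter'
    echo '0 12 * * * /bin/sh /root/iptablestest/ban_IP.sh recover'
}

demo() {
    log="${TMPDIR:-/tmp}/access_demo_$$.log"
    make_sample_log "$log"
    echo "--- hits per IP ---"
    count_by_ip "$log"
    echo "--- commands (threshold $THRESHOLD) ---"
    ban_commands "$log" "$THRESHOLD"
    echo "--- crontab ---"
    crontab_entries
    rm -f "$log"
}

# Run with:  sh ban_demo.sh demo    (prints the counts, the dry-run commands and the crontab lines)
if [ "${1:-}" = "demo" ]; then demo; fi
```

The dry-run default matters in practice: running the counting step by hand first shows exactly which IPs a given threshold would block, and the numeric comparison in awk avoids the string-comparison trap where "9" sorts after "100".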



Original article: https://www.cnblogs.com/Richard-Liang/p/8991570.html
