根据web日志或者或者网络连接数,监控当某个IP并发连接数或者短时内PV达到100,即调用防火墙命令封掉对应的IP,监控频率每隔3分钟。防火墙命令为:iptables -I INPUT -s 10.0.1.10 -j DROP。这个脚本是基于IPTABLES的周末将firewalld的防火墙脚本写好分享给大家
#!/bin/sh
#
[ -f /etc/init.d/functions ] && . /etc/init.d/functions
IP_file="/server/scripts/ddos.txt"
IP_filter_command="iptables -I INPUT -j DROP -s"
IP_recover_command="iptables -D INPUT -j DROP -s"
function IP_check(){
grep "EST" ${IP_file}|awk -F "[ |:]+" '{print $6}'|sort |uniq -c|sort -rn -k1 > /server/scripts/ip.txt
}
function IP_filter(){
exec < /server/scripts/ip.txt
while read line
do
IP_count=`echo $line|awk '{print $1}'`
IP=`echo $line|awk '{print $2}'`
IP_fil=`iptables -L -n|grep "${IP}"|wc -l`
if [ ${IP_count} -gt 25 -a ${IP_fil} -eq 0 ];then
${IP_filter_command} ${IP}
echo "${IP}" >> /server/scripts/ip_filtered.txt
action "Filter ${IP}" /bin/true
fi
done
}
function IP_recover(){
exec < /server/scripts/ip.txt
while read line
do
IP_count=`echo $line|awk '{print $1}'`
IP=`echo $line|awk '{print $2}'`
IP_fil=`iptables -L -n|grep "${IP}"|wc -l`
if [ ${IP_count} -le 25 -a ${IP_fil} -eq 1 ];then
${IP_recover_command} ${IP}
echo "${IP}" >> /server/scripts/ip_filtered.txt
action "Recover ${IP}" /bin/true
fi
done
}
function main(){
case "$1" in
filter)
IP_check
echo "$(date +%F-%H:%M:%S) filtered by $(whoami)" >> /server/scripts/ip_filtered.txt
IP_filter
;;
recover)
IP_check
echo "$(date +%F-%H:%M:%S) recovered by $(whoami)" >> /server/scripts/ip_filtered.txt
IP_recover
;;
*)
echo "USAGE:$0 {filter|recover}"
exit 1
esac
}
main $*