多数CC攻击在Web服务器日志中都带有相同的攻击特征，我们可以根据这些特征从日志中过滤出攻击来源的IP，再利用iptables加以阻止。
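#!/bin/bash
#by yeho
#BLOG: https://linuxeye.com
#
# Scan an nginx access log for requests carrying a CC-attack signature,
# count matching requests per client address and DROP (tcp/80, INPUT
# chain) every address above the threshold that is not already blocked.
#
# Usage: ban_cc.sh [LOG] [PATTERN] [THRESHOLD]
#   LOG        access log to scan
#              (default: /data/wwwlogs/linuxeye.com_nginx.log)
#   PATTERN    grep pattern that marks an attack request
#              (default: 特征字符串 — replace with the real signature)
#   THRESHOLD  number of matching requests above which an IP is banned
#              (default: 250)
# Needs root (iptables). Exit status: 0 ok, 1 log unreadable, 2 bad threshold.
#
# NOTE: the first log field is assumed to be $remote_addr. If the log
# format writes a client-supplied header (e.g. X-Forwarded-For) there
# instead, that field is attacker controlled — is_ipv4 below rejects
# anything that is not a dotted quad before it reaches iptables.

set -u

readonly DEFAULT_LOG='/data/wwwlogs/linuxeye.com_nginx.log'
readonly DEFAULT_PATTERN='特征字符串'
readonly DEFAULT_THRESHOLD=250
readonly IPTABLES=/sbin/iptables

#######################################
# Check that a string is a dotted-quad IPv4 address (each octet 0-255).
# Arguments: $1 - candidate address
# Returns:   0 if valid, 1 otherwise
#######################################
is_ipv4() {
  local addr=$1 octet
  [[ "$addr" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal; otherwise "08" would be read as (invalid) octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Count matching requests per client address.
# Arguments: $1 - grep pattern marking an attack request
#            $2 - access log path
# Outputs:   one "COUNT IP" line per address to stdout
#######################################
count_hits() {
  local pattern=$1 log=$2
  # -- protects a pattern that starts with '-'; the trailing awk strips
  # the padding uniq -c adds so the output is plain "COUNT IP".
  grep -- "$pattern" "$log" | awk '{print $1}' | sort | uniq -c \
    | awk '{print $1, $2}'
}

#######################################
# Test whether the DROP rule for an address is already in place.
# `iptables -C` matches the exact rule; the old substring grep over
# `iptables -nvL` also matched 11.2.3.45 when looking for 1.2.3.4.
# Arguments: $1 - source address
# Returns:   0 if the rule exists, non-zero otherwise
#######################################
already_banned() {
  "$IPTABLES" -C INPUT -p tcp -s "$1" --dport 80 -j DROP 2>/dev/null
}

#######################################
# Insert a DROP rule for an address at the head of the INPUT chain.
# Arguments: $1 - source address (already validated)
#######################################
ban_ip() {
  "$IPTABLES" -I INPUT -p tcp -s "$1" --dport 80 -j DROP
}

#######################################
# Entry point.
# Arguments: $1 - log path, $2 - pattern, $3 - threshold (all optional)
# Returns:   0 on success, 1 if the log is unreadable, 2 on a bad threshold
#######################################
main() {
  local log=${1:-$DEFAULT_LOG}
  local pattern=${2:-$DEFAULT_PATTERN}
  local threshold=${3:-$DEFAULT_THRESHOLD}
  local num ip

  if [[ ! "$threshold" =~ ^[0-9]+$ ]]; then
    printf 'invalid threshold: %q\n' "$threshold" >&2
    return 2
  fi
  if [[ ! -r "$log" ]]; then
    printf 'cannot read log: %q\n' "$log" >&2
    return 1
  fi

  # read does the field splitting, so no IFS juggling is needed
  while read -r num ip; do
    if ! is_ipv4 "$ip"; then
      # %q keeps a hostile log field from injecting control sequences
      printf 'skipping malformed address: %q\n' "$ip" >&2
      continue
    fi
    (( num > threshold )) || continue
    already_banned "$ip" && continue
    ban_ip "$ip"
  done < <(count_hits "$pattern" "$log")
}

main "$@"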