1. 建立一个新的计划任务，每分钟执行一次：
crontab -e
# Add the line below to root's crontab (the script calls iptables, so it
# must run as root).  "* * * * *" is the same schedule as "*/1 * * * *":
# once every minute.
* * * * * sh /data/bin/blockhacker.sh
2. 在 /data/bin/blockhacker.sh（即上面 crontab 中引用的脚本）里写入下面的内容：
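#!/bin/sh
# blockhacker.sh -- drop clients that flood the forum with new threads.
#
# Run from root's crontab once a minute (see the crontab line above; root
# because the script calls iptables).  Each run:
#   1. picks today's Apache access log: the newest file named "access"
#      under $logdir that was modified in the last 24 h (logs are split
#      per day);
#   2. greps it for "POST /forum.php?mod=post&action=newthread..." lines
#      whose timestamp falls in the PREVIOUS minute;
#   3. counts those requests per client IP (first field of the log line);
#   4. for every IP with >= $threshold requests that is not already
#      dropped, inserts "iptables -I INPUT -s IP -j DROP", appends
#      "<date> <ip>" to $blocklog and sends a mail.
#
# Requires GNU date (-d) and iptables >= 1.4.11 (-C).  Apache must log
# timestamps as "[dd/Mon/yyyy:HH:MM:SS +0800]" (the default %t format).
# NOTE(review): the first log field is the peer address; behind a reverse
# proxy or CDN that is the proxy, not the client -- adapt before using it
# there, or you will drop your own proxy.

# exit   # uncomment to disable blocking temporarily

set -u

# Tunables.  The original filtered "count >= 10" with a regex on the
# `uniq -c` output; the limit is now a plain number.
threshold=10
logdir=/data/apachelog/xxx/
blocklog=/data/bin/blockhacker.log

# Newest daily access log.  `xargs -r` keeps `ls -t` from listing the
# current directory (and `head` from picking a random file) when find
# matches nothing; an unreadable/missing log used to make grep read stdin.
log=$(find "$logdir" -name 'access' -mtime 0 2>/dev/null | xargs -r ls -t 2>/dev/null | head -n 1)
if [ -z "$log" ] || [ ! -r "$log" ]; then
  echo "blockhacker: no readable access log under $logdir" >&2
  exit 0
fi

# Timestamp prefix of the previous minute, e.g. "07/Mar/2024:12:04:".
# Cron starts us at second 0 of a minute, so the current minute (which the
# old script grepped for) is still empty.  LC_ALL=C keeps %b in English
# like Apache; %Y is the calendar year (the old %G is the ISO week-based
# year, which is off by one around New Year).
stamp=$(LC_ALL=C date -d '1 minute ago' '+%d/%b/%Y:%H:%M:')
tz=$(date '+%z')   # e.g. +0800: Apache logs the server's UTC offset

# Basic regex (grep's default) for one new-thread POST in that minute:
#   [dd/Mon/yyyy:HH:MM:ss +0800] "POST /forum.php?mod=post&action=newthread&fid=NNN&extra=&topicsubmit=yes
# In BRE "?" and "+" are literals; the "." of forum.php is escaped.  Only
# `date` output goes into the pattern, never log content.
pattern="\[${stamp}[0-9]\{2\} ${tz}\] \"POST /forum\.php?mod=post&action=newthread&fid=[0-9]\{1,3\}&extra=&topicsubmit=yes"

# Count matching requests per IP and keep the offenders ("count ip" per
# line).  The while loop runs in a subshell, which is fine: nothing set
# inside it is needed afterwards.
grep -e "$pattern" -- "$log" \
  | awk -v limit="$threshold" '
      { hits[$1]++ }
      END { for (ip in hits) if (hits[ip] >= limit) print hits[ip], ip }' \
  | while read -r cnt ip; do
      # Already dropped?  -C (--check) tests for the exact rule.  The old
      # `iptables --list | grep ip` matched substrings (1.2.3.4 also
      # matched 1.2.3.40 and 11.2.3.4) and did a reverse DNS lookup per
      # rule.  stderr is silenced because "rule absent" is the normal case.
      if iptables -C INPUT -s "$ip" -j DROP 2>/dev/null; then
        continue
      fi
      if ! iptables -I INPUT -s "$ip" -j DROP; then
        echo "blockhacker: iptables -I failed for $ip" >&2
        continue
      fi
      printf '%s %s\n' "$(date)" "$ip" >> "$blocklog"
      echo "IP ${ip} blocked: ${cnt} new-thread POSTs in 1 minute (limit ${threshold}) on ServerName" \
        | mail -s "ServerName IP DROP" xxxxxx@qq.com xxxx@163.com
      echo "${ip} blocked"
    done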