[1] Requirement
Based on a web server's access log, block the source IPs that send an abnormally high number of requests, and every half hour unblock those blocked IPs that have since stopped sending requests or send only a very small number.
Assumptions:
1. An IP that makes more than 100 requests within one minute is not considered a normal client.
2. The access log path is /data/logs/access_log.
An nginx access log is used for this exercise.
[Core] Points
Count requests per source IP and sort by count (if the server sits behind a reverse proxy, the first log column holds the proxy's address, not the client's, and the count is meaningless)
How to recognize the half-hour mark
The iptables packet counter on each REJECT rule is the criterion for unblocking: an IP whose rule has seen almost no packets since the last reset has gone quiet
Two functions: block_ip and unblock_ip
【Script】
The script is meant to be started from cron once a minute (this scheduling is assumed; the page only shows the minute check at the bottom).

#!/bin/bash

block_ip() {
    # nginx time_local looks like 12/Mar/2018:10:02:03 +0800, so "%Y:%H:%M" of
    # one minute ago matches the tail of the timestamp for that minute
    t1=`date -d "-1 min" +%Y:%H:%M`
    log=/data/logs/access_log
    egrep "$t1:[0-9]+" $log > /tmp/tmp_last_min.log
    # requests per source IP over the last minute; keep the ones above 100
    awk '{print $1}' /tmp/tmp_last_min.log | sort -n | uniq -c | sort -n | awk '$1>100 {print $2}' > /tmp/bad_ip.list
    n=`wc -l /tmp/bad_ip.list | awk '{print $1}'`
    if [ $n -ne 0 ]; then
        for ip in `cat /tmp/bad_ip.list`
        do
            # skip IPs that already have a REJECT rule, otherwise the chain fills
            # with duplicates while the last minute of log still lists the IP
            iptables -C INPUT -s $ip -j REJECT 2>/dev/null || iptables -I INPUT -s $ip -j REJECT
        done
    fi
}

unblock_ip() {
    # `iptables -nvL` prints two header lines; afterwards column 1 is the packet
    # counter, column 3 the target and column 8 the source address.
    # A blocked IP whose rule counted fewer than 5 packets since the last reset
    # has gone quiet and is released.
    iptables -nvL INPUT | sed '1,2d' | awk '$3=="REJECT" && $1<5 {print $8}' > /tmp/good_ip.list
    n=`wc -l /tmp/good_ip.list | awk '{print $1}'`
    if [ $n -ne 0 ]; then
        for ip in `cat /tmp/good_ip.list`
        do
            iptables -D INPUT -s $ip -j REJECT
        done
    fi
    # zero the counters (of every chain) so the next half-hour window starts fresh
    iptables -Z
}

t=`date +%M`
if [ "$t" = "00" ] || [ "$t" = "30" ]; then
    unblock_ip
    block_ip
else
    block_ip
fi
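As an added example (not the page's script), the following bash functions exercise the two decisions the script makes, the per-minute request count from the access log and the "quiet IP" test on iptables counters, against constructed input, so they can be run offline without root. The sample log lines, the sample `iptables -nvL INPUT` listing and the function names (`make_sample_log`, `bad_ips`, `stale_ips`, `is_half_hour`) are all constructed for this example; the minute stamp is passed in instead of derived from `date` so the result is deterministic.

```shell
#!/usr/bin/env bash
# Added example: test the counting and unblocking logic without touching iptables.

# Constructed nginx "combined" log: 10.0.0.9 sends 120 requests in minute
# 10:02, 192.168.1.5 sends 3 in the same minute, and 172.16.0.7 sends 150
# in minute 10:01 (which must not be counted for 10:02).
make_sample_log() {
  local f="$1" i
  : > "$f"
  for i in $(seq 1 120); do
    printf '10.0.0.9 - - [12/Mar/2018:10:02:%02d +0800] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.58"\n' $((i % 60)) >> "$f"
  done
  for i in $(seq 1 3); do
    printf '192.168.1.5 - - [12/Mar/2018:10:02:1%d +0800] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"\n' "$i" >> "$f"
  done
  for i in $(seq 1 150); do
    printf '172.16.0.7 - - [12/Mar/2018:10:01:%02d +0800] "GET / HTTP/1.1" 200 50 "-" "ab/2.3"\n' $((i % 60)) >> "$f"
  done
}

# bad_ips LOG MINUTE [THRESHOLD]
# MINUTE is the "%Y:%H:%M" stamp the original derives from `date -d "-1 min"`.
# Prints the source IPs with more than THRESHOLD (default 100) requests in that minute.
bad_ips() {
  local log="$1" minute="$2" threshold="${3:-100}"
  grep -E "$minute:[0-9]{2}" "$log" \
    | awk '{print $1}' | sort | uniq -c \
    | awk -v t="$threshold" '$1 > t {print $2}'
}

# Constructed `iptables -nvL INPUT` listing: two header lines, then
# pkts bytes target prot opt in out source destination ...
SAMPLE_IPTABLES=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       10.0.0.9             0.0.0.0/0            reject-with icmp-port-unreachable
  840 50400 REJECT     all  --  *      *       172.16.0.7           0.0.0.0/0            reject-with icmp-port-unreachable
   12   720 ACCEPT     all  --  *      *       192.168.1.5          0.0.0.0/0
EOF
)

# stale_ips: reads an `iptables -nvL INPUT` listing on stdin and prints the
# source of every REJECT rule that counted fewer than 5 packets since the
# counters were last zeroed (skips the two header lines and non-REJECT rules).
stale_ips() {
  awk 'NR > 2 && $3 == "REJECT" && $1 < 5 {print $8}'
}

# is_half_hour MM: succeeds when the minute field is 00 or 30
is_half_hour() {
  case "$1" in
    00|30) return 0 ;;
    *)     return 1 ;;
  esac
}

# Stand-alone run: show what each decision produces on the constructed input.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  tmp=$(mktemp)
  make_sample_log "$tmp"
  echo "to block for 10:02: $(bad_ips "$tmp" 2018:10:02)"
  echo "to unblock: $(printf '%s\n' "$SAMPLE_IPTABLES" | stale_ips)"
  rm -f "$tmp"
fi
```

Running it prints `10.0.0.9` as the IP to block for minute 10:02 (172.16.0.7 is over the threshold only in 10:01) and `10.0.0.9` as the one to unblock from the listing, since its REJECT rule counted 0 packets while 172.16.0.7's rule is still absorbing traffic.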