[Series] linux server security of web access attacks

When our web site is overloaded by a surge of traffic, how do we tell which IPs belong to normal customers and which are malicious? Taking a site I operated before as an example:

1. First find the IPs making the malicious requests. The following command lists the ten most active client IPs in the access log:

       awk -F " " '{print $3}' /var/log/access.log.0 | sort | uniq -c | sort -n -r | head -10

2. Once an abnormal IP is identified, add it to the blacklist so its access is refused. Replace IP with the offending address; entries in /etc/hosts.deny take the form "daemon_list : client_list":

       echo "ALL: IP" >> /etc/hosts.deny

3. An automated script to block malicious IPs (the original, corrected so that it runs):

       #!/bin/bash
       # Rank client IPs by request count in the rotated access log.
       # Field 3 is the client IP column in this log layout (in the
       # standard combined format the client IP is field 1).
       awk -F " " '{print $3}' /var/log/access.log.0 | sort | uniq -c | sort -n -r | head -10 |
       while read -r NUM IP; do
           # Treat more than 3000 requests in one log file as malicious.
           if [ "$NUM" -gt 3000 ]; then
               # Append only if this address is not already denied.
               if ! grep -q "ALL: $IP" /etc/hosts.deny; then
                   echo "ALL: $IP" >> /etc/hosts.deny
               fi
           fi
       done
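The same ranking-and-threshold procedure as a self-contained script, added here as an example and not the original post's code. The log path, the field holding the client IP, the request threshold and the deny-file path are all parameters, so it runs against a constructed sample log (documentation-range addresses, client IP in field 1) and a temporary deny file rather than /var/log and /etc/hosts.deny. It also matches the deny file on whole lines, so an existing entry for 203.0.113.1 does not silently hide 203.0.113.10 the way a plain substring grep would. Keep in mind that /etc/hosts.deny is consulted only by services built with TCP wrappers (libwrap), which Apache and nginx are not, so the list records who to block but is not by itself enforcement at the web server.

```shell
#!/bin/bash
# Added example, not the original post's script. Ranks client IPs in an
# access log and appends heavy hitters to a deny file. All paths, the
# field number and the threshold are parameters so it can run on the
# constructed sample below instead of /var/log and /etc/hosts.deny.

# top_ips LOGFILE FIELD N: print "count ip" lines, busiest first.
top_ips() {
    awk -v f="$2" '{print $f}' "$1" | sort | uniq -c | sort -n -r | head -n "$3"
}

# block_heavy_hitters LOGFILE FIELD THRESHOLD DENYFILE
# Appends "ALL: <ip>" for every IP with more than THRESHOLD requests
# that is not yet listed, and prints each newly added IP.
block_heavy_hitters() {
    local log="$1" field="$2" threshold="$3" deny="$4"
    top_ips "$log" "$field" 10 | while read -r count ip; do
        [ "$count" -gt "$threshold" ] || continue
        # Exact whole-line match (-x -F): an existing "ALL: 203.0.113.1"
        # must not hide 203.0.113.10 as a substring grep would.
        if ! grep -qxF "ALL: $ip" "$deny"; then
            echo "ALL: $ip" >> "$deny"
            echo "$ip"
        fi
    done
}

# repeat_line N TEXT: emit TEXT N times (used to build the sample log).
repeat_line() {
    local n="$1"; shift
    while [ "$n" -gt 0 ]; do echo "$*"; n=$((n - 1)); done
}

# make_sample_log: write a constructed combined-format log (client IP in
# field 1, documentation-range addresses) to a temp file, print its path.
make_sample_log() {
    local f; f=$(mktemp)
    {
        repeat_line 5 '203.0.113.10 - - [10/Jun/2019:10:00:00 +0000] "GET / HTTP/1.1" 200 512'
        repeat_line 2 '198.51.100.7 - - [10/Jun/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024'
        repeat_line 1 '203.0.113.1 - - [10/Jun/2019:10:00:02 +0000] "GET /about HTTP/1.1" 200 300'
    } > "$f"
    echo "$f"
}

# Stand-alone demo: with threshold 3 only 203.0.113.10 (5 requests) is
# added; the pre-existing 203.0.113.1 entry does not block that addition.
demo_log=$(make_sample_log)
demo_deny=$(mktemp)
echo 'ALL: 203.0.113.1' > "$demo_deny"
block_heavy_hitters "$demo_log" 1 3 "$demo_deny"
cat "$demo_deny"
rm -f "$demo_log" "$demo_deny"
```

Run it as `bash script.sh`; to apply it to a real server, call `block_heavy_hitters /var/log/access.log.0 1 3000 /etc/hosts.deny` with the field number adjusted to wherever the client IP sits in your log format.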

Reproduced from: https://my.oschina.net/wzlee/blog/262190


Origin blog.csdn.net/weixin_34014277/article/details/91716695