自动化防御脚本:
1. 取得每分钟调用接口频繁的IP地址
#!/usr/bin/perl
#取文件行数
##循环开始清空文件
use POSIX;
use CGI;
use DBI;
use HTTP::Date qw(time2iso str2time time2iso time2isoz);
use Net::SMTP;
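sub send_mail {
    # Send a one-line plain-text notification over authenticated SMTP.
    #
    # Arguments: ($to_address, $text) — the recipient and the text placed in
    # the message body, prefixed with the local timestamp. Dies when the
    # wrong number of arguments is given or the SMTP session cannot be set
    # up (connect, auth, recipient, message body).
    #
    # The SMTP account and password are hard-coded below; anyone who can
    # read this script can send mail as that account. Loading them from a
    # file with restricted permissions (or the environment) keeps the script
    # shareable without the secret.
    die "请输入2个参数\n" if @_ != 2;
    my ($to_address, $text) = @_;

    # Same "YYYY-MM-DD hh:mm:ss" local-time layout as HTTP::Date::time2iso,
    # built with the POSIX strftime the script already uses.
    my $curr_time   = strftime('%Y-%m-%d %H:%M:%S', localtime);
    my $mail_user   = 'zhaoyangjian@zjcap.cn';
    my $mail_pwd    = 'xxxx55';
    my $mail_server = 'smtp.exmail.qq.com';

    # Net::SMTP->new returns undef (and sets $@) when it cannot connect; the
    # original went straight to ->auth on undef and died with a bare error.
    my $smtp = Net::SMTP->new($mail_server)
        or die "Cannot connect to $mail_server: $@\n";

    # NOTE(review): this opens a plain TCP session; unless the server forces
    # STARTTLS the password crosses the network in clear text. Net::SMTP 3.x
    # supports SSL => 1 / ->starttls — confirm what the server offers.
    # Server replies live in ->message, not in $! (which the original printed).
    $smtp->auth($mail_user, $mail_pwd)
        or die "Auth Error! " . $smtp->message;
    $smtp->mail($mail_user);
    $smtp->to($to_address)
        or die "Recipient $to_address rejected: " . $smtp->message;

    # Headers, a blank separator line, then the body. $text only ever lands
    # after the separator, so it cannot inject extra headers.
    $smtp->data();
    $smtp->datasend("From: $mail_user\n");
    $smtp->datasend("Subject: zjcap info\n");
    $smtp->datasend("\n");
    $smtp->datasend("$curr_time--$text\n\n");
    $smtp->dataend()
        or die "Message rejected: " . $smtp->message;
    $smtp->quit();
    return;
}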
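# ---- Per-run processing of today's Tomcat access log ----------------------
# State between runs is kept in count.txt (how many lines of today's log
# were already handled). The lines added since then are copied to tmp.out,
# per-IP request totals go to sum_acc.log, and the IPs above the threshold
# are appended to ip.txt, which the rsync/iptables steps below consume.
use strict;
use warnings;

my $SDATE    = strftime("%Y-%m-%d", localtime());
my $dir      = '/usr/local/apache-tomcat-7.0.55_8081/logs';
my $file     = "localhost_access_log.$SDATE.txt";
my $mon_file = "$dir/$file";
print "$mon_file is $mon_file\n";

# Start the run with empty scratch files (only those that already exist,
# as before); the rest of the run appends to them.
for my $scratch (qw(tmp.out sum_acc.log ip.txt)) {
    next unless -f $scratch;
    open my $trunc, '>', $scratch or die "open $scratch: $!\n";
    close $trunc or die "close $scratch: $!\n";
}

# Line count recorded by the previous run: the last line of count.txt.
# A missing count.txt leaves $count undefined, which disables the copy
# step below (first run).
my $count;
if (open my $count_fh, '<', 'count.txt') {
    while (my $line = <$count_fh>) {
        $count = $line;
    }
    close $count_fh;
    chomp $count if defined $count;
}
printf "上次记录的记录数为%s\n", defined $count ? $count : '';

# Current line count of today's log. Dying here (rather than counting an
# unreadable file as 0 lines) keeps a missing log from clobbering count.txt.
open my $log_fh, '<', $mon_file or die "open $mon_file: $!\n";
my $num = 0;
$num++ while <$log_fh>;
close $log_fh;
print "文件最新的记录数为$num\n";

# Record the new count before processing, as the original did: a crash
# during processing therefore skips those lines rather than re-alerting
# on them next run.
open my $count_out, '>', 'count.txt' or die "open count.txt: $!\n";
print {$count_out} "$num\n";
close $count_out or die "close count.txt: $!\n";

# Copy the lines appended since the last run into tmp.out. $count is only
# meaningful while $mon_file is the file it was measured on: after midnight
# the name changes and the stale count makes this skip the new file's first
# lines (or copy nothing when $num < $count) until the following run.
if (defined $count && $num != $count && $num != 0) {
    print "开始处理\n";
    open my $in,  '<',  $mon_file or die "open $mon_file: $!\n";
    open my $out, '>>', 'tmp.out' or die "open tmp.out: $!\n";
    while (my $line = <$in>) {
        print {$out} $line if $. > $count;
    }
    close $in;
    close $out or die "close tmp.out: $!\n";
}

##########监控关键字,以空格隔开################
# Count requests per client IP in the copied lines. The pattern on the page
# read /.*s+"GETs*(.*?)=.*s+(d{1,3}.d{1,3}.d{1,3}.d{1,3})$/, which cannot
# match a dotted-quad address (the backslashes look lost in transit); the
# evident intent — a GET with a query string whose line ends in an IPv4
# address — is restored here. NOTE(review): the log layout (IP as the last
# field) is assumed from that pattern; confirm against the access-log format.
my $access_re = qr{
    \s+ "GET \s* .*? = .* \s+                            # GET with a query string
    ( \d{1,3} \. \d{1,3} \. \d{1,3} \. \d{1,3} ) \z      # client IP, last field
}x;

# Absolute path where the relative tmp.out above is written: the script is
# expected to run from /home/tomcat/sum_acc.
my $tmp_path = "/home/tomcat/sum_acc/tmp.out";
my %count_of;
if (open my $tmp_fh, '<', $tmp_path) {
    while (my $line = <$tmp_fh>) {
        chomp $line;
        $count_of{$1}++ if $line =~ $access_re;
    }
    close $tmp_fh;
}
else {
    # Best effort, as before: tmp.out does not exist until the first copy.
    warn "open $tmp_path: $!\n";
}

# Report every IP; those above the threshold are written to ip.txt (the
# block list the other hosts pick up) and mailed. The IP is written before
# the mail is sent so a mail failure does not lose the block entry.
my $threshold = 30;
open my $sum_fh, '>>', 'sum_acc.log' or die "open sum_acc.log: $!\n";
open my $ip_fh,  '>>', 'ip.txt'      or die "open ip.txt: $!\n";
for my $ip (sort keys %count_of) {
    my $times = $count_of{$ip};
    print "$ip access count(*) == $times\n";
    print {$sum_fh} "$ip access count(*) == $times\n";
    if ($times > $threshold) {
        print {$ip_fh} "$ip\n";
        send_mail('zhaoyangjian@zjcap.cn', "flow01-$ip access count(*) == $times\n");
    }
}
close $sum_fh or die "close sum_acc.log: $!\n";
close $ip_fh  or die "close ip.txt: $!\n";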
2. 把地址rsync到前台
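# Step 2: push ip.txt to the front-end hosts that run the iptables loop.
. ~/.bash_profile

# Root password for the target hosts. Anyone who can read this script can
# log in as root there; key-based authentication (ssh-copy-id) would remove
# both the embedded secret and the expect dialogue below.
passwd=xxx

# push_ip_list HOST
# rsync ip.txt to root@HOST:/root/sbin/, answering the host-key and password
# prompts. Answering "yes" to "(yes/no)?" accepts whatever host key is
# presented, so the first connection is not protected against an impostor;
# pre-populating known_hosts on this machine avoids that prompt entirely.
push_ip_list() {
    expect <<!
spawn rsync -avH ip.txt root@$1:/root/sbin/
expect {
    "(yes/no)?" {
        send "yes\n"
        expect "password:"
        send "$passwd\n"
    }
    "password:" {
        send "$passwd\n"
    }
}
expect eof
exit
!
}

push_ip_list 121.0.1.108
##########################################################
push_ip_list 11.40.16.5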
3. 加入到iptables
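# Step 3: on each front-end host, keep feeding the reported IPs into iptables.
# Stop rather than run the loop in the wrong directory.
cd /root/sbin || exit 1

# This address is never blocked, whatever the log says.
ALLOW_IP='115.236.160.82'

while :
do
    if [ -s ip.txt ]
    then
        grep -vF -- "$ALLOW_IP" ip.txt | while read -r A
        do
            # Only digits and dots may reach reject_ip.sh: ip.txt is produced
            # by the log parser, but a stray or malformed line must not turn
            # into an iptables argument.
            case $A in
                ''|*[!0-9.]*) continue ;;
            esac
            # -F -w: literal, whole-word match, so 10.0.0.1 is not treated as
            # already present just because 10.0.0.10 is in the rules file.
            if ! grep -qFw -- "$A" /etc/sysconfig/iptables
            then
                sh ./reject_ip.sh "$A"
            fi
        done
    fi
    sleep 10
done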