DDos攻击处理,封ip

# FileName: ddos.sh
# Revision: 1.0
# Date: 2021-10-25
# Author: Linux_Boy
# Description: DDos攻击处理
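# Tally requests per client address (first field of the access log passed as
# $1) and insert an iptables DROP rule for every address seen more than
# $threshold times. Repeats every 30 seconds. iptables needs root.
#
# NOTE(review): the tally covers the whole log file on every pass, not a
# recent time window, so a long-lived legitimate client (health check, NAT
# gateway, upstream proxy) will cross the threshold eventually. Rotate the log
# or exempt trusted sources before relying on this.
# NOTE(review): rules are only ever inserted, never expired or persisted;
# confirm that matches the intended block lifetime.
# NOTE(review): if the log's first field is taken from a client-supplied
# header rather than the socket peer address, a client can choose which
# address gets blocked. Confirm the log format.
file=${1:?usage: ddos.sh ACCESS_LOG}
threshold=500

while true; do
	# Only dotted-quad first fields are counted. This drops blank lines and
	# keeps anything that is not an IPv4 literal (including values starting
	# with "-") from reaching the iptables command line.
	awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' "$file" |
		sort | uniq -c |
		while read -r count ip; do
			[ "$count" -gt "$threshold" ] || continue

			# Skip addresses the ruleset already mentions. -F -w makes this
			# a literal whole-token match, so 1.2.3.4 is not mistaken for
			# 11.2.3.45 and "." is not treated as a regex wildcard.
			if iptables -L -n | grep -qFw -- "$ip"; then
				continue
			fi

			# Record the block only when the rule was actually inserted.
			if iptables -I INPUT -s "$ip" -j DROP; then
				# NOTE(review): /tmp is world-writable and this path is
				# predictable; a root-owned log directory is safer.
				printf '%s %s is dropped\n' "$count" "$ip" \
					>> "/tmp/droplist_$(date +%F).log"
			else
				printf 'ddos.sh: failed to insert DROP rule for %s\n' "$ip" >&2
			fi
		done
	sleep 30
done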

#!/bin/bash
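# Every $interval_seconds, count requests per client address over the most
# recent minutes of the nginx access log and insert an iptables DROP rule for
# each address seen more than $threshold times. iptables needs root.
#
# The log path may be passed as $1; the default is the original hard-coded
# location.
#
# NOTE(review): rules are only ever inserted, never expired or persisted;
# confirm that matches the intended block lifetime.
# NOTE(review): if the log's first field is taken from a client-supplied
# header rather than the socket peer address, a client can choose which
# address gets blocked. Confirm the log format.
logfile=${1:-/home/jht/projects/nginx-1.12.1/logs/access.log}
readonly threshold=500
readonly interval_seconds=300
# Look back as many minutes as the loop sleeps. The original scanned 4 minutes
# but slept 5, so one minute per cycle was never examined.
readonly window_minutes=$(( interval_seconds / 60 ))

while true; do
        printf '开始巡检 %s\n' "$(date '+%F %H:%M')"

        # The whole pass is one pipeline with no scratch files. The original
        # appended to /tmp/tmp.log without ever truncating it, so counts grew
        # on every pass, and its banner line was counted as a client too.
        for (( i = 0; i < window_minutes; i++ )); do
                # nginx writes the timestamp as "[25/Oct/2021:16:57:01 +0800]"
                # in the middle of the line, so the original "^"-anchored
                # pattern could not match. Match the literal "[DD/Mon/YYYY:HH:MM:"
                # prefix instead; LC_ALL=C keeps the month abbreviation English.
                stamp=$(LC_ALL=C date -d "-${i} min" '+[%d/%b/%Y:%H:%M:')
                grep -F -- "$stamp" "$logfile"
        done |
                # Only dotted-quad first fields are counted, which keeps
                # anything that is not an IPv4 literal away from iptables.
                awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' |
                sort | uniq -c |
                while read -r count ip; do
                        [[ "$count" -gt "$threshold" ]] || continue

                        # Literal whole-token match: 1.2.3.4 must not be
                        # treated as present because 11.2.3.45 is listed.
                        if iptables -L -n | grep -qFw -- "$ip"; then
                                continue
                        fi

                        # Record the block only when the rule was inserted.
                        if iptables -I INPUT -s "$ip" -j DROP; then
                                # NOTE(review): /tmp is world-writable and this
                                # path is predictable; a root-owned log
                                # directory is safer.
                                printf '%s %s is dropped\n' "$count" "$ip" \
                                        >> "/tmp/droplist_$(date +%F).log"
                        else
                                printf 'failed to insert DROP rule for %s\n' "$ip" >&2
                        fi
                done

        sleep "$interval_seconds"
done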



# grep `date +%d/.*/%Y:%H:%M` access.log
[jht@dlpt-jcpt-xmpp logs]$ grep `date +%d/.*/%Y:%H:%M` access.log
120.79.141.235 - - [25/Oct/2021:16:57:01 +0800] "POST /cloud HTTP/1.1" 200 2864 {x22attributesx22:{},x22dataItemsx22:[{x22attributesx22:{x22SUBSYSTEM_CODEx22:x22p191115859x22,x22URLx22:x22http://127.0.0.1/JSTPay/BookSearchByCarNO.aspx?sign_type=MD5&service_version=1.0&input_charset=GBK&partner=000000008013724&gcode_id=p191115859&goods_name=JSPAY&is_member=&member_no=&level=&coupon_list=&mer_gid=%BD%F2A2H887&sign=495E14FCCD51FE831ACCF5EC408DFAA5x22},x22objectIdx22:x22x22,x22operateTypex22:x22READx22,x22subItemsx22:[]}],x22requestTypex22:x22DIRECTIVEx22,x22seqIdx22:x22n9ha1g_ariuqx22,x22serviceIdx22:x22NISSP_JSPAY_ORDERx22} "-" "Apache-HttpClient/4.5.3 (Java/1.8.0_112)" -
120.79.141.235 - - [25/Oct/2021:16:57:02 +0800] "POST /cloud HTTP/1.1" 200 2864 {x22attributesx22:{},x22dataItemsx22:[{x22attributesx22:{x22SUBSYSTEM_CODEx22:x22p191115859x22,x22URLx22:x22http://127.0.0.1/JSTPay/BookSearchByCarNO.aspx?sign_type=MD5&service_version=1.0&input_charset=GBK&partner=000000008013724&gcode_id=p191115859&goods_name=JSPAY&is_member=&member_no=&level=&coupon_list=&mer_gid=%BD%F2A2H887&sign=495E14FCCD51FE831ACCF5EC408DFAA5x22},x22objectIdx22:x22x22,x22operateTypex22:x22READx22,x22subItemsx22:[]}],x22requestTypex22:x22DIRECTIVEx22,x22seqIdx22:x22n9ha1g_ariv5x22,x22serviceIdx22:x22NISSP_JSPAY_ORDERx22} "-" "Apache-HttpClient/4.5.3 (Java/1.8.0_112)" -
120.79.172.90 - - [25/Oct/2021:16:57:05 +0800] "POST /cloud HTTP/1.1" 200 2868 {x22attributesx22:{},x22dataItemsx22:[{x22attributesx22:{x22SUBSYSTEM_CODEx22:x22p191115859x22,x22URLx22:x22http://127.0.0.1/JSTPay/BookSearchByCarNO.aspx?sign_type=MD5&service_version=1.0&input_charset=GBK&partner=000000008013724&gcode_id=p191115859&goods_name=JSPAY&is_member=&member_no=&level=&coupon_list=&mer_gid=%BD%F2ADQ6982&sign=22ADE0D462227BF3269215CEF405E94Cx22},x22objectIdx22:x22x22,x22operateTypex22:x22READx22,x22subItemsx22:[]}],x22requestTypex22:x22DIRECTIVEx22,x22seqIdx22:x22m8jcv9_ari1wx22,x22serviceIdx22:x22NISSP_JSPAY_ORDERx22} "-" "Apache-HttpClient/4.5.3 (Java/1.8.0_112)" -
120.79.172.90 - - [25/Oct/2021:16:57:06 +0800] "POST /cloud HTTP/1.1" 200 2868 {x22attributesx22:{},x22dataItemsx22:[{x22attributesx22:{x22SUBSYSTEM_CODEx22:x22p191115859x22,x22URLx22:x22http://127.0.0.1/JSTPay/BookSearchByCarNO.aspx?sign_type=MD5&service_version=1.0&input_charset=GBK&partner=000000008013724&gcode_id=p191115859&goods_name=JSPAY&is_member=&member_no=&level=&coupon_list=&mer_gid=%BD%F2ADQ6982&sign=22ADE0D462227BF3269215CEF405E94Cx22},x22objectIdx22:x22x22,x22operateTypex22:x22READx22,x22subItemsx22:[]}],x22requestTypex22:x22DIRECTIVEx22,x22seqIdx22:x22m8jcv9_ari27x22,x22serviceIdx22:x22NISSP_JSPAY_ORDERx22} "-" "Apache-HttpClient/4.5.3 (Java/1.8.0_112)" -
120.79.172.90 - - [25/Oct/2021:16:57:07 +0800] "POST /cloud HTTP/1.1" 200 2863 {x22attributesx22:{},x22dataItemsx22:[{x22attributesx22:{x22SUBSYSTEM_CODEx22:x22p191115859x22,x22URLx22:x22http://127.0.0.1/JSTPay/BookSearchByCarNO.aspx?sign_type=MD5&service_version=1.0&input_charset=GBK&partner=000000008013724&gcode_id=p191115859&goods_name=JSPAY&is_member=&member_no=&level=&coupon_list=&mer_gid=%BD%F2JLB066&sign=D38298FAC1BA2EB4E09A1ED2E574A540x22},x22objectIdx22:x22x22,x22operateTypex22:x22READx22,x22subItemsx22:[]}],x22requestTypex22:x22DIRECTIVEx22,x22seqIdx22:x22-257wvt_arid0x22,x22serviceIdx22:x22NISSP_JSPAY_ORDERx22} "-" "Apache-HttpClient/4.5.3 (Java/1.8.0_112)" -
120.79.172.90 - - [25/Oct/2021:16:57:08 +0800] "POST /cloud HTTP/1.1" 200 2863 {x22attributesx22:{},x22dataItemsx22:[{x22attributesx22:{x22SUBSYSTEM_CODEx22:x22p191115859x22,x22URLx22:x22http://127.0.0.1/JSTPay/BookSearchByCarNO.aspx?sign_type=MD5&service_version=1.0&input_charset=GBK&partner=000000008013724&gcode_id=p191115859&goods_name=JSPAY&is_member=&member_no=&level=&coupon_list=&mer_gid=%BD%F2JLB066&sign=D38298FAC1BA2EB4E09A1ED2E574A540x22},x22objectIdx22:x22x22,x22operateTypex22:x22READx22,x22subItemsx22:[]}],x22requestTypex22:x22DIRECTIVEx22,x22seqIdx22:x22-257wvt_aridax22,x22serviceIdx22:x22NISSP_JSPAY_ORDERx22} "-" "Apache-HttpClient/4.5.3 (Java/1.8.0_112)" -
120.77.205.233 - - [25/Oct/2021:16:57:15 +0800] "POST /cloud HTTP/1.1" 200 2862 {x22attributesx22:{x22__jht_orig_req_idx22:x22x22},x22dataItemsx22:[{x22attributesx22:{x22SUBSYSTEM_CODEx22:x22p191115859x22,x22URLx22:x22http://127.0.0.1/JSTPay/BookSearchByCarNO.aspx?attach=&gcode_id=p191115859&goods_name=JSPAY&input_charset=GBK&member_no=&mer_gid=%C2%B3-Q6QA99&partner=000000008013724&service_version=1.0&sign_type=MD5&sign=9E733AE3543A07C179FB9836AFED7C4Cx22,x22favourListx22:[]},x22failItemsx22:[],x22objectIdx22:x22x22,x22operateTypex22:x22READx22,x22subItemsx22:[]}],x22requestTypex22:x22DIRECTIVEx22,x22seqIdx22:x22eeff2c387af74c4f9420eea793c9e3e2x22,x22serviceIdx22:x22NISSP_JSPAY_ORDERx22,x22sourcex22:x22x22} "-" "okhttp/3.11.0" -
120.79.172.90 - - [25/Oct/2021:16:57:23 +0800] "POST /cloud HTTP/1.1" 200 2899 {x22attributesx22:{},x22dataItemsx22:[{x22attributesx22:{x22SUBSYSTEM_CODEx22:x22p191115859x22,x22URLx22:x22http://127.0.0.1/JSTPay/BookSearchByCarNO.aspx?sign_type=MD5&service_version=1.0&input_charset=GBK&partner=000000008013724&gcode_id=p191115859&goods_nam

  

原文地址:https://www.cnblogs.com/zhouzhiguo/p/15464965.html