Web访问异常简单报警
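先分享一个简单的报警脚本:
#!/bin/bash
# Writer:lin_credible@163.com
#
# Report client IPs that hit the web server more than THRESHOLD times in the
# last 10 minutes: scan the access log given as $1, write a small report and
# mail it. The original script filtered at ">30" in awk while its header and
# report text said 600; the threshold is now a single value used everywhere.
#
# Usage: alert.sh logs_file's_path
# Env:   THRESHOLD    hit count above which an IP is reported (default 600)
#        IP_FIELD     whitespace-separated log field holding the client IP
#                     (default 3, as in the original; the combined log format
#                     keeps the client IP in field 1 -- check your log_format
#                     before relying on the default)
#        MAIL_DOMAIN  domain appended to each recipient name (default 163.com)
# Needs: GNU date (-d "N minute ago"), mail(1)
set -euo pipefail

readonly threshold=${THRESHOLD:-600}
readonly ip_field=${IP_FIELD:-3}
readonly mail_domain=${MAIL_DOMAIN:-163.com}

if [ $# -ne 1 ]; then
  echo "Wrong Enter!" >&2
  echo "Usage: $(basename "$0") logs_file's_path" >&2
  exit 1
fi
log_file=$1
if [ ! -e "$log_file" ]; then
  echo "The log_file is not exists!" >&2
  exit 1
fi

# Work files live in a private mktemp directory instead of the current
# directory, so a predictable name in a shared directory cannot be pre-created
# or symlinked by another user; the trap removes them on every exit path.
work_dir=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
cleanup() { rm -rf -- "${work_dir:?}"; }
trap cleanup EXIT
ip_list=$work_dir/ip_list_10minute.txt
report=$work_dir/bad_ip_list.txt

# LC_ALL=C keeps %b as the English month abbreviation the access log uses;
# under a non-English locale the stamp would never match a log line.
date_now=$(LC_ALL=C date +%d/%b/%Y:%H:%M)
# The original matched the minute prefix of "10 minutes ago" with its last
# digit dropped (e.g. "12:2"), which selects a calendar 10-minute bucket, not
# the sliding last 10 minutes. Build the ten exact minute stamps instead
# (current minute and the nine before it) and match any of them.
declare -a stamps=()
for (( m = 0; m < 10; m++ )); do
  stamps+=("$(LC_ALL=C date -d "${m} minute ago" +%d/%b/%Y:%H:%M)")
done

# Count hits per IP inside the window. The stamps are matched as fixed strings
# (-F) so '/' and ':' are never pattern syntax. A grep with no match exits 1,
# which pipefail would otherwise turn into a script abort; exit 2 (real error)
# still fails the pipeline.
{ grep -F -f <(printf '%s\n' "${stamps[@]}") -- "$log_file" || [ $? -eq 1 ]; } \
  | awk -v f="$ip_field" '{print $f}' \
  | sort | uniq -c | sort -nr \
  | awk -v t="$threshold" '$1 > t {print $2}' > "$ip_list"

declare -a arr=()
mapfile -t arr < "$ip_list"
j=${#arr[@]}
if [ "$j" -eq 0 ]; then
  exit 0
fi

{
  echo "10分钟内访问数超过${threshold}次的ip列表如下"
  # Same order as the original loop: from the end of the list to the start.
  for (( i = j - 1; i >= 0; i-- )); do
    ip=${arr[$i]}
    printf '%s ----> IP: %s\n' "$date_now" "$ip"
    # One sample log line for this IP. Dots in the address are escaped so that
    # 1.2.3.4 does not also match 1x2x3x4; \s on both sides keeps the original
    # "surrounded by whitespace" match.
    { grep -E -- "\s${ip//./\\.}\s" "$log_file" || [ $? -eq 1 ]; } | sort -nr | head -n 1
    echo " "
  done
} >> "$report"

#######################################
# Mail the report to every recipient name given as an argument.
# Globals:   report (read), mail_domain (read)
# Arguments: recipient user names; "@${mail_domain}" is appended to each
# Returns:   non-zero (and aborts under set -e) if mail(1) fails
#######################################
send_mail() {
  local name
  for name in "$@"; do
    mail -s "web访问报警" "${name}@${mail_domain}" < "$report"
  done
}
#send_mail lin_credible xxx yyy zzz
send_mail lin_credible
# Temp files are removed by the EXIT trap; no explicit rm needed.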
连接数限制的iptables规则:
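# Limit concurrent TCP connections to port 80 per source address (the
# connlimit module's default grouping): once one address already holds more
# than 10 connections, further ones are rejected. "-I INPUT" inserts the rule
# at the top of the chain, ahead of any existing accept rules, so it takes
# effect immediately. The original line used en-dashes ("–dport"); long
# options need two ASCII hyphens or iptables rejects the command.
#iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 -j REJECT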
Notice:如果相关站点做了CDN加速,到达服务器的连接来自CDN节点IP而非真实访客,按IP限制连接数时别错杀了CDN的连接!
PS: 转了一篇好文章!Nginx简单防御CC攻击的两种方法