找到刷脚本的 IP 地址：请将特征值改成你自己的，下面的指令使用的特征值为 " 503 "，输出的是 C 类 IP 地址段（/24），每行前后带有 == 和 ++ 两个占位符，供下一步批量替换。
# Lists every /24 range that has at least one access-log line containing " 503 ",
# one range per line, wrapped in the == / ++ placeholders that are replaced by hand afterwards.
# Note: grep matches " 503 " anywhere in the line, not only in the status field.
grep " 503 " /var/log/nginx/access.log | awk '{split($1, o, "."); print "==" o[1] "." o[2] "." o[3] ".0/24++"}' | sort -rn | uniq
然后批量替换
=====================================================
使用
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="
替换==
使用
" reject'
替换++
=====================================================
完成指令的生成
生成的指令大致为
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="58.214.241.0/24" reject'
直接在Linux的shell中执行
重载防火墙规则
firewall-cmd --reload
到这里封禁就已经完成了
如果封错了,可以删除对应的ip段
firewall-cmd --permanent --remove-rich-rule='rule family=ipv4 source address="112.81.174.0/24" reject'
下面是定时刷新nginx的脚本
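#!/bin/bash
#
# Scheduled blocker: scans one nginx access log for requests that carry a
# marker string, then writes and runs firewalld reject rules for the client
# addresses (or whole /24 ranges) behind those requests.
#
# Working files (ip.lst, ipc.lst, firewalld.sh, firewalld-remove.sh) are
# created in the current directory and firewalld.sh is then executed by this
# script, so run it from a directory that only root can write to.
#
# The client address is taken from the first field of each log line
# (assumed to be the peer address, as in nginx's default log format --
# confirm against your log_format). Every value is checked to be a plain
# dotted-quad IPv4 address before it is written into the generated script,
# so a malformed or client-influenced field can never become shell text.
#
# NOTE: --permanent only changes the saved firewalld configuration. This
# script does not run `firewall-cmd --reload`, so new rules become active at
# the next reload.

log_nginx="/var/log/nginx"
blockfile="/etc/nginx" # kept from the original settings; not referenced in this script
domain="itseeker.net"
condition="verfyCode=134534"

access_log="$log_nginx/$domain.access.log"
# Minimum count that triggers a block (distinct addresses for a /24,
# requests for a single address).
threshold=10

#######################################
# Check that a string is a dotted-quad IPv4 address with octets 0-255.
# Arguments: $1 - candidate address
# Returns:   0 if valid, 1 otherwise
#######################################
is_ipv4() {
  local addr=$1 octet
  local -a octets
  local -r re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  [[ $addr =~ $re ]] || return 1
  IFS=. read -r -a octets <<<"$addr"
  for octet in "${octets[@]}"; do
    # 10# forces base 10 so a leading zero is not read as octal.
    ((10#$octet <= 255)) || return 1
  done
  return 0
}

#######################################
# Append the add rule to firewalld.sh and the matching undo rule to
# firewalld-remove.sh.
# Arguments: $1 - validated source address or CIDR range
#######################################
emit_rules() {
  printf "firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=\"%s\" reject'\n" "$1" >> firewalld.sh
  printf "firewall-cmd --permanent --remove-rich-rule='rule family=ipv4 source address=\"%s\" reject'\n" "$1" >> firewalld-remove.sh
}

# Clear the results of the previous run.
rm -f -- ipc.lst ip.lst firewalld.sh firewalld-remove.sh

if [[ ! -r "$access_log" ]]; then
  printf 'cannot read access log: %s\n' "$access_log" >&2
  exit 1
fi

# Snapshot the client address of every request that carries the marker, so
# the log is read once instead of once per candidate.
marked_clients=$(mktemp) || exit 1
trap 'rm -f -- "$marked_clients"' EXIT
grep -F -- "$condition" "$access_log" | awk '{print $1}' > "$marked_clients"

# Candidates: distinct, valid client addresses of requests that contain
# " 503 " and the marker. The fixed-string match is against the whole line.
grep -F -- ' 503 ' "$access_log" \
  | grep -F -- "$condition" \
  | awk '{print $1}' \
  | LC_ALL=C sort -u \
  | while IFS= read -r addr; do
      if is_ipv4 "$addr"; then
        printf '%s\n' "$addr"
      fi
    done > ip.lst

# The distinct /24 prefixes (first three octets) of those candidates.
awk -F. '{print $1 "." $2 "." $3}' ip.lst | LC_ALL=C sort -u > ipc.lst

: > firewalld.sh
chmod 755 firewalld.sh

# Pass 1: reject a whole /24 when at least $threshold distinct addresses in
# it sent marked requests. The prefix is compared as an exact string on the
# address field, so 1.2.3 cannot also match 11.2.3.x or 1.2.30.x.
while IFS= read -r prefix; do
  hosts=$(awk -F. -v p="$prefix" 'NF == 4 && ($1 "." $2 "." $3) == p' "$marked_clients" \
    | LC_ALL=C sort -u \
    | wc -l)
  if ((hosts >= threshold)); then
    emit_rules "$prefix.0/24"
  fi
done < ipc.lst

# Pass 2: reject a single address when it sent at least $threshold marked
# requests, unless its /24 was already rejected in pass 1.
while IFS= read -r ip; do
  if grep -qF -- "address=\"${ip%.*}.0/24\"" firewalld.sh; then
    continue
  fi
  hits=$(grep -cxF -- "$ip" "$marked_clients")
  if ((hits >= threshold)); then
    emit_rules "$ip"
  fi
done < ip.lst

# Apply the generated rules.
/usr/bin/bash firewalld.sh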