Nginx日志内发现大量恶意ip自动加入防火墙脚本

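#!/bin/bash
#
# Scan the tail of an nginx access log, count requests per client address, and
# block every address above a threshold: append "deny <ip>;" to an nginx deny
# file, insert an iptables DROP rule for the web port, and record the action in
# a log file. nginx is reloaded once at the end if the deny file changed.
#
# Must run with enough privilege to call iptables and reload nginx.
#
# Review notes for operators:
#   * The exclusion list is matched against the client-supplied User-Agent
#     field, so any client can avoid the block by sending "google" (etc.) in
#     that header. It is not a trustworthy allowlist; prefer address-based
#     exclusions (verified crawler ranges, own monitoring hosts, upstream
#     proxies) if exclusions are needed.
#   * Nothing here protects your own addresses. A busy NAT gateway, load
#     balancer or health checker that crosses the threshold is blocked too.
#   * Field positions ($1 = client address, $12 = start of User-Agent) assume
#     the default "combined" log format - TODO confirm against log_format.
#   * iptables rules are not persisted across reboots, while deny-file entries
#     are; an address already in the deny file does not get a new rule.
#   * Assumes the deny file is included from the nginx configuration.

set -u

# Directory holding the nginx access logs.
_log_Path="/data0/nginx/weblogs/"
# Access log file to analyse.
_log_FileName="access_blog.kinggoo.com.log"
# Destination port blocked for offending addresses (default 80).
_port="80"
_nginx_deny="/opt/webserver/nginx/conf/deny.conf"
_nginx_bin="/opt/webserver/nginx/sbin/nginx"
_logfilepath="${_log_Path}${_log_FileName}"
# Record of blocks. NOTE(review): a fixed name in world-writable /tmp, written
# by a privileged script, can be pre-created or symlinked by a local user;
# move it to a root-owned directory when possible. The symlink check below is
# only a partial guard.
_block_log="/tmp/nginx_deny.log"
# How many trailing log lines to inspect, and the per-address request count
# above which an address is blocked.
_tail_lines=50000
_max_hits=1000
# Case-insensitive pattern of log lines excluded from counting (see notes).
_ua_exclude='google|yahoo|baidu|msnbot|FeedSky|sogou|WordPress'

# Sanity filters for values taken from the log before they reach the nginx
# config or the iptables command line. They reject anything that is not
# address-shaped; they are not full address validators.
_ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
_ipv6_re='^[0-9A-Fa-f]*:[0-9A-Fa-f:.]*$'

# Address currently being processed.
_drop_Ip=""
# Number of deny entries added in this run.
_added=0

if [[ ! -r "${_logfilepath}" ]]; then
  printf 'cannot read access log: %s\n' "${_logfilepath}" >&2
  exit 1
fi

if [[ -L "${_block_log}" ]]; then
  printf 'refusing to write through symlink: %s\n' "${_block_log}" >&2
  exit 1
fi

# Make sure the deny file exists so grep and >> below have a target.
test -e "${_nginx_deny}" || touch "${_nginx_deny}"

while IFS= read -r _drop_Ip; do
  if [[ "${_drop_Ip}" =~ ${_ipv4_re} ]]; then
    _is_v4=1
  elif [[ "${_drop_Ip}" =~ ${_ipv6_re} ]]; then
    _is_v4=0
  else
    printf 'skipping malformed address from log: %q\n' "${_drop_Ip}" >&2
    continue
  fi

  # Exact, literal whole-line match. A plain regex/substring grep would treat
  # "1.2.3.4" as already present when only "11.2.3.40" is listed.
  if grep -qxF -- "deny ${_drop_Ip};" "${_nginx_deny}"; then
    continue
  fi

  printf '%s\n' "deny ${_drop_Ip};" >> "${_nginx_deny}"
  _added=$((_added + 1))

  printf '%s\n' \
    ">>>>> $(date '+%Y-%m-%d %H%M%S') - 发现攻击源地址 ->  ${_drop_Ip} " \
    >> "${_block_log}"

  # iptables handles IPv4 only; IPv6 addresses get the nginx deny entry alone.
  if (( _is_v4 == 1 )); then
    if ! iptables -I INPUT -p tcp --dport "${_port}" -s "${_drop_Ip}" -j DROP; then
      printf 'iptables rule failed for %s\n' "${_drop_Ip}" >&2
    fi
    printf '%s\n' \
      "iptables -I INPUT -p tcp --dport ${_port} -s ${_drop_Ip} -j DROP" \
      >> "${_block_log}"
  fi
done < <(
  tail -n "${_tail_lines}" "${_logfilepath}" \
    | awk '{print $1,$12}' \
    | grep -i -v -E "${_ua_exclude}" \
    | awk '{print $1}' \
    | sort \
    | uniq -c \
    | sort -rn \
    | awk -v max="${_max_hits}" '$1 > max { print $2 }'
)

# Reload once, and only after the configuration parses, so a bad deny file
# cannot take the running server down.
if (( _added > 0 )); then
  if "${_nginx_bin}" -t; then
    "${_nginx_bin}" -s reload
  else
    printf 'nginx configuration test failed; not reloading\n' >&2
    exit 1
  fi
fi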
