根据访问日志封IP

#! /bin/bash

# Absolute path of the iptables binary on this host.
iptables="/sbin/iptables"

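#######################################
# Block web clients that dominate the tail of the access log.
#
# Counts the first field of the last 1000 access-log lines and, for every
# IPv4 address seen more often than the threshold, inserts a DROP rule for
# TCP port 80 at the top of the INPUT chain unless that exact rule already
# exists. Every rule that was actually added is appended to the drop log.
#
# Globals (all optional, read only):
#   iptables              iptables binary to run (default: `iptables` via PATH)
#   BLACKLIST_ACCESS_LOG  log to scan (default /var/log/httpd/slist_access_log)
#   BLACKLIST_DROP_LOG    audit log (default /var/log/dropip.log)
#   BLACKLIST_THRESHOLD   hits above which a client is blocked (default 300)
# Outputs: appends "<time> WEB <ip> NUM: <hits>" to the drop log;
#          diagnostics go to stderr.
#
# Operational caveats for whoever deploys this:
#   - The first log field must be the real client address. Behind a reverse
#     proxy or load balancer it is the proxy's address, and blocking it
#     drops all traffic.
#   - There is no allow-list: NAT gateways, monitoring probes and crawlers
#     can legitimately exceed the threshold.
#   - The window is a line count, not a time span, so on a quiet site the
#     1000 lines may cover a long period.
#   - Nothing in this function ever removes a rule it added.
#   - Only IPv4 is handled; IPv6 clients would need ip6tables.
#######################################
blacklist() {
  local ipt=${iptables:-iptables}
  local drop_log=${BLACKLIST_DROP_LOG:-/var/log/dropip.log}
  local threshold=${BLACKLIST_THRESHOLD:-300}
  local -r ipv4_shape='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
  local stamp ip hits

  # A malformed override must not silently disable or distort blocking.
  [[ $threshold =~ ^[0-9]+$ ]] || threshold=300

  stamp=$(date +"%Y%m%d %H:%M:%S")

  # Emits one "host=count" line per distinct first field, busiest first.
  http_who() {
    tail -n 1000 -- "${BLACKLIST_ACCESS_LOG:-/var/log/httpd/slist_access_log}" \
      | awk '{ hits[$1]++ } END { for (host in hits) print host, hits[host] }' \
      | sort -k2 -rn \
      | awk '{ print $1 "=" $2 }'
  }

  while IFS='=' read -r ip hits; do
    # Log content is untrusted. Accept only a dotted-quad literal: a
    # reverse-DNS name in the log is chosen by whoever controls the PTR
    # record and must not decide which address gets dropped.
    [[ $ip =~ $ipv4_shape ]] || continue
    [[ $hits =~ ^[0-9]+$ ]] || continue
    [ "$hits" -gt "$threshold" ] || continue

    # Ask iptables whether this exact rule exists (-C/--check; not available
    # in very old iptables releases). Grepping the listing for the address
    # would also match longer addresses that merely contain it, leaving the
    # shorter one unblocked.
    if "$ipt" -C INPUT -p tcp -m tcp -s "$ip" --dport 80 -j DROP 2>/dev/null; then
      continue
    fi

    # Record the block only when the rule really went in, so the drop log
    # stays a reliable audit trail.
    if "$ipt" -I INPUT -p tcp -m tcp -s "$ip" --dport 80 -j DROP; then
      printf '%s WEB %s NUM: %s\n' "$stamp" "$ip" "$hits" >> "$drop_log"
    else
      printf 'blacklist: could not add DROP rule for %s\n' "$ip" >&2
    fi
  done < <(http_who)
}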

# Poll forever: run one blacklist pass, then pause five seconds before the
# next one.
while true; do
  blacklist
  #tail -n 5 /var/log/dropip.log
  #echo ""
  sleep 5
done

