根据TCP访问情况封禁IP

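#!/bin/bash
# Block client IPs that hold too many ESTABLISHED TCP connections to port 80.
#
# Counts ESTABLISHED connections per client address (netstat column 5 with
# the ":port" suffix stripped) and adds a ufw deny rule for every address
# above MAX_CONN that does not already appear in the ufw rule list.
# Requires: netstat (net-tools) and sudo access to ufw.

set -u

# Connections from a single source above this count are treated as abnormal.
# Defaults to the original hard-coded 100; override via the environment.
MAX_CONN=${MAX_CONN:-100}

# gsub removes the ":port" part of column 5 (client address) so that the
# count is per IP rather than per socket.
ABNORMAL_IP=$(netstat -an | awk -v max="$MAX_CONN" '
  $4 ~ /:80$/ && $6 ~ /ESTABLISHED/ { gsub(/:[0-9]+/, "", $5); a[$5]++ }
  END { for (i in a) if (a[i] > max) print i }')

# Snapshot the rule list once instead of calling ufw once per IP.
UFW_RULES=$(sudo ufw status verbose)

for IP in $ABNORMAL_IP; do
  # Fixed-string, whole-word match: the original substring grep would treat
  # an existing rule for 1.2.3.45 as already covering 1.2.3.4.
  if ! grep -qwF -- "$IP" <<<"$UFW_RULES"; then
    sudo ufw deny from "$IP"
  fi
done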

编写脚本

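#!/bin/bash
# Nginx access-log rate check, part 1: define the time window.
#
# Sets start_time / stop_time to the last $last_minutes minute(s); the
# log filtering further down compares log timestamps against them.

# Directory holding access.log; change this to your own path.
logfile="/usr/local/nginx/logs"

# Window length in minutes (how far back to look; raise it to count
# hits over a longer period).
last_minutes=1

# Window start: $last_minutes minute(s) before now.
# The original had a space after '=', which left start_time empty and
# merely printed the date; it also ignored last_minutes.
start_time=$(date +"%Y-%m-%d %H:%M:%S" -d "-${last_minutes} minutes")
echo "$start_time"

# Window end: now.
stop_time=$(date +"%Y-%m-%d %H:%M:%S")
echo "$stop_time"

cur_date=$(date +%Y-%m-%d)
echo "$cur_date"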

过滤出单位时间内的日志并统计访问次数最高的IP,请替换为你的日志路径

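# Keep only the log lines whose timestamp falls inside the window, then
# count requests per client IP (column 1), most frequent first.
# NOTE(review): substr($2, RSTART+14, 21) reads column 2 of each line;
# RSTART is never set by match() here, so it is 0, and the extracted text
# is compared as a string against "YYYY-MM-DD HH:MM:SS". That only works
# if your log_format writes the timestamp in exactly that form in column 2
# — verify against your nginx configuration before trusting the output.
tac "$logfile/access.log" \
  | awk -v st="$start_time" -v et="$stop_time" \
      '{ t = substr($2, RSTART + 14, 21); if (t >= st && t <= et) print $0 }' \
  | awk '{ print $1 }' \
  | sort | uniq -c | sort -nr > "$logfile/log_ip_top10"

# Request count of the busiest IP (first column of the top line).
ip_top=$(head -1 "$logfile/log_ip_top10" | awk '{ print $1 }')

# An IP is flagged when it made more than $max_hits requests in the window.
# 2 is the test value from the original; raise it for production use.
max_hits=${max_hits:-2}

# Every flagged IP, one per line.
ip=$(awk -v max="$max_hits" '$1 > max { print $2 }' "$logfile/log_ip_top10")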

单位时间[1分钟]内单ip访问次数超过2次的ip记录入black.log,这里为了测试设置2,你需要改成其它的数字

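# Append each flagged IP to the blocklist file and print it.
for line in $ip; do
  echo "$line" >> "$logfile/black.txt"
  echo "$line"
  # The Cloudflare API call below pushes the list to the CF firewall.
done

# Cloudflare credentials are read from the environment instead of being
# written into the script. The script aborts if any is unset.
#   CFEMAIL  - Cloudflare account email
#   CFAPIKEY - Cloudflare API key
#   ZONESID  - zone ID of the domain
# NOTE(review): a key that has been pasted into a script or web page
# should be treated as exposed and rotated in the Cloudflare dashboard.
: "${CFEMAIL:?set CFEMAIL to the Cloudflare account email}"
: "${CFAPIKEY:?set CFAPIKEY to the Cloudflare API key}"
: "${ZONESID:?set ZONESID to the Cloudflare zone ID}"

# $logfile/black.txt holds the attacking IPs, one per line.
mapfile -t BLOCK_IPS < "$logfile/black.txt"

# Submit every IP to the Cloudflare firewall blocklist.
# mode is one of: block, challenge, whitelist, js_challenge
for IPADDR in "${BLOCK_IPS[@]}"; do
  # Only plain IPv4/IPv6 text is placed in the JSON body; any other line
  # from the file is skipped rather than interpolated into the request.
  if [[ ! "$IPADDR" =~ ^[0-9A-Fa-f.:]+$ ]]; then
    printf 'skipping non-IP entry: %s\n' "$IPADDR" >&2
    continue
  fi
  echo "$IPADDR"
  # Build the body with printf; the single-quoted original sent the literal
  # text $IPADDR (and $CFEMAIL / $CFAPIKEY in the headers) to the API.
  printf -v payload '{"configuration": {"target": "ip","value": "%s"},"mode": "block","notes": "CC Attatch"}' "$IPADDR"
  curl --request POST \
    --url "https://api.cloudflare.com/client/v4/zones/$ZONESID/firewall/access_rules/rules" \
    --header 'Content-Type: application/json' \
    --header "X-Auth-Email: $CFEMAIL" \
    --header "X-Auth-Key: $CFAPIKEY" \
    --data "$payload"
done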

根据负载自动切换5秒盾脚本

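#!/bin/bash
# Switch the Cloudflare zone to "I'm Under Attack" when the 1-minute load
# average exceeds $maxload, and back to "high" once it has dropped.
#
# State is kept in ./attacking (1 = protection on, 0 = off) so the API is
# only called on a transition. $1 is compared against that state (0 to
# arm, 1 to disarm) — kept from the original; confirm how your cron entry
# passes it.
#
# Credentials are read from the environment, never written into the script:
#   api_key  - Global API key (https://dash.cloudflare.com/profile)
#   email    - email of the Cloudflare account
#   zone_id  - zone ID (https://dash.cloudflare.com/_zone-id_/domain.com)

set -u

# /proc/loadavg fields: 1min 5min 15min ...; only the 1-minute value is used.
loadavg=$(awk '{ printf "%f", $1 }' /proc/loadavg)

# Load above this value counts as an attack; override via the environment.
maxload=${maxload:-10}

: "${api_key:?set api_key to the Cloudflare Global API key}"
: "${email:?set email to the Cloudflare account email}"
: "${zone_id:?set zone_id to the Cloudflare zone ID}"

# State file. It must be assigned before the existence test; the original
# tested $attacking before assigning it, so the file was never created.
attacking=./attacking
if [ ! -e "$attacking" ]; then
  echo 0 > "$attacking"
fi
hasattack=$(cat "$attacking")

# Positional flag, defaulted so an unset $1 does not abort under set -u.
mode_arg=${1:-}

# Set the zone security level to $1 (e.g. under_attack, high).
# Returns curl's status; -f makes an HTTP error count as failure so the
# caller only records the new state when the API accepted the change.
set_security_level() {
  local level=$1
  curl -s -f -X PATCH "https://api.cloudflare.com/client/v4/zones/$zone_id/settings/security_level" \
    -H "X-Auth-Email: $email" \
    -H "X-Auth-Key: $api_key" \
    -H "Content-Type: application/json" \
    --data "{\"value\":\"$level\"}" > /dev/null
}

# Float comparison done in awk instead of bc, which is often not installed.
if awk -v l="$loadavg" -v m="$maxload" 'BEGIN { exit !(l > m) }'; then
  if [[ "$hasattack" = 0 && "$mode_arg" = 0 ]]; then
    # Activate protection; persist the state only after the API call succeeded.
    if set_security_level under_attack; then
      echo 1 > "$attacking"
    else
      echo "failed to enable under_attack mode" >&2
    fi
  fi
else
  if [[ "$hasattack" = 1 && "$mode_arg" = 1 ]]; then
    # Disable protection; same rule, state follows a successful call.
    if set_security_level high; then
      echo 0 > "$attacking"
    else
      echo "failed to restore security level" >&2
    fi
  fi
fi

exit 0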