Nginx + iptables: blocking IPs that request pages too frequently (DDoS and malicious collectors)
- 2020-05-06 12:13:53
- OfStack
The script is as follows:
#!/bin/sh
# Scan the last 50000 lines of the nginx access log, count requests to
# .aspx pages per client IP (ignoring known search-engine crawlers) and
# write an nginx "deny" line for every IP with more than 150 hits.
nginx_home=/Data/app_1/nginx   # no spaces around "=" in sh
log_path=/Data/logs
# The field positions ($8 = request URI, $2 = client IP, $13 = User-Agent)
# depend on this site's log format; adjust them for yours.
/usr/bin/tail -n50000 $log_path/access.log \
  | awk '$8 ~ /aspx/ {print $2,$13}' \
  | grep -i -v -E "google|yahoo|baidu|msnbot|FeedSky|sogou" \
  | awk '{print $1}' | sort | uniq -c | sort -rn \
  | awk '{if ($1 > 150) print "deny " $2 ";"}' > $nginx_home/conf/vhosts/blockip.conf
# Send HUP so nginx reloads its config (and the new deny list) without a restart.
/bin/kill -HUP `cat $nginx_home/nginx.pid`
You can also pick out the IPs that access the site too frequently by analysing the nginx log and block them directly with iptables instead of reloading nginx, which is even better.
To block a single IP:
iptables -I INPUT -s 124.115.0.199 -j DROP
To block an IP range (/16):
iptables -I INPUT -s 124.115.0.0/16 -j DROP
To block a whole /8:
iptables -I INPUT -s 194.42.0.0/8 -j DROP
To block several ranges:
iptables -I INPUT -s 61.37.80.0/24 -j DROP
iptables -I INPUT -s 61.37.81.0/24 -j DROP
Just now I carelessly locked myself out so that nothing could connect at all -_-!!
iptables -I INPUT -p tcp --dport 80 -s 124.115.0.0/24 -j DROP
From now on use this one, which only blocks port 80, and there is no problem!
iptables -I INPUT -p tcp --dport 80 -s 124.115.0.0/24 -j DROP
iptables -I INPUT -s 61.37.81.0/24 -j DROP
Unblock everything (flush all rules):
iptables -F
Delete a single rule by its number:
iptables -D INPUT <rule number>
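As an added example (not code from the original post), here is the iptables variant the text recommends: the same log analysis, but instead of writing deny lines and HUP-ing nginx it inserts port-80-only DROP rules, and checks with iptables -C first so repeated runs do not pile up duplicate rules. It assumes nginx's default "combined" log format, the post's paths and 150-hit threshold, and the post's crawler list.

```shell
#!/bin/sh
# Added example (not from the original post): count requests per client
# IP in an nginx access log, skip the search-engine crawlers the post
# excludes, and block the heavy hitters with iptables on port 80 only,
# so SSH and everything else stay reachable and nginx is never reloaded.
# Assumes nginx's default "combined" log format (client IP is field 1,
# User-Agent is the last quoted field); the paths and the 150-hit
# threshold are assumptions taken from the post's own script.

LOG=${LOG:-/Data/logs/access.log}
LINES=${LINES:-50000}
THRESHOLD=${THRESHOLD:-150}
BOTS='google|yahoo|baidu|msnbot|FeedSky|sogou'

# offenders LOGFILE THRESHOLD -> prints "count ip" for each IP over THRESHOLD.
# Crawler lines are dropped by matching the whole line, exactly as the post
# does, so a request URI containing "google" would also be skipped.
offenders() {
    tail -n "$LINES" "$1" \
      | grep -i -v -E "$BOTS" \
      | awk '{print $1}' | sort | uniq -c | sort -rn \
      | awk -v t="$2" '$1 > t {print $1, $2}'
}

# rule_for IP -> the exact iptables command that block_offenders applies.
rule_for() {
    printf 'iptables -I INPUT -p tcp --dport 80 -s %s -j DROP\n' "$1"
}

# Apply one rule per offender; -C (check) returns 0 when an identical rule
# already exists, so re-running this from cron does not add duplicates.
block_offenders() {
    offenders "$LOG" "$THRESHOLD" | while read -r count ip; do
        if iptables -C INPUT -p tcp --dport 80 -s "$ip" -j DROP 2>/dev/null; then
            echo "already blocked: $ip ($count hits)"
        else
            echo "blocking $ip ($count hits)"
            iptables -I INPUT -p tcp --dport 80 -s "$ip" -j DROP
        fi
    done
}
```

Run block_offenders from root's cron every few minutes; calling offenders "$LOG" "$THRESHOLD" on its own shows what would be blocked without touching the firewall.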