.net封连接数超过500的IP5分钟

#!/bin/bash

#by jack

 

tail -50000 /apps/logs/haproxy/haproxy.log |grep api_backend|awk -F":" '{ print $4}'| sort | uniq -c | sort -k1,1 -rn | head -n 10 > /tmp/connet

#tail -150000 /apps/logs/haproxy/haproxy.log |grep api_backend|awk -F":" '{ print $4}'| sort | uniq -c | sort -k1,1 -rn | head -n 10 > /tmp/connet

 

echo ''> /tmp/blockip

while read IP

do

count=`echo "$IP"|awk -F" " '{print $1}'`

address=`echo "$IP"|awk -F" " '{print $2}'`

    if [ "$count" -gt 500 ];then

    echo `date` >> /apps/logs/haproxy/connect.log

    echo "count     ip" >> /apps/logs/haproxy/connect.log

    echo "$IP" >> /apps/logs/haproxy/connect.log

    iptables -A INPUT  -s "$address" -j DROP

    echo "iptables -D INPUT  -s "$address" -j DROP" >> /tmp/blockip

    fi

 

done < /tmp/connet

 

sleep 300

 

while read blockip

do

$blockip

echo clean iptables rule

done < /tmp/blockip