自动封杀脚本

自动化防御脚本:
1. 取的每分钟调用接口频繁的IP地址
#!/usr/bin/perl
#取文件行数
##循环开始清空文件
use POSIX;
use CGI;
use DBI;
use HTTP::Date qw(time2iso str2time time2iso time2isoz);  
use Net::SMTP;
sub send_mail{
if (@_ != 2){print "请输入2个参数
";exit 1};
    ($m,$n) = @_; #将参数赋值给变量  
    my $to_address  = $m;
my $CurrTime = time2iso(time());
    my $to_address  = $m;

 my $mail_user   = 'zhaoyangjian@zjcap.cn';
    my $mail_pwd    = 'xxxx55';
    my $mail_server = 'smtp.exmail.qq.com';

    my $from    = "From: $mail_user
";
    my $subject = "Subject: zjcap info
";
    my $info = "$CurrTime--$n";
     my $message = <<CONTENT; 
     $info
CONTENT
    my $smtp = Net::SMTP->new($mail_server);

    $smtp->auth($mail_user, $mail_pwd) || die "Auth Error! $!";
    $smtp->mail($mail_user);
    $smtp->to($to_address);

    $smtp->data();             # begin the data
    $smtp->datasend($from);    # set user
    $smtp->datasend($subject); # set subject
    $smtp->datasend("

");
    $smtp->datasend("$message
"); # set content
    $smtp->dataend();
    $smtp->quit();
};

my $SDATE = strftime("%Y-%m-%d",localtime());
my $XDATE = strftime("%Y%m%d%H%M%S",localtime());
my $dir  = '/usr/local/apache-tomcat-7.0.55_8081/logs';
my $file = "localhost_access_log.$SDATE.txt";
$mon_file = "$dir/$file";
print "$mon_file is $mon_file
";
##如果文件存在,清空文件
if (-f "tmp.out"){
open FILE,">tmp.out";
close FILE;}

if (-f "sum_acc.log"){
open FILE,">sum_acc.log";
close FILE;}

if (-f "ip.txt"){
open FILE,">ip.txt";
close FILE;}
###上次文件的记录数
open( A, "<", "count.txt" );
            while (<A>) {
            $count = $_;
                        };
print "上次记录的记录数为$count
";

###文件的最新记录数
open(my $fh, '<', "$mon_file");
$. = 0;
while (<$fh>) {
    ($num=$.) if eof;
};
print "文件最新的记录数为$num"."
";
###最新的文件记录数 写入count.txt
open( B, ">", "count.txt" );
print B ("$num
");

##记录最新的日志
if ( defined($count)  && $num != $count && $num !=0  )
{print "开始处理
";
     open( C, "<", "$mon_file" ) || die "$!
";
       while (<C>) {
             if  ($. > "$count" ){ 
              open( D, ">>", "tmp.out" );
              print D ("$_");
             }
                  }
};
               close D;
##########监控关键字，以空格隔开################
open (LOG ,"<","/home/tomcat/sum_acc/tmp.out");  
                    while (<LOG>) {  
                    chomp; 
 if ($_ =~ /.*s+"GETs*(.*?)=.*s+(d{1,3}.d{1,3}.d{1,3}.d{1,3})$/){
$ip=$2;
 $hash{$ip}++;
}
                               };
while(my($ip, $times) = each %hash) {
                   print "$ip access count(*) ==   $times
";
open( E, ">>", "sum_acc.log" );
print E ("$ip access count(*) ==   $times
");                     
open( F, ">>", "ip.txt" );
if ( "$times" > "30" ){send_mail('zhaoyangjian@zjcap.cn',"flow01-$ip access count(*) ==   $times
");print F ("$ip 
");;
close E;
close F;
}};


2. 把地址rsync到前台
. ~/.bash_profile
passwd=xxx
expect <<!
spawn rsync -avH ip.txt root@121.0.1.108:/root/sbin/
expect {
    "(yes/no)?" {
        send "yes
"
        expect "password:"
        send "$passwd
"
    }
        "password:" {
        send "$passwd
"
    }
 }
expect eof
exit
!
##########################################################
expect <<!
spawn rsync -avH ip.txt root@11.40.16.5:/root/sbin/
expect {
    "(yes/no)?" {
        send "yes
"
        expect "password:"
        send "$passwd
"
    }
        "password:" {
        send "$passwd
"
    }
 }
expect eof
exit
!


第三步: 加入到iptables
cd /root/sbin
while :
do
if [ -s "ip.txt" ]
   then
cat ip.txt |grep -v '115.236.160.82' | while read A
   do
    if [ $(grep $A /etc/sysconfig/iptables |grep -v grep |wc -l ) -eq 0  ] 
        then
          sh ./reject_ip.sh $A
        else
          continue
   fi
done
fi
sleep 10
done