通过分析nginx log 后使用iptables来防ddos攻击

3r2e3123

[iyunv@test-host nginx]#
[iyunv@test-host nginx]#
[iyunv@test-host nginx]# pwd
/etc/nginx
[iyunv@test-host nginx]# more nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/
user              nginx;
worker_processes  2;
#worker_cpu_affinity 2;
error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
    use epoll;
}

http {
    include       /etc/nginx/mime.types;
    #default_type  application/octet-stream;
     default_type  text/plain;
    server_names_hash_bucket_size 64;
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    log_format  main  '$http_x_forwarded_for $remote_addr $remote_user [$time_local] "$request" '
                      '$status $upstream_addr $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" ';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout  65;
    #gzip  on;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 16 64k;
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types text/plain application/x-javascript text/css application/xml;
    gzip_vary on;
   

    # Load config files from the /etc/nginx/conf.d directory
    # The default server is in conf.d/default.conf
    include /etc/nginx/conf.d/*.conf;
}
[iyunv@test-host nginx]#
[iyunv@test-host nginx]#
[iyunv@test-host nginx]#  tail /var/log/nginx/access.log
- 183.222.154.40 - [20/Jan/2015:11:32:01 +0800] "POST /index.php?m=awmembers&c=ajax&a=ajax_check_account HTTP/1.1" 200 10.80.124.46:8081 2 "http://www.jedy.com/index.php?m=awmembers&c=ajax&a=ajax_check_account" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
- 116.207.86.146 - [20/Jan/2015:11:32:01 +0800] "GET /UpdateClientVersion.ini HTTP/1.1" 400 10.80.124.46:8081 39 "-" "UpdateClient_Updater"
- 113.139.38.21 - [20/Jan/2015:11:32:01 +0800] "POST /index.php?m=awmembers&c=ajax&a=ajax_check_account HTTP/1.0" 200 10.80.124.46:8081 2 "http://www.jedy.com/index.php?m=awmembers&c=ajax&a=ajax_check_account" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
- 190.75.114.131 - [20/Jan/2015:11:32:02 +0800] "POST /index.php?m=awmembers&c=ajax&a=ajax_check_account HTTP/1.0" 200 10.80.124.46:8081 2 "http://www.jedy.com/index.php?m=awmembers&c=ajax&a=ajax_check_account" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
- 116.207.86.146 - [20/Jan/2015:11:32:02 +0800] "GET /api.php?op=game&target=popad&clientid=AM1AWBFBJQQBCYAAGElTRN1VdFlBStACCYFXbdAUDYgVQJQVUNVXSdwCDAQVAAQSJYFUTBgVEYQVEkwU HTTP/1.1" 302 10.80.124.46:8082 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"
- 186.94.184.28 - [20/Jan/2015:11:32:02 +0800] "POST /index.php?m=awmembers&c=ajax&a=ajax_check_account HTTP/1.0" 200 10.80.124.46:8081 2 "http://www.jedy.com/index.php?m=awmembers&c=ajax&a=ajax_check_account" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
- 190.38.80.164 - [20/Jan/2015:11:32:02 +0800] "POST /index.php?m=awmembers&c=ajax&a=ajax_check_account HTTP/1.0" 200 10.80.124.46:8081 2 "http://www.jedy.com/index.php?m=awmembers&c=ajax&a=ajax_check_account" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
- 27.192.40.74 - [20/Jan/2015:11:32:02 +0800] "POST /index.php?m=awmembers&c=ajax&a=ajax_check_account HTTP/1.0" 200 10.80.124.46:8081 2 "http://www.jedy.com/index.php?m=awmembers&c=ajax&a=ajax_check_account" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
- 200.84.196.41 - [20/Jan/2015:11:32:02 +0800] "POST /index.php?m=awmembers&c=ajax&a=ajax_check_account HTTP/1.0" 200 10.80.124.46:8081 2 "http://www.jedy.com/index.php?m=awmembers&c=ajax&a=ajax_check_account" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
181.225.58.165 200.62.19.43 - [20/Jan/2015:11:32:02 +0800] "POST /index.php?m=awmembers&c=ajax&a=ajax_check_account HTTP/1.1" 200 10.80.124.46:8081 2 "http://www.jedy.com/index.php?m=awmembers&c=ajax&a=ajax_check_account" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
[iyunv@test-host nginx]#
[iyunv@test-host nginx]#
[iyunv@test-host nginx]# more ~/ddos.sh               
#!/bin/sh
date1=`date +%d/%b/%Y:%H:%M -d "1 minute ago"`
access=`more /var/log/nginx/access.log | grep $date1 |awk '{print $1,$2}' | sort -nr`
add1=`echo "$access" | awk '{print $1}'|grep -v - | sort -nr |uniq -c|sort -nr|head -1`
add2=`echo "$access" | awk '{print $2}'|grep -v - | sort -nr |uniq -c|sort -nr|head -1`
echo "$add1"
echo "$add2"
if [ -n "$add1" ]
then
    NUM1=`echo "$add1" |awk '{print $1}'`
    IP1=`echo "$add1" |awk '{print $2}'`
        if [ $NUM1 -gt 1000 ]
        then
                echo "`date`  IP:$IP1 is over $NUM1, BAN IT!" >>/root/ddos.log
                /sbin/iptables -I DROP_WEB 1 -s $IP1 -j DROP
        fi
fi
NUM2=`echo "$add2" |awk '{print $1}'`
IP2=`echo "$add2" |awk '{print $2}'`
#result2=`echo "$NUM2 > 1000" | bc`
#if [ $result2 = 1 ]
if [ $NUM2 -gt 1000 ]
        then
        echo "`date`  IP:$IP2 is over $NUM2, BAN IT!" >>/root/ddos.log
        /sbin/iptables -I DROP_WEB 1 -s $IP2 -j DROP
fi
[iyunv@test-host nginx]#
[iyunv@test-host nginx]#
[iyunv@test-host nginx]#  crontab -l
*/1 * * * * /root/ddos.sh
#0 * * * * /root/nginx-log.sh
[iyunv@test-host nginx]#
[iyunv@test-host nginx]#
[iyunv@test-host ~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
306M  283G DROP_WEB   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  269  173K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
33255   13M ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 10
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/16       0.0.0.0/0           tcp dpt:22
#####################################################
######################略#############################
#####################################################
        
   76  3916 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 #conn/32 > 100 reject-with icmp-port-unreachable
338M  306G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
15124  814K LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 recent: CHECK seconds: 6 hit_count: 20 name: webpool side: source LOG flags 4 level 5 prefix `DDOS:'
191K   11M DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 recent: CHECK seconds: 6 hit_count: 20 name: webpool side: source
  10M  547M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 recent: SET name: webpool side: source
43799 3012K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 62M packets, 39G bytes)
pkts bytes target     prot opt in     out     source               destination        
Chain DROP_WEB (1 references)
pkts bytes target     prot opt in     out     source               destination         
[iyunv@test-host ~]#