
March 25, 2004

Proxy auto-ban: squid autodeny.pl - I Love Networking

Same approach as the www script, except that here the number of denials is counted before an address is banned.

#!/usr/bin/perl
#
# squid log auto-ban
# Usage:
#       tail -f /opt/old_access/access.log | /opt/old_access/autodeny.pl
#
# Zhang Xiuling (windtear@ipcn.org)
#
use strict;

# Hashes keyed by IP: denial count / already-banned flag
my %BADLIST = ();
my %DENIEDLIST = ();
my ($line, $badip, $date);

while (<STDIN>){
        chomp $_;
        $line = $_;
        $badip="";
        # the client address is the field just before TCP_DENIED
        if ( $line =~ /(.*)\ (\d+\.\d+\.\d+\.\d+)\ TCP_DENIED(.*)/ ) {
                $badip=$2;
        }
        if (! $badip ) {
                next;
        }
        # never ban the local network (dots escaped so that only 192.168.1.x matches)
        if ($badip =~ /^192\.168\.1\./ ) {
                next;
        }
        if (! $BADLIST{$badip} )
        {
                $BADLIST{$badip} = 1;
        }
        else
        {
                $BADLIST{$badip} = $BADLIST{$badip}+1;
        }
        # ban on the 51st denial, and only once per address
        if ( $BADLIST{$badip} > 50 )
        {
                if (! $DENIEDLIST{$badip} )
                {
                        $DENIEDLIST{$badip} = 1;
                        $date = `date`;
                        chomp $date;
                        # ban record (OUT and OUT2 must be opened for append first)
                        #printf OUT "%s  %-15s\n",$date,$badip;
                        #printf OUT2 "%s\n",$badip;
                        # or via system calls
                        system ( "printf \"%s   %-15s\\n\" \"$date\" \"$badip\" >>/opt/old_access/squid.deny.log" );
                        system ( "printf \"%s\\n\" \"$badip\" >>/opt/old_access/squid.deny" );
                        system("/sbin/iptables -A squid -p tcp --dport 3815 -j DROP -s $badip");
                }
        }
}

Posted by windtear at 4:26 PM
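
The squid script above counts denials for as long as it runs, so 51 denials spread over weeks still trigger a ban. As an added example (not the author's code, and going one step beyond it), the same threshold applied inside a sliding time window, with a CIDR allowlist and the iptables rule returned as an argument list; the 600-second window and the sample log lines are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Squid native access.log: "<epoch>.<ms> <elapsed> <client> <action>/<status> ..."
DENIED_RE = re.compile(r"^(\d+)\.\d+\s+\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+TCP_DENIED/")

class DenyTracker:
    """Ban a client once it exceeds `threshold` denials within `window` seconds."""
    def __init__(self, threshold=50, window=600, allow=("192.168.1.0/24",)):
        self.threshold = threshold          # same limit as autodeny.pl
        self.window = window                # assumption: autodeny.pl has no time window
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.hits = defaultdict(deque)      # client -> timestamps of recent denials
        self.banned = set()

    def feed(self, line):
        """Return the iptables argv for a newly banned client, otherwise None."""
        m = DENIED_RE.match(line)
        if not m:
            return None
        ts = int(m.group(1))
        try:
            ip = ipaddress.ip_address(m.group(2))    # rejects octets above 255
        except ValueError:
            return None
        if ip in self.banned or any(ip in net for net in self.allow):
            return None
        recent = self.hits[ip]
        recent.append(ts)
        while recent and recent[0] <= ts - self.window:   # expire old denials
            recent.popleft()
        if len(recent) <= self.threshold:
            return None
        self.banned.add(ip)                          # one rule per client, never a duplicate
        del self.hits[ip]
        # argv list for subprocess.run(): no shell, so nothing from the log is interpolated
        return ["/sbin/iptables", "-A", "squid", "-p", "tcp",
                "--dport", "3815", "-s", str(ip), "-j", "DROP"]

def sample_line(ts, client, action="TCP_DENIED/403"):
    """Constructed squid log line (sample data, not from the page)."""
    return f"{ts}.123      5 {client} {action} 1419 GET http://example.invalid/ - NONE/- text/html"

if __name__ == "__main__":
    tracker = DenyTracker()
    lines = (sample_line(1080203000 + i, "203.0.113.9") for i in range(60))
    print([argv for argv in map(tracker.feed, lines) if argv])
```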

Auto-ban for www: 80autodeny.pl - I Love Networking

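The principle is always the same: watch the log, and ban whatever looks wrong. I had just replied to an e-mail about this, so I might as well blog it too.

#!/usr/bin/perl
#
# http log auto-ban
# Usage:
#       tail -f /var/log/httpd/ipcn.org.txt | /usr/local/bin/80autodeny.pl
#
# Zhang Xiuling (windtear@ipcn.org)
#
use strict;
use IO::Handle;

my ($badip, $date);

open(OUT,">>/var/log/httpd/deny.log") || die("cannot open deny.log");
open(OUT2,">>/var/log/httpd/deny") || die("cannot open deny");
# write each ban record at once; the script runs indefinitely behind tail -f
OUT->autoflush(1);
OUT2->autoflush(1);

while (<STDIN>){
        chomp $_;
        $badip="";
        # default.ida request padded with X characters
        if ( /(\d+\.\d+\.\d+\.\d+)(.*)GET\ \/default.ida\?XXXXXXXXXXXXXXXXXX/ ) {
                $badip=$1;
        }
        # requests under /scripts/
        elsif ( /(\d+\.\d+\.\d+\.\d+)(.*)GET\ \/scripts\//i ) {
                $badip=$1;
        }
        # requests under /msadc/
        elsif ( /(\d+\.\d+\.\d+\.\d+)(.*)GET\ \/msadc\//i ) {
                $badip=$1;
        }
        # ".." anywhere in the request (path traversal)
        elsif ( /(\d+\.\d+\.\d+\.\d+)(.*)GET.*\.\./ ) {
                $badip=$1;
        }
        # requests under /_vti_bin/
        elsif ( /(\d+\.\d+\.\d+\.\d+)(.*)GET\ \/_vti_bin\// ) {
                $badip=$1;
        }
        if (! $badip ) {
                next;
        }
        # never ban the local network (dots escaped so that only 166.111.154.x matches)
        if ($badip =~ /^166\.111\.154\./ ) {
                next;
        }
        $date = `date`;
        chomp $date;
        # ban record
        printf OUT "%s  %-15s\n",$date,$badip;
        printf OUT2 "%s\n",$badip;
        system("/sbin/iptables -A www -p tcp --dport 80 -j DROP -s $badip");
}
close(OUT);
close(OUT2);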

Posted by windtear at 4:07 PM




For any problems using this site, please contact windtear @ windtear.net
Copyright© 1999-2012 Windtear. All rights reserved.