用命令查看web连接过高的IP地址,但是需要人工智能去封,太麻烦了,直接写个脚本自动解决。web服务器是用nginx,python为2.6
首先在nignx的config中建立空文件deny.ip, 然后在nginx.conf 的http标签中添加“include deny.ip;”。在nginx下sbin的目录中放入自动脚本。脚本可以查到连接最大的IP,并插入屏蔽列表中,验证正确性后导入配置。全部完成或者出错后发送邮件。被封ip再次访问会报403错误,如果不希望报错可以跳转到其它页面。源码如下:
check_deny_up.py
#!/bin/python #-*- coding:utf-8 -*- # Filename: main.py # Revision: 1.0 # Date: 2012-06-20 # Author: simonzhang # web: www.simonzhang.net # Email: simon-zzm@163.com ### END INIT INFO import os from string import strip from email.mime.text import MIMEText import smtplib #### check_comm = "/bin/netstat -antp|grep :80|awk ' ''{print $5}'|awk -F: '{print $1}'|sort -r|uniq -c|sort -n -k1 -r" max_ip = 100 mail_host = ‘’; mail_user = ‘’; mail_pwd = ‘’; mail_to = ‘’; mail_cc = ‘’; def reboot_nginx_sendmail(ip_list): #### reboot nginx _get_check_confile = os.popen('./nginx -t').readlines() if str(_get_check_confile.find('ok')) != '-1': os.system('./nginx -s reload') _mail_content = ip_list else: _mail_content = 'Error' #### send mail msg = MIMEText(_mail_content) msg['From'] = mail_user msg['Subject'] = ' force ip.' msg['To'] = mail_to try: s = smtplib.SMTP() s.connect(mail_host) s.login(mail_user, mail_pwd) s.sendmail(mail_user, [mail_to, mail_cc], msg.as_string()) s.close() except Exception, e: print e #### force out IP def force_out(_deny_ip): _write_status = 0 _read_force_file = open('../conf/deny.ip', 'rb').read() if str(_read_force_file.find(_deny_ip)) == '-1': try: _get_force_file = open('../conf/deny.ip', 'ab') _get_force_file.write('deny %s ;\n' % _deny_ip) _get_force_file.close() _write_status = 1 return _write_status except: return _write_status reboot_nginx_sendmail("Error !") return _write_status def main(): get_high_ip = os.popen('%s' % check_comm).readlines() _count_force_ip = 0 _force_ip_list = '' for i in xrange(3): try: _get_count = strip(get_high_ip[i]).split(' ')[0] _get_ip = strip(strip(get_high_ip[i]).split(' ')[1]) except: _get_count = 0 _get_ip = '' # Maximum connection IP is Beyond the limit value if (int(_get_count) > max_ip) and (len(_get_ip) > 0): force_ip = _get_ip _get_status = force_out(force_ip) # check maximum is added in the deny.ip file if str(_get_status) == '1': _count_force_ip += 1 _force_ip_list += ' %s ' % force_ip # if _count_force_ip > 0: # reboot_nginx_sendmail(_force_ip_list) if __name__ == '__main__': main()
启动i脚本
check_deny_up.sh
#! /bin/bash # # make simon-zzm@163.com # # ### END INIT INFO # Source function library. . /etc/profile cd /Data/apps/nginx/sbin/ # See how we were called. case "$1" in start) /usr/local/bin/python check_ip_deny.py ;; *) echo $"Usage: $0 {start}" exit 1 esac exit
将启动脚本放在crontab中运行。
发表评论