用命令查看web连接过高的IP地址,但是需要人工智能去封,太麻烦了,直接写个脚本自动解决。web服务器是用nginx,python为2.6
首先在nignx的config中建立空文件deny.ip, 然后在nginx.conf 的http标签中添加“include deny.ip;”。在nginx下sbin的目录中放入自动脚本。脚本可以查到连接最大的IP,并插入屏蔽列表中,验证正确性后导入配置。全部完成或者出错后发送邮件。被封ip再次访问会报403错误,如果不希望报错可以跳转到其它页面。源码如下:
check_deny_up.py
#!/bin/python
#-*- coding:utf-8 -*-
# Filename: main.py
# Revision: 1.0
# Date: 2012-06-20
# Author: simonzhang
# web: www.simonzhang.net
# Email: simon-zzm@163.com
### END INIT INFO
import os
from string import strip
from email.mime.text import MIMEText
import smtplib
####
check_comm = "/bin/netstat -antp|grep :80|awk ' ''{print $5}'|awk -F: '{print $1}'|sort -r|uniq -c|sort -n -k1 -r"
max_ip = 100
mail_host = ‘’;
mail_user = ‘’;
mail_pwd = ‘’;
mail_to = ‘’;
mail_cc = ‘’;
def reboot_nginx_sendmail(ip_list):
#### reboot nginx
_get_check_confile = os.popen('./nginx -t').readlines()
if str(_get_check_confile.find('ok')) != '-1':
os.system('./nginx -s reload')
_mail_content = ip_list
else:
_mail_content = 'Error'
#### send mail
msg = MIMEText(_mail_content)
msg['From'] = mail_user
msg['Subject'] = ' force ip.'
msg['To'] = mail_to
try:
s = smtplib.SMTP()
s.connect(mail_host)
s.login(mail_user, mail_pwd)
s.sendmail(mail_user, [mail_to, mail_cc], msg.as_string())
s.close()
except Exception, e:
print e
#### force out IP
def force_out(_deny_ip):
_write_status = 0
_read_force_file = open('../conf/deny.ip', 'rb').read()
if str(_read_force_file.find(_deny_ip)) == '-1':
try:
_get_force_file = open('../conf/deny.ip', 'ab')
_get_force_file.write('deny %s ;\n' % _deny_ip)
_get_force_file.close()
_write_status = 1
return _write_status
except:
return _write_status
reboot_nginx_sendmail("Error !")
return _write_status
def main():
get_high_ip = os.popen('%s' % check_comm).readlines()
_count_force_ip = 0
_force_ip_list = ''
for i in xrange(3):
try:
_get_count = strip(get_high_ip[i]).split(' ')[0]
_get_ip = strip(strip(get_high_ip[i]).split(' ')[1])
except:
_get_count = 0
_get_ip = ''
# Maximum connection IP is Beyond the limit value
if (int(_get_count) > max_ip) and (len(_get_ip) > 0):
force_ip = _get_ip
_get_status = force_out(force_ip)
# check maximum is added in the deny.ip file
if str(_get_status) == '1':
_count_force_ip += 1
_force_ip_list += ' %s ' % force_ip
# if _count_force_ip > 0:
# reboot_nginx_sendmail(_force_ip_list)
if __name__ == '__main__':
main()
启动i脚本
check_deny_up.sh
#! /bin/bash
#
# make simon-zzm@163.com
#
#
### END INIT INFO
# Source function library.
. /etc/profile
cd /Data/apps/nginx/sbin/
# See how we were called.
case "$1" in
start)
/usr/local/bin/python check_ip_deny.py
;;
*)
echo $"Usage: $0 {start}"
exit 1
esac
exit
将启动脚本放在crontab中运行。