Computer Old Farts Forum
 help / color / mirror / Atom feed
From: KenUnix <>
To: COFF <>
Subject: [COFF] Fwd: Useful Shell Scripts Network Connections , Logins and Block hacking attempts
Date: Wed, 10 May 2023 19:56:42 -0400	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

[-- Attachment #1.1: Type: text/plain, Size: 4998 bytes --]

Useful Shell Scripts Network Connections , Logins and
*Block hacking attempts*

[image: image.png]

#1. See how many remote IPs are connecting to the machine

See how many remote IPs are connecting to the local machine (whether
through ssh or web or ftp ) Use netstat — atn to view the status of all
connections on the machine, — a to view all, -T Display only tcp connection
information, ≤ n Display in numeric format Local Address (the fourth column
is the IP and port information of the machine) Foreign Address (the fifth
column is the IP and port information of the remote host) Use the awk
command to display only the data in column 5, and then display the
information of the IP address in column 1 Sort can be sorted by number
size, and finally use uniq to delete the redundant duplicates and count the
number of duplicates

netstat -atn  |  awk  '{print $5}'  | awk  '{print $1}' | sort -nr  |  uniq -c

#2. Detect file consistency in specified directories of two servers

Detect the consistency of files in specified directories on two servers, by
comparing the md5 values of files on two servers to detect consistency

#Iterate through all the files in the specified directory and use them
as arguments to the md5sum command to get the md5 values of all the
files and write them to the specified file
find $dir -type f|xargs md5sum > /tmp/md5_a.txt
ssh $b_ip "find $dir -type f|xargs md5sum > /tmp/md5_b.txt"
scp $b_ip:/tmp/md5_b.txt /tmp
#Compare file names as traversal objects one by one
for f in `awk '{print 2} /tmp/md5_a.txt'`
#The standard is machine a. When machine b does not exist to traverse
the files in the object directly output the non-existent results
if grep -qw "$f" /tmp/md5_b.txt
md5_a=`grep -w "$f" /tmp/md5_a.txt|awk '{print 1}'`
md5_b=`grep -w "$f" /tmp/md5_b.txt|awk '{print 1}'`
#Output the result of file changes if the md5 value is inconsistent
when the file exists
if [ $md5_a != $md5_b ]
echo "$f changed."
echo "$f deleted."

#3. Detect network interface card traffic and record it in the log
according to the specified format

Detect the network interface card traffic and record it in the log
according to the specified format, and record it once a minute. The log
format is as follows:

   - 2019–08–12 20:40
   - ens33 input: 1234bps
   - ens33 output: 1235bps

while :
logfile=/tmp/`date +%d`.log
#Redirect the output of the following command execution to the logfile log
exec >> $logfile
date +"%F %H:%M"
#The unit of traffic counted by the sar command is kb/s, and the log
format is bps, so it should be *1000*8
sar -n DEV 1 59|grep Average|grep ens33|awk '{print
echo "####################"
#Because it takes 59 seconds to execute the sar command, sleep is not required

#4. Iptables automatically blocks IPs that visit websites frequentlyBlock
more than 200 IP accesses per minute

   - According to Nginx

DATE=$(date +%d/%b/%Y:%H:%M)
ABNORMAL_IP=$(tail -n5000 access.log |grep $DATE |awk
'{a[$1]++}END{for(i in a)if(a[i]>100)print i}')
#First tail prevents the file from being too large and slow to read,
and the number can be adjusted for the maximum number of visits per
minute. awk cannot filter the log directly because it contains special
for IP in $ABNORMAL_IP; do
    if [ $(iptables -vnL |grep -c "$IP") -eq 0 ]; then
        iptables -I INPUT -s $IP -j DROP

   - Connection established over TCP

ABNORMAL_IP=$(netstat -an |awk '$4~/:80$/ &&
$6~/ESTABLISHED/{gsub(/:[0-9]+/,"",$5);{a[$5]++}}END{for(i in
a)if(a[i]>100)print i}')
#gsub is to remove the colon and port from the fifth column (client IP)
for IP in $ABNORMAL_IP; do
    if [ $(iptables -vnL |grep -c "$IP") -eq 0 ]; then
        iptables -I INPUT -s $IP -j DROP

Block IPs with more than 10 SSH attempts per minute

   - Get login status via lastb

DATE=$(date +"%a %b %e %H:%M") #Day of the week, month, and hour %e
displays 7 for single digits, while %d displays 07
ABNORMAL_IP=$(lastb |grep "$DATE" |awk '{a[$3]++}END{for(i in
a)if(a[i]>10)print i}')
for IP in $ABNORMAL_IP; do
    if [ $(iptables -vnL |grep -c "$IP") -eq 0 ]; then
        iptables -I INPUT -s $IP -j DROP

   - Get login status from logs

DATE=$(date +"%b %d %H")
ABNORMAL_IP="$(tail -n10000 /var/log/auth.log |grep "$DATE" |awk
'/Failed/{a[$(NF-3)]++}END{for(i in a)if(a[i]>5)print i}')"
for IP in $ABNORMAL_IP; do
    if [ $(iptables -vnL |grep -c "$IP") -eq 0 ]; then
        iptables -A INPUT -s $IP -j DROP
        echo "$(date +"%F %T") - iptables -A INPUT -s $IP -j DROP"

Might come in handy...

End of line

[-- Attachment #1.2: Type: text/html, Size: 8910 bytes --]

[-- Attachment #2: image.png --]
[-- Type: image/png, Size: 58299 bytes --]

       reply	other threads:[~2023-05-10 23:57 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <>
2023-05-10 23:56 ` KenUnix [this message]
2023-05-11  0:12   ` [COFF] " Niklas Karlsson
2023-05-11  5:58   ` steve jenkin
2023-05-11  9:18   ` [COFF] " Ralph Corderoy
2023-05-11 22:06     ` Dave Horsfall
2023-05-11 22:35       ` segaloco via COFF
2023-05-12  2:13         ` Greg 'groggy' Lehey
2023-05-12  2:19           ` Adam Thornton
2023-05-12  2:34             ` Larry McVoy
2023-05-12  4:30               ` Tomasz Rola
2023-05-12  8:34               ` Ralph Corderoy
2023-05-12 13:58                 ` Larry McVoy
2023-05-12  4:24           ` Tomasz Rola
2023-05-12  5:02             ` segaloco via COFF
2023-05-12  8:14           ` Robert Stanford via COFF
2023-05-12 16:40             ` Adam Thornton
2023-05-12 11:42         ` Ralph Corderoy

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='' \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).