Useful Shell Scripts: Network Connections, Logins and Blocking Hacking Attempts


#1. See how many remote IPs are connecting to the machine

See how many remote IPs are connecting to the local machine (whether over SSH, the web or FTP). Use netstat -atn to view the status of all connections on the machine: -a shows all sockets, -t restricts the output to TCP connections, and -n prints addresses in numeric form. Local Address (the fourth column) is the IP and port of the local machine; Foreign Address (the fifth column) is the IP and port of the remote host. The first awk keeps only column 5, the second awk splits that field on the colon and keeps the IP address in front of it, sort groups identical addresses together, and finally uniq -c removes the duplicates and counts how many times each address appeared.


netstat -atn | awk '{print $5}' | awk -F: '{print $1}' | sort -nr | uniq -c

#2. Detect file consistency in specified directories of two servers

Check whether the files in a specified directory are identical on two servers by comparing the md5 value of every file on machine a with the md5 of the same file on machine b.

#!/bin/bash
dir=/data/web
b_ip=xxx.xxx.xxx.xxx
#Iterate through all the files in the specified directory and use them as arguments to the md5sum command to get the md5 values of all the files and write them to the specified file (-print0/-0 keep file names with spaces intact)
find "$dir" -type f -print0 | xargs -0 md5sum > /tmp/md5_a.txt
ssh "$b_ip" "find $dir -type f -print0 | xargs -0 md5sum > /tmp/md5_b.txt"
scp "$b_ip":/tmp/md5_b.txt /tmp
#Walk the md5 list of machine a line by line: the first field is the md5 value, the second the file name
while read -r md5_a f
do
    #Look up the same file name on machine b with an exact field match, so /data/web/a.txt does not match /data/web/a.txt.bak
    md5_b=$(awk -v f="$f" '$2 == f {print $1}' /tmp/md5_b.txt)
    #Machine a is the reference: when the file does not exist on machine b, output the missing result directly
    if [ -z "$md5_b" ]
    then
        echo "$f deleted."
    #Output the changed result if the file exists on both machines but the md5 values differ
    elif [ "$md5_a" != "$md5_b" ]
    then
        echo "$f changed."
    fi
done < /tmp/md5_a.txt

#3. Detect network interface card traffic and record it in the log according to the specified format

Detect the network interface card traffic and record it in the log according to the specified format, and record it once a minute. The log format is as follows:

  • 2019-08-12 20:40
  • ens33 input: 1234bps
  • ens33 output: 1235bps

#!/bin/bash
while :
do
    #Force English output so the "Average" line of sar can be matched
    LANG=en
    #One log file per day of the month
    logfile=/tmp/$(date +%d).log
    #Redirect the output of the following commands to the logfile log
    exec >> "$logfile"
    date +"%F %H:%M"
    #sar reports traffic in kB/s while the log format is bps, so the value is multiplied by 1000*8; $2 is the interface, $5 rxkB/s and $6 txkB/s
    sar -n DEV 1 59 | grep Average | grep ens33 | awk '{print $2,"\t","input:","\t",$5*1000*8,"bps","\n",$2,"\t","output:","\t",$6*1000*8,"bps"}'
    echo "####################"
    #Because the sar command itself takes 59 seconds to execute, no sleep is required
done

#4. Iptables automatically blocks IPs that visit websites frequently

Block IPs that make more than 200 requests to the website per minute

  • Based on the Nginx access log

#!/bin/bash
#Timestamp of the current minute in the Nginx log format, e.g. 12/Aug/2019:20:40
DATE=$(date +%d/%b/%Y:%H:%M)
#tail keeps the read fast when the file is large; the threshold (100 here) is the maximum number of visits per minute and can be adjusted. The date is matched with grep first because its slashes and colons are awkward inside an awk regex.
ABNORMAL_IP=$(tail -n5000 access.log | grep "$DATE" | awk '{a[$1]++}END{for(i in a)if(a[i]>100)print i}')
for IP in $ABNORMAL_IP; do
    #Only add a rule if this IP is not already present (-w -F: whole-word, literal match, so 1.2.3.4 does not match 11.2.3.45)
    if [ "$(iptables -vnL | grep -cwF "$IP")" -eq 0 ]; then
        iptables -I INPUT -s "$IP" -j DROP
    fi
done
  • Based on established TCP connections

#!/bin/bash
#Count ESTABLISHED connections to local port 80 per client IP; gsub strips the colon and port from the fifth column (client address)
ABNORMAL_IP=$(netstat -an | awk '$4~/:80$/ && $6~/ESTABLISHED/{gsub(/:[0-9]+$/,"",$5); a[$5]++}END{for(i in a)if(a[i]>100)print i}')
for IP in $ABNORMAL_IP; do
    #Only add a rule if this IP is not already present (whole-word, literal match)
    if [ "$(iptables -vnL | grep -cwF "$IP")" -eq 0 ]; then
        iptables -I INPUT -s "$IP" -j DROP
    fi
done

Block IPs with more than 10 SSH attempts per minute

  • Based on the failed logins listed by lastb

#!/bin/bash
#Day of the week, month, day and hour:minute; %e pads a single-digit day with a space (" 7") the way lastb prints it, while %d would give 07
DATE=$(date +"%a %b %e %H:%M")
#The third column of lastb is the source address of the failed login
ABNORMAL_IP=$(lastb | grep "$DATE" | awk '{a[$3]++}END{for(i in a)if(a[i]>10)print i}')
for IP in $ABNORMAL_IP; do
    #Only add a rule if this IP is not already present (whole-word, literal match)
    if [ "$(iptables -vnL | grep -cwF "$IP")" -eq 0 ]; then
        iptables -I INPUT -s "$IP" -j DROP
    fi
done
  • Based on the failed logins recorded in /var/log/auth.log

#!/bin/bash
#Month, day and hour of the current hour; %e matches the space-padded day of the syslog timestamp ("Aug  5 14:01:02")
DATE=$(date +"%b %e %H")
#In a "Failed password for ... from <IP> port <n> ssh2" line the source address is the fourth field from the end
ABNORMAL_IP="$(tail -n10000 /var/log/auth.log | grep "$DATE" | awk '/Failed/{a[$(NF-3)]++}END{for(i in a)if(a[i]>5)print i}')"
for IP in $ABNORMAL_IP; do
    #Only add a rule if this IP is not already present (whole-word, literal match), and record every rule added
    if [ "$(iptables -vnL | grep -cwF "$IP")" -eq 0 ]; then
        iptables -A INPUT -s "$IP" -j DROP
        echo "$(date +"%F %T") - iptables -A INPUT -s $IP -j DROP" >> ~/ssh-login-limit.log
    fi
done
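As an added example that is not part of the original post, the auth.log-based check above (and the same count-then-block idea used for lastb) split into two functions and run against constructed sample lines, so the detection and the "already blocked" test can be verified before any iptables rule is touched. It assumes traditional syslog timestamps with a space-padded day and locates the source address by the word "from" rather than by field position, which also covers the "invalid user" variant of the message.

```shell
#!/bin/bash
# Added example, not the original post's script: failed-SSH-login counting
# and block decisions as functions, exercised on constructed sample data.

# Constructed sample auth.log lines (not real traffic): 203.0.113.7 fails 6
# times in hour 14 (plus once in hour 13), 198.51.100.9 fails only twice.
SAMPLE_AUTH_LOG='Aug  5 13:59:58 web1 sshd[2199]: Failed password for root from 203.0.113.7 port 51100 ssh2
Aug  5 14:01:02 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Aug  5 14:01:05 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Aug  5 14:02:11 web1 sshd[2210]: Failed password for invalid user test from 203.0.113.7 port 51141 ssh2
Aug  5 14:02:40 web1 sshd[2212]: Failed password for root from 198.51.100.9 port 40010 ssh2
Aug  5 14:03:01 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51150 ssh2
Aug  5 14:03:09 web1 sshd[2217]: Accepted publickey for deploy from 192.0.2.44 port 60000 ssh2
Aug  5 14:04:30 web1 sshd[2220]: Failed password for root from 198.51.100.9 port 40022 ssh2
Aug  5 14:05:12 web1 sshd[2222]: Failed password for invalid user oracle from 203.0.113.7 port 51160 ssh2
Aug  5 14:06:00 web1 sshd[2224]: Failed password for root from 203.0.113.7 port 51171 ssh2'

# Constructed "iptables -vnL" excerpt: 198.51.100.9 already has a DROP rule.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       198.51.100.9         0.0.0.0/0'

# Print (sorted) every source IP with more than $2 failed logins whose
# timestamp starts with the hour prefix $1; live use: date +"%b %e %H".
# Reads log lines from stdin.
failed_ssh_sources() {
    grep "^$1" | awk -v limit="$2" \
        '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") hits[$(i+1)]++ }
         END { for (ip in hits) if (hits[ip] > limit) print ip }' | sort
}

# For each IP on stdin, print the iptables command still needed unless the
# rule listing $1 already contains it; -w -F give a whole-word literal match.
block_commands() {
    while read -r ip; do
        if ! printf '%s\n' "$1" | grep -qwF "$ip"; then
            echo "iptables -A INPUT -s $ip -j DROP"
        fi
    done
}

# Dry run on the constructed sample: prints one block command, for 203.0.113.7
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_sources 'Aug  5 14' 5 | block_commands "$SAMPLE_IPTABLES"
```

Replacing the echo in block_commands with the real iptables call turns the dry run into the blocking script, with the counting logic unchanged.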
Might come in handy...

--
End of line