A little outdated in that many Linux distributions no longer come with 'netstat' by default - you now use the 'ss' command. You may be able to obtain netstat by installing some form of network-legacy package, of course. As for blocking IPs that access you too frequently, there's 'fail2ban' which can do this more flexibly and configurably. As for #3 I'm not sure, but I'd be surprised if there wasn't some tool for that as well.

/Niklas

On Thu, 11 May 2023 at 01:57, KenUnix wrote:
> Useful Shell Scripts: Network Connections, Logins and Blocking Hacking Attempts
>
> #1. See how many remote IPs are connecting to the machine
>
> See how many remote IPs are connecting to the local machine (whether
> through ssh, web or ftp). Use netstat -atn to view the status of all
> connections on the machine: -a to view all, -t to display only TCP
> connection information, -n to display in numeric format. Local Address
> (the fourth column) is the IP and port information of the machine;
> Foreign Address (the fifth column) is the IP and port information of the
> remote host. Use the awk command to display only the data in column 5,
> and then display only the IP address in column 1; sort orders them by
> number, and finally uniq deletes the redundant duplicates and counts the
> number of duplicates.
>
> netstat -atn | awk '{print $5}' | awk -F: '{print $1}' | sort -nr | uniq -c
>
> #2. Detect file consistency in specified directories of two servers
>
> Detect the consistency of files in specified directories on two servers
> by comparing the md5 values of the files on the two servers.
>
> #!/bin/bash
> dir=/data/web
> b_ip=xxx.xxx.xxx.xxx
> # Iterate through all the files in the specified directory and pass them to
> # md5sum to get the md5 values of all the files, writing them to a file
> find $dir -type f | xargs md5sum > /tmp/md5_a.txt
> ssh $b_ip "find $dir -type f | xargs md5sum > /tmp/md5_b.txt"
> scp $b_ip:/tmp/md5_b.txt /tmp
> # Traverse the file names one by one
> for f in `awk '{print $2}' /tmp/md5_a.txt`
> do
>     # Machine a is the reference: if a file does not exist on machine b, report it directly
>     if grep -qw "$f" /tmp/md5_b.txt
>     then
>         md5_a=`grep -w "$f" /tmp/md5_a.txt | awk '{print $1}'`
>         md5_b=`grep -w "$f" /tmp/md5_b.txt | awk '{print $1}'`
>         # If the file exists on both machines but the md5 values differ, report the change
>         if [ "$md5_a" != "$md5_b" ]
>         then
>             echo "$f changed."
>         fi
>     else
>         echo "$f deleted."
>     fi
> done
>
> #3. Detect network interface card traffic and record it in the log
> according to the specified format
>
> Detect the network interface card traffic and record it in the log
> according to the specified format, once a minute. The log format is as
> follows:
>
> - 2019-08-12 20:40
> - ens33 input: 1234bps
> - ens33 output: 1235bps
>
> #!/bin/bash
> while :
> do
>     LANG=en
>     logfile=/tmp/`date +%d`.log
>     # Redirect the output of the following commands to the logfile
>     exec >> $logfile
>     date +"%F %H:%M"
>     # sar reports traffic in kB/s and the log format is bps, so multiply by 1000*8
>     sar -n DEV 1 59 | grep Average | grep ens33 | awk '{print $2,"\t","input:","\t",$5*1000*8,"bps","\n",$2,"\t","output:","\t",$6*1000*8,"bps"}'
>     echo "####################"
>     # The sar command itself takes 59 seconds to run, so no sleep is needed
> done
>
> #4. Use iptables to automatically block IPs that visit the website too
> frequently
>
> Block IPs with more than 200 accesses per minute
>
> - According to the Nginx log
>
> #!/bin/bash
> DATE=$(date +%d/%b/%Y:%H:%M)
> ABNORMAL_IP=$(tail -n5000 access.log | grep "$DATE" | awk '{a[$1]++}END{for(i in a)if(a[i]>100)print i}')
> # tail first so that a very large file is not slow to read; the number can
> # be adjusted for the maximum number of visits per minute. awk cannot
> # filter on the date directly because it contains special characters.
> for IP in $ABNORMAL_IP; do
>     if [ $(iptables -vnL | grep -c "$IP") -eq 0 ]; then
>         iptables -I INPUT -s $IP -j DROP
>     fi
> done
>
> - Connections established over TCP
>
> #!/bin/bash
> ABNORMAL_IP=$(netstat -an | awk '$4~/:80$/ && $6~/ESTABLISHED/{gsub(/:[0-9]+/,"",$5);{a[$5]++}}END{for(i in a)if(a[i]>100)print i}')
> # gsub removes the colon and port from the fifth column (client IP)
> for IP in $ABNORMAL_IP; do
>     if [ $(iptables -vnL | grep -c "$IP") -eq 0 ]; then
>         iptables -I INPUT -s $IP -j DROP
>     fi
> done
>
> Block IPs with more than 10 SSH attempts per minute
>
> - Get login status via lastb
>
> #!/bin/bash
> # Day of the week, month, day and hour:minute; %e shows 7 for single digits, while %d shows 07
> DATE=$(date +"%a %b %e %H:%M")
> ABNORMAL_IP=$(lastb | grep "$DATE" | awk '{a[$3]++}END{for(i in a)if(a[i]>10)print i}')
> for IP in $ABNORMAL_IP; do
>     if [ $(iptables -vnL | grep -c "$IP") -eq 0 ]; then
>         iptables -I INPUT -s $IP -j DROP
>     fi
> done
>
> - Get login status from the logs
>
> #!/bin/bash
> DATE=$(date +"%b %d %H")
> ABNORMAL_IP="$(tail -n10000 /var/log/auth.log | grep "$DATE" | awk '/Failed/{a[$(NF-3)]++}END{for(i in a)if(a[i]>5)print i}')"
> for IP in $ABNORMAL_IP; do
>     if [ $(iptables -vnL | grep -c "$IP") -eq 0 ]; then
>         iptables -A INPUT -s $IP -j DROP
>         echo "$(date +"%F %T") - iptables -A INPUT -s $IP -j DROP" >> ~/ssh-login-limit.log
>     fi
> done
>
> Might come in handy...
>
> --
> End of line
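The SSH brute-force blocker in the quoted mail is the one most people copy, so here is an added example (not from the thread or its author) of the same idea with the sharp edges filed off: the source address is taken from the field between "from" and "port" rather than a fixed offset from the end of the line, each candidate is validated as an IPv4 address before it is used as a firewall argument, and the "already blocked" check is a whole-word match (a substring match on 203.0.113.5 also hits a rule for 203.0.113.50). The log lines, hour window and rule text are constructed; the firewall rules are passed in as text so the functions run without touching a live system.

```shell
#!/bin/sh
# Added example, not part of the thread: count failed SSH logins per source IP
# from auth.log-style lines, validate the offenders and check them against
# existing rules before a DROP rule would be added. Dry run only.

# Constructed sample lines in auth.log format (not real traffic).
SAMPLE_LOG='May 11 01:10:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 51122 ssh2
May 11 01:10:02 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 51123 ssh2
May 11 01:10:03 host sshd[1003]: Failed password for invalid user from from 203.0.113.5 port 51124 ssh2
May 11 01:10:05 host sshd[1004]: Failed password for root from 198.51.100.7 port 40000 ssh2
May 11 01:10:09 host sshd[1005]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2
May 11 02:00:00 host sshd[1006]: Failed password for root from 203.0.113.50 port 40002 ssh2'

# failed_ips "Mon DD HH" LIMIT: IPs with more than LIMIT failures in that hour.
failed_ips() {
  printf '%s\n' "$SAMPLE_LOG" | grep -- "^$1" \
    | awk -v LIMIT="$2" '/Failed password/ {
          # a user literally named "from" must not shift the IP field
          for (i = 1; i < NF; i++) if ($i == "from" && $(i+2) == "port") a[$(i+1)]++
        }
        END { for (ip in a) if (a[ip] > LIMIT) print ip }' | sort
}

# is_ipv4 ADDR: true only for a dotted quad with each octet in 0..255.
is_ipv4() {
  case $1 in ''|*[!0-9.]*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
  done
}

# to_block "Mon DD HH" LIMIT RULES: offenders that are valid IPv4 addresses
# and do not already appear, as a whole word, in RULES (the text of
# "iptables -vnL", passed in so this runs without touching a live firewall).
to_block() {
  failed_ips "$1" "$2" | while read -r ip; do
    is_ipv4 "$ip" || { echo "skipping malformed address: $ip" >&2; continue; }
    printf '%s\n' "$3" | grep -Fqw -- "$ip" && continue
    echo "$ip"
  done
}

# Dry run: print the rules that would be added instead of running iptables.
for ip in $(to_block "May 11 01" 2 ""); do
  echo "iptables -I INPUT -s $ip -j DROP"
done
```

On a real host the sample text would be replaced by `tail -n10000 /var/log/auth.log` and the rule text by `iptables -vnL`; the validation step is what keeps a crafted log line from injecting extra arguments into that command.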