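# Interactive recipe (bash + GNU coreutils/sed/xargs): sample the IPs hammering
# nginx's "/", ban the worst via the shorewall blacklist, and later unban the
# ones that went quiet. Run the commands one at a time from two shells; this
# is not meant to be executed top to bottom as a script.
#
# CAVEAT: $1 of access.log is the immediate peer. If nginx sits behind a
# proxy, CDN or load balancer that is the proxy's address, and blacklisting it
# takes the whole site offline - sample the X-Forwarded-For/realip field
# instead, and never ban your own monitoring hosts or NAT gateway.

# in one window, get the offenders (change the ack filter to whatever's most accurate).
# Both ack and awk block-buffer when writing to a pipe, so without --flush and
# stdbuf -oL the "sample" file only fills in bursts.
sudo tail -f /var/log/nginx/access.log | ack --flush 'GET / ' | stdbuf -oL awk '{print $1}' | tee sample

# in the other, have a look at the worst with this:
sort sample | uniq -c | sort -n | tail -n 50

# and then ban them.
#  - field 2 of "uniq -c" output is the IP; printing the whole line would put
#    "<count> <ip> tcp http" into the blacklist, which shorewall cannot parse.
#  - MIN_HITS (default 1 = original behaviour) lets you skip clients that are
#    merely busy rather than abusive; e.g. MIN_HITS=200.
#  - IPs already present in the blacklist are dropped so re-running does not
#    append duplicates.
#  - xargs -r: with no input at all, GNU xargs would otherwise run the command
#    once with a literal "{}" and append "{} tcp http" to the blacklist.
sort sample | uniq -c | sort -n | awk -v min="${MIN_HITS:-1}" '$1 >= min {print $2}' | tail -n 50 \
  | grep -vxF -f <(sudo awk '{print $1}' /etc/shorewall/blacklist 2>/dev/null) \
  | xargs -r -I{} echo {} tcp http | sudo tee -a /etc/shorewall/blacklist

# restart shorewall, then nginx to clear up latent connections
# Then, restart the sampler to get a new batch.

# to unban those that stop spamming (i.e., probably true users):
# "shorewall show" prints per-rule packet/byte counters since the last restart,
# so "0 0 DROP ... dpt:80" is a blacklist entry that has not fired since.
sudo shorewall show | sed -nr 's/^ *0 +0 +DROP +tcp[^0-9]+([0-9.]+) +0.0.0.0\/0 +tcp dpt:80/\0/p' # lists the full lines
sudo shorewall show | sed -nr 's/^ *0 +0 +DROP +tcp[^0-9]+([0-9.]+) +0.0.0.0\/0 +tcp dpt:80/\1/p' # just the ips to run sed on blacklist with
# remove them from blacklist. The sed address is anchored on the whitespace
# after the IP: with "/^{}/d" alone, unbanning 10.0.0.1 would also delete the
# 10.0.0.10 and 10.0.0.100 entries. -r keeps xargs from running sed when there
# is nothing to unban.
sudo shorewall show | sed -nr 's/^ *0 +0 +DROP +tcp[^0-9]+([0-9.]+) +0.0.0.0\/0 +tcp dpt:80/\1/p' \
  | sudo xargs -r -I{} sed -i '/^{}[[:space:]]/d' /etc/shorewall/blacklist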