Useful Shell Scripts: Network Connections, Logins and *Blocking Hacking Attempts*
#1. See how many remote IPs are connecting to the machine
See how many remote IPs are connecting to the local machine (whether through ssh, web or ftp). Use netstat -atn to view the status of all connections on the machine: -a shows all sockets, -t shows only TCP connection information, and -n displays addresses in numeric form. Local Address (the fourth column) is the IP and port of the local machine; Foreign Address (the fifth column) is the IP and port of the remote host. awk is used to print only column 5 (the second awk, which prints column 1 of that output, leaves the IP:port value unchanged), sort orders the values, and finally uniq -c removes the duplicates and counts how many times each one occurred. Note that the port is still attached, so the count is per remote IP:port pair rather than per remote IP.
netstat -atn | awk '{print $5}' | awk '{print $1}' | sort -nr | uniq -c
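The same count done the way a practitioner usually wants it, as an added example that is not part of the original post: the port is stripped so that several connections from one host count as one IP, the two netstat header lines and the "0.0.0.0:*" peer of listening sockets are skipped, and an optional state filter (e.g. ESTABLISHED) can be applied. The netstat output is a constructed sample using documentation-range addresses.

```shell
#!/bin/sh
# Added example (not from the original post): count connections per remote IP
# from `netstat -atn` output, per IP rather than per IP:port.

# Constructed sample of `netstat -atn` output (documentation-range addresses).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.4:40001      TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.4:40002      ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.7:51236       ESTABLISHED'

# Usage: count_remote_ips [STATE] < netstat-output
# Prints "<count> <ip>" lines, most connections first. With STATE given
# (for example ESTABLISHED), only connections in that state are counted.
count_remote_ips() {
    awk -v state="$1" '
        ($1 == "tcp" || $1 == "tcp6") && (state == "" || $6 == state) {
            peer = $5
            sub(/:[^:]*$/, "", peer)          # drop the trailing ":port"
            if (peer != "0.0.0.0" && peer != "::") count[peer]++
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }' |
    sort -rn
}

# Stand-alone run against the sample (on a real host: netstat -atn | count_remote_ips)
printf '%s\n' "$SAMPLE_NETSTAT" | count_remote_ips
```

On a live system replace the sample with `netstat -atn | count_remote_ips ESTABLISHED`; the state argument is the quickest way to separate active sessions from the TIME_WAIT noise a busy web server accumulates.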
#2. Detect file consistency in specified directories of two servers
Detect the consistency of the files in a specified directory on two servers by comparing the md5 values of the files on the two servers.
#!/bin/bash
dir=/data/web
b_ip=xxx.xxx.xxx.xxx
# Iterate through all the files in the specified directory and pass them to
# md5sum to get the md5 values of all the files, writing them to a file
find $dir -type f | xargs md5sum > /tmp/md5_a.txt
ssh $b_ip "find $dir -type f | xargs md5sum > /tmp/md5_b.txt"
scp $b_ip:/tmp/md5_b.txt /tmp
# Compare the files one by one, using the file names as the traversal objects
for f in $(awk '{print $2}' /tmp/md5_a.txt)
do
    # Machine a is the reference. If the file does not exist on machine b,
    # output the "deleted" result directly
    if grep -qw "$f" /tmp/md5_b.txt
    then
        md5_a=$(grep -w "$f" /tmp/md5_a.txt | awk '{print $1}')
        md5_b=$(grep -w "$f" /tmp/md5_b.txt | awk '{print $1}')
        # Output the "changed" result if the file exists but the md5 values differ
        if [ "$md5_a" != "$md5_b" ]
        then
            echo "$f changed."
        fi
    else
        echo "$f deleted."
    fi
done
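A single-pass comparison of the two md5sum listings, added here as an example that is not part of the original post. Besides being O(n) instead of one grep per file, it reports files that exist only on machine b, and it matches whole paths: grep -w treats "." as a word boundary, so the loop above finds "/data/web/index" inside the line for "/data/web/index.html". The two listings are constructed temporary files (the hashes are those of the strings "", "a", "b", "c" and "d"; the paths are made up).

```shell
#!/bin/sh
# Added example (not from the original post): diff two md5sum listings in awk.

# Constructed md5sum listings for machine a and machine b.
MD5_A=$(mktemp) && MD5_B=$(mktemp)
trap 'rm -f "$MD5_A" "$MD5_B"' EXIT
cat > "$MD5_A" <<'EOF'
d41d8cd98f00b204e9800998ecf8427e  /data/web/index.html
0cc175b9c0f1b6a831c399e269772661  /data/web/app.js
92eb5ffee6ae2fec3ad71c777531578f  /data/web/old.css
EOF
cat > "$MD5_B" <<'EOF'
d41d8cd98f00b204e9800998ecf8427e  /data/web/index.html
4a8a08f09d37b73795649038408b5f33  /data/web/app.js
8277e0910d750195b448797616e091ad  /data/web/new.css
EOF

# Usage: diff_md5_lists LIST_A LIST_B
# Machine a is the reference: prints "<path> changed." / "deleted." / "added.",
# sorted so the output is stable regardless of awk's hash order.
diff_md5_lists() {
    awk '
        NR == FNR { a[$2] = $1; next }           # first file: remember hash per path
        {                                        # second file: compare against a
            if (!($2 in a))        print $2 " added."
            else if (a[$2] != $1)  print $2 " changed."
            delete a[$2]
        }
        END { for (f in a) print f " deleted." } # left over in a: missing on b
    ' "$1" "$2" | LC_ALL=C sort
}

diff_md5_lists "$MD5_A" "$MD5_B"
```

The listings are split on whitespace, so paths containing spaces would need `md5sum --zero`-style handling or a different field separator; for a web root with conventional file names the two-column md5sum format is enough.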
#3. Detect network interface card traffic and record it in the log according to the specified format
Detect the network interface card traffic and record it in the log according to the specified format, once a minute. The log format is as follows:
- 2019-08-12 20:40
- ens33 input: 1234bps
- ens33 output: 1235bps
#!/bin/bash
while :
do
    LANG=en
    logfile=/tmp/$(date +%d).log
    # Redirect the output of the commands below to the logfile
    exec >> $logfile
    date +"%F %H:%M"
    # The traffic counted by sar is in kB/s and the log format is bps, so multiply by 1000*8
    sar -n DEV 1 59 | grep Average | grep ens33 | awk '{print $2,"\t","input:","\t",$5*1000*8,"bps","\n",$2,"\t","output:","\t",$6*1000*8,"bps"}'
    echo "####################"
    # The sar command takes 59 seconds to run, so no sleep is needed
done
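The parsing step of that loop as a function, added as an example that is not part of the original post: it picks the "Average:" line of `sar -n DEV` for one interface, converts kB/s to bps, and exits non-zero when the interface is absent from the sar output, a case the grep chain above turns into an empty log entry. The sar output is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): format sar averages as log lines.

# Constructed tail of `sar -n DEV 1 59` output (only the Average lines matter).
SAMPLE_SAR='Average:        IFACE   rxpck/s   txpck/s    rxkB/s    txkB/s   rxcmp/s   txcmp/s  rxmcst/s
Average:           lo      0.20      0.20      0.01      0.01      0.00      0.00      0.00
Average:        ens33     12.50      9.75      0.15      0.25      0.00      0.00      0.00'

# Usage: sar_to_log IFACE < sar-output
# Prints "IFACE input: Nbps" and "IFACE output: Nbps"; exit 1 if IFACE is not found.
sar_to_log() {
    awk -v iface="$1" '
        $1 == "Average:" && $2 == iface {
            # columns: $5 = rxkB/s, $6 = txkB/s; the log wants whole bits per second
            printf "%s input: %dbps\n%s output: %dbps\n",
                   $2, int($5 * 1000 * 8 + 0.5), $2, int($6 * 1000 * 8 + 0.5)
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

printf '%s\n' "$SAMPLE_SAR" | sar_to_log ens33
```

In the loop this would be `sar -n DEV 1 59 | sar_to_log ens33 || echo "ens33 missing"`, which makes a renamed or downed interface visible in the log instead of silently producing nothing.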
#4. Iptables automatically blocks IPs that visit websites frequently
Block IPs with more than 200 accesses per minute
- According to the Nginx access log
#!/bin/bash
DATE=$(date +%d/%b/%Y:%H:%M)
ABNORMAL_IP=$(tail -n5000 access.log | grep "$DATE" | awk '{a[$1]++}END{for(i in a)if(a[i]>100)print i}')
# tail first so that a large file is not slow to read; the number can be adjusted
# to the maximum number of visits allowed per minute. awk cannot filter the log
# by date directly because the date contains special characters.
for IP in $ABNORMAL_IP; do
    if [ $(iptables -vnL | grep -c "$IP") -eq 0 ]; then
        iptables -I INPUT -s "$IP" -j DROP
    fi
done
- According to established TCP connections
#!/bin/bash
ABNORMAL_IP=$(netstat -an | awk '$4~/:80$/ && $6~/ESTABLISHED/{gsub(/:[0-9]+/,"",$5);{a[$5]++}}END{for(i in a)if(a[i]>100)print i}')
# gsub removes the colon and port from the fifth column (client IP)
for IP in $ABNORMAL_IP; do
    if [ $(iptables -vnL | grep -c "$IP") -eq 0 ]; then
        iptables -I INPUT -s "$IP" -j DROP
    fi
done
Block IPs with more than 10 SSH attempts per minute
- Get the login status via lastb
#!/bin/bash
# Day of the week, month, day and hour. %e displays 7 for single digits, while %d displays 07
DATE=$(date +"%a %b %e %H:%M")
ABNORMAL_IP=$(lastb | grep "$DATE" | awk '{a[$3]++}END{for(i in a)if(a[i]>10)print i}')
for IP in $ABNORMAL_IP; do
    if [ $(iptables -vnL | grep -c "$IP") -eq 0 ]; then
        iptables -I INPUT -s "$IP" -j DROP
    fi
done
- Get the login status from the logs
#!/bin/bash
DATE=$(date +"%b %d %H")
ABNORMAL_IP="$(tail -n10000 /var/log/auth.log | grep "$DATE" | awk '/Failed/{a[$(NF-3)]++}END{for(i in a)if(a[i]>5)print i}')"
for IP in $ABNORMAL_IP; do
    if [ $(iptables -vnL | grep -c "$IP") -eq 0 ]; then
        iptables -A INPUT -s "$IP" -j DROP
        # Append (>>) so that earlier log entries are kept rather than overwritten
        echo "$(date +"%F %T") - iptables -A INPUT -s $IP -j DROP" >> ~/ssh-login-limit.log
    fi
done
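The "count failures per source, then block" pattern shared by the Nginx and SSH scripts above, written the way a defender would want to run it, as an added example that is not part of the original post. The source IP is taken as the word after "from" rather than a fixed field position, every candidate is checked to be a dotted-quad IPv4 address before it goes anywhere near an iptables rule, an allowlist protects known hosts, and the rules are printed as a plan rather than executed so the logic can be tested offline. The auth.log lines are a constructed sample in sshd's format with documentation-range addresses; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): validated, allowlisted block planning.

# Constructed auth.log lines (sshd format, documentation-range addresses).
SAMPLE_AUTH_LOG='Aug 12 20:40:01 web sshd[4101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Aug 12 20:40:02 web sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Aug 12 20:40:03 web sshd[4103]: Failed password for root from 203.0.113.7 port 51236 ssh2
Aug 12 20:40:05 web sshd[4104]: Failed password for deploy from 198.51.100.4 port 40001 ssh2
Aug 12 20:40:07 web sshd[4105]: Accepted publickey for deploy from 198.51.100.4 port 40002 ssh2
Aug 12 20:40:09 web sshd[4106]: Failed password for root from 192.0.2.99 port 3333 ssh2
Aug 12 20:40:10 web sshd[4107]: Failed password for root from 192.0.2.99 port 3334 ssh2
Aug 12 20:40:11 web sshd[4108]: Failed password for root from 192.0.2.99 port 3335 ssh2
Aug 12 20:41:01 web sshd[4109]: Failed password for root from 203.0.113.7 port 51237 ssh2'

# Usage: failed_ssh_ips "Mon DD HH" THRESHOLD < auth.log
# Prints IPs with more than THRESHOLD "Failed password" lines in that hour
# (the same "%b %d %H" window the script above uses), sorted.
failed_ssh_ips() {
    grep "^$1" | awk -v limit="$2" '
        /Failed password/ {
            for (i = 1; i < NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) if (count[ip] > limit) print ip }' | LC_ALL=C sort
}

# Usage: is_ipv4 STRING  -> exit 0 only for a dotted quad with octets 0..255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Usage: plan_block "ALLOWLISTED IPS" < ip-list
# Prints one iptables command per IP to block; invalid or allowlisted entries
# are reported on stderr and skipped.
plan_block() {
    allow=" $1 "
    while read -r ip; do
        if ! is_ipv4 "$ip"; then
            echo "skip (not an IPv4 address): $ip" >&2
            continue
        fi
        case "$allow" in
            *" $ip "*) echo "skip (allowlisted): $ip" >&2; continue ;;
        esac
        # -C tests for the exact rule; the grep -c check in the scripts above
        # also matches 10.0.0.10 when looking for 10.0.0.1
        echo "iptables -C INPUT -s $ip -j DROP 2>/dev/null || iptables -I INPUT -s $ip -j DROP"
    done
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_ips "Aug 12 20" 2 | plan_block "198.51.100.4 192.0.2.99"
```

To apply the plan instead of printing it, pipe the output into `sh` from cron, keeping the allowlist populated with the monitoring hosts and the admin jump box so a typo in someone's password can never lock out the people who need to fix it.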
Might come in handy...
--
End of line