不管肉鸡,还是代理,CC识别就封杀!
2023-09-14 08:59:36 时间
#!/usr/bin/env python # -*- coding: utf-8 -*- import os,sys,time import commands,logging #以下为手工命令时的动作 #time format 17/Oct/2014:10:00:00 #time format Sat Oct 18 12:35:43 2014 #awk $4 "[17/Oct/2014:14:00:00" $4 "[17/Oct/2014:14:02:00" xxx.log|awk {a[$7]++}END{for(i in a)print a[i],i}|sort -n|tail -n 10|column -t | 500 #awk $4 "[17/Oct/2014:14:00:00" $4 "[17/Oct/2014:14:02:00" xxx.log|grep uc_server/images/noavatar_small.gif|awk {a[$1]++}END{for(i in a)print a[i],i}|sort -n|tail -n 10|column -t | 100 #定义预警触发时的CC访问数及IP访问CC网址的次数 urlAlert = 500 ipAlert = 50 print urlAler is:,urlAlert, , ipAlert is:, ipAlert #定义LOG文件地址 logPath = "xxx.log" #120秒的处理间隔 endtime = time.time() strEndTime = time.ctime(endtime).split() strBeginTime = time.ctime(endtime-120).split() #规整格式,使PYTHON时间格式对应NGINX的日志时间格式 endTime = "%s/%s/%s:%s"%(strEndTime[2],strEndTime[1],strEndTime[4],strEndTime[3]) beginTime = "%s/%s/%s:%s"%(strBeginTime[2],strBeginTime[1],strBeginTime[4],strBeginTime[3]) #LOGGIN记录功能 logging.basicConfig(level=logging.INFO, format=%(asctime)s %(filename)s[line:%(lineno)d] %(levelname)s %(message)s, datefmt=%a, %d %b %Y %H:%M:%S, filename=XXX.log, filemode=a) #通用的命令处理函数 def exec_Cmd(Cmd): (status,output) = commands.getstatusoutput(Cmd) try: if int(status) == 0: print Cmd + " is OK!" logging.info(Cmd + " ---is OK!") return output else: logging.info(Cmd + " cantt finish...") print Cmd + " cant finish...." sys.exit(1) except: logging.info(Cmd + " is Wrong") print Cmd + " is Wrong!" sys.exit(1) #获取最可能的CC的URL列表 def CCDef_url(): global urlAlert, logPath, beginTime, endTime #封装BASH SHELL命令,搜索日志为当前时间前两分钟内,也可以用TAIL -F,省时间,AWK语法我有些搞不懂,运维兄弟提供 urlCmd = "awk $4 \"[" + beginTime + "\" $4 \"[" + endTime + "\" " + logPath + "|awk {a[$7]++}END{for(i in a)print a[i],i}|sort -n|tail -n 10|column -t" urlOutput = exec_Cmd(urlCmd) urlList = [] #规范输出格式并获取大于预警的URL地址列表 for line in (urlOutput.split(\n)): urlCountList = line.split() if int(urlCountList[0]) urlAlert: urlList.append(urlCountList[1]) #logging.info("ccs url is:", urlCountList[1]) return urlList #获取访问过这些URL的IP地址列表 def CCDef_ip(urlList): global ipAlert, logPath, beginTime, endTime ipList = [] for url in urlList: #更改一下AWK,获取 ipCmd = "awk $4 \"[" + beginTime + "\" $4 \"[" + endTime + "\" " + logPath + "|grep " + url + "|awk {a[$1]++}END{for(i in a)print a[i],i}|sort -n|tail -n 10|column -t" ipOutput = exec_Cmd(ipCmd) #规范输出格式并获取大于预警的IP地址列表 for line in (ipOutput.split(\n)): ipCountList = line.split() if int(ipCountList[0]) ipAlert: ipList.append(ipCountList[1]) #logging.info("ccs url is:", urlCountList[1]) return ipList #将最可以疑的攻击IP加入防火墙 def dropIptables(ipList): drop_ip_list = [] #先列出已有的IPTABLES的IP,达到过滤,去重的目的 iptablesOutput = exec_Cmd(iptables -vnL) for line in iptablesOutput.split(\n): line = line.split() if not line[0].isdigit(): continue drop_ip_list.append(line[7]) for ip in ipList: if ip in drop_ip_list: continue dropCmd = "iptables -I INPUT -s " + ip + " -j DROP" print dropCmd #干之!!! exec_Cmd(dropCmd) def main(): urlList = CCDef_url() ipList = CCDef_ip(urlList) print ipList dropIptables(ipList) pass if __name__=="__main__": main()
BASH SHELL版,运维兄弟写的,真的省好多行。要好好攻一下SHELL脚本了。
#!/bin/bash #while true tail -f XXX.log url.txt echo "wait 120s" sleep 120s kill -9 `ps -ef | grep "tail -f" | grep -v grep | awk {print $2} | xargs` /dev/null sleep 1 one=`head -1 url.txt | awk {print $4}` two=`tail -1 url.txt | awk {print $4}` #awk -v one=$one -v two=$two $4 one $4 two url.txt|awk {a[$7]++}END{for(i in a)print a[i],i}|sort -n|tail -n 10|column -t url_max=`awk -v one=$one -v two=$two $4 one $4 two url.txt|awk {a[$7]++}END{for(i in a)print a[i],i}|sort -n|tail -n 10|column -t | awk {if ($1 500) print $2} | xargs` echo $url_max url.log for i in $url_max ipaddress=`awk -v one=$one -v two=$two $4 one $4 two url.txt|grep "$i"|awk {a[$1]++}END{for(i in a)print a[i],i}|sort -n|tail -n 10|column -t | awk {if ($1 100) print $2}|xargs` for ip in $ipaddress iptables -L -n | grep "$ip" if [ $? != 0 ] then echo $ip url.log iptables -I INPUT -s $ip -j DROP done done #done
警惕主动外联!云防火墙检测拦截勒索、Muhstik僵尸网络等 Log4j2漏洞利用 近期,阿里云安全观测到,在 Apache Log4j2 漏洞攻击全程中,无论是在漏洞利用阶段,还是后续要进行验证和进一步的控制利用,大多涉及多次受害服务器的主动外联,云防火墙已陆续发现并拦截60余万次涉及勒索、挖矿家族的漏洞利用行为。
对付CC攻击不必动用防火墙 被CC攻击的时候服务器出现的症状 一般服务器被CC*时,传奇服务器会出现7000端口对外是关闭的现象, 因为这个断口已经被堵塞了,通过命令netstat -an可以看到和如下显示雷同的记录: 7000 219.
调查 | 用户无法识别网络钓鱼攻击 本文讲的是调查 | 用户无法识别网络钓鱼攻击,研究人员发现,电脑用户对于识别恶意软件还算可以,但对于识别网络钓鱼就无能为力了。