# 公司服务器,经常被别人攻击,要写个监控nginx日志的脚本,每分钟运行一次,如果这一分钟内同一个ip请求次数超过200次,加入黑名单,nginx日志每一行的格式如下:
# 46.161.9.44 - - [23/Jun/2017:03:17:37 +0800] "GET /bbs/forum.php?mod=forumdisplay&fid=2 HTTP/1.0" 200 48260 "http://aaaa.bbbbb.com/bbs/forum.php?mod=forumdisplay&fid=2" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" "-"
# 46.161.9.44 - - [23/Jun/2017:03:17:39 +0800] "GET /bbs/forum.php?mod=forumdisplay&fid=2 HTTP/1.0" 200 46200 "http://aaaa.bbbbb.com/bbs/forum.php?mod=forumdisplay&fid=2" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" "-"

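def log_monitor(log_path='aa.log', threshold=200, interval=60, max_cycles=None):
    """Follow an nginx access log and print IPs that exceed a request threshold.

    Each cycle reads only the lines appended since the previous cycle, counts
    the first whitespace-separated field of every line (the client address in
    the log format this script targets), prints one line per address whose
    count is greater than *threshold*, then sleeps *interval* seconds.

    Args:
        log_path: Access log to follow. Defaults to ``'aa.log'``.
        threshold: An address is reported when its count in one cycle is
            strictly greater than this value.
        interval: Seconds to sleep between cycles.
        max_cycles: Stop after this many cycles; ``None`` (the default) keeps
            the original behaviour of running until the process is killed.

    Raises:
        OSError: If the log file cannot be opened.

    Caveats for whoever acts on the output:
        * The function only prints; nothing here updates a firewall or an
          nginx deny list.
        * The first cycle counts everything already in the file, so its
          window is the file's whole history rather than *interval* seconds.
        * Presumably the first field is nginx's ``$remote_addr``. Behind a
          reverse proxy, CDN or NAT that is the intermediary's address, and
          blocking it would affect every client behind it. Confirm against
          the ``log_format`` in use before enforcing.
    """
    import time
    from collections import Counter

    pin = 0  # byte offset of the first log line not yet counted
    cycles = 0
    while max_cycles is None or cycles < max_cycles:
        hits = Counter()
        # Binary mode keeps offsets as plain byte counts and means unusual
        # bytes in a request line cannot abort the monitor with a decode error.
        # The `with` block closes the handle every cycle; the original leaked
        # one descriptor per minute.
        with open(log_path, 'rb') as fr:
            fr.seek(0, 2)
            if fr.tell() < pin:
                # File is shorter than our offset: it was truncated or rotated.
                # Without this reset the monitor would read nothing from then on.
                # NOTE(review): a rotated file that has already grown past the
                # old offset is not caught by a size check alone.
                pin = 0
            fr.seek(pin)
            for raw in fr:
                if not raw.endswith(b'\n'):
                    # Line is still being written; leave it for the next cycle
                    # so its tail is not miscounted as a separate entry.
                    break
                pin += len(raw)
                fields = raw.split()
                if fields:  # blank lines have no address field
                    hits[fields[0].decode('ascii', 'replace')] += 1
        for new_ip, seen in hits.items():
            if seen > threshold:
                print('加入黑名单:%s'%new_ip)
        cycles += 1
        if max_cycles is None or cycles < max_cycles:
            time.sleep(interval)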


# Start monitoring at import/run time. With its default arguments
# log_monitor() loops indefinitely, so nothing after this call executes.
log_monitor()
# Leftover scratch snippet (disabled) that builds a set from a list with a
# repeated element, the same de-duplication step the monitor relies on.
# a = ['2','2','3']
# b = set(a)
# print(b)
