How to build an IP blacklist from log analysis in Python

Published: 28 December 2023

Python: adding IPs to a blacklist by analysing the access log

Monitor the nginx access log; if someone is attacking the site, add their IP to the blacklist. The steps are:

1. Read the log file.

2. Split each line on whitespace and take the client IP (the first field).

3. Collect the IPs in a list, then count how many times each IP appears.

4. If the count exceeds the configured threshold, add that IP to the blacklist.

The log entries look like this (each entry is one line):

178.210.90.90 - - [04/Jun/2017:03:44:13 +0800] "GET /wp-includes/logo_img.php HTTP/1.0" 302 161 "http://nnzhp.cn/wp-includes/logo_img.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4" "10.3.152.221"
178.210.90.90 - - [04/Jun/2017:03:44:13 +0800] "GET /blog HTTP/1.0" 301 233 "logo_img.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4" "10.3.152.221"
178.210.90.90 - - [04/Jun/2017:03:44:15 +0800] "GET /blog/ HTTP/1.0" 200 38278 "logo_img.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4" "10.3.152.221"
66.249.75.29 - - [04/Jun/2017:03:45:55 +0800] "GET /bbs/forum.php?mod=forumdisplay&fid=574&filter=hot HTTP/1.1" 200 17482 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "-"
37.9.169.20 - - [04/Jun/2017:03:47:59 +0800] "GET /wp-admin/security.php HTTP/1.1" 302 161 "/security.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4" "-"
37.9.169.20 - - [04/Jun/2017:03:48:01 +0800] "GET /blog HTTP/1.1" 301 233 "security.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4" "-"
37.9.169.20 - - [04/Jun/2017:03:48:02 +0800] "GET /blog/ HTTP/1.1" 200 38330 "security.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4" "-"
37.9.169.20 - - [04/Jun/2017:03:48:21 +0800] "GET /wp-admin/security.php HTTP/1.1" 302 161 "wp-admin/security.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4" "-"
37.9.169.20 - - [04/Jun/2017:03:48:21 +0800] "GET /blog HTTP/1.1" 301 233 "" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4" "-"
37.9.169.20 - - [04/Jun/2017:03:48:23 +0800] "GET /blog/ HTTP/1.1" 200 38330 "http://nnzhp.cn/wp-admin/security.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4" "-"

The code is as follows:

import os
import time
from collections import Counter
# os.system('ipconfig')  # os.system runs an operating-system command

blocked = set()   # IPs that already have a DROP rule, so the same rule is not inserted again every minute
while True:
    list_ip = []
    with open('access.log') as fp:
        for line in fp:
            fields = line.split()
            if fields:                    # skip blank lines
                list_ip.append(fields[0])  # the first field is the client IP
    open('access.log', 'w').close()        # empty the file (the original used os.system('>access.log'))
    counts = Counter(list_ip)              # requests per IP in one pass, instead of list.count() for every IP
    for ip, n in counts.items():
        if n > 200 and ip not in blocked:  # more than 200 requests from one IP: add it to the blacklist
            os.system('iptables -I INPUT 1 -p tcp -s %s -j DROP' % ip)
            blocked.add(ip)
    time.sleep(60)
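The script above counts every line in the file and then empties it, which loses any request nginx writes between the read and the truncation, re-inserts the same iptables rule on every pass for an IP that stays over the limit, and will happily block your own load balancer or monitoring host. The following is an added example (it is not the page's or the author's code) that implements the same four steps in a form a practitioner can run: it parses the combined-format line shown above with a regular expression, counts requests per IP inside a time window taken from the log timestamps instead of truncating the file, skips an allowlist of networks, remembers which IPs are already blocked, and builds the iptables command as an argv list. The sample log lines, the allowlist 10.0.0.0/8, the 5-minute window and the threshold of 2 are constructed for the demo; the threshold in production would be the page's 200.

```python
import ipaddress
import re
import subprocess
from collections import Counter
from datetime import datetime, timedelta

# Fields of an nginx combined-style line as shown above: client IP, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log modelled on the excerpt above (not a real capture). It includes
# a malformed line, requests from a private probe address, and entries from the previous
# day that fall outside the counting window.
SAMPLE_LOG = """\
37.9.169.20 - - [04/Jun/2017:03:48:01 +0800] "GET /wp-admin/security.php HTTP/1.1" 302 161 "-" "Mozilla/5.0" "-"
37.9.169.20 - - [04/Jun/2017:03:48:02 +0800] "GET /wp-admin/security.php HTTP/1.1" 302 161 "-" "Mozilla/5.0" "-"
37.9.169.20 - - [04/Jun/2017:03:48:03 +0800] "GET /wp-admin/security.php HTTP/1.1" 302 161 "-" "Mozilla/5.0" "-"
66.249.75.29 - - [04/Jun/2017:03:45:55 +0800] "GET /bbs/forum.php?mod=forumdisplay HTTP/1.1" 200 17482 "-" "Googlebot/2.1" "-"
this line is not an access-log record and must not crash the parser
10.0.0.5 - - [04/Jun/2017:03:48:10 +0800] "GET /health HTTP/1.1" 200 2 "-" "probe" "-"
10.0.0.5 - - [04/Jun/2017:03:48:11 +0800] "GET /health HTTP/1.1" 200 2 "-" "probe" "-"
10.0.0.5 - - [04/Jun/2017:03:48:12 +0800] "GET /health HTTP/1.1" 200 2 "-" "probe" "-"
178.210.90.90 - - [03/Jun/2017:01:00:00 +0800] "GET /wp-includes/logo_img.php HTTP/1.0" 302 161 "-" "Mozilla/5.0" "-"
178.210.90.90 - - [03/Jun/2017:01:00:01 +0800] "GET /wp-includes/logo_img.php HTTP/1.0" 302 161 "-" "Mozilla/5.0" "-"
178.210.90.90 - - [03/Jun/2017:01:00:02 +0800] "GET /wp-includes/logo_img.php HTTP/1.0" 302 161 "-" "Mozilla/5.0" "-"
"""


def parse_ts(text):
    """Parse an nginx timestamp such as '04/Jun/2017:03:48:01 +0800' (timezone-aware)."""
    return datetime.strptime(text, TS_FORMAT)


def parse_line(line):
    """Return (ip, timestamp) for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))  # rejects a first field that is not an IP
        ts = parse_ts(m.group("ts"))
    except ValueError:
        return None
    return ip, ts


def count_recent_requests(lines, now, window_seconds):
    """Requests per client IP whose timestamp lies in [now - window, now].

    Counting by timestamp replaces the original's "empty the file every minute"
    step, so the log is never truncated underneath nginx.
    """
    earliest = now - timedelta(seconds=window_seconds)
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        if earliest <= ts <= now:
            counts[str(ip)] += 1
    return counts


def select_offenders(counts, threshold, allowlist):
    """IPs with more than `threshold` requests, minus any address in an allowlisted network."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    offenders = []
    for ip, n in counts.items():
        if n <= threshold:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowed):
            continue  # never block your own load balancer, monitoring or admin range
        offenders.append(ip)
    return sorted(offenders)


def block_command(ip):
    """argv for the page's iptables rule; the list form means the value is never parsed by a shell."""
    return ["iptables", "-I", "INPUT", "1", "-p", "tcp", "-s", ip, "-j", "DROP"]


def run_once(lines, now, window_seconds, threshold, allowlist, already_blocked, dry_run=True):
    """One monitoring pass. Returns the IPs newly blocked on this pass."""
    counts = count_recent_requests(lines, now, window_seconds)
    new = [ip for ip in select_offenders(counts, threshold, allowlist)
           if ip not in already_blocked]
    for ip in new:
        if not dry_run:
            subprocess.run(block_command(ip), check=True)
        already_blocked.add(ip)  # remembered so the rule is not inserted again on the next pass
    return new


def demo():
    """Two dry-run passes over the sample log with a 5-minute window and a threshold of 2."""
    now = parse_ts("04/Jun/2017:03:49:00 +0800")
    blocked = set()
    first = run_once(SAMPLE_LOG.splitlines(), now, 300, 2, ["10.0.0.0/8"], blocked)
    second = run_once(SAMPLE_LOG.splitlines(), now, 300, 2, ["10.0.0.0/8"], blocked)
    return first, second


if __name__ == "__main__":
    print(demo())  # (['37.9.169.20'], [])
```

On the first pass only 37.9.169.20 is blocked: 10.0.0.5 is over the threshold but allowlisted, 178.210.90.90 only has requests from the day before, and the malformed line is ignored. The second pass blocks nothing because the IP is already in the blocked set. To apply the rules for real, run it with `dry_run=False` as root and feed it the tail of the live access log instead of `SAMPLE_LOG`.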
Source: https://blog.csdn.net/hakesashou/article/details/135254263