<div dir="ltr"><div>A little outdated in that many Linux distributions no longer come with 'netstat' by default - you now use the 'ss' command. You may be able to obtain netstat by installing some form of network-legacy package, of course.</div><div><br></div><div>As for blocking IPs that access you too frequently, there's 'fail2ban' which can do this more flexibly and configurably.</div><div><br></div><div>As for #3 I'm not sure, but I'd be surprised if there wasn't some tool for that as well.<br></div><div><br></div><div>/Niklas<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Den tors 11 maj 2023 kl 01:57 skrev KenUnix <<a href="mailto:ken.unix.guy@gmail.com">ken.unix.guy@gmail.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div dir="ltr"><h1 id="m_-5138524523906084819m_-8779184063011437725gmail-39d1">Useful Shell Scripts Network Connections , Logins and<br></h1><div><font size="6"><b>Block hacking attempts</b></font><br></div><div><br></div><div><img src="cid:ii_lhichs680" alt="image.png" width="578" height="325"><br></div><div><br></div><div><div><div><div><div><div><div><div><h1 id="m_-5138524523906084819m_-8779184063011437725gmail-6d86">#1. See how many remote IPs are connecting to the machine<br></h1><p id="m_-5138524523906084819m_-8779184063011437725gmail-bc14">See
how many remote IPs are connecting to the local machine (whether
through ssh or web or ftp ) Use netstat — atn to view the status of all
connections on the machine, — a to view all, -T Display only tcp
connection information, ≤ n Display in numeric format Local Address (the
fourth column is the IP and port information of the machine) Foreign
Address (the fifth column is the IP and port information of the remote
host) Use the awk command to display only the data in column 5, and then
display the information of the IP address in column 1 Sort can be
sorted by number size, and finally use uniq to delete the redundant
duplicates and count the number of duplicates</p><pre><span id="m_-5138524523906084819m_-8779184063011437725gmail-4e6c"><br>netstat -atn | awk <span>'{print $5}'</span> | awk <span>'{print $1}'</span> | <span>sort</span> -nr | <span>uniq</span> -c</span></pre><h1 id="m_-5138524523906084819m_-8779184063011437725gmail-9c03">#2. Detect file consistency in specified directories of two servers</h1><p id="m_-5138524523906084819m_-8779184063011437725gmail-d6a7">Detect
the consistency of files in specified directories on two servers, by
comparing the md5 values of files on two servers to detect consistency</p><pre><span id="m_-5138524523906084819m_-8779184063011437725gmail-22ed"><span>#!/bin/bash</span><br><span>dir</span>=/data/web<br>b_ip=xxx.xxx.xxx.xxx<br><span>#Iterate through all the files in the specified directory and use them as arguments to the md5sum command to get the md5 values of all the files and write them to the specified file</span><br>find <span>$dir</span> -<span>type</span> f|xargs <span>md5sum</span> > /tmp/md5_a.txt<br>ssh <span>$b_ip</span> <span>"find <span>$dir</span> -type f|xargs md5sum > /tmp/md5_b.txt"</span><br>scp <span>$b_ip</span>:/tmp/md5_b.txt /tmp<br><span>#Compare file names as traversal objects one by one</span><br><span>for</span> f <span>in</span> `awk <span>'{print 2} /tmp/md5_a.txt'</span>`<br><span>do</span><br><span>#The standard is machine a. When machine b does not exist to traverse the files in the object directly output the non-existent results</span><br><span>if</span> grep -qw <span>"<span>$f</span>"</span> /tmp/md5_b.txt<br><span>then</span><br>md5_a=`grep -w <span>"<span>$f</span>"</span> /tmp/md5_a.txt|awk <span>'{print 1}'</span>`<br>md5_b=`grep -w <span>"<span>$f</span>"</span> /tmp/md5_b.txt|awk <span>'{print 1}'</span>`<br><span>#Output the result of file changes if the md5 value is inconsistent when the file exists</span><br><span>if</span> [ <span>$md5_a</span> != <span>$md5_b</span> ]<br><span>then</span><br><span>echo</span> <span>"<span>$f</span> changed."</span><br><span>fi</span><br><span>else</span><br><span>echo</span> <span>"<span>$f</span> deleted."</span><br><span>fi</span><br><span>done</span></span></pre><h1 id="m_-5138524523906084819m_-8779184063011437725gmail-1349">#3. Detect network interface card traffic and record it in the log according to the specified format</h1><p id="m_-5138524523906084819m_-8779184063011437725gmail-6b8a">Detect
the network interface card traffic and record it in the log according
to the specified format, and record it once a minute. The log format is
as follows:</p><ul><li id="m_-5138524523906084819m_-8779184063011437725gmail-7c28">2019–08–12 20:40</li><li id="m_-5138524523906084819m_-8779184063011437725gmail-8ce8">ens33 input: 1234bps</li><li id="m_-5138524523906084819m_-8779184063011437725gmail-7e70">ens33 output: 1235bps</li></ul><pre><span id="m_-5138524523906084819m_-8779184063011437725gmail-05d5"><span>#!/bin/bash</span><br><span>while</span> :<br><span>do</span><br>LANG=en<br>logfile=/tmp/`<span>date</span> +%d`.<span>log</span><br><span>#Redirect the output of the following command execution to the logfile log</span><br><span>exec</span> >> <span>$logfile</span><br><span>date</span> +<span>"%F %H:%M"</span><br><span>#The unit of traffic counted by the sar command is kb/s, and the log format is bps, so it should be *1000*8</span><br>sar -n DEV 1 59|grep Average|grep ens33|awk <span>'{print $2,"\t","input:","\t",$5*1000*8,"bps","\n",$2,"\t","output:","\t",$6*1000*8,"bps"}'</span><br><span>echo</span> <span>"####################"</span><br><span>#Because it takes 59 seconds to execute the sar command, sleep is not required</span><br><span>done</span></span></pre><h1 id="m_-5138524523906084819m_-8779184063011437725gmail-a73c">#4. Iptables automatically blocks IPs that visit websites frequently</h1><h2 id="m_-5138524523906084819m_-8779184063011437725gmail-573a">Block more than 200 IP accesses per minute</h2><ul><li id="m_-5138524523906084819m_-8779184063011437725gmail-6005">According to Nginx</li></ul><pre><span id="m_-5138524523906084819m_-8779184063011437725e784"><span>#!/bin/bash</span><br>DATE=$(<span>date</span> +%d/%b/%Y:%H:%M)<br>ABNORMAL_IP=$(<span>tail</span> -n5000 access.log |grep <span>$DATE</span> |awk <span>'{a[$1]++}END{for(i in a)if(a[i]>100)print i}'</span>)<br><span>#First tail prevents the file from being too large and slow to read, and the number can be adjusted for the maximum number of visits per minute. awk cannot filter the log directly because it contains special characters.</span><br><span>for</span> IP <span>in</span> <span>$ABNORMAL_IP</span>; <span>do</span><br> <span>if</span> [ $(iptables -vnL |grep -c <span>"<span>$IP</span>"</span>) -eq 0 ]; <span>then</span><br> iptables -I INPUT -s <span>$IP</span> -j DROP<br> <span>fi</span><br><span>done</span></span></pre><ul><li id="m_-5138524523906084819m_-8779184063011437725gmail-166c">Connection established over TCP</li></ul><pre><span id="m_-5138524523906084819m_-8779184063011437725gmail-7200"><br><span>#!/bin/bash</span><br>ABNORMAL_IP=$(netstat -an |awk <span>'$4~/:80$/ && $6~/ESTABLISHED/{gsub(/:[0-9]+/,"",$5);{a[$5]++}}END{for(i in a)if(a[i]>100)print i}'</span>)<br><span>#gsub is to remove the colon and port from the fifth column (client IP)</span><br><span>for</span> IP <span>in</span> <span>$ABNORMAL_IP</span>; <span>do</span><br> <span>if</span> [ $(iptables -vnL |grep -c <span>"<span>$IP</span>"</span>) -eq 0 ]; <span>then</span><br> iptables -I INPUT -s <span>$IP</span> -j DROP<br> <span>fi</span><br><span>done</span></span></pre><h2 id="m_-5138524523906084819m_-8779184063011437725gmail-6f1b">Block IPs with more than 10 SSH attempts per minute<br></h2><ul><li id="m_-5138524523906084819m_-8779184063011437725gmail-1341">Get login status via lastb</li></ul><pre><span id="m_-5138524523906084819m_-8779184063011437725gmail-38ba"><span>#!/bin/bash</span><br>DATE=$(<span>date</span> +<span>"%a %b %e %H:%M"</span>) <span>#Day of the week, month, and hour %e displays 7 for single digits, while %d displays 07</span><br>ABNORMAL_IP=$(lastb |grep <span>"<span>$DATE</span>"</span> |awk <span>'{a[$3]++}END{for(i in a)if(a[i]>10)print i}'</span>)<br><span>for</span> IP <span>in</span> <span>$ABNORMAL_IP</span>; <span>do</span><br> <span>if</span> [ $(iptables -vnL |grep -c <span>"<span>$IP</span>"</span>) -eq 0 ]; <span>then</span><br> iptables -I INPUT -s <span>$IP</span> -j DROP<br> <span>fi</span><br><span>done</span></span></pre><ul><li id="m_-5138524523906084819m_-8779184063011437725gmail-5cc9">Get login status from logs</li></ul><pre><span id="m_-5138524523906084819m_-8779184063011437725gmail-1cc5"><span>#!/bin/bash</span><br>DATE=$(<span>date</span> +<span>"%b %d %H"</span>)<br>ABNORMAL_IP=<span>"<span>$(tail -n10000 /var/log/auth.log |grep <span>"<span>$DATE</span>"</span> |awk '/Failed/{a[$(NF-3)</span>]++}END{for(i in a)if(a[i]>5)print i}')"</span><br><span>for</span> IP <span>in</span> <span>$ABNORMAL_IP</span>; <span>do</span><br> <span>if</span> [ $(iptables -vnL |grep -c <span>"<span>$IP</span>"</span>) -eq 0 ]; <span>then</span><br> iptables -A INPUT -s <span>$IP</span> -j DROP<br> <span>echo</span> <span>"<span>$(date +<span>"%F %T"</span>)</span> - iptables -A INPUT -s <span>$IP</span> -j DROP"</span> >>~/ssh-login-limit.log<br> <span>fi</span><br><span>done</span></span></pre></div></div></div></div></div></div></div></div></div><div>Might come in handy...<br></div></div><br><span>-- </span><br><div dir="ltr"><div dir="ltr"><div>End of line</div><div></div><div><br></div></div></div></div>
</blockquote></div>