1. Write a script, selinux.sh, that enables or disables SELinux
```bash
[[email protected]_centos7 ~]# cat selinux.sh
#!/bin/bash
#
#************************************************************************
#Author: qiuhom
#QQ: 467697313
#mail: [email protected]
#Date: 2019-12-11
#FileName: selinux.sh
#URL: https://www.cnblogs.com/qiuhom-1874/
#Description:
#Copyright (C): 2019 All rights reserved
#************************************************************************
[ -f /etc/init.d/functions ] && . /etc/init.d/functions
[ $UID -ne 0 ] && echo "this script must be run as root" && exit 1
[ $# -ne 1 ] && echo "Usage:bash $0 <off|on>" && exit 2
if [ "$1" = "on" ];then
# persistent setting in the config file: only read at the next boot
sed -i 's@^SELINUX=.*@SELINUX=enforcing@' /etc/selinux/config
[ $? -eq 0 ] && action "selinux config on" /bin/true
# runtime setting: takes effect immediately, does not survive a reboot
/sbin/setenforce 1
elif [ "$1" = "off" ];then
sed -i 's@^SELINUX=.*@SELINUX=disabled@' /etc/selinux/config
[ $? -eq 0 ] && action "selinux config off" /bin/true
/sbin/setenforce 0
else
echo "argv error , please input <on|off>"
exit 3
fi
[[email protected]_centos7 ~]#
```
Verification
```
[[email protected]_centos7 ~]# sh selinux.sh
Usage:bash selinux.sh <off|on>
[[email protected]_centos7 ~]# sh selinux.sh aa
argv error , please input <on|off>
[[email protected]_centos7 ~]# getenforce
Permissive
[[email protected]_centos7 ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[[email protected]_centos7 ~]# sh selinux.sh on
selinux config on [ OK ]
[[email protected]_centos7 ~]# getenforce
Enforcing
[[email protected]_centos7 ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[[email protected]_centos7 ~]# sh selinux.sh off
selinux config off [ OK ]
[[email protected]_centos7 ~]# getenforce
Permissive
[[email protected]_centos7 ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[[email protected]_centos7 ~]#
```
Note: to disable SELinux permanently the server must be rebooted, because SELinux is a kernel module and the configuration file is only re-read at boot. It can be switched off temporarily with setenforce 0, but strictly speaking that does not disable SELinux: it switches SELinux to permissive mode, in which it only logs warnings and no longer actually controls access to resources on the Linux system. That is why getenforce above still reports Permissive, not Disabled, right after "selinux.sh off".
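The note above describes two different states, the persistent one in /etc/selinux/config and the runtime one reported by getenforce, and the script above never checks that they agree. The following added example (mine, not the post's selinux.sh) validates the requested mode, rewrites only the real SELINUX= line of a config file passed as an argument so it can be tried on a scratch copy, and reports drift between the persistent setting and the running mode. It assumes GNU sed (sed -i), as on CentOS; the file contents in the demo are constructed.

```bash
#!/bin/bash
# Added example, not the original post's selinux.sh. Three helpers:
#   config_mode       read the persistent SELINUX= value from a config file
#   set_config_mode   validate a mode and rewrite that line in place
#   runtime_vs_config compare persistent and runtime modes, report drift
# Assumes GNU sed (sed -i). The demo at the bottom works on a temp copy.

# config_mode <file>: print the value of the last uncommented SELINUX= line
# (commented-out examples in the file header are ignored).
config_mode() {
    awk -F= '/^[[:space:]]*SELINUX[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = $2 }
             END { print v }' "$1"
}

# set_config_mode <file> <enforcing|permissive|disabled>
# Returns 2 for an invalid mode, 1 if the file has no SELINUX= line to edit,
# 0 once the line has been rewritten and read back successfully.
set_config_mode() {
    local file="$1" mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode '$mode': use enforcing, permissive or disabled" >&2; return 2 ;;
    esac
    sed -i "s@^[[:space:]]*SELINUX[[:space:]]*=.*@SELINUX=$mode@" "$file" || return 1
    if [ "$(config_mode "$file")" != "$mode" ]; then
        echo "no SELINUX= line found in $file" >&2
        return 1
    fi
}

# runtime_vs_config <config-mode> <runtime-mode>
# getenforce prints Enforcing/Permissive/Disabled while the config file uses
# lower case, so compare case-insensitively. Any mismatch is drift: either a
# setenforce change that will not survive a reboot, or a config change that
# only takes effect after one.
runtime_vs_config() {
    local c r
    c=$(echo "$1" | tr '[:upper:]' '[:lower:]')
    r=$(echo "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$c" = "$r" ]; then
        echo "ok"
    else
        echo "drift: config=$c runtime=$r"
    fi
}

# Stand-alone demo on a constructed scratch copy, so nothing system-wide changes.
demo_file=$(mktemp)
printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$demo_file"
set_config_mode "$demo_file" enforcing
echo "persistent mode in scratch copy: $(config_mode "$demo_file")"
runtime=$(getenforce 2>/dev/null || echo Disabled)   # Disabled when getenforce is absent
runtime_vs_config "$(config_mode "$demo_file")" "$runtime"
rm -f "$demo_file"
```

On a real host, point set_config_mode at /etc/selinux/config and pair it with setenforce as the post's script does; a "drift" line after the change is expected and is exactly the reboot caveat the note describes.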
2. Count how many times each file system type appears in /etc/fstab
```
[[email protected] ~]$ cat -A /etc/fstab|awk '!/^\$|#/{fstype[$3]++}END{print"fstype count";for(i in fstype){print i,fstype[i]}}'
fstype count
devpts 1
swap 1
sysfs 1
proc 1
tmpfs 1
iso9660 2
ext4 2
[[email protected] ~]$
```
Note: the core idea of the command above is to use an awk array to record the number of occurrences of each file system type. Every time the same type appears again its counter is incremented by 1, and at the end the results are printed in a loop. cat -A marks each line end with $, so the pattern !/^\$|#/ skips blank lines and lines containing a comment; the third field of the remaining lines is the file system type.
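The same counting idea, written as an added example of mine rather than the post's one-liner: it takes the fstab-format file as an argument instead of relying on cat -A, treats indented comments and blank lines correctly, prints the counts in a stable sorted order, and adds a check for entries with too few fields, which is the kind of malformed line that stops a boot. SAMPLE_FSTAB is constructed data with the same type mix as the output above, not a real system's file.

```bash
#!/bin/bash
# Added example (not the original post's command). SAMPLE_FSTAB is constructed.

SAMPLE_FSTAB='#
# /etc/fstab (constructed sample)
#
UUID=0a1b2c3d-0000-1111-2222-333344445555 /      ext4    defaults        1 1
UUID=1a1b2c3d-0000-1111-2222-333344445556 /boot  ext4    defaults        1 2

UUID=2a1b2c3d-0000-1111-2222-333344445557 swap   swap    defaults        0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
   # an indented comment line is still a comment
/dev/sr0                /mnt/cdrom              iso9660 ro,noauto       0 0
/dev/sr1                /mnt/cdrom2             iso9660 ro,noauto       0 0'

# fstab_type_counts <file>: print "fstype count" lines sorted by type.
# NF skips blank lines; $1 !~ /^#/ skips comments even when indented;
# the third field of an fstab entry is the file system type.
fstab_type_counts() {
    awk 'NF && $1 !~ /^#/ { count[$3]++ }
         END { for (t in count) print t, count[t] }' "$1" | sort
}

# fstab_malformed <file>: print the line number of every non-comment entry
# with fewer than four fields (device, mount point, type, options are
# required; the dump and fsck fields default to 0 when omitted).
fstab_malformed() {
    awk 'NF && $1 !~ /^#/ && NF < 4 { print NR }' "$1"
}

# Stand-alone demo on the constructed sample written to a temp file.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_FSTAB" > "$demo_file"
echo "fstype count"
fstab_type_counts "$demo_file"
bad=$(fstab_malformed "$demo_file")
[ -z "$bad" ] && echo "no malformed entries" || echo "malformed entries on lines: $bad"
rm -f "$demo_file"
```

Run it against the real file with fstab_type_counts /etc/fstab; the two functions are independent, so fstab_malformed can be dropped into a pre-reboot check on its own.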
3. Extract all the digits from the string [email protected]%9&Bdh7dq+YVixp3vpw
Method 1: filter with grep
```
[[email protected]_centos7 ~]# echo '[email protected]%9&Bdh7dq+YVixp3vpw'|grep -o '[0-9]'
0
5
9
7
3
[[email protected]_centos7 ~]#
```
Method 2: filter with awk
```
[[email protected]_centos7 ~]# echo '[email protected]%9&Bdh7dq+YVixp3vpw'|awk -F "" '{for(i=1;i<=NF;i++){if($i ~ /[0-9]/){print $i}}}'
0
5
9
7
3
[[email protected]_centos7 ~]#
```
Note: the idea behind the command above is to loop over every character of the string, test whether each one is a digit, and print it if it is. -F sets the field separator; -F "" sets an empty separator, so every single character becomes its own field.
4. Production case, mitigating a DoS attack: based on the web access log or the number of network connections, monitor the concurrent connections or short-term page views per IP; when an IP reaches 100, call the firewall command to block that IP. The check runs every 5 minutes. Firewall command: iptables -A INPUT -s IP -j REJECT
Step 1: write a script that filters the web access log, counts the IPs in it, and checks whether an IP has reached 100 connections within the short interval
```bash
[[email protected] ~]#cat dos.sh
#!/bin/bash
#
#************************************************************************
#Author: qiuhom
#QQ: 467697313
#mail: qiuhom46769[email protected]
#Date: 2019-12-12
#FileName: dos.sh
#URL: https://www.cnblogs.com/qiuhom-1874/
#Description:
#Copyright (C): 2019 All rights reserved
#************************************************************************
# count requests per client IP (first field of the nginx access log) and
# keep the IPs at or above the threshold stated in the task (100)
ip=`awk '{
cip[$1]++
}
END{
for(i in cip)
{
if(cip[i] >= 100){
print i
}
}
}' /var/log/nginx/access.log`
# nothing to block this round: do not call iptables with an empty -s
[ -z "$ip" ] && exit 0
# turn the whitespace-separated list into the comma-separated form -s accepts
iplist=`echo $ip |tr -s " " ","`
iptables -A INPUT -s $iplist -j REJECT
# archive the log that was just evaluated and start a fresh one for the next interval
[ ! -e /log/bak ] && mkdir -p /log/bak
cat /var/log/nginx/access.log>> /log/bak/nginx_access.log.bak
> /var/log/nginx/access.log
[[email protected] ~]#
```
Note: the script above counts how many times each client IP appears in the nginx access log. Every IP that appears 100 times or more is stored in the variable ip; tr then replaces the spaces between the addresses with commas and the result is assigned to iplist, so that all matching IPs are added to the firewall rules in one go and their traffic is rejected.
Step 2: create a cron job that runs the script above every 5 minutes
```
[[email protected] ~]#crontab -l
*/5 * * * * bash /root/dos.sh &> /dev/null
```
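The two steps above (count per-IP requests in the access log, reject the offenders, repeat every 5 minutes) work, but three things bite in production: every cron run appends another identical REJECT rule, a monitoring host or reverse proxy can block itself, and truncating the access log throws away the evidence of what the blocked addresses did. The following added example (mine, not the post's dos.sh) separates counting from blocking, takes an allowlist, uses iptables -C so a rule is only appended once, and defaults to a dry run that prints the rule instead of applying it. SAMPLE_LOG is constructed data in nginx combined format using documentation address ranges.

```bash
#!/bin/bash
# Added example, not the original post's dos.sh. DRY_RUN defaults to 1 so
# running this file prints the rules it would add; set DRY_RUN=0 to apply them.
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample log: 3 requests from 203.0.113.7, 3 from 192.0.2.1,
# 1 from 198.51.100.9 (the "monitoring host" in the demo below).
SAMPLE_LOG='203.0.113.7 - - [12/Dec/2019:10:00:01 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0"
203.0.113.7 - - [12/Dec/2019:10:00:01 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0"
203.0.113.7 - - [12/Dec/2019:10:00:02 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0"
198.51.100.9 - - [12/Dec/2019:10:00:02 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.1 - - [12/Dec/2019:10:00:03 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0"
192.0.2.1 - - [12/Dec/2019:10:00:03 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0"
192.0.2.1 - - [12/Dec/2019:10:00:04 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0"'

# offenders <threshold> [allowlist]: read an access log on stdin and print,
# one per line and sorted, every client IP with >= threshold requests that is
# not in the space-separated allowlist.
offenders() {
    awk -v t="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # only count fields that look like an IPv4 address, so a malformed or
        # truncated line can never end up as an iptables argument
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { cnt[$1]++ }
        END { for (ip in cnt) if (cnt[ip] >= t && !(ip in ok)) print ip }' | sort
}

# block_ip <ip>: append a REJECT rule unless an identical one already exists
# (iptables -C), so a 5-minute cron run does not pile up duplicate rules.
block_ip() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables -A INPUT -s $1 -j REJECT"
        return 0
    fi
    iptables -C INPUT -s "$1" -j REJECT 2>/dev/null || iptables -A INPUT -s "$1" -j REJECT
}

# block_offenders <threshold> [allowlist]: log on stdin, one block_ip per offender.
block_offenders() {
    offenders "$1" "$2" | while read -r ip; do
        block_ip "$ip"
    done
}

# Stand-alone demo on the constructed log: threshold 3, monitoring host allowlisted.
printf '%s\n' "$SAMPLE_LOG" | block_offenders 3 "198.51.100.9"
```

For the cron job, replace the demo line with something like `block_offenders 100 "<your monitoring hosts>" < /var/log/nginx/access.log` and let logrotate, not the script, rotate the access log so the evidence survives; the threshold then applies to whatever window the current log file covers.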
Source: http://www.bubuko.com/infodetail-3327550.html