Wednesday, July 30, 2014

Server monitoring script :)

Script to find out the abusive users on a server

~~~~~~~~~~~

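#!/usr/bin/env bash
# Report the five cPanel accounts using the most CPU, memory and MySQL, as seen
# by dcpumonview, prefixed with the reseller/owner of each account.
#
# Reads:   /usr/local/cpanel/bin/dcpumonview (HTML table), /var/cpanel/users/<acct>
# Outputs: three "USER <metric>" tables on stdout; diagnostics on stderr
# Returns: 0 on success, 1 when dcpumonview is missing or yields no account rows
#
# Fixes over the original one-liner: the awk format used a lone "%" (undefined;
# "%%" prints a literal percent), the environment variable USER was clobbered,
# an unreadable /var/cpanel/users file produced an empty owner that shifted every
# column of that row, and the account name was spliced into a path unchecked.

readonly DCPUMONVIEW=/usr/local/cpanel/bin/dcpumonview
readonly CPANEL_USERS_DIR=/var/cpanel/users

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Emit one "OWNER ACCT DOMAIN CPU MEM MYSQL" line per account.
# Rows with exactly five fields are taken to be account rows (the header row
# containing "Top" is dropped) -- this mirrors the original script's assumption
# about dcpumonview's table layout; confirm against the local cPanel version.
# Outputs: one line per account on stdout
#######################################
collect_usage() {
  local line acct owner
  local -a fields
  "$DCPUMONVIEW" | grep -v Top | sed -e 's#<[^>]*># #g' \
    | while IFS= read -r line; do
        read -r -a fields <<<"$line"
        (( ${#fields[@]} == 5 )) || continue
        acct=${fields[0]}
        # The account name becomes a path component below; only accept the
        # character set cPanel uses for account names (alnum, "_" and "-").
        if [[ ! "$acct" =~ ^[[:alnum:]_-]+$ ]]; then
          printf 'skipping unexpected account name: %q\n' "$acct" >&2
          continue
        fi
        owner=$(grep -e '^OWNER=' -- "$CPANEL_USERS_DIR/$acct" | cut -d= -f2)
        # Keep the column count stable when no owner could be read.
        printf '%s %s\n' "${owner:--}" "${fields[*]}"
      done
}

#######################################
# Print the top five rows of stdin by a numeric column as a "USER <label>" table.
# Arguments: $1 - column label for the header
#            $2 - 1-based field number to sort on and display
# Outputs:   aligned table on stdout
#######################################
print_top() {
  local label=$1 field=$2
  {
    printf 'USER %s\n' "$label"
    # "%%" is the portable way to emit a literal percent sign from awk printf.
    sort -n -r -k "$field" | awk -v f="$field" '{printf "%s %s%%\n", $2, $f}' | head -5
  } | column -t
}

main() {
  [[ -x "$DCPUMONVIEW" ]] || die "$DCPUMONVIEW not found or not executable (cPanel server required)"
  local usage
  usage=$(collect_usage)
  [[ -n "$usage" ]] || die "no account rows parsed from dcpumonview output"
  # Columns after the owner prefix: 2=account 4=CPU 5=memory 6=MySQL
  print_top CPU 4 <<<"$usage"
  echo
  print_top MEMORY 5 <<<"$usage"
  echo
  print_top MYSQL 6 <<<"$usage"
}

main "$@"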

~~~~~~~~~~~

Finding connections to the server

# Per-listener connection summary with a per-port alarm threshold.
# Prints every listening socket (program and proto:port), followed by the
# number of connections from each remote address; a count above the port's
# limit is shown in blinking red on white. LIMITS is keyed by local port,
# "def" (30) applies to ports not listed; FTP/SMTP/submission ports get 5-8.
#
# awk rule 1 (state LISTEN): map "proto:port" -> owning program, i.e. $7 with
#   the leading "pid/" stripped; the port is zero-padded so keys sort sanely.
# awk rule 2 (ESTABLISHED, SYN_RECV, FIN_WAIT2, UNKNOWN): count connections per
#   "proto:port@remote_ip"; the remote port and any IPv4-mapped "::ffff:" prefix
#   are removed so one client is counted once per listener.
# END: for each listener (sorted by key) print program and port, then the
#   per-remote-address counts sorted ascending by count (the "%010d" padding
#   and the later substr() only exist to sort numerically as strings).
#
# Operator notes:
#  - asorti()/asort() are GNU awk extensions; this needs gawk, not mawk or
#    busybox awk.
#  - netstat -p only resolves program names for sockets owned by the caller;
#    run as root to see all of them (otherwise the column shows "-").
#  - netstat is deprecated on current Linux in favour of ss; the field numbers
#    here ($4 local, $5 remote, $6 state, $7 program) are netstat's layout.
#  - The listener key is passed to match() as a regex; that is harmless for
#    keys like "tcp:00080" but would need escaping if the protocol column ever
#    contained regex metacharacters.
#  - Many SYN_RECV entries from one address is the SYN-flood signal this is
#    meant to surface; a high ESTABLISHED count from one address on 80/443 may
#    also simply be a proxy or NAT gateway, so check before blocking.
netstat -pltuna | awk '$6=="LISTEN"{sub(/^.*:+/,"",$4);sub(/^[[:digit:]]+\//,"",$7);idx=sprintf("%s:%05d",$1,$4);ary[idx]=$7;} $6~"^(ESTABLISHED|SYN_RECV|FIN_WAIT2|UNKNOWN)$"{sub(/^.*:(:ffff:)?/,"",$4);sub(/:[[:digit:]]+$/,"",$5);sub(/^::ffff:/,"",$5);idx=sprintf("%s:%05d@%s",$1,$4,$5);cons[idx]++;}END{LIMITS["def"]=30;LIMITS[21]=8;LIMITS[25]=5;LIMITS[26]=5;LIMITS[465]=5;LIMITS[587]=5;CL_NML="\033[0m";CL_WTE="\033[1;37m";CL_GRN="\033[0;32m";CL_YLW="\033[1;36m";CL_RED="\033[1;5;31;22;47m";n=asorti(ary,src);for(i=1;i<=n;i++){split(src[i],meh,/:/);sub(/^0*/,"",meh[2]);print CL_WTE ary[src[i]] CL_NML " " CL_GRN "(" meh[1] ":" meh[2] ")" CL_NML ":";delete nastyhack;for (q in cons){split(q,splt,/@/);if(match(splt[1],src[i])){fmtstr=sprintf("%010d %s",cons[q],splt[2]);nastyhack[fmtstr]=fmtstr;}}r=asort(nastyhack);zerocount=match(nastyhack[r],/[^0]/);for (m=1;m<=r;m++){nastyhack[m]=substr(nastyhack[m],zerocount);split(nastyhack[m],brg,/ /);printf CL_YLW brg[1] CL_NML " ";port=meh[2];if(!(port in LIMITS)) port="def";if (brg[1]>LIMITS[port]) printf CL_RED;print brg[2] CL_NML;}}}'



Blocking IPs (DDoS)

 ~~~~~~~~~~~~

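#!/usr/bin/env bash
# Block, via csf, every source address that lfd logged as a "Port Flood" more
# than THRESHOLD times on DAY.
#
# Usage:   block_port_flood.sh [DAY] [THRESHOLD]
#   DAY        date text as it appears in /var/log/messages, e.g. "Jul 17"
#              (default: today in syslog form, "%b %e" -- single-digit days are
#              space-padded, "Jul  7", which is what syslog writes)
#   THRESHOLD  flood entries an address must exceed to be blocked (default 500)
# Reads:   /var/log/messages
# Writes:  /root/testflood ("<count> <ip>" per address, ascending) and echoes it
# Requires: csf in PATH; root (log file, report path and csf itself)
#
# Fixes over the original one-liner: the date and threshold were hard-coded,
# the loop used read without -r and unquoted expansions, and the address parsed
# out of the log was handed to csf without any validation.

readonly LOG=/var/log/messages
readonly REPORT=/root/testflood

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Count "Port Flood" log entries per source address for one day.
# The address is taken from the "...=<ip>" token in the 12th whitespace field,
# exactly as the original did -- confirm this against the local lfd log format.
# Arguments: $1 - day text to match, e.g. "Jul 17"
# Outputs:   "<count> <ip>" per address on stdout, ascending by count;
#            empty when nothing matched (grep's status 1 is not an error here,
#            which is why this script deliberately does not set pipefail)
#######################################
flood_counts() {
  local day=$1
  grep -F -- "Port Flood" "$LOG" | grep -F -- "$day" \
    | awk '{ print $12 }' | cut -d = -f2 | sort | uniq -c | sort -n
}

#######################################
# Block every address on stdin whose count exceeds the threshold.
# Arguments: $1 - threshold (non-negative integer)
# Inputs:    "<count> <ip>" lines on stdin
# Outputs:   csf's own output; skipped lines are reported on stderr
#######################################
block_offenders() {
  local threshold=$1
  local count ip
  while read -r count ip _; do
    [[ "$count" =~ ^[0-9]+$ ]] || continue
    (( count > threshold )) || continue
    # The address was parsed out of a log line, i.e. out of data an attacker
    # influences. Pass csf only something shaped like an IPv4/IPv6 literal so
    # a crafted entry cannot turn into a csf option or an arbitrary rule.
    if [[ "$ip" =~ ^[0-9A-Fa-f.:]+$ ]]; then
      csf -d "$ip" "Wp attack"
    else
      printf 'skipping malformed address: %q\n' "$ip" >&2
    fi
  done
}

main() {
  local day=${1:-$(date '+%b %e')}
  local threshold=${2:-500}
  [[ "$threshold" =~ ^[0-9]+$ ]] || die "threshold must be a non-negative integer, got: $threshold"
  [[ -r "$LOG" ]] || die "cannot read $LOG"
  command -v csf >/dev/null || die "csf not found in PATH"
  flood_counts "$day" > "$REPORT" || die "failed to write $REPORT"
  cat -- "$REPORT"
  block_offenders "$threshold" < "$REPORT"
}

main "$@"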

~~~~~~~~~~~~

