centos firewall-cmd block the awk ips using a script - awk

There are many awk attacks on my server. I have tried to block them, but there are too many of them.
Is there a way to block them all at once?
I use this command:
netstat -an|awk -F: '{print $2}'|sort|uniq -c|sort -nr|head
It shows this result:
[root#local ~]# netstat -an|awk -F: '{print $2}'|sort|uniq -c|sort -nr|head
1080 80 107.189.8.33
864 80 185.129.61.5
485 80 23.154.177.11
386 80 183.245.24.27
318 80 185.243.218.32
309 80 185.220.101.2
276 80 61.153.251.150
259 80 59.148.106.164
235 80 185.175.119.113
After listing the IPs, I find the ones with more than 100 connections to port 80 and block them:
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="107.189.8.0/24" drop'
Is there any way to make a .sh file that finds the IPs with more than 200 connections and adds them to the firewall's drop list?
In this case, I need to exclude 127.0.0.1 and our own IPs.
I hope someone can help. Thanks.
I have tried to output the problem IPs using this code:
netstat -an|awk -F: '{print $2}'|sort|uniq -c|sort -nr|head > ccips.txt
After this, I use:
awk '{sub("IP:", "", $3); print $3}' /root/ccips.txt | xargs -n1 -I{} firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address={} drop'
This can block all the attacking IPs.
I just don't know how to put this into a .sh file so it can all be done in one command.

I THINK what you're trying to do is create a file like this of IPs you don't want to block:
$ cat allowedIPs
127.0.0.1
whatever...
and then have a script like this to block all IPs not in that file that connect to port 80 (untested, and guessing at what the netstat -an output looks like from reading your code):
$ cat blockIPs
#!/usr/bin/env bash
netstat -an |
awk -F: '
    NR == FNR {
        allowedIPs[$1]
        next
    }
    {
        split($2,portIP," ")
        port = portIP[1]
        ip = portIP[2]
    }
    (port == 80) && !(ip in allowedIPs) && !seen[ip]++ {
        print ip
    }
' allowedIPs - |
xargs -n1 -I{} firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address={} drop'
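The script the question asks for, written as an added example (not the poster's or the answerer's code): it counts established connections to local port 80 per remote address, skips an allow-list file (127.0.0.1 and your own IPs), and only emits addresses at or above a threshold (200 in the question). The netstat output below is a constructed sample; the allow-list path, the threshold argument and the DRY_RUN variable are this example's own conventions.

```bash
#!/usr/bin/env bash
# Added example: threshold-based blocking of remote IPs hammering port 80.
# Assumes the classic `netstat -an` layout from the question:
#   tcp  0  0 LOCAL:PORT  REMOTE:PORT  STATE

# Constructed sample of `netstat -an` output (used by the test; real use pipes netstat in).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51235        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51236        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40000      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:50000        ESTABLISHED
tcp        0      0 127.0.0.1:80            127.0.0.1:60000         ESTABLISHED
tcp        0      0 127.0.0.1:80            127.0.0.1:60001         ESTABLISHED'

# offenders THRESHOLD ALLOWLIST_FILE  < netstat output
# Prints one remote IPv4 address per line with >= THRESHOLD established
# connections to local port 80, excluding addresses listed in ALLOWLIST_FILE.
offenders() {
    local threshold="$1" allowlist="$2"
    awk -v thr="$threshold" -v allowlist="$allowlist" '
        BEGIN { while ((getline l < allowlist) > 0) allowed[l] }   # works for an empty file too
        $1 == "tcp" && $NF == "ESTABLISHED" {                     # IPv4 TCP, live connections only
            n = split($4, lp, ":"); lport = lp[n]                  # local  addr:port -> port
            split($5, rp, ":");     rip = rp[1]                    # remote addr:port -> addr
            if (lport == "80" && !(rip in allowed)) count[rip]++
        }
        END { for (ip in count) if (count[ip] >= thr) print ip }
    '
}

# block_offenders THRESHOLD ALLOWLIST_FILE  < netstat output
# Adds one permanent firewalld drop rule per offender, then reloads so the rules
# take effect (--permanent alone does not change the running firewall).
# DRY_RUN=1 prints the commands instead of running them.
block_offenders() {
    local threshold="$1" allowlist="$2"
    offenders "$threshold" "$allowlist" | while read -r ip; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=$ip drop'"
        else
            firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=$ip drop"
        fi
    done
    [ "${DRY_RUN:-0}" = 1 ] || firewall-cmd --reload
}

# Real use (as root):  netstat -an | block_offenders 200 /etc/allowed_ips
```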

Related

display only network interface and ip address using ifconfig and awk

I'm not interested in all the information of ifconfig output, I just want to know the network interface with its respective ip address.
I can get the network interface from ifconfig using the command:
ifconfig |grep " L" | awk '{ print $1}'
eth0
lo
tun0
and the ip address of each interface with the command
ifconfig |grep "inet:" | cut -d: -f2 | awk '{ print $1}'
192.168.0.10
127.0.0.1
10.5.0.13
How can I display both together, the network interface and its IP address, with just one command or script?
eth0 - 192.168.0.10
lo - 127.0.0.1
tun0 - 10.5.0.13
You can use ip route show instead to get the information you want. Filter with this command for example:
ip r show|grep " src "|cut -d " " -f 3,12
outputs something like:
eth0 192.168.1.114

Shell scripting to print out IP address, MAC Address, and default gateway

I'm trying to write a script that gathers network information with the awk command.
ifconfig enp0s3| grep "inet " | awk '{gsub("addr:","",$2); print $2 }'
This is the command that I ended up with to get my IP address, but I have not figured out how to write it in a script so that I get output like this:
IP Address : 10.0.2.15
I tried
echo" IP Address:"$ ifconfig enp0s3| grep "inet " | awk '{gsub("addr:","",$2); print $2 }'
but I keep getting errors.
You can use the following awk command to get the IP address and the MAC address in a single run. However, the default gateway isn't available via ifconfig:
ifconfig eth0 \
| awk -F'( *|:)' '{printf "IP Address: %s\nMAC Address: %s\n",$16,$7":"$8":"$9":"$10":"$11":"$12}' RS='\n\n'
Output:
IP Address: 10.0.2.15
MAC Address: 00:23:12:f2:56:6d
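Both of the ifconfig questions above (interface paired with its IP, and IP plus MAC in one pass) can be answered by one awk program that treats each interface block as a record. This is an added example, not code from either answer; it assumes the old net-tools ifconfig layout (inet addr:, HWaddr) shown on this page, and the ifconfig text below is a constructed sample.

```bash
#!/usr/bin/env bash
# Added example: one awk pass over `ifconfig` output printing "iface - ip - mac".

# Constructed sample of old-style `ifconfig` output (blank line between interfaces).
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:23:12:f2:56:6d
          inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.5.0.13  P-t-P:10.5.0.14  Mask:255.255.255.255'

# iface_table  < ifconfig output
# Prints one line per interface: NAME - IPV4 - MAC ("none" when a value is absent,
# e.g. lo has no hardware address and tun0 reports a dash-separated placeholder).
iface_table() {
    awk 'BEGIN { RS = "" }                          # paragraph mode: one record per interface
    {
        iface = $1; ip = "none"; mac = "none"       # $1 is the name at the start of the block
        for (i = 2; i < NF; i++) {
            if ($i == "inet"   && $(i+1) ~ /^addr:/)  ip  = substr($(i+1), 6)   # strip "addr:"
            if ($i == "HWaddr" && index($(i+1), ":")) mac = $(i+1)              # colon form only
        }
        print iface " - " ip " - " mac
    }'
}

# Real use:  ifconfig | iface_table
```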

Nmap output format ip:port

I need to load an IP list from a file, scan it, and create output in the format ip:port. I tried this:
nmap -iL mylistwithip.txt -p 80,21 -oG -PS 80,21 | awk '/open/{print $2}' > output.txt
but it gives me only "open" and that's all.
I need only the open ports from a list of IP addresses, for example:
192.168.2.1
192.168.2.2
192.168.2.3
After scanning the ports, a sample output.txt:
192.168.2.1:80
192.168.2.1:21
192.168.2.3:80
(only scanned ip addresses with opened ports)
Try this awk one-liner (in greppable output every port is a field like 22/open/tcp//ssh///, so loop over the fields and keep the open ones):
nmap -Pn -oG - 192.168.1.1 | awk '/open/{ for (i = 5; i <= NF; i++) if ($i ~ /\/open\//) { split($i, a, "/"); print $2 ":" a[1] } }'
Try one more solution with a single awk only.
nmap -vv -iL file | awk -F'[ /]' '/Discovered open port/{print $NF":"$4}'
Quick and ugly hack to achieve that:
nmap -vv -iL mylistwithip.txt | grep "Discovered open port" | awk '{print $6":"$4}' | awk -F/ '{print $1}' > output.txt
With -vv output includes lines like
Discovered open port 22/tcp on 192.168.2.1
Discovered open port 80/tcp on 192.168.2.1
Discovered open port 22/tcp on 192.168.2.107
Discovered open port 80/tcp on 192.168.2.107
The first awk selects the "ip address" and "port number/protocol" fields, and the second cuts off "/protocol".
This will probably break in some future update of nmap. Using -sG (greppable output) would be a better idea.
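A parser for the greppable (-oG) format, as an added example that is not part of any answer above: it splits the Ports: field on tabs and commas and keeps only ports whose state is exactly "open", so states such as "open|filtered" (common in UDP scans) and "filtered" are not reported. The scan output below is a constructed sample that reproduces the question's example.

```bash
#!/usr/bin/env bash
# Added example: nmap greppable output -> ip:port lines for open ports only.

# Constructed sample of `nmap -oG -` output (fields are tab-separated, ports comma-separated).
sample_grepable() {
    printf 'Host: 192.168.2.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.2.1 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.2.2 ()\tPorts: 21/closed/tcp//ftp///, 80/filtered/tcp//http///\n'
    printf 'Host: 192.168.2.3 ()\tPorts: 80/open/tcp//http///, 53/open|filtered/udp//domain///\n'
}

# open_ports  < greppable output
# Prints IP:PORT for every port whose state is exactly "open".
open_ports() {
    awk -F'\t' '/^Host:/ {
        split($1, h, " "); ip = h[2]                 # "Host: 192.168.2.1 ()" -> address
        for (f = 2; f <= NF; f++) {
            if (substr($f, 1, 7) != "Ports: ") continue
            n = split(substr($f, 8), ports, /, */)   # "21/open/tcp//ftp///, 80/..." -> entries
            for (i = 1; i <= n; i++) {
                split(ports[i], p, "/")              # port/state/protocol/owner/service/...
                if (p[2] == "open") print ip ":" p[1]
            }
        }
    }'
}

# Real use:  nmap -iL mylistwithip.txt -p 80,21 -oG - | open_ports > output.txt
```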

Apache server log highest traffic using bash

I have an Apache server log and am trying to determine which IP address has generated the most traffic. I've already managed to get it formatted so it's just the IPs and their traffic in bytes:
xxx.xxx.xxx.xxx 915925
yyy.yyy.yyy.yyy 1193
zzz.zzz.zzz.zzz 2356
So now I'm looking for a method to combine and add the bytes of identical IPs and then just find the top value.
Any ideas?
If you have the IP and traffic bytes in a file, use the following to get the work done.
cat file | perl -ane '$h{ $F[0] } += $F[1]; END { for ( sort keys %h ) { printf qq[%s %d\n], $_, $h{ $_ } } }' | sort -k2 -n -r
awk '{A[$1]+=$2;next}END{for(i in A){print i,A[i]}}' file | sort -k2 -n -r

creating 2 variables from a multiple pattern grep

I am attempting to create a proof of concept bash script to scan the network using ngrep, find appropriate cookies and then place them into a variable.
cook=`ngrep -s 1000 -l -q -d eth1 "Cookie:" tcp and port 80 |
grep -m 1 -Po '(?<=user=)[^;]+'`
cook2=`ngrep -s 1000 -l -q -d eth1 "Cookie:" tcp and port 80 |
grep -m 1 -Po '(?<=ab=)[^;]+'`
How can I store cookie & cookie2 from the ONE packet instead of having to ngrep twice?
Assuming the string is in this form:
Cookie: foo=111; bar=222; baz=333
you can source the string, as it is valid Bash code. Example:
ngrep -s 1000 -l -q -d eth1 'Cookie:' tcp and port 80 | cut -d: -f2- > v.sh
. v.sh
rm v.sh
cook="$user"
cook2="$ab"
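Sourcing a captured header executes whatever the sender put in it as shell code, so the same single-capture goal can be met by parsing the line instead. This added example (not the answerer's code) reads one Cookie: line once and extracts several named values with awk; the header line below is a constructed sample that also carries an injected shell snippet to show it is treated as plain text.

```bash
#!/usr/bin/env bash
# Added example: extract cookie values from ONE captured "Cookie:" line without
# sourcing it. Constructed sample line standing in for the ngrep output in the
# question; the last cookie is shell syntax that `. v.sh` would have executed.
SAMPLE_COOKIE_LINE='Cookie: user=alice; ab=42; session=abc123; x=$(echo injected)'

# cookie_value NAME LINE
# Prints the value of cookie NAME from LINE (empty if absent). Only string
# operations touch the data, so its content is never interpreted by the shell.
cookie_value() {
    printf '%s\n' "$2" | awk -v name="$1" '
        {
            sub(/^.*Cookie: */, "")                  # drop everything up to the header name
            n = split($0, kv, /; */)                 # "k=v; k=v" -> entries
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq && substr(kv[i], 1, eq - 1) == name) { print substr(kv[i], eq + 1); exit }
            }
        }'
}

# Capture once, parse twice.  Real use replaces the sample with:
#   line=$(ngrep -s 1000 -l -q -d eth1 "Cookie:" tcp and port 80 | grep -m 1 "Cookie:")
line="$SAMPLE_COOKIE_LINE"
cook=$(cookie_value user "$line")
cook2=$(cookie_value ab "$line")
```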