阿里云负载均衡访问控制(黑名单)自动添加IP的方法(续)
https://www.willnet.net/index.php/archives/105/
上文使用了阿里云日志服务的告警,由于告警有一些局限,比如最长只能统计60分钟的日志,最短查询间隔5分钟等,现在使用阿里云日志服务的cli替代告警。
首先需要安装日志服务cli
pip install -U aliyun-log-cli
然后编写脚本
autoaddblacklist.sh
#! /bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
ALIYUN_LOG_CLI_ACCESSID=
ALIYUN_LOG_CLI_ACCESSKEY=
ALIYUN_LOG_CLI_ENDPOINT=cn-beijing.log.aliyuncs.com
export ALIYUN_LOG_CLI_ACCESSID ALIYUN_LOG_CLI_ACCESSKEY ALIYUN_LOG_CLI_ENDPOINT
function autoaddblacklist(){
nowtime=$(date "+%Y-%m-%d %H:%M:%S %Z")
last5minutestime=$(date -d '5 minutes ago' "+%Y-%m-%d %H:%M:%S %Z")
searchresult=$(aliyun log get_log_all --project="www" --logstore="www-nginx-access" --query="* | select remote_addr,count(*) as count group by remote_addr order by count desc limit 1" --from_time="$last5minutestime" --to_time="$nowtime" --jmes-filter="join('\n', map(&to_string(@), @))")
lastip=$(cat /root/aliyun/tmp/lastip.txt)
currentip=$(echo $searchresult | awk -F "[\"]" '{print $16}')
count=$(echo $searchresult | awk -F "[\"]" '{print $4}')
if [ "$count" -gt 1000 ] && [ "$currentip"x != "$lastip"x ] ;then
echo $currentip >/root/aliyun/tmp/lastip.txt
echo $currentip|xargs python /root/aliyun/scripts/addaclentry.py >> /var/log/aliyun-log-alarm/www/autoaddblacklist.log 2>&1
curl -H "Content-type: application/json" -X POST -d '{"text": "found ip:'"${currentip}"' request: '"${count}"' over 1000 in 5min,added to the www blacklist."}' https://example.com/incoming/xxxxx-xxxx-xxxx
else
date "+%Y-%m-%d %H:%M:%S" >> /var/log/aliyun-log-alarm/www/autoaddblacklist.log && echo "nothing to do" >> /var/log/aliyun-log-alarm/www/autoaddblacklist.log
fi
}
autoaddblacklist
按需求定时执行上面的脚本就行了