rb:tophitsonwebsite [18/02/2020 10:37] (current)
andrew created
===== Check for top IP addresses hitting Expose =====

Nagios plugin run from the monitoring host. It pulls the current access-log segment from the web server over ssh (key-based login as the nagios user), counts requests per client IP, drops whitelisted addresses and alerts on the single busiest remaining source.

<code bash>
#!/bin/bash
#Written Andrew Stringer, 01/08/2014 onwards
#Check for excessive hits on Expose website
#Usage: tophitsonwebsite.sh [site-name]   (the site name only appears in the output text)

STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3

#Thresholds (hits from one IP per log segment), used for both the exit code and the perfdata
WARN=1200
CRIT=1800

#SSHID is the -i key file to use for passwordless login.
#Note: DSA keys are disabled by default in OpenSSH 7.0 and later; use an ed25519 or RSA key on current hosts.
SSHID='/home/nagios/.ssh/nagios_dsa'
SERVER='app.company.int'
SEGMENT='/home/nagios/ssl-segment.log'
SITE="${1:-$SERVER}"

#This is for YOUR site IP addresses or other whitelisted addresses, pipe separated list.
EXCLUDEIP='22.129.88.5|22.45.119.102'
#Escape the dots and anchor the pattern to the IP column, so that 22.45.119.102 does not also hide 122.45.119.102.
EXCLUDEPAT=" ($(echo "${EXCLUDEIP}" | sed 's/\./\\./g'))\$"

#Count hits per client IP (first field of the combined log format), drop whitelisted addresses,
#keep the busiest remaining one. If the site sits behind a reverse proxy the first field is the
#proxy address and the X-Forwarded-For field has to be counted instead.
IPADDRESS=$(ssh -q -i "${SSHID}" "${SERVER}" cat "${SEGMENT}" | cut -d ' ' -f 1 | sort | uniq -c | sort -n | grep -Ev "${EXCLUDEPAT}" | tail -1)

HITS=$(echo "${IPADDRESS}" | awk '{ print $1 }')
SOURCE=$(echo "${IPADDRESS}" | awk '{ print $2 }')

#No data (ssh failure, empty segment, every address whitelisted) is UNKNOWN, not OK
if [[ -z "${HITS}" ]]
then
echo "Could not read hits per IP from ${SERVER}:${SEGMENT}"
exit ${STATE_UNKNOWN}
fi
if [[ ${HITS} -ge ${CRIT} ]]
then
echo "Ip address ${SOURCE} has hit the webserver ${SITE} ${HITS} times during the last ten minutes, Is it a DOS attack? | HITS=${HITS};${WARN};${CRIT}"
exit ${STATE_CRITICAL}
fi
if [[ ${HITS} -ge ${WARN} ]]
then
echo "Ip address ${SOURCE} has hit the webserver ${SITE} ${HITS} times during the last ten minutes, Is it a DOS attack? | HITS=${HITS};${WARN};${CRIT}"
exit ${STATE_WARNING}
fi
echo "Insufficient hits from a single IP to trigger alert. | HITS=${HITS};${WARN};${CRIT}"
exit ${STATE_OK}
</code>

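As an added example (not the wiki's script and not code from the Expose deployment), the same check written in Python with the two corrections a practitioner would want from the shell version: the whitelist is matched by exact address or CIDR block rather than an unanchored regex, and a segment that yields no client addresses gives UNKNOWN instead of OK. The sample log lines, thresholds and whitelist addresses are constructed for the example; fetching the segment over ssh is left to the caller, who passes the local file path as the first argument.

```python
#!/usr/bin/env python3
"""Top-talker check over an access-log segment, Nagios style.

Added example, not the wiki page's own plugin: count requests per client IP
over one log segment, ignore whitelisted sources, alert on the busiest
remaining IP. Whitelisting is by address or CIDR membership, and an empty
result is reported as UNKNOWN.
"""
import ipaddress
import re
import sys

STATE_OK, STATE_WARNING, STATE_CRITICAL, STATE_UNKNOWN = 0, 1, 2, 3
WARN, CRIT = 1200, 1800  # same thresholds as the wiki script

# Constructed sample segment in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
22.129.88.5 - - [18/Feb/2020:10:30:01 +0000] "GET /status HTTP/1.1" 200 312 "-" "monitor/1.0"
198.51.100.7 - - [18/Feb/2020:10:30:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
122.45.119.102 - - [18/Feb/2020:10:30:02 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Feb/2020:10:30:03 +0000] "POST /login HTTP/1.1" 401 220 "-" "Mozilla/5.0"
22.129.88.5 - - [18/Feb/2020:10:30:04 +0000] "GET /status HTTP/1.1" 200 312 "-" "monitor/1.0"
203.0.113.9 - - [18/Feb/2020:10:30:05 +0000] "GET /img/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Feb/2020:10:30:05 +0000] "POST /login HTTP/1.1" 401 220 "-" "Mozilla/5.0"
this line is not a log record
"""

CLIENT_IP_RE = re.compile(r"^(\S+)\s")  # first field of the combined format


def count_hits(lines, exclude):
    """Return {ip: hits} for every client IP in `lines` not covered by `exclude`.

    `exclude` holds addresses or CIDR blocks ("22.129.88.5", "10.0.0.0/8").
    Matching is by address membership, so "22.45.119.102" does not also
    swallow "122.45.119.102" the way an unanchored grep -v would.
    Lines whose first field is not an IP address are skipped.
    """
    nets = [ipaddress.ip_network(x, strict=False) for x in exclude]
    counts = {}
    for line in lines:
        m = CLIENT_IP_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed line, or a proxy that did not log an address
        if any(ip in net for net in nets):
            continue
        counts[str(ip)] = counts.get(str(ip), 0) + 1
    return counts


def top_source(counts):
    """Busiest (ip, hits), ties broken by address for stable output; (None, 0) if empty."""
    if not counts:
        return None, 0
    ip = max(counts, key=lambda k: (counts[k], k))
    return ip, counts[ip]


def evaluate(hits, source, warn=WARN, crit=CRIT):
    """Map the busiest source to a Nagios (exit_code, output_line) pair with perfdata."""
    perf = f"| HITS={hits};{warn};{crit}"
    if source is None:
        return STATE_UNKNOWN, f"UNKNOWN - no client addresses found in log segment {perf}"
    if hits >= crit:
        return STATE_CRITICAL, f"CRITICAL - {source} made {hits} requests in this segment, possible DoS {perf}"
    if hits >= warn:
        return STATE_WARNING, f"WARNING - {source} made {hits} requests in this segment {perf}"
    return STATE_OK, f"OK - busiest source {source} made {hits} requests {perf}"


def main(argv):
    # Usage: tophits.py <log-segment> [whitelist-ip-or-cidr ...]
    # Without a segment path the constructed sample above is used.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    exclude = argv[2:] or ["22.129.88.5", "22.45.119.102"]
    source, hits = top_source(count_hits(lines, exclude))
    code, text = evaluate(hits, source)
    print(text)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 tophits.py /home/nagios/ssl-segment.log 22.129.88.5 22.45.119.102` after copying the segment across; the exit code is the Nagios state and the single output line carries the perfdata in the same `HITS=value;warn;crit` shape as the shell plugin.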
  
