Check for top IP addresses hitting website
Nagios check for too many requests from one IP address. This may give a false positive if users are behind a proxy server with one internet-facing IP address shared by many users. Note the excluded list of IP addresses; this should probably not be embedded in the code. v2 will sort this. Sometime….
#!/bin/bash
#Written A, 01/08/2014 onwards
#Check for excessive hits on website
#Usage: tophitsonwebsite <sitename>  ($1 is only used in the status message)
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
#SSHID is the -i key file to use for passwordless login
SSHID='/home/nagios/.ssh/nagios_dsa'
SERVER='app.company.int'
#SEGMENT is the log slice covering the last ten minutes
SEGMENT='/home/nagios/ssl-segment.log'
#This is for YOUR site IP addresses or other whitelisted addresses, pipe separated list
EXCLUDEIP='22.129.88.5|22.45.119.102'
#Exclude some addresses which correspond to whitelist site addresses.
#Lines from uniq -c look like "   1234 22.129.88.5", so the match is anchored to the
#whole address; an unanchored match would also drop e.g. 22.129.88.50.
IPADDRESS=$(ssh -q -i "${SSHID}" "${SERVER}" cat "${SEGMENT}" | cut -d ' ' -f 1 | sort | uniq -c | sort -n | egrep -v " (${EXCLUDEIP})$" | tail -1)
HITS=$(echo "${IPADDRESS}" | awk '{ print $1 }')
SOURCE=$(echo "${IPADDRESS}" | awk '{ print $2 }')
#Empty log segment (or ssh failure) must not break the numeric comparisons
HITS=${HITS:-0}
if [[ $HITS -ge 1800 ]]
then
  echo "Ip address ${SOURCE} has hit the webserver ${1} ${HITS} times during the last ten minutes, Is it a DOS attack? | HITS=${HITS};1200;1800"
  exit ${STATE_CRITICAL}
fi
if [[ $HITS -ge 1200 ]]
then
  echo "Ip address ${SOURCE} has hit the webserver ${1} ${HITS} times during the last ten minutes, Is it a DOS attack? | HITS=${HITS};1200;1800"
  exit ${STATE_WARNING}
fi
echo "Insufficient hits from a single IP to trigger alert. | HITS=${HITS};1200;1800"
exit ${STATE_OK}
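As an added example (not from the original page), the same check reimplemented in Python so the whitelist is matched as exact addresses or CIDR networks rather than an unanchored regex; the thresholds and message text follow the bash script, while the log lines, hit counts and the near-miss address 22.129.88.50 are constructed.

```python
import ipaddress
from collections import Counter

STATE_OK, STATE_WARNING, STATE_CRITICAL = 0, 1, 2
WARN, CRIT = 1200, 1800  # same thresholds as the bash check

# Whitelist from the page's EXCLUDEIP, held as /32 networks so matching is exact
EXCLUDE = [ipaddress.ip_network(n) for n in ("22.129.88.5/32", "22.45.119.102/32")]

def is_excluded(ip):
    """True if ip falls inside any whitelisted network (CIDR ranges work too)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXCLUDE)

def top_source(log_text):
    """Return (ip, hits) for the busiest non-whitelisted client, or (None, 0)."""
    counts = Counter()
    for line in log_text.splitlines():
        field = line.split(" ", 1)[0]        # first field of a combined-format line
        try:
            ipaddress.ip_address(field)      # skip blank, malformed or non-IP fields
        except ValueError:
            continue
        if not is_excluded(field):
            counts[field] += 1
    if not counts:
        return None, 0
    return counts.most_common(1)[0]

def check(log_text, site="site", warn=WARN, crit=CRIT):
    """Nagios-style result: (exit state, status line with perfdata)."""
    source, hits = top_source(log_text)
    perf = f"HITS={hits};{warn};{crit}"
    if hits >= warn:
        state = STATE_CRITICAL if hits >= crit else STATE_WARNING
        return state, (f"Ip address {source} has hit the webserver {site} {hits} times "
                       f"during the last ten minutes, Is it a DOS attack? | {perf}")
    return STATE_OK, f"Insufficient hits from a single IP to trigger alert. | {perf}"

# Constructed sample segment: the whitelisted host is busiest and must be ignored;
# 22.129.88.50 is NOT whitelisted and would be hidden by an unanchored egrep -v.
SAMPLE_LOG = "\n".join(
    ['22.129.88.5 - - [01/Aug/2014:10:00:00 +0000] "GET / HTTP/1.1" 200 512'] * 3000
    + ['22.129.88.50 - - [01/Aug/2014:10:00:01 +0000] "GET /login HTTP/1.1" 200 512'] * 1850
    + ['198.51.100.7 - - [01/Aug/2014:10:00:02 +0000] "GET /about HTTP/1.1" 200 512'] * 40
)

if __name__ == "__main__":
    state, message = check(SAMPLE_LOG, site="app.company.int")
    print(message)
    raise SystemExit(state)
```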
rb/tophitsonwebsite.txt · Last modified: by andrew