1、編寫腳本 selinux.sh,實現開啟或禁用 SELinux 功能
-------------------------------------------------------------------------------
[root@localhost data]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
#思路:禁用 SELinux 只需修改配置文件,將其改為 SELINUX=disabled,重啟後生效。注意兩點:上面的 sed 模式只匹配 SELINUX=enforcing,若當前是 permissive 則不會改動,更穩妥的寫法是 s/^SELINUX=.*/SELINUX=disabled/;另外 disabled 會完全卸載 SELinux 策略,屬於安全性降級,若只是排障建議改為 permissive(enforcing 與 permissive 之間可用 setenforce 即時切換,無需重啟),問題解決後再恢復 enforcing。
------------------------------------------------------------------------------
#首先創建遠程主機列表(每行一個 IP,末尾不要留空行,否則會出現下面測試中 ssh root@ 後面沒有主機名的報錯)
vim hostlist.txt
192.168.44.10
192.168.44.129
#編寫腳本:用 expect 登錄各主機,修改配置文件後退出
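#!/bin/bash
# selinux.sh — set the SELinux mode in /etc/selinux/config on every host listed
# in a host file (one IP per line), over an interactive ssh session driven by
# expect.
#
# Usage:    SSH_PASSWORD=... ./selinux.sh [enforcing|permissive|disabled] [hostfile]
#           mode defaults to "disabled" (the original behaviour), hostfile to
#           ./hostlist.txt. Without SSH_PASSWORD the password is prompted for.
# Requires: expect on this host; the same root password on every target (the
#           original assumption); a root prompt ending in "]#" on the targets.
#
# Security notes:
#  - The password comes from the environment or a silent prompt and is handed
#    to expect on stdin, so it is neither hard-coded in the script nor visible
#    in `ps`. Characters special to Tcl inside double quotes ($ [ \ ") are not
#    escaped here — a password containing them would need quoting.
#  - The expect dialogue answers "yes" to the unknown-host-key prompt, so the
#    first contact is trust-on-first-use: whoever answers first on the network
#    receives the root password. Pre-seed ~/.ssh/known_hosts over a trusted
#    path (or switch to key-based ssh) before using this outside a lab.
#  - Switching to or from "disabled" only takes effect after a reboot;
#    enforcing<->permissive can be applied live with setenforce. "disabled"
#    removes mandatory access control entirely; prefer "permissive" when
#    troubleshooting.

set -u

# valid_mode MODE — true when MODE is one of the three values /etc/selinux/config accepts.
valid_mode() {
  case "$1" in
    enforcing|permissive|disabled) return 0 ;;
    *) return 1 ;;
  esac
}

# set_mode_on_host IP USER PASSWORD MODE — log in with expect, rewrite the
# SELINUX= line (whatever its current value), show it, and log out.
# Returns expect's exit status (1 when no password prompt arrives in time).
set_mode_on_host() {
  local ip=$1 user=$2 password=$3 mode=$4
  # The here-doc is deliberately unquoted: $ip/$user/$password/$mode are
  # expanded by this shell before expect ever parses the script.
  expect <<EOF
set timeout 20
spawn ssh $user@$ip
expect {
    timeout    { puts stderr "no password prompt from $ip"; exit 1 }
    "yes/no"   { send "yes\n"; exp_continue }
    "password" { send "$password\n" }
}
expect "]#" { send "sed -i 's/^SELINUX=.*/SELINUX=$mode/' /etc/selinux/config\n" }
expect "]#" { send "grep '^SELINUX=' /etc/selinux/config\n" }
expect "]#" { send "exit\n" }
expect eof
EOF
}

main() {
  local mode=${1:-disabled}
  local hostfile=${2:-hostlist.txt}
  local user=root
  local password ip

  if ! valid_mode "$mode"; then
    printf 'usage: %s [enforcing|permissive|disabled] [hostfile]\n' "${0##*/}" >&2
    return 2
  fi
  if [[ ! -r "$hostfile" ]]; then
    printf '%s: cannot read host list %s\n' "${0##*/}" "$hostfile" >&2
    return 1
  fi

  password=${SSH_PASSWORD:-}
  if [[ -z "$password" ]]; then
    read -rs -p "root password for the target hosts: " password
    printf '\n' >&2
  fi

  # -r keeps backslashes literal; the `|| [[ -n ]]` keeps a last line that
  # lacks a trailing newline. Comments, whitespace and blank lines are
  # skipped — the original run ended with "spawn ssh root@" and an expect
  # error, which looks like a blank line in the host list.
  while IFS= read -r ip || [[ -n "$ip" ]]; do
    ip=${ip%%#*}
    ip=${ip//[[:space:]]/}
    [[ -z "$ip" ]] && continue
    if ! set_mode_on_host "$ip" "$user" "$password" "$mode"; then
      printf '%s: expect session with %s failed\n' "${0##*/}" "$ip" >&2
    fi
  done < "$hostfile"
}

main "$@"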
#執(zhí)行腳本測試
[root@localhost scripts]# bash selinux.sh
spawn ssh root@192.168.44.129
root@192.168.44.129's password:
Last login: Mon Mar 30 02:03:19 2020 from 192.168.44.10
[root@centos6 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@centos6 ~]# spawn ssh root@192.168.44.10
The authenticity of host '192.168.44.10 (192.168.44.10)' can't be established.
ECDSA key fingerprint is SHA256:09hv5Rkix/WMuMfJA17altW1BT11IvVcKFiAifZGUFM.
ECDSA key fingerprint is MD5:c9:d4:55:65:5a:f0:49:53:4c:0f:a0:5d:3e:2c:32:d7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.44.10' (ECDSA) to the list of known hosts.
root@192.168.44.10's password:
Last login: Wed Apr 22 08:37:14 2020 from 192.168.44.1
[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@localhost ~]# spawn ssh root@
ssh: Could not resolve hostname : Name or service not known
expect: spawn id exp6 not open
while executing
"expect "]#" { send "sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config\n" }"
#查看另一主機配置文件是否修改
[root@centos6 ~]# cat /etc/selinux/config
#成功修改,即已實現
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
2、統計 /etc/fstab 文件中每個文件系統類型出現的次數
[root@localhost scripts]# cat /etc/fstab -n
1
2 #
3 # /etc/fstab
4 # Created by anaconda on Tue Mar 3 08:08:26 2020
5 #
6 # Accessible filesystems, by reference, are maintained under '/dev/disk'
7 # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
8 #
9 /dev/mapper/centos-root / xfs defaults 0 0
10 UUID=ca08ca12-f105-4b64-903c-8635d7700c83 /boot xfs defaults 0 0
11 /dev/mapper/centos-data /data xfs defaults 0 0
12 /dev/mapper/centos-swap swap swap defaults 0 0
#方法1 取出第 8 行以後的行,取第三個域,並統計。注意:uniq -c 只合併相鄰的重複行,這裡結果正確只是因為 fstab 中同類型的條目恰好相鄰,一般應先 sort 再 uniq -c;另外 NR>8 依賴註釋行的數量,換一台機器就可能不對,方法 3、4 更穩妥。
[root@localhost scripts]# awk 'NR>8{print $3}' /etc/fstab |uniq -c
3 xfs
1 swap
#方法2 匹配以 /dev/ 或 UUID 開頭的行,取第 3 列(同樣依賴 uniq 前已排序;以 LABEL= 或 tmpfs 等開頭的條目會被漏掉)
[root@localhost scripts]# awk '/^\/dev|^UUID/{print $3}' /etc/fstab |uniq -c
3 xfs
1 swap
#方法3 匹配不以 # 開頭的行,取第 3 列(最通用,但仍應先 sort 再 uniq -c 才能保證計數正確)
[root@localhost ~]# cat /etc/fstab |awk '/^[^#]/{print $3}'|uniq -c
3 xfs
1 swap
#方法4 awk 關聯數組的用法(一次遍歷完成計數,不依賴排序,最可靠)
[root@localhost ~]# awk '/^[^#]/{count[$3]++}END{for (i in count) print count[i],i}' /etc/fstab
1 swap
3 xfs
3、提取出字符串 Yd$C@M05MB%9&Bdh7dq+YVixp3vpw 中的所有數字
#方法1
[root@localhost ~]# echo "Yd$C@M05MB%9&Bdh7dq+YVixp3vpw"|tr -dc [:digit:]
#刪除除數字以外的所有字符。注意兩個細節:字符類應加引號寫成 '[:digit:]',否則 shell 會先把 [:digit:] 當作通配符去匹配當前目錄下的文件名;另外雙引號內的 $C 會被 shell 當作變量展開(通常為空),這裡恰好不影響結果,但應像方法 2 那樣對輸入使用單引號。
05973
#方法2 awk gsub函數(shù)
[root@localhost ~]# echo 'Yd$C@M05MB%9&Bdh7dq+YVixp3vpw'|awk 'gsub(/[^0-9]/,"",$0)'
#全局替換非數字字符為空(輸入用單引號,$C 不會被 shell 展開)
05973
4、解決 DoS 攻擊生產案例:根據 web 日誌或網絡連接數,監控當某個 IP 的併發連接數或短時內 PV 達到 100 時,即調用防火牆命令封掉對應的 IP,監控頻率為每 5 分鐘。防火牆命令為:iptables -A INPUT -s IP -j REJECT
#1. 查看 web 日誌中的 IP,統計每個 IP 的訪問次數
[root@localhost scripts]# less access_log
172.18.118.91 - - [20/May/2018:08:09:59 +0800] "GET / HTTP/1.1" 200 912 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.91 - - [20/May/2018:08:09:59 +0800] "POST /webnoauth/model.cgi HTTP/1.1" 404 293 "http://172.18.0.1/webnoauth/model.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.91 - - [20/May/2018:08:09:59 +0800] "GET /router/get_rand_key.cgi HTTP/1.1" 404 297 "http://172.18.0.1/router/get_rand_key.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.91 - - [20/May/2018:08:09:59 +0800] "GET /router/get_rand_key.cgi HTTP/1.1" 404 297 "http://172.18.0.1/router/get_rand_key.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.91 - - [20/May/2018:08:09:59 +0800] "GET /router/get_rand_key.cgi HTTP/1.1" 404 297 "http://172.18.0.1/router/get_rand_key.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.91 - - [20/May/2018:08:09:59 +0800] "GET /router/get_rand_key.cgi HTTP/1.1" 404 297 "http://172.18.0.1/router/get_rand_key.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.110 - - [20/May/2018:08:15:46 +0800] "GET / HTTP/1.1" 200 912 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.110 - - [20/May/2018:08:15:46 +0800] "POST /webnoauth/model.cgi HTTP/1.1" 404 293 "http://172.18.0.1/webnoauth/model.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.110 - - [20/May/2018:08:15:46 +0800] "GET /router/get_rand_key.cgi HTTP/1.1" 404 297 "http://172.18.0.1/router/get_rand_key.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.110 - - [20/May/2018:08:15:46 +0800] "GET /router/get_rand_key.cgi HTTP/1.1" 404 297 "http://172.18.0.1/router/get_rand_key.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.110 - - [20/May/2018:08:15:46 +0800] "GET /router/get_rand_key.cgi HTTP/1.1" 404 297 "http://172.18.0.1/router/get_rand_key.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
#2. 使用 awk 進行統計並存入 iplist.txt 文本中。注意:這裡統計的 $1 是 TCP 對端地址,如果站點前面有代理或負載均衡,$1 將是代理的地址,封掉它會讓整站不可訪問,此時應改用 X-Forwarded-For 字段;另外這樣統計的是整個日誌的累計次數,而不是題目要求的「短時內」次數。
[root@localhost scripts]# awk '{ip[$1]++}END{for(i in ip){print i,ip[i]}}' access_log >iplist.txt
[root@localhost scripts]# awk '{ip[$1]++}END{for(i in ip){print i,ip[i]}}' access_log >iplist.txt
[root@localhost scripts]# less iplist.txt
172.20.0.200 1482
172.20.21.121 2
172.20.30.91 29
172.16.102.29 864
172.20.0.76 1565
172.20.9.9 15
172.20.1.125 463
172.20.61.11 2
172.20.73.73 198
172.20.107.222 3
172.20.0.222 2834
172.20.111.240 4
172.16.102.48 166
172.20.110.245 23
172.20.22.141 9
172.20.109.144 21
172.20.111.243 795
172.20.0.227 2267
172.20.99.66 30
172.20.116.174 641
172.20.109.148 25
172.20.111.248 23
172.18.118.91 92
172.20.116.176 3
172.20.100.201 45
172.16.101.150 90
172.16.101.138 10
172.20.116.178 3
172.20.116.191 800
172.16.101.139 48
172.20.116.179 2262
172.20.116.192 3
172.18.118.95 5
172.16.101.153 34
172.20.65.65 2259
172.18.118.96 66
172.20.116.194 468
172.20.101.140 14
172.20.19.88 30
#3. 判斷每個 IP 的次數是否大於 100 次,大於 100 次就設置拒絕
[root@localhost scripts]# vim iptest.sh
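#!/bin/bash
# iptest.sh — read "IP COUNT" pairs from iplist.txt (as written by the awk
# one-liner above) and reject traffic from every IP whose count exceeds
# THRESHOLD (default 100). Must run as root. Each newly blocked IP is echoed
# and appended to /tmp/reject.txt, as before.
#
# Changes from the first version:
#  - an IP that already has a REJECT rule in INPUT is skipped, so re-running
#    the script does not append a duplicate rule for it every time;
#  - the rule is inserted at the top of INPUT (-I) instead of appended (-A):
#    an appended rule sits behind any ACCEPT rule already in the chain and
#    may never be evaluated;
#  - the IP and the count are validated before they reach the iptables
#    command line, and every expansion is quoted.
#
# Limitation kept from the original: counts cover the whole log, not a time
# window, so a busy legitimate client is blocked as readily as an attacker.
# REJECT is what the task asks for; under a real flood DROP is cheaper since
# it sends no ICMP reply.

set -u

threshold=${THRESHOLD:-100}
list=${1:-iplist.txt}
reject_log=/tmp/reject.txt   # kept for compatibility; a fixed name under /tmp is not ideal for a root-written file

# is_ipv4 STR — true for a dotted quad whose four octets are each 0-255.
is_ipv4() {
  local octet
  [[ "$1" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces decimal so "010" is not read as octal and "08" is not an error
    (( 10#$octet <= 255 )) || return 1
  done
}

# over_threshold COUNT LIMIT — true when COUNT is a non-negative integer strictly greater than LIMIT.
over_threshold() {
  [[ "$1" =~ ^[0-9]+$ ]] && (( 10#$1 > 10#$2 ))
}

# already_blocked IP — true when INPUT already holds "REJECT ... IP" (column
# layout as shown by `iptables -nL` in the verification step). Parsing -nL
# rather than using `iptables -C` keeps this working on older iptables
# releases that lack -C.
already_blocked() {
  iptables -nL INPUT | awk -v ip="$1" '$1 == "REJECT" && $4 == ip { found = 1 } END { exit !found }'
}

# block_ip IP — insert a REJECT rule for IP unless one exists; report on success.
block_ip() {
  local ip=$1
  if already_blocked "$ip"; then
    return 0
  fi
  if iptables -I INPUT -s "$ip" -j REJECT; then
    printf 'from %s rejected\n' "$ip" | tee -a "$reject_log"
  else
    printf '%s: iptables failed for %s\n' "${0##*/}" "$ip" >&2
    return 1
  fi
}

main() {
  local ip number
  if [[ ! -r "$list" ]]; then
    printf '%s: cannot read %s\n' "${0##*/}" "$list" >&2
    return 1
  fi
  while read -r ip number _; do
    if ! is_ipv4 "$ip"; then
      printf '%s: skipping malformed entry %s\n' "${0##*/}" "$ip" >&2
      continue
    fi
    if over_threshold "$number" "$threshold"; then
      block_ip "$ip"
    fi
  done < "$list"
}

main "$@"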
[root@localhost scripts]# bash iptest.sh
from 172.20.0.200 rejected
from 172.16.102.29 rejected
……
[root@localhost scripts]# cat /tmp/reject.txt
from 172.20.0.200 rejected
from 172.16.102.29 rejected
……
[root@localhost scripts]# iptables -nL|grep 172
#驗證規則是否生效
REJECT all -- 172.20.118.110 0.0.0.0/0 reject-with icmp-port-unreachable
秋泄。。赴邻。印衔。啡捶。
#合并腳本
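#!/bin/bash
# iptest1.sh — cron version: count requests per client IP in the access log,
# then reject every IP above THRESHOLD (default 100). Intended for
#   */5 * * * * /data/scripts/iptest1.sh
# and must run as root.
#
# Fixes relative to the first version:
#  - no intermediate file: the original wrote a root-owned list to the
#    predictable path /tmp/iplist.txt every five minutes; the counts are now
#    piped straight into the loop (which also removes the "sleep 1s", since
#    the redirect finished before the next command started anyway);
#  - an IP that already has a REJECT rule is skipped, so the INPUT chain no
#    longer grows by one duplicate rule per offending IP per cron run;
#  - -I instead of -A, so the rule is evaluated before any existing ACCEPT;
#  - the IP and count are validated before reaching the iptables command
#    line, and PATH is set explicitly because cron's default PATH usually
#    lacks the sbin directories that hold iptables;
#  - each block is recorded in syslog via logger, so a silent cron job still
#    leaves an audit trail; set VERBOSE=1 to also print to stdout when testing.
#
# Known limitation: the whole log is re-counted each run, so "PV within a
# short window" is approximated by lifetime PV; rotate the log or restrict
# the awk to recent entries before relying on this in production. Behind a
# proxy or load balancer $1 is the proxy's address and blocking it takes the
# whole site down — use the X-Forwarded-For field in that case.

set -u
export PATH=/usr/sbin:/usr/bin:/sbin:/bin

access_log=${ACCESS_LOG:-/data/scripts/access_log}
threshold=${THRESHOLD:-100}

# count_requests LOGFILE — print "IP COUNT" for every distinct value of field 1.
count_requests() {
  awk '{ hits[$1]++ } END { for (ip in hits) print ip, hits[ip] }' "$1"
}

# is_ipv4 STR — true for a dotted quad whose four octets are each 0-255.
is_ipv4() {
  local octet
  [[ "$1" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    (( 10#$octet <= 255 )) || return 1   # 10# keeps "010"/"08" decimal
  done
}

# already_blocked IP — true when INPUT already holds "REJECT ... IP" (column
# layout as shown by `iptables -nL` in the verification step above). Parsing
# -nL instead of using `iptables -C` keeps this usable on older releases.
already_blocked() {
  iptables -nL INPUT | awk -v ip="$1" '$1 == "REJECT" && $4 == ip { found = 1 } END { exit !found }'
}

# block_ip IP HITS — insert a REJECT rule for IP unless one exists; log the action.
block_ip() {
  local ip=$1 hits=$2
  if already_blocked "$ip"; then
    return 0
  fi
  if iptables -I INPUT -s "$ip" -j REJECT; then
    logger -t iptest1 -- "REJECT rule added for $ip ($hits requests)"
    if [[ -n "${VERBOSE:-}" ]]; then
      printf 'from %s rejected\n' "$ip"
    fi
  else
    logger -t iptest1 -- "iptables failed for $ip"
    return 1
  fi
}

main() {
  local ip number
  if [[ ! -r "$access_log" ]]; then
    printf '%s: cannot read %s\n' "${0##*/}" "$access_log" >&2
    return 1
  fi
  # Process substitution keeps the loop in this shell and avoids a temp file.
  while read -r ip number _; do
    is_ipv4 "$ip" || continue
    [[ "$number" =~ ^[0-9]+$ ]] || continue
    if (( 10#$number > 10#$threshold )); then
      block_ip "$ip" "$number"
    fi
  done < <(count_requests "$access_log")
}

main "$@"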
#測試時將其注釋打開
[root@localhost scripts]# bash iptest1.sh
from 172.20.0.200 rejected
from 172.16.102.29 rejected
from 172.20.0.76 rejected
from 172.20.1.125 rejected
from 172.20.73.73 rejected
from 172.20.0.222 rejected
from 172.16.102.48 rejected
from 172.20.111.243 rejected
from 172.20.0.227 rejected
from 172.20.116.174 rejected
from 172.20.116.191 rejected
from 172.20.116.179 rejected
from 172.20.65.65 rejected
from 172.20.116.194 rejected
from 172.20.116.195 rejected
from 172.20.116.215 rejected
from 172.18.118.102 rejected
from 172.20.116.230 rejected
from 172.18.118.104 rejected
from 172.18.118.120 rejected
from 172.20.101.149 rejected
from 172.18.118.123 rejected
#編寫 crontab,每 5 分鐘執行此腳本。注意:腳本需有執行權限(chmod +x);cron 的默認 PATH 通常不含 /sbin 與 /usr/sbin,腳本裡應以絕對路徑調用 iptables 或自行設置 PATH;此外每次運行都會對同一批 IP 再次執行 iptables -A,規則會不斷重複累積,腳本應先檢查該 IP 是否已被封禁。
[root@localhost scripts]# crontab -l
*/5 * * * * /data/scripts/iptest1.sh