get last field using cut

# cut can only count fields from the left, so reverse the string, take the
# first dot-separated field, then reverse that field back. Prints: com
printf '%s\n' 'www.google.com' | rev | cut -d . -f 1 | rev

test exit output command shell script

basic test variables

&& AND Logical
|| OR Logical
$? exit status of the last command executed: 0 if it succeeded (true), greater than 0 otherwise
-eq equal
-ne not equal

test using logical operators && ||

# grep -q prints nothing and only sets the exit status; && runs on success,
# || runs on failure. Note that in "A && B || C" the C branch also runs when
# B itself fails, so this is shorthand, not a full if/else.
printf '%s\n' 'abc' | grep -q 'a' \
  && echo true \
  || echo false

test using test command

# Run grep first (it prints the matching line), then hand its exit status,
# held in $?, to the test command.
printf '%s\n' 'abc' | grep 'a'
test "$?" -eq 0 && echo true || echo false

test using if

# Same check written as an if statement: grep prints the matching line and
# its exit status in $? selects the branch.
printf '%s\n' 'abc' | grep 'a'
if [ "$?" -eq 0 ]
then
  echo true
else
  echo false
fi

analyze the apache log and block access to a URL after 3 hits in X minutes

block multiple URLs

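#!/bin/bash
# Analyzes the apache access log and blocks every client IP that requested a
# watched URL fragment 3 or more times within the current minute and the
# 2 minutes before it. Only packets containing the fragment are dropped, not
# all traffic from that IP.
#
# Caveats for whoever deploys this:
#   - The rules match cleartext payload on tcp/80 only. HTTPS requests are
#     encrypted on the wire, so -m string never matches them.
#   - -m string matches the fragment anywhere in a packet, not only in the
#     request line.
#   - Rules are appended with -A, so they sit after any earlier ACCEPT rule
#     in INPUT, and they never expire; plan a cleanup job.
#   - The first log field is taken as the client address. Behind a reverse
#     proxy or load balancer that is the proxy's address, and a rule for it
#     affects every client behind the proxy.
#   - The log search matches the fragment anywhere after the timestamp, so a
#     fragment that appears in the Referer or User-Agent field counts as a
#     hit as well.

# Use | to separate multiple strings to block. The value is used as an
# extended regex for the log search but as a literal string in the iptables
# rule, so keep the fragments free of regex metacharacters.
URL_STRING_TO_BLOCK="insertPartOfUrl1Here|insertPartOfUrl2Here"

# Build the alternation of log timestamps (date plus hour:minute) for the
# current minute and the 2 before it. All stamps derive from one clock
# reading, carry their own date so the window stays correct across midnight,
# and use LC_ALL=C because the log writes English month abbreviations.
now=$( date '+%s' )
RANGE_TIME=""
for i in {0..2}; do
  stamp=$( LC_ALL=C date -d "@$(( now - i * 60 ))" '+%d/%b/%Y:%H:%M:' )
  RANGE_TIME=${RANGE_TIME:+${RANGE_TIME}|}${stamp}
done

# log lines inside the time window that contain a watched fragment
IPs_LIST=$( grep -E "\[(${RANGE_TIME}).*(${URL_STRING_TO_BLOCK})" /var/log/httpd/access.log )

# group ips by number of hits
GROUP_BY_IPs=$( printf '%s\n' "$IPs_LIST" | cut -d' ' -f1 | sort | uniq -c )

LOG_FILE="/var/log/$( basename -- "$0" ).log"

# split the configured fragments once, without word-splitting or globbing
IFS='|' read -r -a url_parts <<< "$URL_STRING_TO_BLOCK"

# Create an iptables rule for each ip with 3 or more hits that is outside the
# 192.168.0.x range (dots escaped so only that prefix is exempt).
while IFS= read -r ip; do
  [[ -n "$ip" ]] || continue

  # The address comes out of a log file: accept only a dotted-quad before it
  # is handed to iptables, and report anything else instead of acting on it.
  if ! [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
    printf 'skipping log field that is not an IPv4 address: %q\n' "$ip" >&2
    continue
  fi

  # Skip addresses that already appear as the source of an existing rule.
  # -F -x compares the whole field literally, so the dots are not wildcards.
  if /sbin/iptables -nvL | awk '{print $8}' | grep -Fxq -- "$ip"; then
    continue
  fi

  for j in "${url_parts[@]}"; do
    printf '%s blocking ip: %s than access part of URL: %s\n' \
      "$( date '+%d/%m/%Y %R' )" "$ip" "$j" | tee -a "$LOG_FILE"
    /sbin/iptables -A INPUT -s "$ip" -p tcp -m tcp --dport 80 -m string --string "$j" --algo bm --to 65535 -m comment --comment "block IP than access this URL many times" -j DROP
  done
done < <( printf '%s\n' "$GROUP_BY_IPs" | awk '$1 >= 3 && $2 !~ /^192\.168\.0\./ {print $2}' )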

one-liner to block access to a URL after 3 hits in 1 minute (blocks only 1 URL)

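# Blocks, for one URL fragment, every client IP with 3 or more hits in the
# current and previous minute. Timestamps are built from one clock reading
# with LC_ALL=C (the log uses English month names) and include the date, so
# the window stays correct across midnight. Only fields made of digits and
# dots reach iptables, and the 192.168.x.x exemption has its dots escaped.
# URL is a regex for grep but a literal for --string: avoid metacharacters.
# The rule matches cleartext on tcp/80 only and never expires.
URL='insertUrlHere'; NOW=$(date '+%s'); RANGE_TIME=$(LC_ALL=C date -d "@$NOW" '+%d/%b/%Y:%H:%M:'); for i in {1..1};do RANGE_TIME=${RANGE_TIME}\|$(LC_ALL=C date -d "@$(( NOW - i * 60 ))" '+%d/%b/%Y:%H:%M:'); done; grep -E "\[($RANGE_TIME).*$URL" /var/log/httpd/access.log | cut -d' ' -f1 | sort | uniq -c | awk '$1 >= 3 && $2 ~ /^[0-9.]+$/ && $2 !~ /^192\.168\./ {print $2}' | xargs -I% iptables -A INPUT -s % -p tcp -m tcp --dport 80 -m string --string "$URL" --algo bm --to 65535 -j DROP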

concatenate value to variable inside loop in shell script

Append/Add value to variable inside loop in shell script, make variable containing range numbers

# Start from "0" and append ",<n>" on every pass, printing the growing value.
RANGE_NUM=0
for i in {1..5}; do
  RANGE_NUM+=",$i"
  printf '%s\n' "$RANGE_NUM"
done
printf 'final value: %s\n' "$RANGE_NUM"

variable containing range with the last 10 minutes

# Start with the current HH:MM and append "|HH:MM" for each of the previous
# 10 minutes, printing the growing value; the result can be used as a regex
# alternation.
LAST10MIN=$(date '+%H:%M')
for i in {1..10}; do
  LAST10MIN="${LAST10MIN}|$(date -d "-${i} min" '+%H:%M')"
  printf '%s\n' "$LAST10MIN"
done
printf 'final value: %s\n' "$LAST10MIN"