1、编写脚本selinux.sh,实现开启或禁用SELinux功能
-------------------------------------------------------------------------------
[root@localhost data]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
#思想:实现禁用selinux,只需要修改配置文件,SELINUX=disabled,重启即可。注意:上面的sed只匹配 SELINUX=enforcing,主机当前若是 permissive 则不会被修改,更稳妥的写法是 s/^SELINUX=.*/SELINUX=disabled/;该修改只影响开机后的模式,运行中的模式需用 setenforce 调整。另外,禁用 SELinux 会移除一层强制访问控制,排错时优先考虑改为 permissive 而不是 disabled。
------------------------------------------------------------------------------
#首先创建远程主机列表
vim hostlist.txt
192.168.44.10
192.168.44.129
#创建脚本,用expect登录各主机,修改配置文件后退出。注意:脚本中以明文保存root密码,并对未知主机密钥自动回答yes(跳过了主机身份确认),只适合实验环境;生产环境应改用SSH密钥认证,并预先分发known_hosts。
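#!/bin/bash
#
# selinux.sh - set the boot-time SELinux mode on every host listed in
# hostlist.txt (one IP or hostname per line) by rewriting /etc/selinux/config.
#
# Usage: selinux.sh [enforcing|permissive|disabled]    (default: disabled)
#
# Environment:
#   SSH_USER      login user (default: root)
#   SSH_PASSWORD  password that expect types at the prompt. It is read from
#                 the environment instead of being hard-coded in the script.
#                 All hosts must share it; key-based auth is preferable.
#
# The change takes effect at the next reboot only (use setenforce for the
# running mode). Disabling SELinux removes a mandatory access-control layer
# on every host in the list, so prefer "permissive" while troubleshooting.

mode=${1:-disabled}
case "$mode" in
  enforcing|permissive|disabled) ;;
  *) printf 'usage: %s [enforcing|permissive|disabled]\n' "${0##*/}" >&2; exit 2 ;;
esac

user=${SSH_USER:-root}
: "${SSH_PASSWORD:?set SSH_PASSWORD in the environment}"

# Match whatever the current value is (enforcing/permissive/disabled) so the
# edit is idempotent; the original pattern only rewrote "enforcing".
sed_expr="s/^SELINUX=.*/SELINUX=$mode/"

# "|| [[ -n "$ip" ]]" keeps a last line without a trailing newline.
while IFS= read -r ip || [[ -n "$ip" ]]; do
  # Skip blank and comment lines: an empty host turns into "ssh root@",
  # which fails and makes expect abort on a closed spawn id.
  [[ -z "$ip" || "$ip" == \#* ]] && continue
  # NOTE(review): answering "yes" blindly accepts an unknown host key
  # (no protection against a MITM on first contact). Pre-populate
  # known_hosts or use keys instead of a password where possible.
  # The password is interpolated into Tcl source: characters such as
  # " [ $ \ in it will break the expect script.
  expect <<EOF
set timeout 20
spawn ssh $user@$ip
expect {
  "yes/no" { send "yes\n"; exp_continue }
  "password" { send "$SSH_PASSWORD\n" }
}
expect "]#" { send "sed -i '$sed_expr' /etc/selinux/config\n" }
# Close the session explicitly; without this "expect eof" only returns after
# the 20 s timeout and the session is killed rather than ended.
expect "]#" { send "exit\n" }
expect eof
EOF
done < hostlist.txt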
#执行脚本测试
[root@localhost scripts]# bash selinux.sh
spawn ssh root@192.168.44.129
root@192.168.44.129's password:
Last login: Mon Mar 30 02:03:19 2020 from 192.168.44.10
[root@centos6 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@centos6 ~]# spawn ssh root@192.168.44.10
The authenticity of host '192.168.44.10 (192.168.44.10)' can't be established.
ECDSA key fingerprint is SHA256:09hv5Rkix/WMuMfJA17altW1BT11IvVcKFiAifZGUFM.
ECDSA key fingerprint is MD5:c9:d4:55:65:5a:f0:49:53:4c:0f:a0:5d:3e:2c:32:d7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.44.10' (ECDSA) to the list of known hosts.
root@192.168.44.10's password:
Last login: Wed Apr 22 08:37:14 2020 from 192.168.44.1
[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@localhost ~]# spawn ssh root@
ssh: Could not resolve hostname : Name or service not known
expect: spawn id exp6 not open
while executing
"expect "]#" { send "sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config\n" }"
#查看另一主机配置文件是否修改。上面第三次循环出现 "spawn ssh root@" 和 "spawn id exp6 not open",是因为读到了一个空的 ip(很可能是 hostlist.txt 末尾有空行),ssh 无法解析空主机名后 expect 在已关闭的会话上继续等待;脚本应跳过空行。这里两台目标主机已处理完,所以不影响结果。
[root@centos6 ~]# cat /etc/selinux/config
#成功修改,即已经实现
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
2、统计/etc/fstab文件中每个文件系统类型出现的次数
[root@localhost scripts]# cat /etc/fstab -n
1
2 #
3 # /etc/fstab
4 # Created by anaconda on Tue Mar 3 08:08:26 2020
5 #
6 # Accessible filesystems, by reference, are maintained under '/dev/disk'
7 # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
8 #
9 /dev/mapper/centos-root / xfs defaults 0 0
10 UUID=ca08ca12-f105-4b64-903c-8635d7700c83 /boot xfs defaults 0 0
11 /dev/mapper/centos-data /data xfs defaults 0 0
12 /dev/mapper/centos-swap swap swap defaults 0 0
#方法1 第8行以后取出来,取第三个域,并统计。注意:方法1~3 都直接用 uniq -c,而 uniq 只合并相邻的相同行,这里能得到正确结果是因为三行 xfs 恰好连续;通用写法应先 sort 再 uniq -c(方法4 用关联数组统计则没有这个问题)。另外 NR>8 依赖文件头注释恰好是8行,不如按内容匹配稳妥。
[root@localhost scripts]# awk 'NR>8{print $3}' /etc/fstab |uniq -c
3 xfs
1 swap
#方法2 匹配/dev/开头和UUID开头的行,取第3列
[root@localhost scripts]# awk '/^\/dev|^UUID/{print $3}' /etc/fstab |uniq -c
3 xfs
1 swap
#方法3 匹配不是以#开头的行,取第3列
[root@localhost ~]# cat /etc/fstab |awk '/^[^#]/{print $3}'|uniq -c
3 xfs
1 swap
#方法4 awk关联数组的用法
[root@localhost ~]# awk '/^[^#]/{count[$3]++}END{for (i in count) print count[i],i}' /etc/fstab
1 swap
3 xfs
3、提取出字符串Yd$C@M05MB%9&Bdh7dq+YVixp3vpw中的所有数字
#方法1
[root@localhost ~]# echo "Yd$C@M05MB%9&Bdh7dq+YVixp3vpw"|tr -dc [:digit:]
#除了数字其它字符删除(-d 删除,-c 取补集)。注意 [:digit:] 应加引号写成 '[:digit:]':未加引号时它是一个 shell 通配模式,若当前目录恰好有名为 d、i、g、t 或 : 的单字符文件会被展开成文件名而不是字符类;同时 tr -dc 也会删掉换行符,所以输出末尾没有换行。
05973
#方法2 awk gsub函数
[root@localhost ~]# echo 'Yd$C@M05MB%9&Bdh7dq+YVixp3vpw'|awk 'gsub(/[^0-9]/,"",$0)'
#全局替换非数字字符为空
05973
4、解决DOS攻击生产案例:根据web日志或者网络连接数,监控当某个IP 并发连接数或者短时内PV达到100,即调用防火墙命令封掉对应的IP,监控频率每隔5分钟。防火墙命令为:iptables -A INPUT -s IP -j REJECT
#1. 查看web日志有ip 统计ip和ip连接的次数
[root@localhost scripts]# less access_log
172.18.118.91 - - [20/May/2018:08:09:59 +0800] "GET / HTTP/1.1" 200 912 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.91 - - [20/May/2018:08:09:59 +0800] "POST /webnoauth/model.cgi HTTP/1.1" 404 293 "http://172.18.0.1/webnoauth/model.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.91 - - [20/May/2018:08:09:59 +0800] "GET /router/get_rand_key.cgi HTTP/1.1" 404 297 "http://172.18.0.1/router/get_rand_key.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.91 - - [20/May/2018:08:09:59 +0800] "GET /router/get_rand_key.cgi HTTP/1.1" 404 297 "http://172.18.0.1/router/get_rand_key.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.91 - - [20/May/2018:08:09:59 +0800] "GET /router/get_rand_key.cgi HTTP/1.1" 404 297 "http://172.18.0.1/router/get_rand_key.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.91 - - [20/May/2018:08:09:59 +0800] "GET /router/get_rand_key.cgi HTTP/1.1" 404 297 "http://172.18.0.1/router/get_rand_key.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.110 - - [20/May/2018:08:15:46 +0800] "GET / HTTP/1.1" 200 912 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.110 - - [20/May/2018:08:15:46 +0800] "POST /webnoauth/model.cgi HTTP/1.1" 404 293 "http://172.18.0.1/webnoauth/model.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.110 - - [20/May/2018:08:15:46 +0800] "GET /router/get_rand_key.cgi HTTP/1.1" 404 297 "http://172.18.0.1/router/get_rand_key.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.110 - - [20/May/2018:08:15:46 +0800] "GET /router/get_rand_key.cgi HTTP/1.1" 404 297 "http://172.18.0.1/router/get_rand_key.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
172.18.118.110 - - [20/May/2018:08:15:46 +0800] "GET /router/get_rand_key.cgi HTTP/1.1" 404 297 "http://172.18.0.1/router/get_rand_key.cgi" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
#2. 使用awk进行统计并存入iplist.txt文本中
[root@localhost scripts]# awk '{ip[$1]++}END{for(i in ip){print i,ip[i]}}' access_log >iplist.txt
[root@localhost scripts]# awk '{ip[$1]++}END{for(i in ip){print i,ip[i]}}' access_log >iplist.txt
[root@localhost scripts]# less iplist.txt
172.20.0.200 1482
172.20.21.121 2
172.20.30.91 29
172.16.102.29 864
172.20.0.76 1565
172.20.9.9 15
172.20.1.125 463
172.20.61.11 2
172.20.73.73 198
172.20.107.222 3
172.20.0.222 2834
172.20.111.240 4
172.16.102.48 166
172.20.110.245 23
172.20.22.141 9
172.20.109.144 21
172.20.111.243 795
172.20.0.227 2267
172.20.99.66 30
172.20.116.174 641
172.20.109.148 25
172.20.111.248 23
172.18.118.91 92
172.20.116.176 3
172.20.100.201 45
172.16.101.150 90
172.16.101.138 10
172.20.116.178 3
172.20.116.191 800
172.16.101.139 48
172.20.116.179 2262
172.20.116.192 3
172.18.118.95 5
172.16.101.153 34
172.20.65.65 2259
172.18.118.96 66
172.20.116.194 468
172.20.101.140 14
172.20.19.88 30
#3. ip次数判断是否大于100次,大于100次就设置拒绝。注意:这里的次数是整个 access_log 的累计值,不是题目要求的"短时内"的值,任何历史上累计超过100次的IP都会被封;按5分钟窗口统计需要先按日志时间戳只取最近5分钟的行,或配合日志轮转。
[root@localhost scripts]# vim iptest.sh
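#!/bin/bash
#
# iptest.sh - REJECT traffic from every source IP whose request count in
# iplist.txt ("IP COUNT" per line, as produced by the awk step) exceeds a
# threshold. Prints "from IP rejected" for each newly blocked address and
# appends the same line to /tmp/reject.txt.
#
# Usage: iptest.sh [threshold]     (default 100, as the exercise specifies)
#
# NOTE(review): the counts are cumulative over the whole log, not a 5-minute
# window, so any IP that ever crossed the threshold ends up blocked.

threshold=${1:-100}

while read -r ip number; do
  # Ignore blank or malformed lines instead of feeding them to test/iptables.
  [[ -n "$ip" && "$number" =~ ^[0-9]+$ ]] || continue
  (( number > threshold )) || continue
  # The script is meant to be re-run periodically; without this check every
  # run appends another identical REJECT rule. -C needs iptables >= 1.4.11.
  if ! iptables -C INPUT -s "$ip" -j REJECT 2>/dev/null; then
    # -A appends to the end of INPUT as the task requires; if an earlier rule
    # already ACCEPTs the traffic (e.g. a stateful ESTABLISHED rule) this
    # REJECT is never reached and -I would be needed instead.
    iptables -A INPUT -s "$ip" -j REJECT
    # /tmp/reject.txt is a fixed, predictable path written by root; a log
    # directory would be a safer home for it.
    echo "from $ip rejected" | tee -a /tmp/reject.txt
  fi
done < iplist.txt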
[root@localhost scripts]# bash iptest.sh
from 172.20.0.200 rejected
from 172.16.102.29 rejected
。。。。。
[root@localhost scripts]# cat /tmp/reject.txt
from 172.20.0.200 rejected
from 172.16.102.29 rejected
。。。。。
[root@localhost scripts]# iptables -nL|grep 172
#验证,规则是否生效。注意 -A 是追加到 INPUT 链末尾,如果链中前面已有放行该流量的规则(例如状态为 ESTABLISHED 的 ACCEPT 规则),后面的 REJECT 永远不会被匹配;可以用 iptables -nvL INPUT 看计数器是否增长,确实需要优先生效时应改用 -I 插到链首。
REJECT all -- 172.20.118.110 0.0.0.0/0 reject-with icmp-port-unreachable
。。。。。
#合并脚本
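#!/bin/bash
#
# iptest1.sh - cron-driven variant: count requests per client IP in the web
# log and REJECT every source above the threshold. Intended to run every
# five minutes.
#
# Usage: iptest1.sh [threshold]    (default 100)
#
# Use absolute paths throughout: cron runs with a minimal PATH and a
# different working directory than an interactive shell.
log=/data/scripts/access_log
threshold=${1:-100}

# Pipe awk's output straight into the loop instead of going through a fixed,
# predictable /tmp/iplist.txt plus a sleep: a name any local user can
# pre-create in /tmp, then read back by root and passed to iptables, is an
# unnecessary window for tampering. Field $1 is the client IP of a
# common/combined-format access log line.
while read -r ip number; do
  [[ -n "$ip" && "$number" =~ ^[0-9]+$ ]] || continue
  (( number > threshold )) || continue
  # Skip addresses already rejected; otherwise each cron run appends a
  # duplicate rule for every IP above the threshold (-C: iptables >= 1.4.11).
  iptables -C INPUT -s "$ip" -j REJECT 2>/dev/null && continue
  # -A appends to the end of INPUT; an earlier ACCEPT rule would shadow it.
  iptables -A INPUT -s "$ip" -j REJECT
  # Uncomment when testing by hand; cron runs should stay silent.
  #echo "from $ip rejected" | tee -a /tmp/reject.txt
done < <(awk '{ip[$1]++} END {for (i in ip) print i, ip[i]}' "$log")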
#测试时将其注释打开
[root@localhost scripts]# bash iptest1.sh
from 172.20.0.200 rejected
from 172.16.102.29 rejected
from 172.20.0.76 rejected
from 172.20.1.125 rejected
from 172.20.73.73 rejected
from 172.20.0.222 rejected
from 172.16.102.48 rejected
from 172.20.111.243 rejected
from 172.20.0.227 rejected
from 172.20.116.174 rejected
from 172.20.116.191 rejected
from 172.20.116.179 rejected
from 172.20.65.65 rejected
from 172.20.116.194 rejected
from 172.20.116.195 rejected
from 172.20.116.215 rejected
from 172.18.118.102 rejected
from 172.20.116.230 rejected
from 172.18.118.104 rejected
from 172.18.118.120 rejected
from 172.20.101.149 rejected
from 172.18.118.123 rejected
#编写crontab每5分钟执行此脚本。注意:cron 的 PATH 很短(通常只有 /usr/bin:/bin),iptables 位于 /sbin 或 /usr/sbin,脚本里最好写绝对路径或自行设置 PATH;脚本需有可执行权限;另外上面的脚本每次运行都会重新统计同一份日志并对超过阈值的 IP 再次执行 -A,若不先用 iptables -C 判断规则是否已存在,INPUT 链会每5分钟增加一批重复规则。
[root@localhost scripts]# crontab -l
*/5 * * * * /data/scripts/iptest1.sh