1、编写脚本selinux.sh,实现开启或禁用SELinux功能
#*******************************************************************
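# selinux.sh - set the persistent SELinux mode in /etc/selinux/config.
# Prompts for yes/no: "yes" writes SELINUX=disabled, "no" writes
# SELINUX=enforcing. The config file is only read at boot, so getenforce
# keeps reporting the running mode until the machine is restarted.
#
# Operational caveat: with SELINUX=disabled, files created in the meantime
# carry no labels, so returning to enforcing needs a full filesystem relabel
# (e.g. `touch /.autorelabel` before the reboot). For troubleshooting,
# permissive mode (`setenforce 0`) keeps labels and still logs denials.
read -r -p "是否关闭selinux:yes or no:" useread
case "$useread" in
  yes)
    # Anchor on the start of the line so commented-out examples in the file
    # are left alone, and replace whatever mode is currently configured
    # (enforcing or permissive). "^SELINUX=" cannot match SELINUXTYPE=.
    sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config || exit 1
    echo "请重启设备方可生效"
    echo "现在的状态为:"
    # The original listing called "getenforc" here, which does not exist.
    getenforce
    echo "如果状态为enforcing,请重启以关闭selinux"
    ;;
  no)
    sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config || exit 1
    echo "现在的状态为:"
    getenforce
    echo "如果状态为disabled,请重启以启动selinux"
    ;;
  *)
    # Empty or unexpected input: change nothing.
    echo "请输入yes或no"
    ;;
esac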
2、统计/etc/fstab文件中每个文件系统类型出现的次数
[root@centos7 ~]#awk '/^UUID/||/^\/dev/{print $3}' /etc/fstab|sort |uniq -c
1 swap
3 xfs
3、提取出字符串Yd$C@M05MB%9&Bdh7dq+YVixp3vpw中的所有数字
[root@centos7 ~]#echo 'Yd$C@M05MB%9&Bdh7dq+YVixp3vpw'|awk 'gsub(/[^0-9]/,"",$0)'
05973
4、解决DOS攻击生产案例:根据web日志或者网络连接数,监控当某个IP并发连接数或者短时内PV达到100,即调用防火墙命令封掉对应的IP,监控频率每隔5分钟。防火墙命令为:iptables -A INPUT -s IP -j REJECT
[root@centos7 data]# systemctl status firewalld 查看防火墙状态
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead) 表示系统自带的防火墙关闭
Docs: man:firewalld(1)
[root@centos7 ~]# yum install iptables 下载iptables防火墙
Loaded plugins: fastestmirror, langpacks
Determining fastest mirrors
base | 3.6 kB 00:00:00
epel | 4.7 kB 00:00:00
(1/3): epel/7/x86_64/group_gz | 95 kB 00:00:00
(2/3): epel/7/x86_64/primary_db | 6.8 MB 00:00:06
(3/3): epel/7/x86_64/updateinfo | 1.0 MB 00:00:10
Package iptables-1.4.21-28.el7.x86_64 already installed and latest version
Nothing to do
[root@centos7 ~]# yum install iptables-services
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package iptables-services.x86_64 0:1.4.21-28.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===========================================================================================================================================
Package Arch Version Repository Size
===========================================================================================================================================
Installing:
iptables-services x86_64 1.4.21-28.el7 base 52 k
Transaction Summary
===========================================================================================================================================
Install 1 Package
Total download size: 52 k
Installed size: 26 k
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : iptables-services-1.4.21-28.el7.x86_64 1/1
Verifying : iptables-services-1.4.21-28.el7.x86_64 1/1
Installed:
iptables-services.x86_64 0:1.4.21-28.el7
Complete!
[root@centos7 ~]# systemctl status iptables 查看开启状态
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: inactive (dead) 表示关闭
[root@centos7 ~]# systemctl start iptables 开启防火墙
[root@centos7 ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
Active: active (exited) since Thu 2020-06-18 18:04:29 CST; 5s ago 表示已开启
Process: 17964 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 17964 (code=exited, status=0/SUCCESS)
Jun 18 18:04:29 centos7.6 systemd[1]: Starting IPv4 firewall with iptables...
Jun 18 18:04:29 centos7.6 iptables.init[17964]: iptables: Applying firewall rules: [ OK ]
Jun 18 18:04:29 centos7.6 systemd[1]: Started IPv4 firewall with iptables.
[root@centos7 ~]# iptables -L -n #目前防火墙规则为默认
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@erp2 ~]# ssh 172.16.100.43 先测下 测试ip为172.16.100.61
root@172.16.100.43's password: 可访问
[root@centos7 ~]# vim ipdos.sh #创建规则脚本
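#!/bin/bash
# ipdos.sh - reject client IPs that appear too often in the web access log.
# Intended to run from cron every 5 minutes.
#
# Review notes:
# - The count covers the whole access_log, not the last 5 minutes. On a log
#   that is not rotated, ordinary long-lived clients will eventually cross
#   the threshold; restrict the input to a recent time window before relying
#   on this in production (depends on the log's timestamp format).
# - Field 1 is assumed to be the client address. Behind a reverse proxy or
#   NAT it may be a shared address; keep an allowlist for proxies, monitoring
#   and admin hosts so the job cannot lock them out.
# - Rules added here never expire and are not saved across a service restart.

# Cron starts jobs in the user's home directory, so resolve the data files
# relative to this script instead of the current directory.
script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd) || exit 1
log_file="${script_dir}/access_log"
ip_list="${script_dir}/ip.txt"

# The original listing hard-codes 1000 while the exercise text asks for 100;
# the default keeps the listing's value and THRESHOLD overrides it.
threshold="${THRESHOLD:-1000}"
[[ "$threshold" =~ ^[0-9]+$ ]] || { printf 'THRESHOLD must be a number\n' >&2; exit 1; }

[[ -r "$log_file" ]] || { printf 'cannot read %s\n' "$log_file" >&2; exit 1; }

# Collect every address seen more than $threshold times. The list is
# overwritten on each run; appending (as the original did) re-processes old
# entries and stacks duplicate firewall rules every 5 minutes.
awk -v limit="$threshold" '
  { hits[$1]++ }
  END { for (addr in hits) if (hits[addr] > limit) print addr }
' "$log_file" > "$ip_list" || exit 1

# Only dotted-quad values reach iptables; anything else in field 1 of the log
# (hostnames, malformed lines) is skipped.
ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'

while IFS= read -r ip; do
  [[ "$ip" =~ $ipv4_re ]] || continue
  # -C tests whether the rule already exists, so reruns do not add duplicates.
  if ! iptables -C INPUT -s "$ip" -j REJECT 2>/dev/null; then
    # Insert at the top of the chain. With -A the rule lands after the
    # existing ACCEPT rules and the final catch-all REJECT of the stock
    # ruleset, where it is never evaluated (first match wins).
    iptables -I INPUT 1 -s "$ip" -j REJECT
  fi
  printf '%s\n' "$ip"
done < "$ip_list"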
[root@centos7 data]# chmod +x ipdos.sh 赋予执行权限
[root@centos7 data]# crontab -e 设置定时任务
*/5 * * * * /bin/bash /data/ipdos.sh
crontab: installing new crontab
[root@centos7 data]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
REJECT all -- 172.20.0.200 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 172.20.0.76 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 172.20.0.222 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 172.20.0.227 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 172.20.116.179 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 172.20.65.65 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 172.20.112.14 0.0.0.0/0 reject-with icmp-port-unreachable
[root@erp2 ~]# ssh 172.16.100.43 已无法访问
ssh: connect to host 172.16.100.43 port 22: Connection refused