<SPAN width=90% style="color:#ffffff;" 
  onDblClick="doCheck('2632','div_2632');">
<a href="javascript:;" onClick="$('#div_2632').hide();">關閉</a>
&nbsp;&nbsp;&nbsp;&nbsp;
標題：ban china          
<BR>
內容：<BR>
<pre style='margin:0px;'>

列近期來訪 ip
awk -v d=&quot;$(date -d &#039;5 minutes ago&#039; &#039;+%d/%b/%Y:%H:%M&#039;)&quot; &#039;$4 &gt; &quot;[&quot;d {print $1}&#039; /var/log/apache2/access.log | sort | uniq -c | sort -nr | head -20

列近期來訪 ip + 國家
 root@3wa:~/bin# cat apache2_now_country.sh
#!/bin/bash
awk -v d=&quot;$(date -d &#039;5 minutes ago&#039; &#039;+%d/%b/%Y:%H:%M&#039;)&quot; &#039;$4 &gt; &quot;[&quot;d {print $1}&#039; /var/log/apache2/access.log \
| sort | uniq -c | sort -nr | head -20 \
| while read count ip; do
    c=$(whois &quot;$ip&quot; | awk &#039;/country:/ {print $2; exit}&#039;)
    printf &quot;%5s %-15s %s\n&quot; &quot;$count&quot; &quot;$ip&quot; &quot;$c&quot;
done

(base) root@3wa:~/bin# apache2_now_country.sh
 1707 211.20.175.247  TW
  222 216.73.216.173
  202 127.0.0.1
   91 203.69.234.175  TW
   65 203.69.191.151  TW
   42 59.126.75.42    TW
   28 111.246.117.37  TW
   22 27.240.120.45   TW
   15 66.249.71.33
    9 66.249.66.12
    8 1.165.86.200    TW
    7 66.249.66.161
    7 42.77.138.100   TW
    6 66.249.66.35
    6 66.249.66.204
    5 66.249.71.35
    4 66.249.71.34
    4 66.249.69.138
    4 66.249.66.75
    4 122.117.191.203 TW



 root@3wa:~/bin# cat apache2_now_country_v2.sh
#!/bin/bash

awk -v d=&quot;$(date -d &#039;5 minutes ago&#039; &#039;+%d/%b/%Y:%H:%M&#039;)&quot; &#039;$4 &gt; &quot;[&quot;d {print $1}&#039; /var/log/apache2/access.log \
| sort | uniq -c | sort -nr | head -20 \
| while read count ip; do
    whois &quot;$ip&quot; | awk -v c=&quot;$count&quot; -v ip=&quot;$ip&quot; &#039;
        BEGIN{country=&quot;&quot;; org=&quot;&quot;}

        /country:/ {country=$2}
        /Country:/ {country=$2}
        /OrgName:/ || /org-name:/ || /descr:/ || /Organization:/ {
            if (org==&quot;&quot;) org=$0
        }

        END{
            if (country==&quot;&quot;) {
                if (org ~ /Google/) country=&quot;US&quot;
                else if (org ~ /Amazon/) country=&quot;US&quot;
                else if (org ~ /Cloudflare/) country=&quot;US&quot;
                else if (org ~ /Microsoft/) country=&quot;US&quot;
                else if (org ~ /Alibaba/) country=&quot;CN&quot;
                else if (org ~ /Tencent/) country=&quot;CN&quot;
                else country=&quot;??&quot;
            }
            printf &quot;%5s %-15s %-3s %s\n&quot;, c, ip, country, org
        }
    &#039;
done


(base) root@3wa:~/bin# apache2_now_country_v2.sh
  182 216.73.216.173  US  Organization:   Amazon.com, Inc. (AMAZO-4)
  181 127.0.0.1       US  Organization:   Internet Assigned Numbers Authority (IANA)
  134 203.69.234.175  TW  descr:          Data Communication Business Group,
   35 111.243.76.122  TW  descr:          Data Communication Business Group,
   18 111.246.117.37  TW  descr:          Data Communication Business Group,
   12 66.249.71.33    US  Organization:   Google LLC (GOGL)
   12 59.126.75.42    TW  descr:          Data Communication Business Group,
   10 211.20.175.247  TW  descr:          Data Communication Business Group,
    7 66.249.71.173   US  Organization:   Google LLC (GOGL)
    7 40.77.178.50    US  Organization:   Microsoft Corporation (MSFT)
    6 66.249.66.204   US  Organization:   Google LLC (GOGL)
    6 66.249.66.12    US  Organization:   Google LLC (GOGL)
    6 114.119.158.74  SG  descr:          Huawei-Cloud-SG
    5 66.249.71.162   US  Organization:   Google LLC (GOGL)
    5 66.249.66.3     US  Organization:   Google LLC (GOGL)
    5 66.249.66.167   US  Organization:   Google LLC (GOGL)
    5 114.119.138.36  SG  descr:          Huawei-Cloud-SG
    4 66.249.71.35    US  Organization:   Google LLC (GOGL)
    4 66.249.66.161   US  Organization:   Google LLC (GOGL)
    3 66.249.71.7     US  Organization:   Google LLC (GOGL)



$banChina = [
      &#039;59.35.&#039;,
      &#039;59.39.&#039;,
      &#039;59.33.&#039;,
      &#039;59.32.&#039;,
      &#039;59.126&#039;,
      &#039;121.13.&#039;,
      &#039;121.12.&#039;,
      &#039;121.11.&#039;,
      &#039;121.10.&#039;,
      &#039;61.146.&#039;,   // 61.146.3.105 / 61.146.24.152
      &#039;61.145.&#039;,
      &#039;61.144.&#039;,
      &#039;61.143.&#039;,
      &#039;61.142.&#039;,
      &#039;61.141.&#039;,
      &#039;219.136.&#039;,
      &#039;219.135.&#039;,
      &#039;219.134.&#039;,
      &#039;219.133.&#039;,
      &#039;219.132.&#039;,
      &#039;219.131.&#039;,
      &#039;219.130.&#039;, 
      &#039;219.129.&#039;,
      &#039;219.128.&#039;,
      &#039;8.217.&#039;, // 香港           
      &#039;218.&#039;,
      &#039;74.7.&#039;,
      &#039;121.9.&#039;,
      &#039;121.11&#039;,
      &#039;14.&#039;,
      &#039;116.&#039;,   // 116.16.154.134 來源網段      
      &#039;59.34.&#039;,    // 59.34.190.88 / 59.34.159.210 / 59.34.158.159
      &#039;59.38.&#039;,
      &#039;58.63.&#039;,
      &#039;183.0.&#039;,    // 183.0.* 出現攻擊來源
      &#039;183.1.&#039;,    // 可視最近 log 補充
      &#039;119.&#039;,
      &#039;113.82.&#039;,
      &#039;113.100.&#039;,
      &#039;183.&#039;,
      &#039;113.&#039;,
      &#039;125.&#039;
    ];


fail2ban 也一起使用

# apt install fail2ban
# systemctl enable fail2ban
# systemctl start fail2ban

# vim /etc/fail2ban/filter.d/apache-abuse.conf
[Definition]

# 這裡抓所有 HTTP 請求行為，主要用來計數 flood / scan
# &lt;HOST&gt; 會被 fail2ban 替換成 IP
failregex = ^&lt;HOST&gt; .* &quot;(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE)&quot;

# 如果有想排除的 IP 或 pattern 可以寫在這
ignoreregex =

# vim /etc/fail2ban/jail.d/apache-abuse.conf
[apache-abuse]
enabled  = true
port     = http,https
filter   = apache-abuse
logpath  = /var/log/apache2/access.log
maxretry = 300
findtime = 60
bantime  = 3600
action   = iptables[name=apache-abuse, port=&quot;http,https&quot;, protocol=tcp]
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/16 211.20.175.0/24


# 載入設定
# fail2ban-client reload

# 查看狀況
# fail2ban-client status apache-abuse</pre></SPAN>        
<!--/DIV-->  
<BR>