ソスソスソスOソスト趣ソスソスcソス[ソスソスソスソスソスソス(SWATCH)

ソスナ終ソスXソスVソスソスソスF 2019.09.24

ソスソスソスTソスv

ソスVソスXソスeソスソスソスフソスソスOソスtソス@ソスCソスソス(/var/log/messagesソスソスソスCソスモのソスソスOソスtソス@ソスCソスソス)ソスソスソスト趣ソスソスソスソスAソスソスソスソスフソスソスbソスZソス[ソスWソスソスソスソスソスmソスソスソストソスソスAソスソスソス^ソスCソスソスソスノ任ソスモのアソスNソスVソスソスソスソスソスソスソスソスソスsソスソスソス驍アソスニゑソスソスナゑソスソスソスSWATCHソス導難ソスソスソスソスト、ソスsソスソスソスAソスNソスZソスXソスソスソスソスソスソスフアソスNソスZソスXソス即ブソスソスソスbソスNソスソスソスソスB
ソスネゑソスソスAソスYソスソスIPソスAソスhソスソスソスXソスヘ難ソスソスIIPソスAソスhソスソスソスXソスフ場合ソスソスソスソスソスソスAソスYソスソスIPソスAソスhソスソスソスXソスソスソスソスソスソスソスネソスソス[ソスUソス[ソスノ奇ソスソスソスソストゑソス黷スソス鼾ソスノ撰ソスソスソスソスネソスソス[ソスUソス[ソスソスソスAソスNソスZソスXソスナゑソスソスネゑソスソスネゑソスソストゑソスソスワゑソスソスフで、24ソスソスソスヤ鯉ソスノアソスNソスZソスXソスソスソスソスソスソスソスソスソスソスソスIソスノ会ソスソスソスソスソスソスソス謔、ソスノゑソスソスソスB



ソスソスSWATCHソスCソスソスソスXソスgソス[ソスソス

EPELソスソスソス|ソスWソスgソスソスソスソスソスソス(EPEL)ソスソスソスQソスニゑソスソスソスEPELソスソスソス|ソスWソスgソスソスソス導難ソスソスソスソスソス

[root@centos ~]# yum -y install perl-File-Tailソス@ソスソスソス@SWATCHソスソスソスソスノ必ソスvソスソスPerlソスソスソスWソスソスソス[ソスソスソスCソスソスソスXソスgソス[ソスソス

[root@centos ~]# yum -y install swatchソス@ソスソスソス@SWATCHソスCソスソスソスXソスgソス[ソスソス

ソスソスSWATCHソスン抵ソス

ソスiソスPソスjSWATCHソスAソスNソスVソスソスソスソスソスXソスNソスソスソスvソスgソス成
SWATCHソスソスソスソスソスmソスソスソスソスIPソスAソスhソスソスソスXソスソスソスソスフ累積不ソスソスソスAソスNソスZソスXソスソスソスソス3ソスごとまゑソスソスヘ、ソスソスソスソスソスソスblockソスソスソスニ指ソス閧ウソス黷スソス鼾ソスAソスYソスソスIPソスAソスhソスソスソスXソスソスソスソスフアソスNソスZソスXソスソス24ソスソスソスヤ規ソスソスソスソスソスソスVソスFソスソスソスXソスNソスソスソスvソスgソスソスソス成ソスソスソスソス
ソスソスPing of DeathソスソスソスソスソスモのゑソスソスソスAソスNソスZソスXソス即規ソスソスソスソスソス驍スソス゚のオソスvソスVソスソスソスソス
[root@centos ~]# vi /usr/local/bin/swatch_action.shソス@ソスソスソス@SWATCHソスAソスNソスVソスソスソスソスソスXソスNソスソスソスvソスgソス成
#!/bin/bash

# SWATCH action script: invoked by a swatch "pipe" action with the matched
# log line on standard input.
#
# Argument 1: awk field separator used to split the log line
# Argument 2: number of the field that holds the source IP address
# Argument 3: "block" to block the address at once instead of on every third hit

# Restrict command lookup to the system directories; the script is started by
# the swatch daemon and should not inherit a caller's PATH.
PATH="/bin:/sbin:/usr/bin"

# Recipient of the "Blocked access" notifications. The main body only sends
# mail when this is non-empty, so an empty value disables the notification.
mail="root"

# ソスル擾ソスIソスソスソスソスソスソスソスヨ撰ソスソスソス`
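#######################################
# Abort handler: mail the log line that could not be processed to root,
# then exit with status 1.
# Globals:  LOG (read) - the log line being processed
# Outputs:  the report is piped to sendmail; when no MTA can be found it is
#           written to stderr instead of being lost
# Returns:  never; exits 1
#######################################
error_exit () {
    local mta
    mta=$(command -v sendmail)
    # The PATH set at the top of this script has no /usr/sbin, which is where
    # sendmail normally lives; fall back to that location explicitly.
    [ -n "$mta" ] || { [ -x /usr/sbin/sendmail ] && mta=/usr/sbin/sendmail; }
    {
        printf 'From: root@%s\n' "$(hostname -d)"
        printf 'Subject: %s aborted.\n' "$(basename -- "$0")"
        printf '\n'
        # '%s' so that a log line can never be interpreted as a format string
        printf '%s\n' "$LOG"
    } | if [ -n "$mta" ]; then "$mta" -t root; else cat >&2; fi
    exit 1
}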

# ソスソスソスOソスソスWソスソスソスソスソスヘゑソスソスソス謫セ
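#######################################
# Main body. Input: one matched log line on stdin; $1 = awk field separator,
# $2 = field number of the address, $3 = optional "block" (all three come
# from the swatch .conf). Everything taken from the log line is remote-
# influenced until the address has been reduced to a validated dotted quad.
#######################################

# Read the matched log line; -r keeps backslashes, IFS= keeps whitespace.
IFS= read -r LOG

# Extract the field that carries the address. $1 and $2 come from the
# .conf file, not from the log, so splicing them into the awk program is safe.
IPADDR=$(printf '%s\n' "$LOG" | awk -F "$1" "{print \$$2}")

# IPv6 loopback: nothing to do.
[ "$IPADDR" = "::1" ] && exit

# Reduce the field to a dotted quad. The field may begin with the address
# (e.g. "1.2.3.4#38019") or embed it after a non-digit (e.g. "unknown[1.2.3.4]").
if printf '%s\n' "$IPADDR" | grep -q '^[0-9]*\.'; then
    IPADDR=$(printf '%s\n' "$IPADDR" | sed -e 's/\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/p' -e d)
else
    IPADDR=$(printf '%s\n' "$IPADDR" | sed -e 's/.*[^0-9]\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/p' -e d)
fi

# Split into octets and require exactly four decimal numbers in 0..255.
# Anything else means the separator/field in the .conf does not match the
# line (or the line is not IPv4): report it to root rather than handing an
# unvalidated string to iptables, dig, whois and the at jobs below.
IFS=. read -r addr1 addr2 addr3 addr4 rest <<<"$IPADDR"
[ -z "$rest" ] || error_exit
for octet in "$addr1" "$addr2" "$addr3" "$addr4"; do
    case "$octet" in
        ''|*[!0-9]*) error_exit ;;
    esac
    [ "$octet" -le 255 ] || error_exit
done

# Loopback and RFC 1918 ranges are exempt from blocking.
if [ "$addr1" -eq 127 ]; then
    exit
elif [ "$addr1" -eq 10 ]; then
    exit
elif [ "$addr1" -eq 172 ] && [ "$addr2" -ge 16 ] && [ "$addr2" -le 31 ]; then
    exit
elif [ "$addr1" -eq 192 ] && [ "$addr2" -eq 168 ]; then
    exit
fi

# Reverse lookup, done once. The PTR name is chosen by whoever controls the
# remote address's reverse zone, so it is only ever used as quoted data.
HOST=$(dig -x "$IPADDR" 2>/dev/null | grep -A 1 "ANSWER SECTION:" | tail -n 1 | awk '{print $5}')
[ -n "$HOST" ] || HOST="unknown"

# Append the raw line to the per-address history; the line count is the
# cumulative offence count for this address.
logdir=/var/log/swatch
printf '%s\n' "$LOG" >> "$logdir/$IPADDR"
cnt=$(( $(wc -l < "$logdir/$IPADDR") ))

# Block on every third offence, or at once when the .conf passed "block".
if [ $(( cnt % 3 )) -eq 0 ] || { [ $# -eq 3 ] && [ "$3" = "block" ]; }; then
    # Drop all traffic from the address.
    iptables -I INPUT -s "$IPADDR" -j DROP
    # Keep the persistent deny list of https://centossrv.com/iptables.shtml in sync
    [ -f /root/deny_ip ] && printf '%s\n' "$IPADDR" >> /root/deny_ip

    # Schedule the automatic unblock 24 hours from now. The address is a
    # validated dotted quad, so embedding it in the job text is safe; the
    # dots are escaped in the sed patterns so they match only this address.
    # swatchatrm looks for the literal "iptables -D INPUT -s ADDR -j DROP".
    printf 'iptables -D INPUT -s %s -j DROP > /dev/null 2>&1\n' "$IPADDR" \
        | at now+24hour > /dev/null 2>&1
    ip_re=${IPADDR//./\\.}
    [ -f /root/deny_ip ] && \
        printf "sed -i '/^%s\$/d' /root/deny_ip > /dev/null 2>&1 ; sed -i '/ %s /d' /etc/sysconfig/iptables > /dev/null 2>&1\n" "$ip_re" "$ip_re" \
        | at now+24hour > /dev/null 2>&1

    # Notify the admin with the offence history and the whois record.
    if [ -n "$mail" ]; then
        {
            printf 'From: root@%s\n' "$(hostname -d)"
            printf 'Subject: Blocked access from %s(%s)\n' "$IPADDR" "$HOST"
            printf '\n'
            cat "$logdir/$IPADDR"
            printf '\n'
            whois "$IPADDR"
        } | sendmail -t "$mail"
    fi

    printf '%s %s(%s) %s Blocked!\n' "$(date)" "$IPADDR" "$HOST" "$cnt"
else
    printf '%s %s(%s) %s\n' "$(date)" "$IPADDR" "$HOST" "$cnt"
fi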

[root@centos ~]# chmod 700 /usr/local/bin/swatch_action.shソス@ソスソスソス@SWATCHソスAソスNソスVソスソスソスソスソスXソスNソスソスソスvソスgソスヨ趣ソスソスsソスソスソスソスソスtソスソス

ソスiソスQソスjSWATCHソスン抵ソス
[root@centos ~]# mkdir /etc/swatchソス@ソスソスソス@SWATCHソスン抵ソスtソス@ソスCソスソスソスiソス[ソスfソスBソスソスソスNソスgソスソスソス成

[root@centos ~]# vi /etc/logrotate.d/swatchソス@ソスソスソス@SWATCHソスソスソスOソスリ替ゑソスソスン抵ソスtソス@ソスCソスソスソス成
# Rotation of the swatch daemon log (the init script's start() appends to it).
# The daemons are restarted after rotation so they write to the new file.
/var/log/swatch/swatch.log {
    missingok
    notifempty
    sharedscripts
    postrotate
        /etc/rc.d/init.d/swatch restart > /dev/null || true
    endscript
}

ソスiソスRソスj/var/log/messagesソスト趣ソスソスン抵ソス
[root@centos ~]# vi /etc/swatch/messages.confソス@ソスソスソス@/var/log/messagesソスト趣ソスソスpソスン抵ソスtソス@ソスCソスソスソス成
# logfile /var/log/messages

# BIND version probes (VERSION.BIND queries). One denied query is enough to
# hand the source address to swatch_action.sh with "block", i.e. an
# immediate block. The line is split on whitespace and field 8 is
# "ADDR#PORT", which swatch_action.sh reduces to the address.
# (Sep 23 14:16:13 centos named[1935]: client @0x7fb85067e5c0 XXX.XXX.XXX.XXX#38019 (VERSION.BIND): query 'VERSION.BIND/TXT/CH' denied)
# Applies only where the DNS server (BIND) is set up.
# The threshold limits how often the action fires per 10-second window
# (see swatch(1) for the exact type=limit semantics).
watchfor /query \'VERSION\.BIND\/TXT\/CH\' denied/i
    pipe "/usr/local/bin/swatch_action.sh ' ' 8 block"
    threshold track_by=/query \'VERSION\.BIND\/TXT\/CH\' denied/i,type=limit,count=1,seconds=10


ソスiソスSソスj/var/log/secureソスト趣ソスソスン抵ソス
[root@centos ~]# vi /etc/swatch/secure.confソス@ソスソスソス@/var/log/secureソスト趣ソスソスpソスン抵ソスtソス@ソスCソスソスソス成
# logfile /var/log/secure

# Connections refused by sshd's access control (the original note refers to
# /etc/hosts.deny and /etc/hosts.allow). A single refusal blocks the source
# at once ("block"): the line is split on "(" or ")" and field 2 is the address.
# (Jan 23 19:50:37 centos sshd[15862]: refused connect from xxxxxxxxx (XXX.XXX.XXX.XXX))
# The separator carries doubled backslashes, presumably because swatch embeds
# the pipe string in the Perl script it generates before the shell sees it —
# confirm against swatch(1) before changing the quoting.
watchfor /sshd.*refused/
    pipe "/usr/local/bin/swatch_action.sh '\\\\(|\\\\)' 2 block"
    threshold track_by=/sshd.*refused/,type=limit,count=1,seconds=10

# SSH password failures for an unknown user: field 13 of the whitespace split
# is the address. swatch_action.sh blocks the address each time its
# per-address history reaches a multiple of three lines.
# (Feb 2 17:51:26 centos sshd[6982]: Failed password for invalid user xxxxxxxx from XXX.XXX.XXX.XXX port 34464 ssh2)
# NOTE(review): the field number assumes the (remote-chosen) user name holds
# no spaces; otherwise the field shifts and swatch_action.sh aborts with a mail.
watchfor /sshd.*Failed password for invalid user/
    pipe "/usr/local/bin/swatch_action.sh ' ' 13"
    threshold track_by=/sshd.*Failed password for invalid user/,type=limit,count=3,seconds=10

# SSH password failures for an existing user: field 11 is the address.
# (Jan 28 04:56:56 centos sshd[1849]: Failed password for root from XXX.XXX.XXX.XXX port 56558 ssh2)
watchfor /sshd.*Failed password for/
    pipe "/usr/local/bin/swatch_action.sh ' ' 11"
    threshold track_by=/sshd.*Failed password for/,type=limit,count=3,seconds=10

# Dovecot (PAM) authentication failures: the line is split on "=" and
# field 7 is the value of "rhost=". Applies only where the mail server is set up.
# (Jan 28 05:16:20 centos auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=xxxxxxxx rhost=XXX.XXX.XXX.XXX)
watchfor /auth: pam_unix\(dovecot:auth\): authentication failure/
    pipe "/usr/local/bin/swatch_action.sh '=' 7"
    threshold track_by=/auth: pam_unix\(dovecot:auth\): authentication failure/,type=limit,count=3,seconds=10

ソスiソスTソスj/var/log/maillogソスト趣ソスソスン抵ソス
[root@centos ~]# vi /etc/swatch/maillog.confソス@ソスソスソス@/var/log/maillogソスト趣ソスソスpソスン抵ソスtソス@ソスCソスソスソス成
# logfile /var/log/maillog

# Relay attempts rejected by Postfix. One rejection blocks the source at once
# ("block"): the line is split on "[" or "]" and field 4 is the address.
# (Jan 23 06:27:02 centos postfix/smtpd[16659]: NOQUEUE: reject: RCPT from unknown[XXX.XXX.XXX.XXX]: 454 4.7.1 <xxxxxxxx@xxxxxxxx>: Relay access denied; from=<xxxxxxxx@xxxxxxxx> to=<xxxxxxxx@xxxxxxxx> proto=ESMTP helo=<xxxxxxxx>)
# Applies only where the mail server is set up.
watchfor /postfix\/smtpd.*Relay access denied;/
    pipe "/usr/local/bin/swatch_action.sh '\\\\[|\\\\]' 4 block"
    threshold track_by=/postfix\/smtpd.*Relay access denied;/,type=limit,count=1,seconds=10

# SASL authentication failures on the SMTP server: same split, field 4 is
# the address; swatch_action.sh blocks the address each time its
# per-address history reaches a multiple of three lines.
# (Jan 23 08:52:55 centos postfix/smtpd[19694]: warning: xxxxxxxx[XXX.XXX.XXX.XXX]: SASL LOGIN authentication failed: authentication failure)
# Applies only where the mail server is set up.
watchfor /postfix\/smtpd.*SASL .* authentication failed:/
    pipe "/usr/local/bin/swatch_action.sh '\\\\[|\\\\]' 4"
    threshold track_by=/postfix\/smtpd.*SASL .* authentication failed:/,type=limit,count=3,seconds=10

ソスソスSWATCHソスNソスソス

[root@centos ~]# vi /etc/rc.d/init.d/swatchソス@ソスソスソス@SWATCHソスNソスソスソスXソスNソスソスソスvソスgソス成
#!/bin/bash
#
# swatch
#
# chkconfig: 2345 90 35
# description: swatch start/stop script

# Source function library.
# Source function library.
source /etc/rc.d/init.d/functions

PATH="/sbin:/usr/local/bin:/bin:/usr/bin"

# Per-address histories and swatch.log live here; make sure it exists.
mkdir -p -- /var/log/swatch

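#######################################
# Start one swatch daemon per /etc/swatch/*.conf.
# Each .conf names the file it tails in a "# logfile PATH" comment; daemons
# are numbered in glob order and write /var/run/swatch_N.pid.
# Globals:  RETVAL (written) - exit status for the caller
# Returns:  0 on success, 1 on a misconfigured .conf, otherwise the failing
#           swatch exit status
#######################################
start() {
    local conf pno watchlog
    RETVAL=0
    if ls /var/run/swatch_*.pid > /dev/null 2>&1; then
        echo "swatch is already started"
        return 0
    fi
    echo -n "Starting swatch"
    pno=0
    for conf in /etc/swatch/*.conf; do
        # No .conf at all leaves the literal pattern in $conf.
        [ -f "$conf" ] || continue
        pno=$((pno + 1))
        watchlog=$(grep "^# logfile" "$conf" | awk '{ print $3 }')
        if [ -z "$watchlog" ]; then
            # Without this --tail-file would swallow the next option.
            echo
            echo "no '# logfile' line in $conf" >&2
            RETVAL=1
            return "$RETVAL"
        fi
        # NOTE(review): --script-dir=/tmp makes a root daemon write, and later
        # run, its generated script in a world-writable directory; a
        # root-owned directory (e.g. under /var/run) would be safer.
        swatch --config-file "$conf" --tail-file "$watchlog" \
            --script-dir=/tmp --awk-field-syntax --use-cpan-file-tail --daemon \
            --pid-file "/var/run/swatch_$pno.pid" \
            >> /var/log/swatch/swatch.log 2>&1
        RETVAL=$?
        if [ "$RETVAL" -ne 0 ]; then
            echo
            return "$RETVAL"
        fi
    done
    echo
    touch /var/lock/subsys/swatch
    return 0
}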

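#######################################
# Stop every running swatch daemon and remove its pid file, the subsys lock
# and the scripts swatch generated under /tmp.
# Returns:  0
#######################################
stop() {
    local pidfile pid
    if ! ls /var/run/swatch_*.pid > /dev/null 2>&1; then
        echo "swatch is not running"
        return 0
    fi
    echo -n "Shutting down swatch"
    for pidfile in /var/run/swatch_*.pid; do
        [ -f "$pidfile" ] || continue
        pid=$(cat -- "$pidfile")
        # An empty or corrupt pid file must not turn into a bare "kill".
        case "$pid" in
            ''|*[!0-9]*) echo "ignoring bad pid file $pidfile" >&2 ;;
            *) kill "$pid" ;;
        esac
        rm -f -- "$pidfile"
    done
    echo
    rm -f /var/lock/subsys/swatch /tmp/.swatch_script.*
    return 0
}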

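#######################################
# Print whether swatch is running, with the pid of each daemon.
# Returns:  0 when at least one pid file exists, 3 (LSB "not running") otherwise
#######################################
status() {
    local pidfile
    if ! ls /var/run/swatch_*.pid > /dev/null 2>&1; then
        echo "swatch is stopped"
        return 3
    fi
    echo -n "swatch (pid"
    for pidfile in /var/run/swatch_*.pid; do
        printf ' %s' "$(cat -- "$pidfile")"
    done
    echo ") is running..."
    return 0
}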

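# Dispatch on the requested action; RETVAL carries the exit status out so
# "service swatch ..." reports failures (it was unset for stop/status before).
RETVAL=0
case "$1" in
  start)
        start
        RETVAL=$?
        ;;
  stop)
        stop
        RETVAL=$?
        ;;
  restart)
        stop
        start
        RETVAL=$?
        ;;
  status)
        status
        RETVAL=$?
        ;;
  *)
        echo "Usage: swatch {start|stop|restart|status}" >&2
        exit 1
        ;;
esac

exit "$RETVAL"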

[root@centos ~]# chmod +x /etc/rc.d/init.d/swatchソス@ソスソスソス@SWATCHソスNソスソスソスXソスNソスソスソスvソスgソスヨ趣ソスソスsソスソスソスソスソスtソスソス

[root@centos ~]# /etc/rc.d/init.d/swatch startソス@ソスソスソス@SWATCHソスNソスソス
Starting swatch

[root@centos ~]# chkconfig --add swatchソス@ソスソスソス@SWATCHソスNソスソスソスXソスNソスソスソスvソスgソスソスcheconfigソスヨ登ソス^

[root@centos ~]# chkconfig swatch onソス@ソスソスソス@SWATCHソスソスソスソスソスNソスソスソスン抵ソス

[root@centos ~]# chkconfig --list swatchソス@ソスソスソス@SWATCHソスソスソスソスソスNソスソスソスン抵ソスmソスF
swatch          0:off   1:off   2:on    3:on    4:on    5:on    6:offソス@ソスソスソス@ソスソスソスソスソスソスソスxソスソス2ソス`5ソスソスonソスソスソスmソスF

ソスソスSWATCHソス^ソスp

ソスン抵ソスノ従ソスソスソスト各ソスロソスOソスtソス@ソスCソスソスソスソスソスト趣ソスソスソスソスAソスsソスソスソスAソスNソスZソスXソスソスソスソスソスmソスソスソスト該ソスソスソスzソスXソスgソスソスソスソスフアソスNソスZソスXソスソス24ソスソスソスヤ規ソスソスソスソスソスソスソス鼾ソスAソスYソスソスIPソスAソスhソスソスソスXソスソスwhoisソスソスがソスソス[ソスソスソスハ知ソスソスソスソストゑソスソスソスB
ソスソスSWATCHソスAソスNソスVソスソスソスソスソスXソスNソスソスソスvソスg(swatch_action.sh)ソスナ規ソスソスIPソスAソスhソスソスソスXソスソスソスハ知ソス諠ソス[ソスソスソスAソスhソスソスソスXソスソスソスwソス閧オソスソスソス鼾
ソスソスソスソスIPソスAソスhソスソスソスXソスソスソスソスフ不ソスソスソスAソスNソスZソスXソスソスソスJソスソスヤゑソスソスソスソス鼾ソスAソスYソスソスIPソスAソスhソスソスソスXソスソスソスソスフアソスNソスZソスXソスKソスソスソスソスソスソスソス\ソスソスソスソス除ソスソスソスト、ソスYソスソスIPソスAソスhソスソスソスXソスソスソスソスフアソスNソスZソスXソスソスソスiソスvソスノ規ソスソスソスソスソスソス謔、ソスノゑソスソスソスB
[root@centos ~]# vi swatchatrmソス@ソスソスソス@ソスAソスNソスZソスXソスKソスソスソスソスソスソスソス\ソスソス除ソスソスソスソスソスXソスNソスソスソスvソスgソス成
#!/bin/bash

# Cancel the scheduled unblock for addresses with a large offence history
#
# For every address whose per-address log under /var/log/swatch holds at least
# <cnt> lines, remove the at job that would delete its "iptables -D INPUT"
# rule, so the block stays in place permanently.
# With cnt = 0 nothing is removed: each blocked address and its line count are only listed.

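# Usage guard: exactly one argument, a non-negative integer threshold.
if [ $# -ne 1 ]; then
    echo "usage is ${0} cnt" >&2
    exit 1
fi
case "$1" in
    ''|*[!0-9]*)
        echo "cnt must be a non-negative integer" >&2
        exit 1
        ;;
esac
threshold=$1

# Walk the at queue (job ids are whitespace-separated, so the unquoted
# expansion is intended). Only jobs scheduled by swatch_action.sh that
# delete an iptables DROP rule are of interest.
# NOTE(review): the companion job swatch_action.sh schedules to clean
# /root/deny_ip does not contain "iptables -D INPUT" and is left in the queue.
for job in $(atq | awk '{print $1}'); do
    # Read the job body once and pull the address out of the iptables -D line.
    ip=$(at -c "$job" \
        | sed -e 's/.*iptables -D INPUT -s \([^ ]*\) -j DROP.*/\1/p' -e d \
        | head -n 1)
    [ -n "$ip" ] || continue
    logfile="/var/log/swatch/${ip}"
    if [ -f "$logfile" ]; then
        cnt=$(( $(wc -l < "$logfile") ))
    else
        cnt=0
    fi
    if [ "$threshold" -eq 0 ]; then
        # Report only.
        printf '%s\t%s\n' "$ip" "$cnt"
    elif [ "$cnt" -ge "$threshold" ]; then
        # Drop the scheduled unblock so the DROP rule stays in place.
        atrm "$job" && printf '%s\t%s\n' "$ip" "$cnt"
    fi
done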

[root@centos ~]# sh swatchatrm 0|sort -n -k 2 -rソス@ソスソスソス@ ソスsソスソスソスAソスNソスZソスXソスLソス^ソス数の托ソスソスソスソスソスソスノアソスNソスZソスXソスKソスソスソスソスソスソスソスメゑソスIPソスAソスhソスソスソスXソスソス\ソスソス
YYY.YYY.YYY.YYY 18
XXX.XXX.XXX.XXX 12
ZZZ.ZZZ.ZZZ.ZZZ 5

[root@centos ~]# sh swatchatrm 10ソス@ソスソスソス@ ソスソスニゑソスソスソス10ソスソスネ擾ソスフ不ソスソスソスAソスNソスZソスXソスソスソスLソス^ソスソスソスソスIPソスAソスhソスソスソスXソスソスソスソスフアソスNソスZソスXソスKソスソスソスソスソスソスソス\ソスソスソスソス除ソスソスソスiソスvソスノ規ソスソス
XXX.XXX.XXX.XXX 12
YYY.YYY.YYY.YYY 18

[root@centos ~]# sh swatchatrm 0|sort -n -k 2 -rソス@ソスソスソス@ ソスsソスソスソスAソスNソスZソスXソスLソス^ソス数の托ソスソスソスソスソスソスノアソスNソスZソスXソスKソスソスソスソスソスソスソスメゑソスIPソスAソスhソスソスソスXソスソス\ソスソス
ZZZ.ZZZ.ZZZ.ZZZ 5

