发布时间:2017-12-09 12:23:52编辑:admin阅读(3848)
先看一段nginx日志
可以看到,左边第一个,就是真实IP地址
先来获取真实IP地址
tail -10 /usr/local/nginx/logs/access.log | awk '{print $1}'
结果如下:
58.39.50.112
58.39.50.112
58.39.50.112
58.39.50.112
58.39.50.112
58.39.50.112
203.208.60.161
58.39.50.112
58.39.50.112
58.39.50.112
ip地址进行排序,sort默认是升序
tail -10 /usr/local/nginx/logs/access.log | awk '{print $1}' | sort
结果如下:
203.208.60.161
203.208.60.162
58.39.50.112
58.39.50.112
58.39.50.112
58.39.50.112
58.39.50.112
58.39.50.112
58.39.50.112
58.39.50.112
去除重复,使用uniq -c
-c 显示重复的次数
tail -10 /usr/local/nginx/logs/access.log | awk '{print $1}' | sort |uniq -c
结果如下:
1 203.208.60.161
1 203.208.60.162
8 58.39.50.112
根据重复次数进行排序,使用命令sort -k1 -nr
-k 指定列数,1表示第一列
-n 以数值来排序
-r 降序排序,因为sort默认是按照升序来排序的,需要指定参数,才能降序。
tail -10 /usr/local/nginx/logs/access.log | awk '{print $1}' | sort |uniq -c|sort -k1 -nr
结果如下:
8 58.39.50.112
1 203.208.60.162
1 203.208.60.161
提取前10名IP地址,这里我取最后1000行,不如结果没有10个,很尴尬
head -10 表示取前10行
tail -1000 /usr/local/nginx/logs/access.log | awk '{print $1}' | sort |uniq -c|sort -k1 -nr | head -10
354 58.39.50.112
75 123.180.242.149
50 140.205.201.43
46 101.226.33.221
25 101.226.33.237
24 171.88.42.11
24 14.24.109.56
23 106.17.23.222
19 122.192.13.121
17 220.181.132.197
如果发现Nginx有攻击行为,可以查看一下IP统计
查看排名前10的IP,这里取1万行
tail -10000 /usr/local/nginx/logs/access.log | awk '{print $1}' | sort |uniq -c|sort -k1 -nr | head -10
结果如下:
508 58.39.50.112
75 123.180.242.149
50 140.205.201.43
46 101.226.33.221
43 101.226.33.237
24 171.88.42.11
24 14.24.109.56
24 101.226.66.191
23 106.17.23.222
22 113.46.191.175
47303
45507
36587
34101
28810
25424
24274
19469
18914
17483
5304°
5904°
5403°
5488°
6375°
5220°
5219°
5731°
5687°
6996°