#!/bin/bash
DATE=`date +%d/%b/%Y:%H:%M`
LOG_FILE=/var/log/httpd/access_log
ABNORMAL_IP=`tail -n 1000 $LOG_FILE |grep $DATE |awk '{a[$1]++}END{for(i in a) if(a[i]>10) print i}'`
for IP in $ABNORMAL_IP
do
if [ $(firewall-cmd --list-all |grep -c "$IP") -eq 0 ]
then
firewall-cmd --add-rich-rule="rule family=ipv4 source address='$IP' drop"
echo "$(date +'%F %T') $IP" >> /tmp/drop_ip.log
fi
done
