排序日志中尝试爆破ssh密码的ip

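# Count failed SSH login attempts per source IP, most frequent first.
# $(NF-3) is the IP in sshd's "... for <user> from <ip> port <n> ssh2" lines;
# /Failed/ also matches "Failed none"/"Failed publickey" attempts, not only
# password guesses. Every stage uses an absolute path so nothing in the
# pipeline depends on PATH (the original left the final sort PATH-resolved).
/bin/awk '/Failed/{print $(NF-3)}' /var/log/secure | /bin/sort | /usr/bin/uniq -c | /bin/sort -rn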

统计登录成功的帐号IP(分析是否是自己的)

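# Count successful password logins per source IP, most frequent first, so
# unknown IPs stand out. Only "Accepted password for" is matched: logins
# via public key ("Accepted publickey for") are not counted here.
# $(NF-3) is the IP in "... for <user> from <ip> port <n> ssh2".
# Every stage uses an absolute path (the original left the final sort
# PATH-resolved).
/bin/awk '/Accepted password for/{print $(NF-3)}' /var/log/secure | /bin/sort | /usr/bin/uniq -c | /bin/sort -rn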

也可以使用shell处理

创建find_attack_ip.sh,内容如下

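#!/bin/bash
# Block abusive web clients: count requests per IP in nginx's access log
# and append "deny <ip>;" for every IP above max_allow_num to deny.conf.
# The counting, the deny lines and the "nginx -s reload" all live in the
# awk program referenced below; this script only supplies paths and the limit.
set -euo pipefail

# Request count above which a client IP is denied.
max_allow_num=1500
awk_prog=/usr/local/bin/find_attack/find_web_attack.awk
access_log=/var/log/nginx/access.log
deny_conf=/etc/nginx/deny.conf

# The whole log is re-scanned on every run and deny.conf is only appended
# to, so an IP already over the limit is appended again each run; nginx
# accepts repeated deny directives, but the file grows until pruned.
/bin/awk -v allow="$max_allow_num" -f "$awk_prog" "$access_log" >> "$deny_conf"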

创建/usr/local/bin/find_attack/find_web_attack.awk,内容如下

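# Count requests per client IP ($1 of nginx's access log) and print an nginx
# "deny <ip>;" line for every IP whose count exceeds `allow` (set with
# -v allow=N). nginx is reloaded only when at least one line was printed.
BEGIN {
    # Refuse to run without a threshold: an unset `allow` compares as 0,
    # so every client in the log would be denied.
    if (allow == "") {
        print "find_web_attack.awk: allow must be set with -v allow=N" > "/dev/stderr"
        bad_args = 1
        exit 2
    }
}
# Anchored to the first field: the original matched an IPv4 address anywhere
# in the line, so a record whose $1 is not an IP (but whose request path
# contains one) could be counted and written to deny.conf as a non-IP.
# IPv6 clients are not counted.
$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { ++S[$1] }
END {
    # `exit` in BEGIN still runs END; keep the failure status.
    if (bad_args) exit 2
    reloadServer = 0
    for (a in S) {
        if (S[a] > allow) {
            print "deny " a ";"
            reloadServer = 1
        }
    }
    if (reloadServer > 0) {
        system("/usr/sbin/nginx -s reload")
    }
}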