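#!/bin/bash
# Incident-response triage of an nginx access log.
#
# Usage: script [ACCESS_LOG] [THRESHOLD]
#   ACCESS_LOG  path to the nginx access log (default: /var/log/nginx/access.log)
#   THRESHOLD   request count above which a client IP is reported (default: 1000)
#
# The script only reads the log; it never modifies it. All three reports are
# coarse keyword heuristics for first-pass triage, not proof of an attack.
# NOTE(review): field positions assume the default nginx "combined" log format
# ($1 = client IP, $7 = request URI) -- confirm against the server's log_format.
set -euo pipefail

readonly DEFAULT_LOG=/var/log/nginx/access.log
readonly DEFAULT_THRESHOLD=1000

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Client IPs whose request count exceeds the threshold, busiest first.
# Arguments: $1 - log path, $2 - non-negative integer threshold
# Outputs:   "<ip> <count>" lines to stdout
#######################################
report_high_volume_ips() {
  local log=$1 threshold=$2
  printf '可疑IP (请求量 > %s):\n' "$threshold"
  # Threshold is passed via -v rather than interpolated into the awk program.
  awk '{print $1}' "$log" \
    | sort \
    | uniq -c \
    | awk -v limit="$threshold" '$1 > limit {print $2, $1}' \
    | sort -k2 -nr
}

#######################################
# Request lines containing common SQL keywords, grouped by (IP, URI),
# most frequent first. Very broad: "select" also matches "selection",
# so expect false positives.
# Arguments: $1 - log path
# Outputs:   "<count> <ip> <uri>" lines to stdout
#######################################
report_sql_keywords() {
  local log=$1
  echo "SQL注入尝试:"
  # grep exits 1 when nothing matches; under pipefail that is a clean
  # (empty) result for this report, not an error.
  grep -iE 'union|select|drop|insert' -- "$log" \
    | awk '{print $1, $7}' \
    | sort \
    | uniq -c \
    | sort -nr \
    || true
}

#######################################
# Requests containing path-traversal or local-file-read markers; first 20
# only. Only the literal strings are matched; percent-encoded forms are not.
# Arguments: $1 - log path
# Outputs:   "<ip> <uri>" lines to stdout
#######################################
report_file_inclusion() {
  local log=$1
  echo "文件包含攻击:"
  # head may close the pipe early (SIGPIPE in grep) and grep exits 1 on no
  # match; neither is an error for this report.
  grep -E '\.\./|etc/passwd|proc/self' -- "$log" \
    | awk '{print $1, $7}' \
    | head -n 20 \
    || true
}

#######################################
# Validate arguments, then run the three reports in order.
# Arguments: $1 - log path (optional), $2 - threshold (optional)
# Returns:   exits 1 via die() if the log is unreadable or the threshold
#            is not a non-negative integer
#######################################
main() {
  local log=${1:-$DEFAULT_LOG}
  local threshold=${2:-$DEFAULT_THRESHOLD}
  [[ -r "$log" ]] || die "cannot read log file: $log"
  [[ "$threshold" =~ ^[0-9]+$ ]] \
    || die "threshold must be a non-negative integer: $threshold"
  echo "=== 安全事件分析 ==="
  report_high_volume_ips "$log" "$threshold"
  report_sql_keywords "$log"
  report_file_inclusion "$log"
}

main "$@"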