Recently the server has been hit by frequent DDoS attacks, and the only temporary fix is to block the attacking source IPs. The source IPs keep changing, though, and adding them by hand is a nightmare, so I came up with a way to do it with a shell script.
It is relatively simple, but very useful :) The following is adapted from the original author's text with some changes :)
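1. Write the script
mkdir /root/bin
vi /root/bin/dropip.sh

#!/bin/bash
# Top 10 remote addresses by ESTABLISHED connection count, excluding addresses
# that start with 192.168 or 127.0; keep those with more than 4 connections.
/bin/netstat -na | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -rn | head -10 | grep -v -E ' (192\.168|127\.0)\.' | awk '{if ($2!=null && $1>4) {print $2}}' > /tmp/dropip
# Drop each listed address and log when it was blocked.
for i in $(cat /tmp/dropip)
do
    /sbin/iptables -A INPUT -s "$i" -j DROP
    echo "$i kill at $(date)" >> /var/log/ddos
done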
2. Add execute permission
chmod +x /root/bin/dropip.sh
3. Add it to the scheduled tasks, running once per minute
crontab -e
*/1 * * * * /root/bin/dropip.sh
Description
The script above is simple but very practical. The most important part is the netstat pipeline line: it takes the top 10 addresses by established connections, excluding the internal IP ranges that start with 192.168 and 127.0, and writes them to the temporary file /tmp/dropip. A for loop then drops each IP in /tmp/dropip with iptables and writes an entry to the log file /var/log/ddos.
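The selection step described above, as an added example that is not part of the original script: it counts established connections per remote IPv4 address from `netstat -na` text, anchors the 192.168 and 127 exclusions to the start of the address, and also handles IPv4-mapped IPv6 peers and an allowlist, which goes slightly beyond the original pipeline. The function names, the `ALLOWLIST` variable and all sample addresses are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not the original author's script.
THRESHOLD=4                  # as in the article: more than 4 connections
TOP_N=10                     # as in the article: head -10
ALLOWLIST="198.51.100.200"   # hypothetical admin/monitoring address, never listed

# Reads `netstat -na` text on stdin; prints candidate IPv4 addresses, busiest first.
select_offenders() {
    awk -v min="$THRESHOLD" -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            addr = $5
            sub(/:[0-9]+$/, "", addr)       # drop the port (last :NNN only)
            sub(/^::ffff:/, "", addr)       # IPv4-mapped IPv6 -> plain IPv4
            if (addr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next   # native IPv6 etc.
            if (addr ~ /^127\./ || addr ~ /^192\.168\./) next      # anchored exclusions
            if (addr in skip) next
            count[addr]++
        }
        END { for (ip in count) if (count[ip] > min) print count[ip], ip }
    ' | sort -rn | head -n "$TOP_N" | awk '{ print $2 }'
}

# emit PROTO REMOTE COUNT: print COUNT constructed ESTABLISHED lines
emit() {
    i=0
    while [ "$i" -lt "$3" ]; do
        printf '%s 0 0 192.0.2.10:80 %s:%d ESTABLISHED\n' "$1" "$2" "$((40000 + i))"
        i=$((i + 1))
    done
}

# Constructed sample input (documentation and shared-address ranges only).
sample_netstat() {
    emit tcp  203.0.113.7          9   # over threshold
    emit tcp  100.127.0.5          7   # contains "127.0" but is not loopback
    emit tcp6 ::ffff:198.51.100.9  6   # IPv4-mapped IPv6 peer
    emit tcp  198.51.100.200      20   # allowlisted
    emit tcp  192.168.1.20        12   # internal
    emit tcp  127.0.0.1            8   # loopback
    emit tcp  203.0.113.50         3   # under threshold
    emit tcp6 2001:db8::5          9   # native IPv6, outside this IPv4 rule
    printf 'tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN\n'
}

sample_netstat | select_offenders
```

On a real host, `/bin/netstat -na | select_offenders > /tmp/dropip` would feed the same iptables loop as the script above.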
Anti-DDoS attack shell script