IP Defense DDoS configuration method for Linux shielding enclosure

Introduction to DDoS Deflate

DDoS deflate is a free script for defending and mitigating DDoS attacks. It creates an IP address for a large number of network connections through Netstat monitoring trails that prohibit or block these IPs through APF or iptables when a node is detected that exceeds the preset limit.

DDoS Deflate official website: http://deflate.medialayer.com/

How do I verify that DDoS attacks are being exploited?

Perform:

The code is as follows	Copy Code
Netstat-ntu | awk ' {print $} ' | Cut-d:-f1 | Sort | uniq-c | Sort-n

After execution, the number of connections to each IP on the server is displayed.

Here are the results of my own VPS test:

The code is as follows	Copy Code
li88-99:~# Netstat-ntu | awk ' {print $} ' | Cut-d:-f1 | Sort | uniq-c | Sort-n

1 114.226.9.132
1 174.129.237.157
1 58.60.118.142
1 Address
1 servers)
2 118.26.131.78
3 123.125.1.202
3 220.248.43.119
4 117.36.231.253
4 119.162.46.124
6 219.140.232.128
8 220.181.61.31
2311 67.215.242.196 Each IP a few, more than 10 or dozens of connections are relatively normal, if it is like hundreds of thousands of sure it is not normal.

1. Install DDoS deflate

The code is as follows	Copy Code
wget http://www.inetbase.com/scripts/ddos/install.sh//download DDoS deflate Chmod 0700 install.sh//Add Permissions ./install.sh//Executive

2. Configure DDoS Deflate

The following is the default configuration of the DDoS deflate located in/usr/local/ddos/ddos.conf, which reads as follows:

The code is as follows

Copy Code

##### Paths of the script and other files Progdir= "/usr/local/ddos" Prog= "/usr/local/ddos/ddos.sh" Ignore_ip_list= "/usr/local/ddos/ignore.ip.list"//IP address white list cron= "/etc/cron.d/ddos.cron"//Timed execution procedure apf= "/etc/apf/apf" ipt= "/sbin/iptables" ##### frequency in minutes for running the script ##### caution:every time This setting is changed, run the script With–cron ##### option so the new frequency takes effect Freq=1//Check time interval, default 1 minutes ##### How many connections define a bad IP? indicate that below. no_of_connections=150//Maximum number of connections, more than this number of IP will be blocked, the general default can be ##### apf_ban=1 (Make sure your APF version is atleast 0.96) ##### apf_ban=0 (Uses iptables for banning IPs instead of APF) Apf_ban=1//using APF or iptables. It is recommended to use Iptables to change the value of Apf_ban to 0. ##### kill=0 (Bad IPs are ' NT banned, good for interactive execution of script) ##### kill=1 (recommended setting) Kill=1//Whether shielding IP, the default can ##### an email was sent to the following address when a IP is banned. ##### Blank would suppress sending of mails email_to= "root"///when IP is blocked to send mail to the specified mailbox, recommended to use, change your own mailbox can ##### number of seconds the banned IP should remain in blacklist. ban_period=600//Disable IP time, default 600 seconds, according to the situation can adjust the user according to the default profile added to the comment content, modify the configuration file.

View line 117th of the/usr/local/ddos/ddos.sh file

The code is as follows	Copy Code
Netstat-ntu | awk ' {print $} ' | Cut-d:-f1 | Sort | uniq-c | Sort-nr > $BAD _ip_list

Modify to the following code!

code is as follows	copy code
netstat- NTU | awk ' {print $} ' | Cut-d:-f1 | Sed-n '/[0-9]/p ' | Sort | uniq-c | Sort-nr > $BAD _ip_list   wget http://www.inetbase.com/scripts/ddos/uninstall.ddos chmod 0700 Uninstall.ddos ./uninstall.ddos