DDoS-Deflate Installation and Configuration
1. Installation

    wget http://www.inetbase.com/scripts/ddos/install.sh
    chmod 0700 install.sh
    ./install.sh
2. Configuration

The configuration file is /usr/local/ddos/ddos.conf; its default contents are:

    FREQ=1
    NO_OF_CONNECTIONS=150
    APF_BAN=0
    KILL=1
    EMAIL_TO="Test@qq.com"
    BAN_PERIOD=600
Explanation of the configuration parameters:

FREQ=1: detection interval in minutes (default 1); if you change it, the cron job has to be reset to match.
NO_OF_CONNECTIONS=150: maximum number of connections a single IP may hold; an IP above this is banned.
APF_BAN=1: set to 1 to ban with APF, 0 to ban with iptables.
KILL=1: whether offending IPs are actually banned.
EMAIL_TO="root": mailbox that receives a notification for each ban.
BAN_PERIOD=600: how long an IP stays banned, in seconds (default 600).
IP address whitelist: /usr/local/ddos/ignore.ip.list
Uninstalling

    wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
    chmod 0700 uninstall.ddos
    ./uninstall.ddos
Viewing connections per IP

    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

The fifth netstat column is the foreign address; the port is cut off, the remaining IPs are counted, and the result is sorted ascending, so the addresses holding the most connections appear last. This is the same count DDoS-Deflate compares against NO_OF_CONNECTIONS on every run.
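The following is an added example, not code from DDoS-Deflate or from this page: it reproduces the per-IP count from the pipeline above on a constructed netstat sample, applies an ignore.ip.list-style whitelist, and prints (as a dry run) the iptables commands a ban with APF_BAN=0 would amount to. NO_OF_CONNECTIONS is lowered to 3 so the sample trips it; the sample addresses, the function names and the unban command line are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not DDoS-Deflate's own code): per-IP connection count, whitelist, dry-run ban.

NO_OF_CONNECTIONS=3   # same meaning as in ddos.conf; lowered so the sample below trips it
BAN_PERIOD=600

# CONSTRUCTED sample of "netstat -ntu" lines (real output also has two header lines, which
# the pipeline turns into harmless count-1 junk entries).
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80       192.168.1.200:51001   ESTABLISHED
tcp        0      0 10.0.0.5:80       192.168.1.200:51002   ESTABLISHED
tcp        0      0 10.0.0.5:80       192.168.1.200:51003   SYN_RECV
tcp        0      0 10.0.0.5:80       192.168.1.200:51004   SYN_RECV
tcp        0      0 10.0.0.5:80       192.168.1.10:40001    ESTABLISHED
tcp        0      0 10.0.0.5:443      203.0.113.7:33001     ESTABLISHED
tcp        0      0 10.0.0.5:443      203.0.113.7:33002     ESTABLISHED
tcp        0      0 10.0.0.5:443      203.0.113.7:33003     ESTABLISHED
tcp        0      0 10.0.0.5:443      203.0.113.7:33004     ESTABLISHED
udp        0      0 10.0.0.5:53       192.168.1.10:5353     ESTABLISHED'

# Whitelist in the same one-IP-per-line form as /usr/local/ddos/ignore.ip.list (constructed)
IGNORE_LIST='127.0.0.1
203.0.113.7'

# count_per_ip: the page's pipeline, reading netstat lines from stdin.
# Output: "<count> <ip>", one per line, ascending by count.
count_per_ip() {
    awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# offenders: IPs whose count exceeds NO_OF_CONNECTIONS and that are not whitelisted.
offenders() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_per_ip | while read -r n ip; do
        [ "$n" -gt "$NO_OF_CONNECTIONS" ] || continue
        if printf '%s\n' "$IGNORE_LIST" | grep -qxF -- "$ip"; then
            continue   # whitelisted, never banned
        fi
        echo "$ip"
    done
}

# ban_commands: dry run of an iptables-mode ban and its removal after BAN_PERIOD seconds.
# It only prints the commands; nothing here touches the firewall.
ban_commands() {
    for ip in $(offenders); do
        echo "iptables -I INPUT -s $ip -j DROP"
        echo "sleep $BAN_PERIOD; iptables -D INPUT -s $ip -j DROP"
    done
}

ban_commands
```

Run on the sample, only 192.168.1.200 is reported: it holds four connections, above the limit of 3, while 203.0.113.7 also holds four but is on the whitelist, and 192.168.1.10 holds two. Lowering NO_OF_CONNECTIONS this far on a real server would ban ordinary browsers, which open several connections each; the default of 150 exists for that reason.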
To test whether an IP actually gets banned, list the current rules:

    iptables -L -n

As shown below, 192.168.1.200 has been banned:
Addendum: iptables rules against SYN flood and DoS

    # Prevent SYN flood (lightweight prevention)
    iptables -N syn-flood
    iptables -A INPUT -p tcp --syn -j syn-flood
    iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
    iptables -A syn-flood -j REJECT
    # Prevent too many DoS connections coming in: allow each IP at most 15 initial
    # connections on the external interface and drop the rest
    iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
    iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Use iptables to resist DDoS (parameters as above)
    iptables -A INPUT -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT
    iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
    ##########################################################
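One caveat a practitioner would want on the rules above: the limit match keeps a single token bucket for all sources, so once one host floods, every client's SYNs are rejected together. The added example below, which is not part of the page's rule set, builds the rules as text so they can be reviewed before being applied, sets the page's global limit beside a per-source hashlimit variant, and checks the output of iptables -S so the chain is flushed rather than re-created on a second run. The chain and interface names, the constructed iptables -S samples and the function names are this example's own assumptions; hashlimit is a standard iptables match.

```shell
#!/bin/sh
# Added example (not from the page): review-before-apply SYN-flood rules, global vs. per-source.

CHAIN="syn-flood"
IFACE="eth0"
PER_IP_CONN=15        # same meaning as --connlimit-above 15 on the page

# rules_global_limit: the page's approach; one token bucket shared by every source address.
rules_global_limit() {
    cat <<EOF
iptables -A INPUT -p tcp --syn -j $CHAIN
iptables -A $CHAIN -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A $CHAIN -j REJECT
EOF
}

# rules_per_source: hashlimit keyed on the source IP, so a flooding host only exhausts
# its own bucket and other clients keep getting through; connlimit caps half-open
# connections per IP as on the page.
rules_per_source() {
    cat <<EOF
iptables -A INPUT -p tcp --syn -j $CHAIN
iptables -A $CHAIN -p tcp -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit-above 3/s --hashlimit-burst 6 -j DROP
iptables -A $CHAIN -j RETURN
iptables -A INPUT -i $IFACE -p tcp --syn -m connlimit --connlimit-above $PER_IP_CONN -j DROP
EOF
}

# chain_exists RULESET: RULESET is the text of "iptables -S"; true if the chain is defined.
chain_exists() {
    printf '%s\n' "$1" | grep -qx -e "-N $CHAIN"
}

# plan RULESET MODE: print the commands that would be run (dry run); MODE is global or per-source.
plan() {
    ruleset="$1"
    mode="$2"
    if chain_exists "$ruleset"; then
        echo "iptables -F $CHAIN"    # already there: flush so rules are not duplicated
    else
        echo "iptables -N $CHAIN"
    fi
    case "$mode" in
        global)     rules_global_limit ;;
        per-source) rules_per_source ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# CONSTRUCTED "iptables -S" output: a host where the chain was created on an earlier run ...
EXISTING='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N syn-flood
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood'

# ... and a host with an empty filter table.
EMPTY='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

plan "$EMPTY" per-source
```

To apply a plan for real, pipe its output through sh as root after reading it; feeding it live iptables -S output (plan "$(iptables -S)" per-source) gives the idempotent behaviour. The connlimit rule only counts connections still in the table, so a host that completes handshakes and idles is still bounded by it, while the hashlimit rule bounds the SYN rate itself.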
iptables anti-DDoS attack script

    #!/bin/sh
    #
    # Define some variables
    MAX_TOTAL_SYN_RECV="1000"
    MAX_PER_IP_SYN_RECV="20"
    MARK="SYN_RECV"
    PORT="80"
    LOGFILE="/var/log/netstat_${MARK}-${PORT}"
    LOGFILE_IP="/var/log/netstat_connect_ip.log"
    DROP_IP_LOG="/var/log/netstat_syn_drop_ip.log"
    #
    # iptables default rules: accept normal packets and drop malicious SYN packets
    iptables -F -t filter
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A INPUT -p all -m state --state INVALID -j DROP
    iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
    #
    # Initialize: fall back to listening sockets / all TCP ports when MARK or PORT is empty
    if [ -z "$MARK" ]; then
        MARK="LISTEN"
    fi
    if [ -z "$PORT" ]; then
        SPORT="tcp"
    else
        SPORT=":$PORT"
    fi
    ######################## End
    #
    # Save the matching netstat lines to the log file, then extract the foreign IPs
    # (column 5, port stripped) that appear more than once
    netstat -atun | grep "$MARK" | grep "$SPORT" 2>/dev/null > "$LOGFILE"
    awk '{print $5}' "$LOGFILE" | cut -f1 -d':' | sort | uniq -d > "$LOGFILE_IP"
    # Re-apply the drops recorded on earlier runs (the first field of each line is the IP)
    if [ -f "$DROP_IP_LOG" ]; then
        for i in $(awk '{print $1}' "$DROP_IP_LOG"); do
            iptables -A INPUT -p all -s "$i" -j DROP
        done
    fi
    for i in $(cat "$LOGFILE_IP"); do
        REPEAT_CONNECT_NUM=$(grep -c "$i" "$LOGFILE")
        # Count repeat connections; if the count exceeds the per-IP limit,
        # record the IP and drop its packets
        if [ "$REPEAT_CONNECT_NUM" -gt "$MAX_PER_IP_SYN_RECV" ]; then
            echo "$i $REPEAT_CONNECT_NUM" >> "$DROP_IP_LOG"
            iptables -A INPUT -p all -s "$i" -j DROP
        fi
    done
    ALL_CONNECT=$(uniq -u "$LOGFILE" | wc -l)
    #echo $ALL_CONNECT
    # Count total connections; if the total exceeds the limit, stop here
    if [ "$ALL_CONNECT" -gt "$MAX_TOTAL_SYN_RECV" ]; then
        #echo $ALL_CONNECT
        exit
    fi