Linux defense Small Scale DDoS attack configuration method

Defense principle
The principle of DDoS deflate is to use the netstat command to find a single IP that emits an excessive amount of connectivity and to reject the IP using the iptables firewall. Because the iptables firewall is far more efficient than the Apache-level connection, the iptables becomes the "filter" that runs on the Apache front end. Similarly, DDoS deflate can also be set up to use APF (advanced firewall) for IP blocking.

How do I determine a DDoS attack?

Perform:

Shell

Netstat-ntu | awk ' {print $} ' | Cut-d:-f1 | Sort | uniq-c | Sort-n

A few, more than 10, or dozens of connections per IP are fairly normal, and if hundreds of thousands of them seem to be out of the ordinary.

1. Install DDoS deflate

The code is as follows	Copy Code
wget http://www.inetbase.com/scripts/ddos/install.sh//download DDoS deflate Chmod 0700 install.sh//Add Permissions ./install.sh//Executive

2. Configure DDoS Deflate

The following is the default configuration of the DDoS deflate located in/usr/local/ddos/ddos.conf, which reads as follows:

The code is as follows

Copy Code

##### Paths of the script and other files Progdir= "/usr/local/ddos" Prog= "/usr/local/ddos/ddos.sh" Ignore_ip_list= "/usr/local/ddos/ignore.ip.list"//IP address white list cron= "/etc/cron.d/ddos.cron"//Timed execution procedure apf= "/etc/apf/apf" ipt= "/sbin/iptables" ##### frequency in minutes for running the script ##### caution:every time This setting are changed, run the script with--cron ##### option so the new frequency takes effect Freq=1//Check time interval, default 1 minutes ##### How many connections define a bad IP? indicate that below. no_of_connections=150//Maximum number of connections, more than this number of IP will be blocked, the general default can be ##### apf_ban=1 (Make sure your APF version is atleast 0.96) ##### apf_ban=0 (Uses iptables for banning IPs instead of APF) Apf_ban=1//using APF or iptables. It is recommended to use Iptables to change the value of Apf_ban to 0. ##### kill=0 (Bad IPs are ' NT banned, good for interactive execution of script) ##### kill=1 (recommended setting) Kill=1//Whether shielding IP, the default can ##### an email was sent to the following address when a IP is banned. ##### Blank would suppress sending of mails email_to= "root"///when IP is blocked to send mail to the specified mailbox, recommended to use, change your own mailbox can ##### number of seconds the banned IP should remain in blacklist. ban_period=600//Disable IP time, default 600 seconds, can be adjusted according to the situation

The user can modify the configuration file according to the comment content that is added to the default profile.

Unloading

The code is as follows	Copy Code
wget Http://www.inetbase.com/scripts/ddos/uninstall.ddos Chmod 0700 Uninstall.ddos ./uninstall.ddos /usr/local/ddos/ddos.sh-k 30 forcibly shielded IP with a connection number greater than 30

For more instructions, please direct more/usr/local/ddos/ddos.sh view