Linux defense Small Scale DDoS attack configuration method

Source: Internet
Author: User
Tags chmod time interval iptables

Defense principle
The principle of DDoS deflate is to use the netstat command to find a single IP that emits an excessive amount of connectivity and to reject the IP using the iptables firewall. Because the iptables firewall is far more efficient than the Apache-level connection, the iptables becomes the "filter" that runs on the Apache front end. Similarly, DDoS deflate can also be set up to use APF (advanced firewall) for IP blocking.

How do I determine a DDoS attack?

Perform:

Shell

Netstat-ntu | awk ' {print $} ' | Cut-d:-f1 | Sort | uniq-c | Sort-n


A few, more than 10, or dozens of connections per IP are fairly normal, and if hundreds of thousands of them seem to be out of the ordinary.

1. Install DDoS deflate

The code is as follows Copy Code

wget http://www.inetbase.com/scripts/ddos/install.sh//download DDoS deflate
Chmod 0700 install.sh//Add Permissions
./install.sh//Executive


2. Configure DDoS Deflate

The following is the default configuration of the DDoS deflate located in/usr/local/ddos/ddos.conf, which reads as follows:

The code is as follows Copy Code

##### Paths of the script and other files
Progdir= "/usr/local/ddos"
Prog= "/usr/local/ddos/ddos.sh"
Ignore_ip_list= "/usr/local/ddos/ignore.ip.list"//IP address white list
cron= "/etc/cron.d/ddos.cron"//Timed execution procedure
apf= "/etc/apf/apf"
ipt= "/sbin/iptables"

##### frequency in minutes for running the script
##### caution:every time This setting are changed, run the script with--cron
##### option so the new frequency takes effect
Freq=1//Check time interval, default 1 minutes

##### How many connections define a bad IP? indicate that below.
no_of_connections=150//Maximum number of connections, more than this number of IP will be blocked, the general default can be

##### apf_ban=1 (Make sure your APF version is atleast 0.96)
##### apf_ban=0 (Uses iptables for banning IPs instead of APF)
Apf_ban=1//using APF or iptables. It is recommended to use Iptables to change the value of Apf_ban to 0.

##### kill=0 (Bad IPs are ' NT banned, good for interactive execution of script)
##### kill=1 (recommended setting)
Kill=1//Whether shielding IP, the default can

##### an email was sent to the following address when a IP is banned.
##### Blank would suppress sending of mails
email_to= "root"///when IP is blocked to send mail to the specified mailbox, recommended to use, change your own mailbox can

##### number of seconds the banned IP should remain in blacklist.
ban_period=600//Disable IP time, default 600 seconds, can be adjusted according to the situation

The user can modify the configuration file according to the comment content that is added to the default profile.

Unloading

The code is as follows Copy Code

wget Http://www.inetbase.com/scripts/ddos/uninstall.ddos
Chmod 0700 Uninstall.ddos
./uninstall.ddos


/usr/local/ddos/ddos.sh-k 30 forcibly shielded IP with a connection number greater than 30

For more instructions, please direct more/usr/local/ddos/ddos.sh view

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.