Hello everyone
I am anzai.
QQ8497054
Some time ago, my server came under DDoS attacks. Currently, only source IP addresses can be blocked for the time being. It is a nightmare to add IP addresses manually without changing the source, so I thought of a way to do it with a shell script.
It's easy to use. At least I think it's good.
1. Write the script
mkdir /root/bin
vi /root/bin/dropip.sh
#!/bin/bash
# Take the 10 remote IPs with the most ESTABLISHED connections, skip the internal
# 192.168.x / 127.0.x ranges, and keep only those with more than 4 connections
/bin/netstat -na | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -rn | head -10 | grep -v -E '192.168|127.0' | awk '{if ($2 != "" && $1 > 4) {print $2}}' > /tmp/dropip
# Drop every address listed in /tmp/dropip and append it to the log
for i in $(cat /tmp/dropip)
do
    /sbin/iptables -A INPUT -s "$i" -j DROP
    echo "$i kill at $(date)" >> /var/log/ddos
done
2. Add execution permission
chmod +x /root/bin/dropip.sh
3. Add it to the scheduled tasks so that it runs every minute
crontab -e
*/1 * * * * /root/bin/dropip.sh
Note:
The most important part is the second line of the script: the first 10 IP addresses with the highest number of ESTABLISHED connections are obtained and written to the temporary file /tmp/dropip, excluding the internal IP segments starting with 192.168 or 127.0. The for loop then drops all the IP addresses in dropip through iptables and writes them to the log file /var/log/ddos.
Cool and cool
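The following is an added example, not the poster's script, showing the same idea in a form that can be tried offline: it ranks remote IPv4 addresses by ESTABLISHED connection count from netstat-style lines, skips loopback and all RFC 1918 ranges (the post only skips 192.168 and 127.0; 10/8 and 172.16/12 are added here), and only emits a DROP rule for an address that is over the threshold and not already blocked, which avoids the duplicate rules the original would append every minute. The function names (sample_netstat, offenders, block_ip, run_once), the variables THRESHOLD, DRY_RUN and LOGFILE, and the TEST-NET addresses in the sample are all assumptions for this example; by default it only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example (not the original poster's script). Counts ESTABLISHED
# connections per remote IPv4 address, ignores internal ranges, and blocks
# addresses above THRESHOLD without adding a rule twice. DRY_RUN=1 (default)
# prints the commands instead of calling iptables.

THRESHOLD=${THRESHOLD:-4}          # same cut-off as the original ($1 > 4)
DRY_RUN=${DRY_RUN:-1}              # 1 = print only; 0 = apply with iptables
LOGFILE=${LOGFILE:-/tmp/ddos.log}  # assumed path; the post used /var/log/ddos

# Constructed sample in the layout of `netstat -na` (Proto Recv-Q Send-Q
# Local Foreign State). 203.0.113.9 has 6 ESTABLISHED connections (plus one
# TIME_WAIT that must not count), 198.51.100.4 has 2, 192.168.1.20 has 5
# (internal, must be skipped), and one loopback connection.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 10.0.0.5:80     203.0.113.9:51001    ESTABLISHED
tcp        0      0 10.0.0.5:80     203.0.113.9:51002    ESTABLISHED
tcp        0      0 10.0.0.5:80     203.0.113.9:51003    ESTABLISHED
tcp        0      0 10.0.0.5:80     203.0.113.9:51004    ESTABLISHED
tcp        0      0 10.0.0.5:80     203.0.113.9:51005    ESTABLISHED
tcp        0      0 10.0.0.5:80     203.0.113.9:51006    ESTABLISHED
tcp        0      0 10.0.0.5:80     203.0.113.9:51007    TIME_WAIT
tcp        0      0 10.0.0.5:443    198.51.100.4:40001   ESTABLISHED
tcp        0      0 10.0.0.5:443    198.51.100.4:40002   ESTABLISHED
tcp        0      0 10.0.0.5:22     192.168.1.20:33001   ESTABLISHED
tcp        0      0 10.0.0.5:22     192.168.1.20:33002   ESTABLISHED
tcp        0      0 10.0.0.5:22     192.168.1.20:33003   ESTABLISHED
tcp        0      0 10.0.0.5:22     192.168.1.20:33004   ESTABLISHED
tcp        0      0 10.0.0.5:22     192.168.1.20:33005   ESTABLISHED
tcp        0      0 127.0.0.1:3306  127.0.0.1:45000      ESTABLISHED
EOF
}

# Reads netstat output on stdin; prints "count ip" for every remote IPv4
# address with more than THRESHOLD ESTABLISHED connections, highest first.
# Loopback, 10/8, 172.16/12 and 192.168/16 are excluded; IPv6 rows are skipped.
offenders() {
    awk -v thr="$THRESHOLD" '
        $6 == "ESTABLISHED" && $5 ~ /^[0-9.]+:[0-9]+$/ {
            split($5, a, ":")        # drop the port
            ip = a[1]
            if (ip ~ /^127\./ || ip ~ /^10\./ || ip ~ /^192\.168\./) next
            if (ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
            n[ip]++
        }
        END { for (ip in n) if (n[ip] > thr) print n[ip], ip }
    ' | sort -rn
}

# Blocks one source address. iptables -C checks whether the identical rule is
# already present, so a repeated run does not stack duplicate rules.
block_ip() {
    ip=$1
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: iptables -A INPUT -s $ip -j DROP"
        return 0
    fi
    iptables -C INPUT -s "$ip" -j DROP 2>/dev/null && return 0
    iptables -A INPUT -s "$ip" -j DROP && echo "$ip blocked at $(date)" >> "$LOGFILE"
}

# One pass over a netstat snapshot read from stdin: blocks each offender
# (messages go to stderr) and prints the offending IPs, one per line.
run_once() {
    offenders | while read -r count ip; do
        block_ip "$ip" >&2
        echo "$ip"
    done
}

# Stand-alone run on the constructed sample.
sample_netstat | run_once
```

To use it on a live host, replace `sample_netstat |` with `/bin/netstat -na |` (or `ss -tan`, which has a different column layout and would need the awk field numbers adjusted) and run with DRY_RUN=0 as root from cron, as in the post.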