Use iptables to set the maximum number of connection requests a single client may make within a specified time; requests beyond the limit are dropped directly.
The code is as follows:

```sh
# Record every new connection to port 80 in the "recent" list WEB, then drop a client's
# new connections once 20 of them have been seen from that address within 30 seconds.
# List names are case-sensitive, so both rules must use the same name.
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name WEB
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 20 --rttl --name WEB -j DROP
```

The above example limits a single client to 20 new connections in 30 seconds.
Configure the appropriate iptables script
The code is as follows:

```sh
#!/bin/sh
#
# define some VARs
MAX_TOTAL_SYN_RECV='1000'
MAX_PER_IP_SYN_RECV='20'    # the value was lost in the original article; 20 is a placeholder
MARK='SYN_RECV'
PORT=''                     # empty: count connections on all ports
LOGFILE="/var/log/netstat_$MARK-$PORT"
LOGFILE_IP="/var/log/netstat_connect_ip.log"
DROP_IP_LOG="/var/log/netstat_syn_drop_ip.log"
#
# iptables default rules: accept normal packets and drop bogus SYN packets
iptables -F -t filter
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p all -m state --state INVALID -j DROP
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Initialize
if [ -z "$MARK" ]; then
    MARK="LISTEN"
fi
if [ -z "$PORT" ]; then
    SPORT="tcp"
else
    SPORT=":$PORT"
fi
######################## End
#
# Save the results of command netstat to a specific file
netstat -atun | grep "$MARK" | grep "$SPORT" 2>/dev/null > "$LOGFILE"
# the foreign address is column 5; keep the IPs that appear more than once
REPEAT_CONNECT_IP=`cat "$LOGFILE" | awk '{print $5}' | cut -f1 -d':' | sort | uniq -d | tee "$LOGFILE_IP"`
# re-apply the drops recorded by earlier runs (the first column of the log is the IP)
if [ -f "$DROP_IP_LOG" ]; then
    for i in `awk '{print $1}' "$DROP_IP_LOG"`; do
        iptables -A INPUT -p all -s "$i" -j DROP
    done
fi
for i in `cat "$LOGFILE_IP"`; do
    REPEAT_CONNECT_NUM=`grep -c "$i" "$LOGFILE"`
    # Count repeat connections; if the count is larger than the default number, then drop packets
    if [ "$REPEAT_CONNECT_NUM" -gt "$MAX_PER_IP_SYN_RECV" ]; then
        echo "$i $REPEAT_CONNECT_NUM" >> "$DROP_IP_LOG"
        iptables -A INPUT -p all -s "$i" -j DROP
    fi
done
ALL_CONNECT=`uniq -u "$LOGFILE" | wc -l`
#echo $ALL_CONNECT
# Count all connections; if the total is larger than the default number, stop here
if [ "$ALL_CONNECT" -gt "$MAX_TOTAL_SYN_RECV" ]; then
    #echo $ALL_CONNECT
    exit
fi
```
3. Using shell scripts
1. Shell Script
The code is as follows:

```sh
#!/bin/bash
# Take the top 10 remote IPs by number of ESTABLISHED connections, skip the internal
# ranges 192.168.* and 127.0.*, and keep those with more than 10 connections.
# uniq -c prints "count IP", so $1 is the count and $2 is the IP.
/bin/netstat -na | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sed '/^$/d' | sort | uniq -c | sort -rn | head -n 10 | grep -v -E '192.168|127.0' | sed '/^$/d' | awk '{if ($2 != "" && $1 > 10) {print $2}}' > /tmp/dropip
for i in $(cat /tmp/dropip)
do
    /sbin/iptables -A INPUT -s $i -j DROP
    echo "$i kill at `date`" >> /var/log/ddos
done
```
2. Add execute permission
The code is as follows:

```sh
chmod +x /root/bin/dropip.sh
```
3. Add to scheduled task, execute once per minute
The code is as follows:

```sh
crontab -e
*/1 * * * * /root/bin/dropip.sh
```
Description:
The above script is simple but practical. The most important part is the second line: it takes the top 10 IPs by number of established connections, excluding the internal ranges 192.168 and 127.0, and writes them to the temporary file /tmp/dropip. The for loop then drops every IP in /tmp/dropip through iptables and appends each one to the log file /var/log/ddos.
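As an added example (not the article's own code), here is a dry-run version of the counting step used by both scripts above: it tallies ESTABLISHED connections per remote IP from constructed netstat output, excludes the internal ranges, and prints iptables commands guarded with `-C` so a cron run does not append the same DROP rule every minute. The sample lines, the threshold and the function names `offenders` and `block_commands` are assumptions.

```sh
#!/bin/sh
# Added example: count ESTABLISHED connections per remote IP from netstat-style
# output, skip the internal ranges the article excludes, list the IPs over a
# threshold, and print idempotent iptables commands. The lines are constructed.
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80          203.0.113.7:51001    ESTABLISHED
tcp        0      0 10.0.0.5:80          203.0.113.7:51002    ESTABLISHED
tcp        0      0 10.0.0.5:80          203.0.113.7:51003    ESTABLISHED
tcp        0      0 10.0.0.5:80          203.0.113.7:51004    ESTABLISHED
tcp        0      0 10.0.0.5:80          198.51.100.9:40001   ESTABLISHED
tcp        0      0 10.0.0.5:80          198.51.100.9:40002   ESTABLISHED
tcp        0      0 10.0.0.5:22          192.168.1.10:3301    ESTABLISHED
tcp        0      0 10.0.0.5:22          192.168.1.10:3302    ESTABLISHED
tcp        0      0 10.0.0.5:22          192.168.1.10:3303    ESTABLISHED
tcp        0      0 10.0.0.5:22          192.168.1.10:3304    ESTABLISHED
tcp        0      0 10.0.0.5:80          198.51.100.9:40003   TIME_WAIT
tcp        0      0 127.0.0.1:3306       127.0.0.1:50000      ESTABLISHED'

# offenders THRESHOLD: reads netstat lines on stdin and prints the remote IPs with
# more than THRESHOLD ESTABLISHED connections, busiest first.
offenders() {
    awk -v max="$1" '
        $6 == "ESTABLISHED" {
            ip = $5; sub(/:[0-9]*$/, "", ip)         # strip the port
            if (ip ~ /^(192\.168\.|127\.)/) next     # internal ranges, as in the article
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > max) print count[ip], ip }
    ' | sort -rn | awk '{print $2}'
}

# block_commands THRESHOLD: one "check, then insert" line per offender; -C fails
# when the rule is absent, so each address is added at most once across runs.
block_commands() {
    offenders "$1" | while read -r ip; do
        echo "iptables -C INPUT -s $ip -j DROP 2>/dev/null || iptables -I INPUT -s $ip -j DROP"
    done
}

printf '%s\n' "$SAMPLE_NETSTAT" | block_commands 3
```

Only 203.0.113.7 exceeds three connections in the sample; 192.168.1.10 is skipped as internal and the TIME_WAIT line is not counted.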