DoSDeflateIptables
DoS Deflate 是一个轻量级阻止拒绝服务***的bash shell脚本。我们可以根据自己需要修改特定参数,来达到目的!
安装/卸载都很简单,分别执行下面三步就可以了:
目前创新互联公司已为近1000家的企业提供了网站建设、域名、虚拟主机、网站托管、服务器租用、企业网站设计、京口网站维护等服务,公司将坚持客户导向、应用为本的策略,正道将秉承"和谐、参与、激情"的文化,与客户和合作伙伴齐心协力一起成长,共同发展。
- wget http://www.inetbase.com/scripts/ddos/install.sh
- chmod 0700 install.sh
- ./install.sh
- wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
- chmod 0700 uninstall.ddos
- ./uninstall.ddos
- [root@localhost src]#less install.sh
- #!/bin/sh
- if [ -d '/usr/local/ddos' ]; then
- echo; echo; echo "Please un-install the previous version first"
- exit 0
- else
- mkdir /usr/local/ddos
- fi
- clear
- echo; echo 'Installing DOS-Deflate 0.6'; echo
- echo; echo -n 'Downloading source files...'
- wget -q -O /usr/local/ddos/ddos.conf http://www.inetbase.com/scripts/ddos/ddos.conf
- echo -n '.'
- wget -q -O /usr/local/ddos/LICENSE http://www.inetbase.com/scripts/ddos/LICENSE
- echo -n '.'
- wget -q -O /usr/local/ddos/ignore.ip.list http://www.inetbase.com/scripts/ddos/ignore.ip.list
- echo -n '.'
- wget -q -O /usr/local/ddos/ddos.sh http://www.inetbase.com/scripts/ddos/ddos.sh
- chmod 0755 /usr/local/ddos/ddos.sh
- cp -s /usr/local/ddos/ddos.sh /usr/local/sbin/ddos
- echo '...done'
- echo; echo -n 'Creating cron to run script every minute.....(Default setting)'
- /usr/local/ddos/ddos.sh --cron > /dev/null 2>&1
- echo '.....done'
- echo; echo 'Installation has completed.'
- echo 'Config file is at /usr/local/ddos/ddos.conf'
- echo 'Please send in your comments and/or suggestions to zaf@vsnl.com'
- echo
- cat /usr/local/ddos/LICENSE | less
从install.sh可以看出DoS Deflate安装过程主要是下载四个文件(
ddos.conf DoS Deflate配置文件
LICENSE 说明文件
ignore.ip.list 白名单文件
ddos.sh 核心安装脚本
)和执行/usr/local/ddos/ddos.sh --cron 这个脚本。
- [root@localhost src]# cat /usr/local/ddos/ddos.sh
- #!/bin/sh
- ##############################################################################
- # DDoS-Deflate version 0.6 Author: Zaf
# - ##############################################################################
- # This program is distributed under the "Artistic License" Agreement #
- # #
- # The LICENSE file is located in the same directory as this program. Please #
- # read the LICENSE file before you make copies or distribute this program #
- ##############################################################################
- load_conf()
- {
- CONF="/usr/local/ddos/ddos.conf"
- if [ -f "$CONF" ] && [ ! "$CONF" == "" ]; then
- source $CONF
- else
- head
- echo "\$CONF not found."
- exit 1
- fi
- }
- ##加载配置文件/usr/local/ddos/ddos.conf
- head()
- {
- echo "DDoS-Deflate version 0.6"
- echo "Copyright (C) 2005, Zaf
" - echo
- }
- ##显示版本,作者信息
- showhelp()
- {
- head
- echo 'Usage: ddos.sh [OPTIONS] [N]'
- echo 'N : number of tcp/udp connections (default 150)'
- echo 'OPTIONS:'
- echo '-h | --help: Show this help screen'
- echo '-c | --cron: Create cron job to run this script regularly (default 1 mins)'
- echo '-k | --kill: Block the offending ip making more than N connections'
- }
- ##显示使用方式
- unbanip()
- {
- UNBAN_SCRIPT=`mktemp /tmp/unban.XXXXXXXX`
- TMP_FILE=`mktemp /tmp/unban.XXXXXXXX`
- UNBAN_IP_LIST=`mktemp /tmp/unban.XXXXXXXX`
- echo '#!/bin/sh' > $UNBAN_SCRIPT
- echo "sleep $BAN_PERIOD" >> $UNBAN_SCRIPT
- if [ $APF_BAN -eq 1 ]; then
- while read line; do
- echo "$APF -u $line" >> $UNBAN_SCRIPT
- echo $line >> $UNBAN_IP_LIST
- done < $BANNED_IP_LIST
- else
- while read line; do
- echo "$IPT -D INPUT -s $line -j DROP" >> $UNBAN_SCRIPT
- echo $line >> $UNBAN_IP_LIST
- done < $BANNED_IP_LIST
- fi
- echo "grep -v --file=$UNBAN_IP_LIST $IGNORE_IP_LIST > $TMP_FILE" >> $UNBAN_SCRIPT
- echo "mv $TMP_FILE $IGNORE_IP_LIST" >> $UNBAN_SCRIPT
- echo "rm -f $UNBAN_SCRIPT" >> $UNBAN_SCRIPT
- echo "rm -f $UNBAN_IP_LIST" >> $UNBAN_SCRIPT
- echo "rm -f $TMP_FILE" >> $UNBAN_SCRIPT
- . $UNBAN_SCRIPT &
- }
- ##用于取消已经被禁止访问的ip
- add_to_cron()
- {
- rm -f $CRON
- sleep 1
- service crond restart
- sleep 1
- echo "SHELL=/bin/sh" > $CRON
- if [ $FREQ -le 2 ]; then
- echo "0-59/$FREQ * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1" >> $CRON
- else
- let "START_MINUTE = $RANDOM % ($FREQ - 1)"
- let "START_MINUTE = $START_MINUTE + 1"
- let "END_MINUTE = 60 - $FREQ + $START_MINUTE"
- echo "$START_MINUTE-$END_MINUTE/$FREQ * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1" >> $CRON
- fi
- service crond restart
- }
- ##执行主程序,生成crontab,在安装的时候执行一次
- load_conf
- while [ $1 ]; do
- case $1 in
- '-h' | '--help' | '?' )
- showhelp
- exit
- ;;
- '--cron' | '-c' )
- add_to_cron
- exit
- ;;
- '--kill' | '-k' )
- KILL=1
- ;;
- *[0-9]* )
- NO_OF_CONNECTIONS=$1
- ;;
- * )
- showhelp
- exit
- ;;
- esac
- shift
- done
- TMP_PREFIX='/tmp/ddos'
- TMP_FILE="mktemp $TMP_PREFIX.XXXXXXXX"
- BANNED_IP_MAIL=`$TMP_FILE`
- BANNED_IP_LIST=`$TMP_FILE`
- echo "Banned the following ip addresses on `date`" > $BANNED_IP_MAIL
- echo >> $BANNED_IP_MAIL
- BAD_IP_LIST=`$TMP_FILE`
- netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST
- cat $BAD_IP_LIST
- if [ $KILL -eq 1 ]; then
- IP_BAN_NOW=0
- while read line; do
- CURR_LINE_CONN=$(echo $line | cut -d" " -f1)
- CURR_LINE_IP=$(echo $line | cut -d" " -f2)
- if [ $CURR_LINE_CONN -lt $NO_OF_CONNECTIONS ]; then
- break
- fi
- IGNORE_BAN=`grep -c $CURR_LINE_IP $IGNORE_IP_LIST`
- if [ $IGNORE_BAN -ge 1 ]; then
- continue
- fi
- IP_BAN_NOW=1
- echo "$CURR_LINE_IP with $CURR_LINE_CONN connections" >> $BANNED_IP_MAIL
- echo $CURR_LINE_IP >> $BANNED_IP_LIST
- echo $CURR_LINE_IP >> $IGNORE_IP_LIST
- if [ $APF_BAN -eq 1 ]; then
- $APF -d $CURR_LINE_IP
- else
- $IPT -I INPUT -s $CURR_LINE_IP -j DROP
- fi
- done < $BAD_IP_LIST
- if [ $IP_BAN_NOW -eq 1 ]; then
- dt=`date`
- if [ $EMAIL_TO != "" ]; then
- cat $BANNED_IP_MAIL | mail -s "IP addresses banned on $dt" $EMAIL_TO
- fi
- unbanip
- fi
- fi
- rm -f $TMP_PREFIX.*
整个脚本判断的根据通过单个ip连接数,然后根据/usr/local/ddos/ddos.conf里面定义的NO_OF_CONNECTIONS的值判断有没有达到drop条件,如果达到再根据里面定义(APF_BAN默认是APF,如需要iptables需要改)使用:iptables或者APF来drop掉这个ip地址,让它在规定的时间内(由BAN_PERIOD定义)无法访问该服务器。可以看出整个脚本如果使用iptables过滤的话是很简单的,完全自己可以写一个脚本来实现上面功能。
- #!/bin/bash
- NO_OF_CONNECTIONS=100
- BLACKLIST=/var/tmp/black
- WHITELIST=/var/tmp/white
- #cat ${ACCCESS_LOG} | awk '{print $1}' | sort | uniq -c | sort -r -n | head -n 200 >> my_check
- if [ ! -f ${BLACKLIST} ]; then
- touch ${BLACKLIST}
- fi
- if [ ! -f ${WHITELIST} ]; then
- touch ${WHITELIST}
- fi
- while read Num Ipaddr ;do
- if [ $(grep -c $Ipaddr ${WHITELIST}) -ne 0 ]; then
- echo 'Allow IP:' $Ipaddr
- continue
- fi
- if [ $(grep -c $Ipaddr ${BLACKLIST}) -eq 0 ] ; then
- if [ $Num -gt $NO_OF_CONNECTIONS ];then
- echo 'Deny IP:' $Ipaddr
- echo $Ipaddr >> ${BLACKLIST}
- iptables -I INPUT -p tcp --dport 80 -s $Ipaddr -j DROP
- fi
- fi
- done <<-'EOF'
- `netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr`
- EOF
只是上面的脚本少了解封被禁止的ip过程,我个人认为解封没有太大意义.无论是DoS Deflate或者是上面我自己写的脚本,最重要的都是NO_OF_CONNECTIONS值设置。
iptables
iptables 四表五链
- iptables(nat,filter,mangle,raw)(INPUT,FORWARD,OUTPUT,PREROUTING,POSTROUTING)
- filter: INPUT, OUTPUT, FORWARD
- nat: PREROUTING, POSTROUTING, OUTPUT
- mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
- 规则管理类:
- -A
- -I
- -D
- -R
- 链接管理类:
- -F, flush, 清空链
- -N, new, 新建链
- -X, delete, 删除自定义的空链
- -E, rename
- 默认策略:
- -P, policy
- 清空计数器:
- -Z, zero
- 每条规则(包括默认策略)都有两个计数器:
- 被此规则匹配到的所有数据包的个数;
- 被此规则匹配到的所有数据包的大小之和;
- 查看类:
- -L, list
- -n, numeric
- -v, verbose
- -vv
- -vvv
- -x, exactly
- --line-numbers
- 基本匹配:
- -s SOURCE:IP, NETWORK
- -d DESTINATION:IP, NETWORK
- -p {tcp|udp|icmp}
- -i INTERFACE
- -o INTERFACE
- 扩展匹配:(调用iptables的模块,以便扩展iptables的匹配功能, -m)
- 隐含扩展
- -p tcp
- --sport PORT
- --dport PORT
- --tcp-flags ACK,SYN,RST,FIN SYN = --syn
- --tcp-flags ACK,SYN,RST,FIN SYN,ACK,RST,FIN
- --sport 22:23
- -p UDP
- --sport PORT
- --dport PORT
- -p icmp
- --icmp-type
- 8: echo-request
- 0: echo-reply
- 显式扩展:
- -m state --state NEW
- NEW
- ESTABLISHED
- INVALID
- RELATED
- -m multiport
- --source-ports 22,53,80
- --destination-ports
- --ports
- -m iprange
- --src-range
- --dst-range
- -m limit
- --limit
- --limit-burst
- -m string
- --algo bm|kmp
- --string "STRING"
- 处理动作
- -j
- ACCEPT
- DROP
- REJECT
- SNAT
- DNAT
- REDIRECT
- NASQUERADE
基本操作举例:
- iptables -F ##清空所有的链中的规则-F 仅仅是清空链中规则,并不影响 -P 设置的默认规则 ,故使用这条命令一定要小心。
- iptables -t nat -F PREROUTING ##把nat表中的PREROUTING链中的规则清空
- iptables -t filter -A INPUT -s 172.16.0.0/16 -p udp --dport 53 -j DROP ##A插入一条规则默认放在最后一条
- iptables -t filter -I INPUT -s 172.16.0.0/16 -p udp --dport 53 -j DROP ##I插入一条规则默认放在第一条
- iptables -t filter -I INPUT 3 -s 172.16.0.0/16 -p udp --dport 53 -j DROP ##插入一条规则放在第三条
- iptables -L -n --line-numbers ##查看iptables规则,并在每条规则前显示行号。
- iptables -D INPUT 5 ## 删除INPUT 链的第五条规则
- iptables -t nat -A PREROUTING -d 1.1.1.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.103:8080##DNAT
自定义链应用:(先定义一个自定义链clean_in,然后把自定义链关联到主链上)
- iptables -N clean_in
- iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP
- iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP
- iptables -A clean_in -p tcp ! --syn -m state --state NEW -j DROP
- iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP
- iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP
- iptables -A clean_in -d 172.16.100.1 -j RETURN
- iptables -A INPUT -d 172.16.100.1 -j clean_in
iptables高级应用:(使用iptables前需要了解tcp连接/断开过程和ip报文头部结构,tcp数据包头结构。)
##服务器(本地ip192.168.1.103)只允许22,53,80,443端口和本机通迅并拒绝本机向外主动发起请求(防C/S******)
- iptables -I INPUT 1 -m state --state ESTABLISHED -j ACCEPT
- iptables -A INPUT -d 192.168.1.103 -p tcp -m multiport --destination-ports 22,53,80,443 -m state --state NEW -j ACCEPT
- iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
- iptables -P INPUT DROP
- iptables -P OUTPUT DROP
##连接数限定(设置ssh连接单个ip不能超过2个,利用recent和state模块限制单IP在300s内只能与本机建立3个新连接。被限制五分钟后即可恢复访问。常用于防ddos***)
- iptables -I INPUT 1 -m state --state ESTABLISHED -j ACCEPT
- iptables -I INPUT 2 -d 192.168.1.103 -p tcp --dport 22 -m state --state NEW -m connlimit ! --connlimit-above 2 -j ACCEPT
- iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
- iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 2 --name SSH -j DROP
- iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
- iptables -P INPUT DROP
- iptables -P OUTPUT DROP
##匹配数据包数限制(--limit 平均速率,--limit-burst峰值速率)
- iptables -I INPUT 1 -m state --state ESTABLISHED -j ACCEPT
- iptables -A INPUT -d 202.75.219.205 -p tcp --dport 80 -m state --state NEW -m limit --limit 30/second --limit-burst 50 -j ACCEPT
- iptables -A INPUT -d 202.75.219.205 -p tcp -m state --state NEW -m multiport --destination-ports 22,53,80,443 -j ACCEPT
- iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
- iptables -P INPUT DROP
- iptables -P OUTPUT DROP
网页题目:DoSDeflateIptables
标题网址:http://azwzsj.com/article/jjcsgd.html