溫馨提示×
您好,登錄后才能下訂單哦!
點擊 登錄注冊 即表示同意《億速云用戶服務條款》
您好,登錄后才能下訂單哦!
DoS Deflate 是一個輕量級阻止拒絕服務***的bash shell腳本。我們可以根據自己需要修改特定參數,來達到目的!
安裝/卸載都很簡單,分別執行下面三步就可以了:
- wget http://www.inetbase.com/scripts/ddos/install.sh
- chmod 0700 install.sh
- ./install.sh
- wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
- chmod 0700 uninstall.ddos
- ./uninstall.ddos
- [root@localhost src]#less install.sh
- #!/bin/sh
- if [ -d '/usr/local/ddos' ]; then
- echo; echo; echo "Please un-install the previous version first"
- exit 0
- else
- mkdir /usr/local/ddos
- fi
- clear
- echo; echo 'Installing DOS-Deflate 0.6'; echo
- echo; echo -n 'Downloading source files...'
- wget -q -O /usr/local/ddos/ddos.conf http://www.inetbase.com/scripts/ddos/ddos.conf
- echo -n '.'
- wget -q -O /usr/local/ddos/LICENSE http://www.inetbase.com/scripts/ddos/LICENSE
- echo -n '.'
- wget -q -O /usr/local/ddos/ignore.ip.list http://www.inetbase.com/scripts/ddos/ignore.ip.list
- echo -n '.'
- wget -q -O /usr/local/ddos/ddos.sh http://www.inetbase.com/scripts/ddos/ddos.sh
- chmod 0755 /usr/local/ddos/ddos.sh
- cp -s /usr/local/ddos/ddos.sh /usr/local/sbin/ddos
- echo '...done'
- echo; echo -n 'Creating cron to run script every minute.....(Default setting)'
- /usr/local/ddos/ddos.sh --cron > /dev/null 2>&1
- echo '.....done'
- echo; echo 'Installation has completed.'
- echo 'Config file is at /usr/local/ddos/ddos.conf'
- echo 'Please send in your comments and/or suggestions to zaf@vsnl.com'
- echo
- cat /usr/local/ddos/LICENSE | less
從install.sh可以看出DoS Deflate安裝過程主要是下載四個文件(
ddos.conf DoS Deflate配置文件
LICENSE 說明文件
ignore.ip.list 白名單文件
ddos.sh 核心安裝腳本
)和執行/usr/local/ddos/ddos.sh --cron 這個腳本。
- [root@localhost src]# cat /usr/local/ddos/ddos.sh
- #!/bin/sh
- ##############################################################################
- # DDoS-Deflate version 0.6 Author: Zaf <zaf@vsnl.com> #
- ##############################################################################
- # This program is distributed under the "Artistic License" Agreement #
- # #
- # The LICENSE file is located in the same directory as this program. Please #
- # read the LICENSE file before you make copies or distribute this program #
- ##############################################################################
- load_conf()
- {
- CONF="/usr/local/ddos/ddos.conf"
- if [ -f "$CONF" ] && [ ! "$CONF" == "" ]; then
- source $CONF
- else
- head
- echo "\$CONF not found."
- exit 1
- fi
- }
- ##加載配置文件/usr/local/ddos/ddos.conf
- head()
- {
- echo "DDoS-Deflate version 0.6"
- echo "Copyright (C) 2005, Zaf <zaf@vsnl.com>"
- echo
- }
- ##顯示版本,作者信息
- showhelp()
- {
- head
- echo 'Usage: ddos.sh [OPTIONS] [N]'
- echo 'N : number of tcp/udp connections (default 150)'
- echo 'OPTIONS:'
- echo '-h | --help: Show this help screen'
- echo '-c | --cron: Create cron job to run this script regularly (default 1 mins)'
- echo '-k | --kill: Block the offending ip making more than N connections'
- }
- ##顯示使用方式
- unbanip()
- {
- UNBAN_SCRIPT=`mktemp /tmp/unban.XXXXXXXX`
- TMP_FILE=`mktemp /tmp/unban.XXXXXXXX`
- UNBAN_IP_LIST=`mktemp /tmp/unban.XXXXXXXX`
- echo '#!/bin/sh' > $UNBAN_SCRIPT
- echo "sleep $BAN_PERIOD" >> $UNBAN_SCRIPT
- if [ $APF_BAN -eq 1 ]; then
- while read line; do
- echo "$APF -u $line" >> $UNBAN_SCRIPT
- echo $line >> $UNBAN_IP_LIST
- done < $BANNED_IP_LIST
- else
- while read line; do
- echo "$IPT -D INPUT -s $line -j DROP" >> $UNBAN_SCRIPT
- echo $line >> $UNBAN_IP_LIST
- done < $BANNED_IP_LIST
- fi
- echo "grep -v --file=$UNBAN_IP_LIST $IGNORE_IP_LIST > $TMP_FILE" >> $UNBAN_SCRIPT
- echo "mv $TMP_FILE $IGNORE_IP_LIST" >> $UNBAN_SCRIPT
- echo "rm -f $UNBAN_SCRIPT" >> $UNBAN_SCRIPT
- echo "rm -f $UNBAN_IP_LIST" >> $UNBAN_SCRIPT
- echo "rm -f $TMP_FILE" >> $UNBAN_SCRIPT
- . $UNBAN_SCRIPT &
- }
- ##用于取消已經被禁止訪問的ip
- add_to_cron()
- {
- rm -f $CRON
- sleep 1
- service crond restart
- sleep 1
- echo "SHELL=/bin/sh" > $CRON
- if [ $FREQ -le 2 ]; then
- echo "0-59/$FREQ * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1" >> $CRON
- else
- let "START_MINUTE = $RANDOM % ($FREQ - 1)"
- let "START_MINUTE = $START_MINUTE + 1"
- let "END_MINUTE = 60 - $FREQ + $START_MINUTE"
- echo "$START_MINUTE-$END_MINUTE/$FREQ * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1" >> $CRON
- fi
- service crond restart
- }
- ##執行主程序,生成crontab,在安裝的時候執行一次
- load_conf
- while [ $1 ]; do
- case $1 in
- '-h' | '--help' | '?' )
- showhelp
- exit
- ;;
- '--cron' | '-c' )
- add_to_cron
- exit
- ;;
- '--kill' | '-k' )
- KILL=1
- ;;
- *[0-9]* )
- NO_OF_CONNECTIONS=$1
- ;;
- * )
- showhelp
- exit
- ;;
- esac
- shift
- done
- TMP_PREFIX='/tmp/ddos'
- TMP_FILE="mktemp $TMP_PREFIX.XXXXXXXX"
- BANNED_IP_MAIL=`$TMP_FILE`
- BANNED_IP_LIST=`$TMP_FILE`
- echo "Banned the following ip addresses on `date`" > $BANNED_IP_MAIL
- echo >> $BANNED_IP_MAIL
- BAD_IP_LIST=`$TMP_FILE`
- netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST
- cat $BAD_IP_LIST
- if [ $KILL -eq 1 ]; then
- IP_BAN_NOW=0
- while read line; do
- CURR_LINE_CONN=$(echo $line | cut -d" " -f1)
- CURR_LINE_IP=$(echo $line | cut -d" " -f2)
- if [ $CURR_LINE_CONN -lt $NO_OF_CONNECTIONS ]; then
- break
- fi
- IGNORE_BAN=`grep -c $CURR_LINE_IP $IGNORE_IP_LIST`
- if [ $IGNORE_BAN -ge 1 ]; then
- continue
- fi
- IP_BAN_NOW=1
- echo "$CURR_LINE_IP with $CURR_LINE_CONN connections" >> $BANNED_IP_MAIL
- echo $CURR_LINE_IP >> $BANNED_IP_LIST
- echo $CURR_LINE_IP >> $IGNORE_IP_LIST
- if [ $APF_BAN -eq 1 ]; then
- $APF -d $CURR_LINE_IP
- else
- $IPT -I INPUT -s $CURR_LINE_IP -j DROP
- fi
- done < $BAD_IP_LIST
- if [ $IP_BAN_NOW -eq 1 ]; then
- dt=`date`
- if [ $EMAIL_TO != "" ]; then
- cat $BANNED_IP_MAIL | mail -s "IP addresses banned on $dt" $EMAIL_TO
- fi
- unbanip
- fi
- fi
- rm -f $TMP_PREFIX.*
整個腳本判斷的根據通過單個ip連接數,然后根據/usr/local/ddos/ddos.conf里面定義的NO_OF_CONNECTIONS的值判斷有沒有達到drop條件,如果達到再根據里面定義(APF_BAN默認是APF,如需要iptables需要改)使用:iptables或者APF來drop掉這個ip地址,讓它在規定的時間內(由BAN_PERIOD定義)無法訪問該服務器。可以看出整個腳本如果使用iptables過濾的話是很簡單的,完全自己可以寫一個腳本來實現上面功能。
- #!/bin/bash
- NO_OF_CONNECTIONS=100
- BLACKLIST=/var/tmp/black
- WHITELIST=/var/tmp/white
- #cat ${ACCCESS_LOG} | awk '{print $1}' | sort | uniq -c | sort -r -n | head -n 200 >> my_check
- if [ ! -f ${BLACKLIST} ]; then
- touch ${BLACKLIST}
- fi
- if [ ! -f ${WHITELIST} ]; then
- touch ${WHITELIST}
- fi
- while read Num Ipaddr ;do
- if [ $(grep -c $Ipaddr ${WHITELIST}) -ne 0 ]; then
- echo 'Allow IP:' $Ipaddr
- continue
- fi
- if [ $(grep -c $Ipaddr ${BLACKLIST}) -eq 0 ] ; then
- if [ $Num -gt $NO_OF_CONNECTIONS ];then
- echo 'Deny IP:' $Ipaddr
- echo $Ipaddr >> ${BLACKLIST}
- iptables -I INPUT -p tcp --dport 80 -s $Ipaddr -j DROP
- fi
- fi
- done <<-'EOF'
- `netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr`
- EOF
只是上面的腳本少了解封被禁止的ip過程,我個人認為解封沒有太大意義.無論是DoS Deflate或者是上面我自己寫的腳本,最重要的都是NO_OF_CONNECTIONS值設置。
iptables
iptables 四表五鏈
- iptables(nat,filter,mangle,raw)(INPUT,FORWARD,OUTPUT,PREROUTING,POSTROUTING)
- filter: INPUT, OUTPUT, FORWARD
- nat: PREROUTING, POSTROUTING, OUTPUT
- mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
- 規則管理類:
- -A
- -I
- -D
- -R
- 鏈接管理類:
- -F, flush, 清空鏈
- -N, new, 新建鏈
- -X, delete, 刪除自定義的空鏈
- -E, rename
- 默認策略:
- -P, policy
- 清空計數器:
- -Z, zero
- 每條規則(包括默認策略)都有兩個計數器:
- 被此規則匹配到的所有數據包的個數;
- 被此規則匹配到的所有數據包的大小之和;
- 查看類:
- -L, list
- -n, numeric
- -v, verbose
- -vv
- -vvv
- -x, exactly
- --line-numbers
- 基本匹配:
- -s SOURCE:IP, NETWORK
- -d DESTINATION:IP, NETWORK
- -p {tcp|udp|icmp}
- -i INTERFACE
- -o INTERFACE
- 擴展匹配:(調用iptables的模塊,以便擴展iptables的匹配功能, -m)
- 隱含擴展
- -p tcp
- --sport PORT
- --dport PORT
- --tcp-flags ACK,SYN,RST,FIN SYN = --syn
- --tcp-flags ACK,SYN,RST,FIN SYN,ACK,RST,FIN
- --sport 22:23
- -p UDP
- --sport PORT
- --dport PORT
- -p icmp
- --icmp-type
- 8: echo-request
- 0: echo-reply
- 顯式擴展:
- -m state --state NEW
- NEW
- ESTABLISHED
- INVALID
- RELATED
- -m multiport
- --source-ports 22,53,80
- --destination-ports
- --ports
- -m iprange
- --src-range
- --dst-range
- -m limit
- --limit
- --limit-burst
- -m string
- --algo bm|kmp
- --string "STRING"
- 處理動作
- -j
- ACCEPT
- DROP
- REJECT
- SNAT
- DNAT
- REDIRECT
- NASQUERADE
基本操作舉例:
- iptables -F ##清空所有的鏈中的規則-F 僅僅是清空鏈中規則,并不影響 -P 設置的默認規則 ,故使用這條命令一定要小心。
- iptables -t nat -F PREROUTING ##把nat表中的PREROUTING鏈中的規則清空
- iptables -t filter -A INPUT -s 172.16.0.0/16 -p udp --dport 53 -j DROP ##A插入一條規則默認放在最后一條
- iptables -t filter -I INPUT -s 172.16.0.0/16 -p udp --dport 53 -j DROP ##I插入一條規則默認放在第一條
- iptables -t filter -I INPUT 3 -s 172.16.0.0/16 -p udp --dport 53 -j DROP ##插入一條規則放在第三條
- iptables -L -n --line-numbers ##查看iptables規則,并在每條規則前顯示行號。
- iptables -D INPUT 5 ## 刪除INPUT 鏈的第五條規則
- iptables -t nat -A PREROUTING -d 1.1.1.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.103:8080##DNAT
自定義鏈應用:(先定義一個自定義鏈clean_in,然后把自定義鏈關聯到主鏈上)
- iptables -N clean_in
- iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP
- iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP
- iptables -A clean_in -p tcp ! --syn -m state --state NEW -j DROP
- iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP
- iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP
- iptables -A clean_in -d 172.16.100.1 -j RETURN
- iptables -A INPUT -d 172.16.100.1 -j clean_in
iptables高級應用:(使用iptables前需要了解tcp連接/斷開過程和ip報文頭部結構,tcp數據包頭結構。)
##服務器(本地ip192.168.1.103)只允許22,53,80,443端口和本機通迅并拒絕本機向外主動發起請求(防C/S******)
- iptables -I INPUT 1 -m state --state ESTABLISHED -j ACCEPT
- iptables -A INPUT -d 192.168.1.103 -p tcp -m multiport --destination-ports 22,53,80,443 -m state --state NEW -j ACCEPT
- iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
- iptables -P INPUT DROP
- iptables -P OUTPUT DROP
##連接數限定(設置ssh連接單個ip不能超過2個,利用recent和state模塊限制單IP在300s內只能與本機建立3個新連接。被限制五分鐘后即可恢復訪問。常用于防ddos***)
- iptables -I INPUT 1 -m state --state ESTABLISHED -j ACCEPT
- iptables -I INPUT 2 -d 192.168.1.103 -p tcp --dport 22 -m state --state NEW -m connlimit ! --connlimit-above 2 -j ACCEPT
- iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
- iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 2 --name SSH -j DROP
- iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
- iptables -P INPUT DROP
- iptables -P OUTPUT DROP
##匹配數據包數限制(--limit 平均速率,--limit-burst峰值速率)
- iptables -I INPUT 1 -m state --state ESTABLISHED -j ACCEPT
- iptables -A INPUT -d 202.75.219.205 -p tcp --dport 80 -m state --state NEW -m limit --limit 30/second --limit-burst 50 -j ACCEPT
- iptables -A INPUT -d 202.75.219.205 -p tcp -m state --state NEW -m multiport --destination-ports 22,53,80,443 -j ACCEPT
- iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
- iptables -P INPUT DROP
- iptables -P OUTPUT DROP
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。
