|
|
嚜
Linux撘瑕之iptables嚗銝槐pt_recentmodule嚗賡餅DDoS餅
; G; o: @: H: ^靘憒嚗雿臭誑啣銝chain嚗 iptables -N WEB_SRV_DOS ":WEB_SRV_DOS - [0:0]"
* }/ \% ?/ S6 Y, m9 ?嗅嚗其誑銝隞歹60蝘吩it port 80/443頞10甈∠IP餅銝西銝靘嚗
" W" P' \! d: o) v& Z% ]9 P2 k- z- iptables -A INPUT -p tcp -m multiport dports 80,443 -j WEB_SRV_DOS
- iptables -A WEB_SRV_DOS -p tcp --syn -m multiport --dports 80,443 -m recent --rcheck --second 60 --hitcount 10 -j LOG --log-prefix "[Possible DOS Attack]"
- iptables -A WEB_SRV_DOS -p tcp --syn -m multiport --dports 80,443 -m recent --rcheck --second 60 --hitcount 10 -j REJECT
- iptables -A WEB_SRV_DOS -p tcp --syn -m multiport --dports 80,443 -m recent --set
- iptables -A WEB_SRV_DOS -p tcp -m multiport --dports 80,443 -j ACCEPT
憒雿dmesg唬憿航炊嚗 # }) M9 d$ q! a- J! G
hitcount (200) is larger than packets to be remembered (20)
* X; U; ]6 g& W! C+ f0 e0 j/ Y銵函內雿閮剖閬閮蝞甈⊥詨之履pt_recent閮剖銝嚗舫隤踵惺pt_recent moduleip_pkt_list_tot訾閫瘙箝 u% y$ f% G5 ], M0 j! R
* O& A9 P$ |! ?6 r皜祈岫銝銝:: I& a6 R+ W% Q8 X
撠皜祈岫site澆箏之 http request [size=13.376px](臭誑撖怎撘靘頝嚗冽雓撌乩犖箸 灸rowser憭TAB嚗銝瑞reload蝬脤)6 X- D1 n) b" p& N4 k4 Z5 V$ ~5 w( e
臭誑潛曉/var/log/message銝剖箇曆閮荔 g) O$ U! q2 @, n5 \. j
May 17 07:12:00 localhost kernel: [Possible DOS Attack]IN=eth0 OUT= MAC=XX:XX:XX:XX:43:77:00:1f:YY:YY:YY:YY SRC=192.168.0.105 DST=192.168.0.102 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=45026 DF PROTO=TCP SPT=59437 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
& B( d! m! e7 b( J% s7 G/ u- }) [甇斗隞半rowser皜祈岫蝬脤嚗箇遨onnection refused嚗⊥銝(箸閮剖rule爹EJECT)7 r( y' d4 C u- u2 D j
OK嚗iptablesipt_recent module潭桐其
5 M5 b0 O; e. d! U& M; y7 x d2 X7 Q3 ]" L# Y$ w0 d
蝯隢嚗
% R+ z# g& L+ F3 {1 O5 i W6 M(1) iptables函雯頝臬惜喲餅餅撠嚗撠serverloading敶梢輯撠
' i( `+ ? F8 f+ e0 O(2) iptables閮剖銝頛敶改舐其脰風80,443隞亙port
" o. J5 E$ Q' w1 h% R1 r/ V(3) iptables航身摰潛函銝餅嚗箏究erver寥脰靽霅瘀臭誑摰其霈餅撠脣叫erver
( P5 m' T4 C; a+ c. u1 Y9 u憒雿舐決S Windows + IIS嚗亙瑕嚗雿臭誑AQTRONIX WebKnight憟鞎餌web application firewall嚗鋆⊿W單脰風DDoS餅賬
. P# S0 n9 J9 g6 h6 r! ^# o8 A" q [4 k* ~0 ]% z7 }0 X) h. M- w2 }3 U* u
) t' D7 v+ ]; t: http://blog.eztable.com/2011/05/17/how-to-prevent-ddos// Q* V2 j3 L0 t4 T1 Z6 [- ~( { K0 h
K6 X k' p8 V1 b8 h5 |' Q
================================================' ]( a# `# d+ y& n
菜葫舐IP 隞:! P) e) l: @: P( i; E; O0 K
sed 's/ .*//' access.log | sort | uniq -c | sort -n
) Q5 @% f) p* e0 K5 _: F# Zperl -ne 'print "$1*\n" if m#^((\d+\.){3})#' access.log | sort | uniq -c | sort -n
9 h8 M# j# ^+ q( [6 `) Z; A |
|
|
潸” 2016-10-8 21:08:05
嗉
鈭
霈
