|
嚜
Linux撘瑕之iptables嚗銝槐pt_recentmodule嚗賡餅DDoS餅
1 l& Q: ?! \" U靘憒嚗雿臭誑啣銝chain嚗 iptables -N WEB_SRV_DOS ":WEB_SRV_DOS - [0:0]"& z+ [$ R( s1 q
嗅嚗其誑銝隞歹60蝘吩it port 80/443頞10甈∠IP餅銝西銝靘嚗
! ~# P8 I, u* x! |9 v- iptables -A INPUT -p tcp -m multiport dports 80,443 -j WEB_SRV_DOS
- iptables -A WEB_SRV_DOS -p tcp --syn -m multiport --dports 80,443 -m recent --rcheck --second 60 --hitcount 10 -j LOG --log-prefix "[Possible DOS Attack]"
- iptables -A WEB_SRV_DOS -p tcp --syn -m multiport --dports 80,443 -m recent --rcheck --second 60 --hitcount 10 -j REJECT
- iptables -A WEB_SRV_DOS -p tcp --syn -m multiport --dports 80,443 -m recent --set
- iptables -A WEB_SRV_DOS -p tcp -m multiport --dports 80,443 -j ACCEPT
銴鋆賭誨蝣
1 B4 F+ F7 N: w7 O U7 ^憒雿dmesg唬憿航炊嚗 8 g7 z6 X% O: T! {/ s$ @8 `; ~3 Z' v
hitcount (200) is larger than packets to be remembered (20)
7 x1 A: G6 o; e' x6 z( l# t; \銵函內雿閮剖閬閮蝞甈⊥詨之履pt_recent閮剖銝嚗舫隤踵惺pt_recent moduleip_pkt_list_tot訾閫瘙箝 r( t9 g, ^- D. ^/ y# x1 q' g+ p
6 R7 Q8 Q0 R2 G8 x) r5 r8 t. ]
皜祈岫銝銝:1 ^! x" l3 `) C' m2 j- V8 d
撠皜祈岫site澆箏之 http request [size=13.376px](臭誑撖怎撘靘頝嚗冽雓撌乩犖箸 灸rowser憭TAB嚗銝瑞reload蝬脤)
' F* H% `/ y- B( ?臭誑潛曉/var/log/message銝剖箇曆閮荔
7 e8 E% W' _* C9 [: g( HMay 17 07:12:00 localhost kernel: [Possible DOS Attack]IN=eth0 OUT= MAC=XX:XX:XX:XX:43:77:00:1f:YY:YY:YY:YY SRC=192.168.0.105 DST=192.168.0.102 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=45026 DF PROTO=TCP SPT=59437 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=03 c0 @. Z1 \! I* w8 h0 X4 [: C i
甇斗隞半rowser皜祈岫蝬脤嚗箇遨onnection refused嚗⊥銝(箸閮剖rule爹EJECT)
) J( n6 e- J+ ^( b7 g- L, FOK嚗iptablesipt_recent module潭桐其
) q4 W% S: `2 `% J" r& R! t2 |+ ~3 i4 u3 o- C) B) P4 a
蝯隢嚗
( y1 ^0 `8 a" P/ E. h, f* z(1) iptables函雯頝臬惜喲餅餅撠嚗撠serverloading敶梢輯撠
" M, D, K) U# c, f0 A7 }(2) iptables閮剖銝頛敶改舐其脰風80,443隞亙port: U; f. Z+ \7 M+ [: B: a
(3) iptables航身摰潛函銝餅嚗箏究erver寥脰靽霅瘀臭誑摰其霈餅撠脣叫erver
, ^1 @- K! D M) @憒雿舐決S Windows + IIS嚗亙瑕嚗雿臭誑AQTRONIX WebKnight憟鞎餌web application firewall嚗鋆⊿W單脰風DDoS餅賬
5 q$ G# m3 H0 J- X+ u" @8 q
- x% I' O' `+ L# M/ f9 m1 f& W
: S( V9 h: k+ }, h% h" z3 X- u: http://blog.eztable.com/2011/05/17/how-to-prevent-ddos/
- A$ n2 g0 W7 x J' ^1 s; E0 e% U/ J1 p2 f7 y$ Y
================================================
% J3 ?7 W% |) f菜葫舐IP 隞:
8 U8 B! A2 Q1 ~# K' }" h! Esed 's/ .*//' access.log | sort | uniq -c | sort -n& ]0 F5 d! o0 Q4 M n
perl -ne 'print "$1*\n" if m#^((\d+\.){3})#' access.log | sort | uniq -c | sort -n
" D4 p* `8 h- p3 I( `$ t |
|
|