Linux iptables has the ipt_recent module, which can be used to defend against DDoS attacks.
For example, first create a new chain: iptables -N WEB_SRV_DOS (shown as ":WEB_SRV_DOS - [0:0]" in iptables-save output).
Then reject any IP that hits port 80/443 more than 10 times within 60 seconds:
- iptables -A INPUT -p tcp -m multiport --dports 80,443 -j WEB_SRV_DOS
- iptables -A WEB_SRV_DOS -p tcp --syn -m multiport --dports 80,443 -m recent --rcheck --seconds 60 --hitcount 10 -j LOG --log-prefix "[Possible DOS Attack]"
- iptables -A WEB_SRV_DOS -p tcp --syn -m multiport --dports 80,443 -m recent --rcheck --seconds 60 --hitcount 10 -j REJECT
- iptables -A WEB_SRV_DOS -p tcp --syn -m multiport --dports 80,443 -m recent --set
- iptables -A WEB_SRV_DOS -p tcp -m multiport --dports 80,443 -j ACCEPT
If dmesg shows an error like:
hitcount (200) is larger than packets to be remembered (20)
it means the hitcount you configured is larger than the number of packets ipt_recent remembers per address by default; adjust the ipt_recent module's ip_pkt_list_tot parameter to fix it.
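Added example (not code from the original post): a small POSIX sh helper that prints the rule set above with the canonical --seconds and --dports spellings, after first checking the requested --hitcount against ip_pkt_list_tot, the exact condition behind the dmesg error. It assumes the module is loaded as xt_recent (the current name of ipt_recent) and exposes its parameter in sysfs, falling back to the default of 20 when it is not loaded.

```sh
#!/bin/sh
# Added example: print the WEB_SRV_DOS rule set for a chosen window/hitcount,
# refusing combinations xt_recent would reject with the dmesg error
# "hitcount (N) is larger than packets to be remembered (M)".
# Assumption: the module is loaded as xt_recent (ipt_recent on old kernels)
# and exposes ip_pkt_list_tot through sysfs; 20 is the module default.

PKT_LIST_PARAM=/sys/module/xt_recent/parameters/ip_pkt_list_tot

# Current per-address packet history size, or the default when not loaded.
pkt_list_tot() {
    if [ -r "$PKT_LIST_PARAM" ]; then cat "$PKT_LIST_PARAM"; else echo 20; fi
}

# build_rules SECONDS HITCOUNT [LIST_TOT]
# Prints the iptables commands; returns 1 when HITCOUNT exceeds LIST_TOT,
# i.e. when the kernel would log the dmesg error instead of loading the rule.
build_rules() {
    secs=$1; hits=$2; tot=${3:-$(pkt_list_tot)}
    if [ "$hits" -gt "$tot" ]; then
        echo "hitcount $hits exceeds ip_pkt_list_tot $tot;" \
             "reload the module with: modprobe xt_recent ip_pkt_list_tot=$hits" >&2
        return 1
    fi
    # Only SYNs are counted, so an established connection is not penalised.
    match="-p tcp --syn -m multiport --dports 80,443"
    # A trailing space in the prefix keeps it separated from IN= in the log.
    cat <<EOF
iptables -N WEB_SRV_DOS
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j WEB_SRV_DOS
iptables -A WEB_SRV_DOS $match -m recent --rcheck --seconds $secs --hitcount $hits -j LOG --log-prefix "[Possible DOS Attack] "
iptables -A WEB_SRV_DOS $match -m recent --rcheck --seconds $secs --hitcount $hits -j REJECT
iptables -A WEB_SRV_DOS $match -m recent --set
iptables -A WEB_SRV_DOS -p tcp -m multiport --dports 80,443 -j ACCEPT
EOF
}

# Stand-alone use: ./script.sh 60 10 prints the commands for review.
if [ "$#" -eq 2 ]; then build_rules "$1" "$2"; fi
```

Review the printed commands before applying them; with a hitcount above the remembered packet count the function prints the modprobe line to use instead.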
Test it:
Send a large number of HTTP requests to the test site (you can write a script for this, or simply open several browser tabs and keep reloading the page).
You should then see records like the following in /var/log/messages:
May 17 07:12:00 localhost kernel: [Possible DOS Attack]IN=eth0 OUT= MAC=XX:XX:XX:XX:43:77:00:1f:YY:YY:YY:YY SRC=192.168.0.105 DST=192.168.0.102 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=45026 DF PROTO=TCP SPT=59437 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
At this point the browser test page shows "connection refused" and cannot connect (because the rule's target is REJECT).
OK, the iptables ipt_recent module is working.
Conclusion:
(1) iptables blocks such attacks at the network layer, so the impact on server loading is small.
(2) The iptables rules are flexible and can protect ports other than 80/443 as well.
(3) iptables can be configured as an additional layer of protection on the server itself, so this kind of attack is stopped before it reaches the server application.
If you run MS Windows + IIS, you can use AQTRONIX WebKnight, a free web application firewall that also includes a feature for blocking DDoS attacks.
Source: http://blog.eztable.com/2011/05/17/how-to-prevent-ddos/
================================================
To count requests per source IP in the access log (the perl version groups by the first three octets, i.e. per /24):
sed 's/ .*//' access.log | sort | uniq -c | sort -n
perl -ne 'print "$1*\n" if m#^((\d+\.){3})#' access.log | sort | uniq -c | sort -n