|
|
嚜
Linux撘瑕之iptables嚗銝槐pt_recentmodule嚗賡餅DDoS餅
% x: t1 F6 L! M, ?* y; s, o靘憒嚗雿臭誑啣銝chain嚗 iptables -N WEB_SRV_DOS ":WEB_SRV_DOS - [0:0]"
1 R& ]8 ~7 Z( B. X P* q1 ?嗅嚗其誑銝隞歹60蝘吩it port 80/443頞10甈∠IP餅銝西銝靘嚗& }3 z9 p: W/ p) g
- iptables -A INPUT -p tcp -m multiport dports 80,443 -j WEB_SRV_DOS
- iptables -A WEB_SRV_DOS -p tcp --syn -m multiport --dports 80,443 -m recent --rcheck --second 60 --hitcount 10 -j LOG --log-prefix "[Possible DOS Attack]"
- iptables -A WEB_SRV_DOS -p tcp --syn -m multiport --dports 80,443 -m recent --rcheck --second 60 --hitcount 10 -j REJECT
- iptables -A WEB_SRV_DOS -p tcp --syn -m multiport --dports 80,443 -m recent --set
- iptables -A WEB_SRV_DOS -p tcp -m multiport --dports 80,443 -j ACCEPT
$ g- B j K% U) G# A4 @( P6 E憒雿dmesg唬憿航炊嚗
+ f; X& k0 g, _) ?9 P) l; X; Ihitcount (200) is larger than packets to be remembered (20)
! P: l" v( p+ P# d2 |銵函內雿閮剖閬閮蝞甈⊥詨之履pt_recent閮剖銝嚗舫隤踵惺pt_recent moduleip_pkt_list_tot訾閫瘙箝
/ {9 u3 w5 a& n" J K' ~" [: Q8 B
9 i+ e" B2 _2 w7 h# t# b皜祈岫銝銝:
/ ^/ }! x+ b5 Y, |1 v5 v! P撠皜祈岫site澆箏之 http request [size=13.376px](臭誑撖怎撘靘頝嚗冽雓撌乩犖箸 灸rowser憭TAB嚗銝瑞reload蝬脤)) ~. i- K! C: J4 v( ^
臭誑潛曉/var/log/message銝剖箇曆閮荔
2 c4 r) i4 m1 \May 17 07:12:00 localhost kernel: [Possible DOS Attack]IN=eth0 OUT= MAC=XX:XX:XX:XX:43:77:00:1f:YY:YY:YY:YY SRC=192.168.0.105 DST=192.168.0.102 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=45026 DF PROTO=TCP SPT=59437 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
" Z1 H4 {, e9 R$ @% W. ?5 h1 I甇斗隞半rowser皜祈岫蝬脤嚗箇遨onnection refused嚗⊥銝(箸閮剖rule爹EJECT)
) `9 ]2 ~- Q* O/ p/ `OK嚗iptablesipt_recent module潭桐其) P2 N, q. `& \/ S. M
: E6 h" d) u3 Q4 k1 [. y5 `
蝯隢嚗. ^. I4 v* I8 @: s7 E! t- y
(1) iptables函雯頝臬惜喲餅餅撠嚗撠serverloading敶梢輯撠
7 O0 w8 u' ~# G6 B: R+ Z(2) iptables閮剖銝頛敶改舐其脰風80,443隞亙port
0 p4 i2 O2 ^5 h5 z5 j(3) iptables航身摰潛函銝餅嚗箏究erver寥脰靽霅瘀臭誑摰其霈餅撠脣叫erver
9 l" O4 a# i& G0 R4 ^8 B8 U憒雿舐決S Windows + IIS嚗亙瑕嚗雿臭誑AQTRONIX WebKnight憟鞎餌web application firewall嚗鋆⊿W單脰風DDoS餅賬2 O9 {( y& G9 h1 g. z) C/ y R- Q
8 t, L0 W: y& n0 F0 X5 }: K ]
; G5 h. L5 U7 \: `, }! B/ H: http://blog.eztable.com/2011/05/17/how-to-prevent-ddos/
5 a/ F; N; @9 i5 }5 S6 x6 S* O
+ I* X# J, K {* a8 v3 \================================================
( U, \/ _& y: q% U菜葫舐IP 隞:1 q& u* r, |. X' a0 r4 O3 v% [
sed 's/ .*//' access.log | sort | uniq -c | sort -n
& l) F w+ m" Zperl -ne 'print "$1*\n" if m#^((\d+\.){3})#' access.log | sort | uniq -c | sort -n
i% m2 F8 q# U- g |
|
|
潸” 2016-10-8 21:08:05
嗉
鈭
霈
