DoS Deflate 是一个轻量级阻止拒绝服务***的bash shell脚本。我们可以根据自己需要修改特定参数,来达到目的!
安装/卸载都很简单,分别执行下面三步就可以了:
计算
安全
数据库
网络和加速
企业服务
wget http://www.inetbase.com/scripts/ddos/install.sh chmod 0700 install.sh ./install.sh wget http://www.inetbase.com/scripts/ddos/uninstall.ddos chmod 0700 uninstall.ddos ./uninstall.ddos [root@localhost src]#less install.sh #!/bin/sh if [ -d '/usr/local/ddos' ]; then echo; echo; echo "Please un-install the previous version first" exit 0 else mkdir /usr/local/ddos fi clear echo; echo 'Installing DOS-Deflate 0.6'; echo echo; echo -n 'Downloading source files...' wget -q -O /usr/local/ddos/ddos.conf http://www.inetbase.com/scripts/ddos/ddos.conf echo -n '.' wget -q -O /usr/local/ddos/LICENSE http://www.inetbase.com/scripts/ddos/LICENSE echo -n '.' wget -q -O /usr/local/ddos/ignore.ip.list http://www.inetbase.com/scripts/ddos/ignore.ip.list echo -n '.' wget -q -O /usr/local/ddos/ddos.sh http://www.inetbase.com/scripts/ddos/ddos.sh chmod 0755 /usr/local/ddos/ddos.sh cp -s /usr/local/ddos/ddos.sh /usr/local/sbin/ddos echo '...done' echo; echo -n 'Creating cron to run script every minute.....(Default setting)' /usr/local/ddos/ddos.sh --cron > /dev/null 2>&1 echo '.....done' echo; echo 'Installation has completed.' echo 'Config file is at /usr/local/ddos/ddos.conf' echo 'Please send in your comments and/or suggestions to zaf@vsnl.com' echo cat /usr/local/ddos/LICENSE | less 从install.sh可以看出DoS Deflate安装过程主要是下载四个文件(
ddos.conf DoS Deflate配置文件
LICENSE 说明文件
ignore.ip.list 白名单文件
ddos.sh 核心安装脚本
)和执行/usr/local/ddos/ddos.sh --cron 这个脚本。
[root@localhost src]# cat /usr/local/ddos/ddos.sh #!/bin/sh ############################################################################## # DDoS-Deflate version 0.6 Author: Zaf <zaf@vsnl.com> # ############################################################################## # This program is distributed under the "Artistic License" Agreement # # # # The LICENSE file is located in the same directory as this program. Please # # read the LICENSE file before you make copies or distribute this program # ############################################################################## load_conf() { CONF="/usr/local/ddos/ddos.conf" if [ -f "$CONF" ] && [ ! "$CONF" == "" ]; then source $CONF else head echo "\$CONF not found." exit 1 fi } ##加载配置文件/usr/local/ddos/ddos.conf head() { echo "DDoS-Deflate version 0.6" echo "Copyright (C) 2005, Zaf <zaf@vsnl.com>" echo } ##显示版本,作者信息 showhelp() { head echo 'Usage: ddos.sh [OPTIONS] [N]' echo 'N : number of tcp/udp connections (default 150)' echo 'OPTIONS:' echo '-h | --help: Show this help screen' echo '-c | --cron: Create cron job to run this script regularly (default 1 mins)' echo '-k | --kill: Block the offending ip making more than N connections' } ##显示使用方式 unbanip() { UNBAN_SCRIPT=`mktemp /tmp/unban.XXXXXXXX` TMP_FILE=`mktemp /tmp/unban.XXXXXXXX` UNBAN_IP_LIST=`mktemp /tmp/unban.XXXXXXXX` echo '#!/bin/sh' > $UNBAN_SCRIPT echo "sleep $BAN_PERIOD" >> $UNBAN_SCRIPT if [ $APF_BAN -eq 1 ]; then while read line; do echo "$APF -u $line" >> $UNBAN_SCRIPT echo $line >> $UNBAN_IP_LIST done < $BANNED_IP_LIST else while read line; do echo "$IPT -D INPUT -s $line -j DROP" >> $UNBAN_SCRIPT echo $line >> $UNBAN_IP_LIST done < $BANNED_IP_LIST fi echo "grep -v --file=$UNBAN_IP_LIST $IGNORE_IP_LIST > $TMP_FILE" >> $UNBAN_SCRIPT echo "mv $TMP_FILE $IGNORE_IP_LIST" >> $UNBAN_SCRIPT echo "rm -f $UNBAN_SCRIPT" >> $UNBAN_SCRIPT echo "rm -f $UNBAN_IP_LIST" >> $UNBAN_SCRIPT echo "rm -f $TMP_FILE" >> $UNBAN_SCRIPT . $UNBAN_SCRIPT & } ##用于取消已经被禁止访问的ip add_to_cron() { rm -f $CRON sleep 1 service crond restart sleep 1 echo "SHELL=/bin/sh" > $CRON if [ $FREQ -le 2 ]; then echo "0-59/$FREQ * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1" >> $CRON else let "START_MINUTE = $RANDOM % ($FREQ - 1)" let "START_MINUTE = $START_MINUTE + 1" let "END_MINUTE = 60 - $FREQ + $START_MINUTE" echo "$START_MINUTE-$END_MINUTE/$FREQ * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1" >> $CRON fi service crond restart } ##执行主程序,生成crontab,在安装的时候执行一次 load_conf while [ $1 ]; do case $1 in '-h' | '--help' | '?' ) showhelp exit ;; '--cron' | '-c' ) add_to_cron exit ;; '--kill' | '-k' ) KILL=1 ;; *[0-9]* ) NO_OF_CONNECTIONS=$1 ;; * ) showhelp exit ;; esac shift done TMP_PREFIX='/tmp/ddos' TMP_FILE="mktemp $TMP_PREFIX.XXXXXXXX" BANNED_IP_MAIL=`$TMP_FILE` BANNED_IP_LIST=`$TMP_FILE` echo "Banned the following ip addresses on `date`" > $BANNED_IP_MAIL echo >> $BANNED_IP_MAIL BAD_IP_LIST=`$TMP_FILE` netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST cat $BAD_IP_LIST if [ $KILL -eq 1 ]; then IP_BAN_NOW=0 while read line; do CURR_LINE_CONN=$(echo $line | cut -d" " -f1) CURR_LINE_IP=$(echo $line | cut -d" " -f2) if [ $CURR_LINE_CONN -lt $NO_OF_CONNECTIONS ]; then break fi IGNORE_BAN=`grep -c $CURR_LINE_IP $IGNORE_IP_LIST` if [ $IGNORE_BAN -ge 1 ]; then continue fi IP_BAN_NOW=1 echo "$CURR_LINE_IP with $CURR_LINE_CONN connections" >> $BANNED_IP_MAIL echo $CURR_LINE_IP >> $BANNED_IP_LIST echo $CURR_LINE_IP >> $IGNORE_IP_LIST if [ $APF_BAN -eq 1 ]; then $APF -d $CURR_LINE_IP else $IPT -I INPUT -s $CURR_LINE_IP -j DROP fi done < $BAD_IP_LIST if [ $IP_BAN_NOW -eq 1 ]; then dt=`date` if [ $EMAIL_TO != "" ]; then cat $BANNED_IP_MAIL | mail -s "IP addresses banned on $dt" $EMAIL_TO fi unbanip fi fi rm -f $TMP_PREFIX.* 整个脚本判断的根据通过单个ip连接数,然后根据/usr/local/ddos/ddos.conf里面定义的NO_OF_CONNECTIONS的值判断有没有达到drop条件,如果达到再根据里面定义(APF_BAN默认是APF,如需要iptables需要改)使用:iptables或者APF来drop掉这个ip地址,让它在规定的时间内(由BAN_PERIOD定义)无法访问该服务器。可以看出整个脚本如果使用iptables过滤的话是很简单的,完全自己可以写一个脚本来实现上面功能。
#!/bin/bash NO_OF_CONNECTIONS=100 BLACKLIST=/var/tmp/black WHITELIST=/var/tmp/white #cat ${ACCCESS_LOG} | awk '{print $1}' | sort | uniq -c | sort -r -n | head -n 200 >> my_check if [ ! -f ${BLACKLIST} ]; then touch ${BLACKLIST} fi if [ ! -f ${WHITELIST} ]; then touch ${WHITELIST} fi while read Num Ipaddr ;do if [ $(grep -c $Ipaddr ${WHITELIST}) -ne 0 ]; then echo 'Allow IP:' $Ipaddr continue fi if [ $(grep -c $Ipaddr ${BLACKLIST}) -eq 0 ] ; then if [ $Num -gt $NO_OF_CONNECTIONS ];then echo 'Deny IP:' $Ipaddr echo $Ipaddr >> ${BLACKLIST} iptables -I INPUT -p tcp --dport 80 -s $Ipaddr -j DROP fi fi done <<-'EOF' `netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr` EOF 只是上面的脚本少了解封被禁止的ip过程,我个人认为解封没有太大意义.无论是DoS Deflate或者是上面我自己写的脚本,最重要的都是NO_OF_CONNECTIONS值设置。
iptables
iptables 四表五链
iptables(nat,filter,mangle,raw)(INPUT,FORWARD,OUTPUT,PREROUTING,POSTROUTING) filter: INPUT, OUTPUT, FORWARD nat: PREROUTING, POSTROUTING, OUTPUT mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING 规则管理类: -A -I -D -R 链接管理类: -F, flush, 清空链 -N, new, 新建链 -X, delete, 删除自定义的空链 -E, rename 默认策略: -P, policy 清空计数器: -Z, zero 每条规则(包括默认策略)都有两个计数器: 被此规则匹配到的所有数据包的个数; 被此规则匹配到的所有数据包的大小之和; 查看类: -L, list -n, numeric -v, verbose -vv -vvv -x, exactly --line-numbers 基本匹配: -s SOURCE:IP, NETWORK -d DESTINATION:IP, NETWORK -p {tcp|udp|icmp} -i INTERFACE -o INTERFACE 扩展匹配:(调用iptables的模块,以便扩展iptables的匹配功能, -m) 隐含扩展 -p tcp --sport PORT --dport PORT --tcp-flags ACK,SYN,RST,FIN SYN = --syn --tcp-flags ACK,SYN,RST,FIN SYN,ACK,RST,FIN --sport 22:23 -p UDP --sport PORT --dport PORT -p icmp --icmp-type 8: echo-request 0: echo-reply 显式扩展: -m state --state NEW NEW ESTABLISHED INVALID RELATED -m multiport --source-ports 22,53,80 --destination-ports --ports -m iprange --src-range --dst-range -m limit --limit --limit-burst -m string --algo bm|kmp --string "STRING" 处理动作 -j ACCEPT DROP REJECT SNAT DNAT REDIRECT NASQUERADE 基本操作举例:
iptables -F ##清空所有的链中的规则-F 仅仅是清空链中规则,并不影响 -P 设置的默认规则 ,故使用这条命令一定要小心。 iptables -t nat -F PREROUTING ##把nat表中的PREROUTING链中的规则清空 iptables -t filter -A INPUT -s 172.16.0.0/16 -p udp --dport 53 -j DROP ##A插入一条规则默认放在最后一条 iptables -t filter -I INPUT -s 172.16.0.0/16 -p udp --dport 53 -j DROP ##I插入一条规则默认放在第一条 iptables -t filter -I INPUT 3 -s 172.16.0.0/16 -p udp --dport 53 -j DROP ##插入一条规则放在第三条 iptables -L -n --line-numbers ##查看iptables规则,并在每条规则前显示行号。 iptables -D INPUT 5 ## 删除INPUT 链的第五条规则 iptables -t nat -A PREROUTING -d 1.1.1.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.103:8080##DNAT 自定义链应用:(先定义一个自定义链clean_in,然后把自定义链关联到主链上)
iptables -N clean_in iptables -A clean_in -d 255.255.255.255 -p icmp -j DROP iptables -A clean_in -d 172.16.255.255 -p icmp -j DROP iptables -A clean_in -p tcp ! --syn -m state --state NEW -j DROP iptables -A clean_in -p tcp --tcp-flags ALL ALL -j DROP iptables -A clean_in -p tcp --tcp-flags ALL NONE -j DROP iptables -A clean_in -d 172.16.100.1 -j RETURN iptables -A INPUT -d 172.16.100.1 -j clean_in iptables高级应用:(使用iptables前需要了解tcp连接/断开过程和ip报文头部结构,tcp数据包头结构。)
##服务器(本地ip192.168.1.103)只允许22,53,80,443端口和本机通迅并拒绝本机向外主动发起请求(防C/S******)
iptables -I INPUT 1 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -d 192.168.1.103 -p tcp -m multiport --destination-ports 22,53,80,443 -m state --state NEW -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT iptables -P INPUT DROP iptables -P OUTPUT DROP ##连接数限定(设置ssh连接单个ip不能超过2个,利用recent和state模块限制单IP在300s内只能与本机建立3个新连接。被限制五分钟后即可恢复访问。常用于防ddos***)
iptables -I INPUT 1 -m state --state ESTABLISHED -j ACCEPT iptables -I INPUT 2 -d 192.168.1.103 -p tcp --dport 22 -m state --state NEW -m connlimit ! --connlimit-above 2 -j ACCEPT iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 2 --name SSH -j DROP iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT iptables -P INPUT DROP iptables -P OUTPUT DROP ##匹配数据包数限制(--limit 平均速率,--limit-burst峰值速率)
iptables -I INPUT 1 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -d 202.75.219.205 -p tcp --dport 80 -m state --state NEW -m limit --limit 30/second --limit-burst 50 -j ACCEPT iptables -A INPUT -d 202.75.219.205 -p tcp -m state --state NEW -m multiport --destination-ports 22,53,80,443 -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT iptables -P INPUT DROP iptables -P OUTPUT DROP
亿速云「云服务器」,即开即用、新一代英特尔至强铂金CPU、三副本存储NVMe SSD云盘,价格低至29元/月。点击查看>>
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。
