The story starts on March 30, with what was presumably a competitor attacking the company's website.
The attack began at 4 p.m. against the site, and some of the attacking IPs were Alibaba Cloud addresses. Annoying. I want to file a complaint.
Let's get to how I handled it. First, see which addresses hold the most connections: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Damn. Some bastard had been hammering this page: 2800 concurrent connections.
First, block his IP in the firewall:
iptables -I INPUT -s 1.2.3.4 -j DROP
Next, think about how to guard against this the next time.
1. First, we found the open-source DDoS-Deflate script, which takes the edge off it.
Switch to the root (super administrator) account and run:
wget http://www.inetbase.com/scripts/ddos/install.sh   # download DDoS-Deflate
chmod 0700 install.sh   # make it executable
./install.sh   # run the installer
The installation path is /usr/local/ddos/. After installation, a ddos.cron file is added to /etc/cron.d/ automatically,
so we don't have to worry about scheduling.
2. Because ddos.sh automatically adds the banned address to the whitelist, I think that if the DROP rule in the iptables INPUT chain is accidentally deleted, the attacker's IP will get in again. So we make a change to the source code of ddos.sh.
3. Modify the configuration file ddos.conf:
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"   # IP address whitelist
CRON="/etc/cron.d/ddos.cron"   # cron file for periodic execution
APF="/etc/apf/apf"
IPT="/sbin/iptables"
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1   # check interval in minutes, default 1 (after changing it, run /usr/local/ddos/ddos.sh -c by hand to regenerate the ddos.cron file)
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150   # maximum connections per IP; above this the IP is blocked. The default is generally fine
##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=0   # set to 0 here: block through iptables
##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1   # whether to actually block IPs; the default is fine
##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"   # mailbox to notify when an IP is blocked. Recommended; change it to your own address (a mail sender must be installed for this to work, discussed later)
##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600   # how long the IP stays blocked, 600 seconds by default, adjust as needed
The remaining options can be adjusted by following the comments in the default configuration file.
ddos.sh source code
#!/bin/sh
##############################################################################
# DDoS-Deflate version 0.6 Author: Zaf <zaf@vsnl.com> #
##############################################################################
# This program is distributed under the "Artistic License" Agreement #
# #
# The LICENSE file is located in the same directory as this program. Please #
# read the LICENSE file before you make copies or distribute this program #
##############################################################################
load_conf()
{
CONF="/usr/local/ddos/ddos.conf"
if [ -f "$CONF" ] && [ ! "$CONF" == "" ]; then
source $CONF
else
head
echo "\$CONF not found."
exit 1
fi
}
head()
{
echo "DDoS-Deflate version 0.6"
echo "Copyright (C) 2005, Zaf <zaf@vsnl.com>"
echo
}
showhelp()
{
head
echo 'Usage: ddos.sh [OPTIONS] [N]'
echo 'N : number of tcp/udp connections (default 150)'
echo 'OPTIONS:'
echo '-h | --help: Show this help screen'
echo '-c | --cron: Create cron job to run this script regularly (default 1 mins)'
echo '-k | --kill: Block the offending ip making more than N connections'
}
unbanip()
{
UNBAN_SCRIPT=`mktemp /tmp/unban.XXXXXXXX`
TMP_FILE=`mktemp /tmp/unban.XXXXXXXX`
UNBAN_IP_LIST=`mktemp /tmp/unban.XXXXXXXX`
echo '#!/bin/sh' > $UNBAN_SCRIPT
echo "sleep $BAN_PERIOD" >> $UNBAN_SCRIPT
if [ $APF_BAN -eq 1 ]; then
while read line; do
echo "$APF -u $line" >> $UNBAN_SCRIPT
echo $line >> $UNBAN_IP_LIST
done < $BANNED_IP_LIST
else
while read line; do
echo "$IPT -D INPUT -s $line -j DROP" >> $UNBAN_SCRIPT
echo $line >> $UNBAN_IP_LIST
done < $BANNED_IP_LIST
fi
echo "grep -v --file=$UNBAN_IP_LIST $IGNORE_IP_LIST > $TMP_FILE" >> $UNBAN_SCRIPT
echo "mv $TMP_FILE $IGNORE_IP_LIST" >> $UNBAN_SCRIPT
echo "rm -f $UNBAN_SCRIPT" >> $UNBAN_SCRIPT
echo "rm -f $UNBAN_IP_LIST" >> $UNBAN_SCRIPT
echo "rm -f $TMP_FILE" >> $UNBAN_SCRIPT
. $UNBAN_SCRIPT &
}
add_to_cron()
{
rm -f $CRON
sleep 1
service crond restart
sleep 1
echo "SHELL=/bin/sh" > $CRON
if [ $FREQ -le 2 ]; then
echo "0-59/$FREQ * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1" >> $CRON
else
let "START_MINUTE = $RANDOM % ($FREQ - 1)"
let "START_MINUTE = $START_MINUTE + 1"
let "END_MINUTE = 60 - $FREQ + $START_MINUTE"
echo "$START_MINUTE-$END_MINUTE/$FREQ * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1" >> $CRON
fi
service crond restart
}
load_conf
while [ $1 ]; do
case $1 in
'-h' | '--help' | '?' )
showhelp
exit
;;
'--cron' | '-c' )
add_to_cron
exit
;;
'--kill' | '-k' )
KILL=1
;;
*[0-9]* )
NO_OF_CONNECTIONS=$1
;;
* )
showhelp
exit
;;
esac
shift
done
TMP_PREFIX='/tmp/ddos'
TMP_FILE="mktemp $TMP_PREFIX.XXXXXXXX"
BANNED_IP_MAIL=`$TMP_FILE`
BANNED_IP_LIST=`$TMP_FILE`
IPTABLES_LIST=`$TMP_FILE` #New firewall list file
echo "Banned the following ip addresses on `date`" > $BANNED_IP_MAIL
echo >> $BANNED_IP_MAIL
BAD_IP_LIST=`$TMP_FILE`
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST
cat $BAD_IP_LIST
echo "***************************"   # quoted so the shell does not glob-expand the asterisks
$IPT -L -n > $IPTABLES_LIST
cat $IPTABLES_LIST
if [ $KILL -eq 1 ]; then
IP_BAN_NOW=0
while read line; do
CURR_LINE_CONN=$(echo $line | cut -d" " -f1)
CURR_LINE_IP=$(echo $line | cut -d" " -f2)
if [ $CURR_LINE_CONN -lt $NO_OF_CONNECTIONS ]; then
break
fi
IGNORE_BAN=`grep -c -F -x $CURR_LINE_IP $IGNORE_IP_LIST`   # whole-line match, so 1.2.3.4 does not match 1.2.3.45
if [ $IGNORE_BAN -ge 1 ]; then
continue
fi
# Check whether this IP already has a rule in the firewall listing
IPTABLES_EXISTS=`grep -c -F -w $CURR_LINE_IP $IPTABLES_LIST`
# If it already exists, skip it so the same DROP rule is not inserted twice
#echo $IPTABLES_EXISTS
if [ $IPTABLES_EXISTS -ge 1 ]; then
continue
fi
IP_BAN_NOW=1
echo "$CURR_LINE_IP with $CURR_LINE_CONN connections" >> $BANNED_IP_MAIL
echo $CURR_LINE_IP >> $BANNED_IP_LIST
# The original script appended the banned IP to the whitelist here. If the DROP rule is later removed by hand,
# the attacker's IP would then be whitelisted and get through, so this line is disabled.
# echo $CURR_LINE_IP >> $IGNORE_IP_LIST
if [ $APF_BAN -eq 1 ]; then
$APF -d $CURR_LINE_IP
else
$IPT -I INPUT -s $CURR_LINE_IP -j DROP
fi
done < $BAD_IP_LIST
if [ $IP_BAN_NOW -eq 1 ]; then
dt=`date`
#No email
#if [ $EMAIL_TO != "" ]; then
# cat $BANNED_IP_MAIL | mail -s "IP addresses banned on $dt" $EMAIL_TO
#fi
unbanip
fi
fi
rm -f $TMP_PREFIX.*
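The ban decision described above (count connections per source, skip whitelisted and already-blocked addresses, ban the rest) as a dry run on constructed netstat, whitelist and iptables output; this is an added example, not DDoS-Deflate's code or the author's script, and the sample addresses and file names are made up.

```shell
# Added example, not DDoS-Deflate's code or the author's: a dry run of the
# ban decision on constructed data, so it runs without root or netstat.
set -eu
# Constructed `netstat -ntu` output: two header lines, then connections.
NETSTAT_SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.0.0.5:80 203.0.113.7:51234 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.7:51235 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.2:4000 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.2:4001 ESTABLISHED
tcp 0 0 10.0.0.5:80 192.0.2.9:6000 ESTABLISHED
tcp 0 0 10.0.0.5:80 192.0.2.9:6001 ESTABLISHED
tcp 0 0 10.0.0.5:80 192.0.2.10:7000 ESTABLISHED'
# Constructed whitelist; 203.0.113.70 is a different host from 203.0.113.7.
IGNORE_SAMPLE='127.0.0.1
198.51.100.2
203.0.113.70'
# Constructed `iptables -L -n` output: 192.0.2.9 is already dropped.
IPTABLES_SAMPLE='Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- 192.0.2.9 0.0.0.0/0'
# Connections per remote IP, busiest first. Stripping the trailing :port with
# sed instead of cut -d: -f1 keeps IPv6 addresses whole.
count_conns() {
  awk 'NR > 2 { print $5 }' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn
}
# Print the IPs that would be banned: at least $1 connections, not in the
# whitelist file $2, not already in the firewall listing $3. grep -F with
# -x/-w matches whole values, so 203.0.113.7 does not match 203.0.113.70
# the way the script's unanchored grep -c "$ip" would.
ban_candidates() {
  threshold=$1; ignore=$2; ipt=$3
  while read -r conns ip; do
    [ "$conns" -ge "$threshold" ] || break   # sorted: nothing further qualifies
    grep -qFx -- "$ip" "$ignore" && continue # whitelisted
    grep -qFw -- "$ip" "$ipt" && continue    # rule already present
    echo "$ip"
  done
}
# Wire the constructed inputs together and print the resulting ban list.
demo_ban_list() {
  tmp=$(mktemp -d)
  printf '%s\n' "$IGNORE_SAMPLE" > "$tmp/ignore.ip.list"
  printf '%s\n' "$IPTABLES_SAMPLE" > "$tmp/iptables.list"
  printf '%s\n' "$NETSTAT_SAMPLE" | count_conns \
    | ban_candidates 2 "$tmp/ignore.ip.list" "$tmp/iptables.list"
  rm -rf "$tmp"
}
demo_ban_list   # prints: 203.0.113.7
```

Replace the three constructed samples with real `netstat -ntu`, the ignore list and `iptables -L -n` output to preview what the cron job would ban without touching the firewall.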
OK, next time I'll write up the other script: the one that bans any IP that shows up a thousand times in the nginx logs.
Thanks for reading.