Welcome to the Linux Foundation Forum!
Help me. My server is attacked DDoS
duynguyen
Posts: 4
I want to write a Script, it use to ati DDoS but i'm a newbie i can't do it.
I have a log file http://www.mediafire.com/?yz2njlm0kzj . I want to read a DDos's IP address from log file, after that i want to add that IP to Firewall . I can do it by handicraft but i want a script, it can autorun every 5 min on my server.
Thank .
0
Comments
-
Distributed Denial of Service attacks are hard to subvert because they are meant to tie up your system with answering unnecessary requests and they are meant to flood your internet connection effectively limiting outside communications. Now depending on the protocol, port and service that is attacked you can modify your firewall to drop the packets which will lower the stress on your system but it won't help with your internet connection.
Now by looking at your log it appears they these are not traditional DDOS attacks, it is only various systems trying to utilize your proxy server. The simplest way would be to find out the port used for your proxy and set the traffic to allow only your trusted ip addresses, then drop all other traffic on that port.
I wrote a quick script below that will allow you to view the unique ip addresses from your log.cat Log_dos.txt|grep IP=|cut -d "=" -f 5|cut -d " " -f 1|sort|uniq
0 -
You wrote command, but it only have IP from log file. Can you help to add DDos's IP to iptable file for me ?0
-
I did not include the command to add it the ip addresses to your block list for the following reasons:
[ul][li]Some of the IP addresses may be valid, but only you should able able to asses that[/li]
[li]The structure of your iptables firewall may be nonstandard[/li]
[li]Hopefully you use a default deny all at the end of your firewall list and if that is the case newly appended rules will never be tested[/li]
[li]I do not know the port and protocols used for the connections based off of the log file that you shared[/li][/ul]
Your best bet for a clean firewall script would be to setup rules for that port that first alllow trusted IP addresses then deny all other requests for that service so that you don't have to focus on a per address basis to deny hosts.
Now if you just want to blindly apply a rule for blocking all of those addresses on all ports and protocols (this is not recommended) then you can use this command.for ADD in $(cat Log_dos.txt|grep IP=|cut -d "=" -f 5|cut -d " " -f 1|sort|uniq) do iptables -A INPUT -p ALL -s $ADD -j DENY done
If you do not maintain an external list of all ip addresses that have been added to the deny list then this command will cause issues with duplicate rules for single ip addresses, additionally failure to use an external list will limit your ability to reinstate the rules if you system is restarted.0 -
Thank you very much. I will try to work.0
-
Hi mfillpot,
This is my config for iptables
######## iptables_Firewall.sh cript
#!/bin/sh
IPTABLES=/sbin/iptables
######### Init values
INTERNAL_INTERFACE="eth5"
INTERNAL_ADDR="192.168.1.10"
EXTERNAL_INTERFACE="eth4"
EXTERNAL_ADDR="222.255.237.87"
######### Pre-config
$IPTABLES -F FORWARD ## reset FORWARD chain
$IPTABLES -F INPUT ## reset INPUT chain
$IPTABLES -F OUTPUT ## reset OUTPUT chain
$IPTABLES -P FORWARD DROP ## Default FORWARD chain is DROP
$IPTABLES -P OUPUT ACCEPT ## Default OUTPUT chain is ACCEPT
$IPTABLES -P INPUT DROP ## Default INPUT chain is DROP
######## Rules
$IPTABLES -A INPUT -p icmp -j ACCEPT
#$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p icmp -icmp-type echo-request -m limit --limit 5/s -j ACCEPT
## Drop all ips DOS
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 58.186.103.244 -d $EXTERNAL_ADDR -j DROP
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 222.255.77.119 -d $EXTERNAL_ADDR -j DROP
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 58.186.217.54 -d $EXTERNAL_ADDR -j DROP
## Permit these UDP ports
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 0/0 -d $EXTERNAL_ADDR -p udp --dport 5060 -m limit --limit 4/s -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 0/0 -d $EXTERNAL_ADDR -p udp --dport 5080 -m limit --limit 4/s -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 0/0 -d $EXTERNAL_ADDR -p udp --dport 53 -m limit --limit 4/s -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 0/0 -d $EXTERNAL_ADDR -p udp -j ACCEPT
## Permit SSH
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i lo -p all -j ACCEPT
## Internal interface : Permit all
$IPTABLES -A INPUT -i $INTERNAL_INTERFACE -s 0/0 -p all -j ACCEPT
Please help me include your script into it to anti DOS. Everytime this script is run, it will reset iptables.
Pls note, in Log_dos.txt, ips dos are ips which request more than 5 times per second. Log_dos.txt is a part copy of /var/log/message . We will write a script to filter ips dos base on message file. This file is very large so we will use tail -n 500 /var/log/message instead of. Please help.
Thank you very much.0 -
Here are the recommended modifications.
[ol]
[li]Lines 15-17 are missing the -j flag.[/li]
[li]OUPUT in line 16 should be OUTPUT[/li]
[li]Put line 17 at the end of the script, your don't want the packets to be dropped until they are evaluated[/li]
[li]You don't want to mindlessly accept all icmp packets, you want to drop specific ones to resist DOS attacks via icmp, replace line 21 with the following lines.# Allow pings 4 per minute to block ping DOS attacks $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/m -j ACCEPT # Allow all echo replies including destination unreachable and time exceeded $IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT $IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Block all other icmp traffic $IPTABLES -A INPUT -p icmp -j DROP
[/li]
[li]Place the following after line 21:# Allow all response traffic $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[/li]
Make the following in line 30 to enable the blocking of the specified addresses:for ADD in $(tail -n 500 /var/log/message|grep IP=|cut -d "=" -f 5|cut -d " " -f 1|sort|uniq) do $IPTABLES -A INPUT -p ALL -s $ADD -j DENY done
[/ol]
There can be other recommendations such as making the script modular and adding specific chains per packet type to reduce the amount of rules a packet must pass through. But with the following recommendations the firewall script should do what you want including blocking the addresses that are found with the evaluation of the for script that I gave you, however you may want to modify the script to grab only the info that was displayed in the original log file that you produced.0
Categories
- All Categories
- 167 LFX Mentorship
- 219 LFX Mentorship: Linux Kernel
- 795 Linux Foundation IT Professional Programs
- 355 Cloud Engineer IT Professional Program
- 179 Advanced Cloud Engineer IT Professional Program
- 82 DevOps Engineer IT Professional Program
- 127 Cloud Native Developer IT Professional Program
- 112 Express Training Courses
- 112 Express Courses - Discussion Forum
- 6.2K Training Courses
- 48 LFC110 Class Forum - Discontinued
- 17 LFC131 Class Forum
- 35 LFD102 Class Forum
- 227 LFD103 Class Forum
- 14 LFD110 Class Forum
- 39 LFD121 Class Forum
- 15 LFD133 Class Forum
- 7 LFD134 Class Forum
- 17 LFD137 Class Forum
- 63 LFD201 Class Forum
- 3 LFD210 Class Forum
- 5 LFD210-CN Class Forum
- 2 LFD213 Class Forum - Discontinued
- 128 LFD232 Class Forum - Discontinued
- 1 LFD233 Class Forum
- 2 LFD237 Class Forum
- 23 LFD254 Class Forum
- 697 LFD259 Class Forum
- 109 LFD272 Class Forum
- 3 LFD272-JP クラス フォーラム
- 10 LFD273 Class Forum
- 152 LFS101 Class Forum
- 1 LFS111 Class Forum
- 1 LFS112 Class Forum
- 1 LFS116 Class Forum
- 1 LFS118 Class Forum
- LFS120 Class Forum
- 7 LFS142 Class Forum
- 7 LFS144 Class Forum
- 3 LFS145 Class Forum
- 1 LFS146 Class Forum
- 3 LFS147 Class Forum
- 1 LFS148 Class Forum
- 15 LFS151 Class Forum
- 1 LFS157 Class Forum
- 33 LFS158 Class Forum
- 8 LFS162 Class Forum
- 1 LFS166 Class Forum
- 1 LFS167 Class Forum
- 3 LFS170 Class Forum
- 2 LFS171 Class Forum
- 1 LFS178 Class Forum
- 1 LFS180 Class Forum
- 1 LFS182 Class Forum
- 1 LFS183 Class Forum
- 29 LFS200 Class Forum
- 736 LFS201 Class Forum - Discontinued
- 2 LFS201-JP クラス フォーラム
- 14 LFS203 Class Forum
- 102 LFS207 Class Forum
- 1 LFS207-DE-Klassenforum
- 1 LFS207-JP クラス フォーラム
- 301 LFS211 Class Forum
- 55 LFS216 Class Forum
- 48 LFS241 Class Forum
- 42 LFS242 Class Forum
- 37 LFS243 Class Forum
- 15 LFS244 Class Forum
- LFS245 Class Forum
- LFS246 Class Forum
- 50 LFS250 Class Forum
- 1 LFS250-JP クラス フォーラム
- LFS251 Class Forum
- 154 LFS253 Class Forum
- LFS254 Class Forum
- LFS255 Class Forum
- 5 LFS256 Class Forum
- 1 LFS257 Class Forum
- 1.3K LFS258 Class Forum
- 10 LFS258-JP クラス フォーラム
- 111 LFS260 Class Forum
- 159 LFS261 Class Forum
- 41 LFS262 Class Forum
- 82 LFS263 Class Forum - Discontinued
- 15 LFS264 Class Forum - Discontinued
- 11 LFS266 Class Forum - Discontinued
- 20 LFS267 Class Forum
- 24 LFS268 Class Forum
- 29 LFS269 Class Forum
- 1 LFS270 Class Forum
- 199 LFS272 Class Forum
- 1 LFS272-JP クラス フォーラム
- LFS274 Class Forum
- 3 LFS281 Class Forum
- 9 LFW111 Class Forum
- 260 LFW211 Class Forum
- 182 LFW212 Class Forum
- 13 SKF100 Class Forum
- 1 SKF200 Class Forum
- 1 SKF201 Class Forum
- 782 Hardware
- 198 Drivers
- 68 I/O Devices
- 37 Monitors
- 96 Multimedia
- 174 Networking
- 91 Printers & Scanners
- 83 Storage
- 743 Linux Distributions
- 80 Debian
- 67 Fedora
- 15 Linux Mint
- 13 Mageia
- 23 openSUSE
- 143 Red Hat Enterprise
- 31 Slackware
- 13 SUSE Enterprise
- 348 Ubuntu
- 461 Linux System Administration
- 39 Cloud Computing
- 70 Command Line/Scripting
- Github systems admin projects
- 90 Linux Security
- 77 Network Management
- 101 System Management
- 46 Web Management
- 64 Mobile Computing
- 17 Android
- 34 Development
- 1.2K New to Linux
- 1K Getting Started with Linux
- 371 Off Topic
- 114 Introductions
- 174 Small Talk
- 19 Study Material
- 507 Programming and Development
- 285 Kernel Development
- 204 Software Development
- 1.8K Software
- 211 Applications
- 180 Command Line
- 3 Compiling/Installing
- 405 Games
- 309 Installation
- 97 All In Program
- 97 All In Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)