Welcome to the Linux Foundation Forum!

Help me. My server is attacked DDoS

duynguyen
duynguyen Posts: 4
in Red Hat Enterprise

I want to write a Script, it use to ati DDoS but i'm a newbie i can't do it.

I have a log file http://www.mediafire.com/?yz2njlm0kzj . I want to read a DDos's IP address from log file, after that i want to add that IP to Firewall . I can do it by handicraft but i want a script, it can autorun every 5 min on my server.

Thank .

Comments

  • mfillpot
    mfillpot Posts: 2,177
    Distributed Denial of Service attacks are hard to subvert because they are meant to tie up your system with answering unnecessary requests and they are meant to flood your internet connection effectively limiting outside communications. Now depending on the protocol, port and service that is attacked you can modify your firewall to drop the packets which will lower the stress on your system but it won't help with your internet connection.

    Now by looking at your log it appears they these are not traditional DDOS attacks, it is only various systems trying to utilize your proxy server. The simplest way would be to find out the port used for your proxy and set the traffic to allow only your trusted ip addresses, then drop all other traffic on that port.

    I wrote a quick script below that will allow you to view the unique ip addresses from your log.
    cat Log_dos.txt|grep IP=|cut -d "=" -f 5|cut -d " " -f 1|sort|uniq
  • duynguyen
    duynguyen Posts: 4
    You wrote command, but it only have IP from log file. Can you help to add DDos's IP to iptable file for me ?
  • mfillpot
    mfillpot Posts: 2,177
    I did not include the command to add it the ip addresses to your block list for the following reasons:
    [ul][li]Some of the IP addresses may be valid, but only you should able able to asses that[/li]
    [li]The structure of your iptables firewall may be nonstandard[/li]
    [li]Hopefully you use a default deny all at the end of your firewall list and if that is the case newly appended rules will never be tested[/li]
    [li]I do not know the port and protocols used for the connections based off of the log file that you shared[/li][/ul]

    Your best bet for a clean firewall script would be to setup rules for that port that first alllow trusted IP addresses then deny all other requests for that service so that you don't have to focus on a per address basis to deny hosts.

    Now if you just want to blindly apply a rule for blocking all of those addresses on all ports and protocols (this is not recommended) then you can use this command. 
    for ADD in $(cat Log_dos.txt|grep IP=|cut -d "=" -f 5|cut -d " " -f 1|sort|uniq)
do iptables -A INPUT -p ALL -s $ADD -j DENY
done

    If you do not maintain an external list of all ip addresses that have been added to the deny list then this command will cause issues with duplicate rules for single ip addresses, additionally failure to use an external list will limit your ability to reinstate the rules if you system is restarted.
  • duynguyen
    duynguyen Posts: 4
    Thank you very much. I will try to work.
  • duynguyen
    duynguyen Posts: 4
    Hi mfillpot,
    This is my config for iptables



    ######## iptables_Firewall.sh cript
    #!/bin/sh
    IPTABLES=/sbin/iptables

    ######### Init values
    INTERNAL_INTERFACE="eth5"
    INTERNAL_ADDR="192.168.1.10"
    EXTERNAL_INTERFACE="eth4"
    EXTERNAL_ADDR="222.255.237.87"

    ######### Pre-config
    $IPTABLES -F FORWARD ## reset FORWARD chain
    $IPTABLES -F INPUT ## reset INPUT chain
    $IPTABLES -F OUTPUT ## reset OUTPUT chain
    $IPTABLES -P FORWARD DROP ## Default FORWARD chain is DROP
    $IPTABLES -P OUPUT ACCEPT ## Default OUTPUT chain is ACCEPT
    $IPTABLES -P INPUT DROP ## Default INPUT chain is DROP

    ######## Rules

    $IPTABLES -A INPUT -p icmp -j ACCEPT

    #$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p icmp -icmp-type echo-request -m limit --limit 5/s -j ACCEPT


    ## Drop all ips DOS
    $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 58.186.103.244 -d $EXTERNAL_ADDR -j DROP
    $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 222.255.77.119 -d $EXTERNAL_ADDR -j DROP
    $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 58.186.217.54 -d $EXTERNAL_ADDR -j DROP

    ## Permit these UDP ports

    $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 0/0 -d $EXTERNAL_ADDR -p udp --dport 5060 -m limit --limit 4/s -j ACCEPT
    $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 0/0 -d $EXTERNAL_ADDR -p udp --dport 5080 -m limit --limit 4/s -j ACCEPT
    $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 0/0 -d $EXTERNAL_ADDR -p udp --dport 53 -m limit --limit 4/s -j ACCEPT

    $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s 0/0 -d $EXTERNAL_ADDR -p udp -j ACCEPT


    ## Permit SSH
    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A INPUT -i lo -p all -j ACCEPT

    ## Internal interface : Permit all
    $IPTABLES -A INPUT -i $INTERNAL_INTERFACE -s 0/0 -p all -j ACCEPT



    Please help me include your script into it to anti DOS. Everytime this script is run, it will reset iptables.
    Pls note, in Log_dos.txt, ips dos are ips which request more than 5 times per second. Log_dos.txt is a part copy of /var/log/message . We will write a script to filter ips dos base on message file. This file is very large so we will use tail -n 500 /var/log/message instead of. Please help.

    Thank you very much.
  • mfillpot
    mfillpot Posts: 2,177
    Here are the recommended modifications.
    [ol]
    [li]Lines 15-17 are missing the -j flag.[/li]
    [li]OUPUT in line 16 should be OUTPUT[/li]
    [li]Put line 17 at the end of the script, your don't want the packets to be dropped until they are evaluated[/li]
    [li]You don't want to mindlessly accept all icmp packets, you want to drop specific ones to resist DOS attacks via icmp, replace line 21 with the following lines. 
    # Allow pings 4 per minute to block ping DOS attacks
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/m -j ACCEPT

# Allow all echo replies including destination unreachable and time exceeded
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

# Block all other icmp traffic
$IPTABLES -A INPUT -p icmp -j DROP
    [/li]
    [li]Place the following after line 21: 
    # Allow all response traffic
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    [/li]
    Make the following in line 30 to enable the blocking of the specified addresses: 
    for ADD in $(tail -n 500 /var/log/message|grep IP=|cut -d "=" -f 5|cut -d " " -f 1|sort|uniq)
do $IPTABLES -A INPUT -p ALL -s $ADD -j DENY
done
    [/ol]

    There can be other recommendations such as making the script modular and adding specific chains per packet type to reduce the amount of rules a packet must pass through. But with the following recommendations the firewall script should do what you want including blocking the addresses that are found with the evaluation of the for script that I gave you, however you may want to modify the script to grab only the info that was displayed in the original log file that you produced.

Categories

Upcoming Training