最近有几个客户遭受到轻量级DDOS攻击。DDOS即分布式拒绝服务,实现原理大体是这样:攻击者利用大量主机同时伪造未知的源IP,批量访问被攻击主机的端口,消耗被攻击者的带宽资源和主机资源,从而影响主机正常提供服务。
DDOS大体分为以下几种:
1 SYN 常规攻击:主要是用大量伪造的未知源IP向主机发起连接。主机按照TCP/IP正常的三次握手流程向源地址返回SYN/ACK确认,但源地址不可达,主机只能等到timeout为止;大量的未知源地址在timeout结束前持续占用资源,最后拖垮主机。
2 SYN 非常规攻击:主要是发送大量来源未知、长度大于64bit的SYN报文(1000bit以上),其他方面和常规SYN攻击差不多。由于SYN报文超过64bit,可能造成防火墙处理SYN时字节溢出,导致防火墙锁定,并迅速吃掉主机资源。
3 针对web服务器的攻击,以及针对服务器特定端口的攻击,基本原理都差不多。
下面是一个小小的iptables脚本,里面用到了网络上知名的ddos脚本,我在此基础上添加了一些通用的iptables配置。贴出来供大家参考,希望大家批评指导。
#!/bin/bash
# By Nick.Ma
# Date:20110831
# The program for limit account connect.
############### Global Config ##################
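IPT=/sbin/iptables
IPT_LOG=/var/log/iptables
############### Service Ports ##################
WEB_PORT1="80"
WEB_PORT2="443"
#SSH_PORT="22"
# Port sshd is listening on, taken from the listening-socket table.  The
# local-address column is split on ':' and the LAST field kept, so both
# "0.0.0.0:22" and ":::22" yield "22"; the v4/v6 duplicates are collapsed and
# a single port is kept (the original could produce several lines, which
# breaks the `--dport` argument built from it).  Falls back to 22 when
# nothing is found (netstat absent, sshd not running) so the SSH ACCEPT rule
# in ipt_pub_conf never gets an empty port.
SSH_PORT="$(netstat -tnlp 2>/dev/null | awk '/sshd/{ print $4 }' | awk -F ":" '{ print $NF }' | sort -u | head -n 1)"
SSH_PORT="${SSH_PORT:-22}"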
#######################################
# Print the banner and the copyright notice, then block until the user
# presses Enter.  Output only; no globals are read or written.
# Returns: the status of the final `read` (non-zero when stdin hits EOF).
#######################################
function copyright () {
clear
echo -e "\t\t\t\t\t\t ____ _ _ ____ _ "
echo -e "\t\t\t\t\t\t / ___| |__ (_)_ __ __ _ / ___|__ _ ___| |__ ___ "
echo -e "\t\t\t\t\t\t | | | '_ \| | '_ \ / _/ | | | / _ |/ __| '_ \ / _ \\"
echo -e "\t\t\t\t\t\t | |___| | | | | | | | (_| | | |__| (_| | (__| | | | __/ "
echo -e "\t\t\t\t\t\t \____|_| |_|_|_| |_|\__,_| \____\__,_|\___|_| |_|\___| "
echo -e "\t\t\t\t\t\t\t\t\t\t\tSofeware Firewall 1.0\n"
echo ""
echo -e "\t\t\t\t############################################### Copyright ############################################\n"
# The program for information with ChinaCacheCloud system .
echo -e "\t\t\t\t\tCopyright Clarify\n\n\t\t\t\t\tAll copyrights reserved by ChinaCache.INC.China.\n\n\t\t\t\t\tAny copying, transferring or any other usage is prohibited.\n\n\t\t\t\t\tOr else, ChinaCache possesses the right to require legal responsibilities from the violator.\n\n\t\t\t\t\tCopy Right @ 1998-2011 By ChinaCache.INC.China. Copyright\n\n"
echo -e "\t\t\t\t############################################### Copyright ############################################\n"
echo -e "ChinaCacheCloud system called cname is \"C3\"."
echo -e "The host conncet C3 master succeed!"
echo -e "Now, You will go Web page and choose packages to auto installed. "
echo -e "If you want change config ,Please calling Administrator to Cloud.BU.ChinacCache."
echo -e "Thank you ."
# Prompt only: the typed line lands in REPLY and is never used.
read -p "Press any key to continue ....."
}
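copyright
############### Start Config ###################
# iptables needs root.  The original tested `$?` here, which only holds the
# status of copyright's final `read` and says nothing about privilege (and its
# quoting printed /"root/" literally).  Check the effective uid and stop:
# every iptables call below would fail anyway.
if [ "$(id -u)" -ne 0 ]; then
  echo "Sorry. Please login with administrator \"root\"" >&2
  exit 1
fi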
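#######################################
# Make sure the iptables binary is available.  When it is missing, offer to
# install it with yum or apt-get (whichever exists), then stop (and on yum
# systems disable) the distro's iptables init service so the rules written
# by this script are the only ones applied.
# Globals:   none
# Arguments: none (interactive: reads a yes/no answer from stdin)
# Returns:   0 when iptables is present or was installed; exits 1 when the
#            user declines the installation
#######################################
function ipt_chk () {
  local answer
  if command -v iptables >/dev/null 2>&1; then
    return 0
  fi
  echo -e "No have iptables on the system. Please install iptables package."
  read -r -p "Your need install iptables package.Please enter \"yes\" : " answer
  # The original test was `[ $yes != "yes"]`: a missing space (syntax error)
  # and an inverted condition, so answering "yes" aborted while anything
  # else ran the installer.
  if [ "$answer" != "yes" ]; then
    echo -e "Enter error.exit."
    exit 1
  fi
  if command -v yum >/dev/null 2>&1; then
    yum -y install iptables
    /etc/init.d/iptables stop
    chkconfig iptables off
  else
    apt-get install -y iptables
    /etc/init.d/iptables stop
  fi
}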
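#######################################
# List the netfilter modules shipped for the running kernel (file names
# starting with "ipt") and load ipt_connlimit, which the `-m connlimit`
# rule in tcp_conf depends on.  Module files are located with find under
# /lib/modules/$(uname -r) instead of `modprobe -l` (dropped by kmod) plus a
# hard-coded awk field number.
# Globals:   none
# Outputs:   module names to stdout; a warning to stderr if the load fails
# Returns:   0
#######################################
function ipt_mod_chk () {
  local mod_path mod
  echo "Iptables modules check..........................."
  echo "======== IPTABLES MOD LIST ========"
  while IFS= read -r mod_path; do
    mod=${mod_path##*/}      # drop the directory
    mod=${mod%%.*}           # drop .ko / .ko.xz / .ko.gz
    echo -e "\t $mod"
  done < <(find "/lib/modules/$(uname -r)" -type f -name 'ipt*' 2>/dev/null)
  # Load once, after the listing (the original ran modprobe inside the loop,
  # once per listed module).
  if command -v modprobe >/dev/null 2>&1; then
    modprobe ipt_connlimit 2>/dev/null ||
      printf 'warning: could not load ipt_connlimit; the connlimit rule in tcp_conf will fail\n' >&2
  fi
  return 0
}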
#######################################
# Placeholder: blocks on one line of stdin (stored in REPLY) and discards
# it.  Nothing else is implemented and nothing in this file calls it.
#######################################
function ipt_file () {
read -p ""
}
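#######################################
# Reset netfilter to a clean, fully open state before rules are (re)applied,
# and optionally enable IPv4 forwarding.
# The forwarding question is asked BEFORE the flush: from the flush until
# ipt_pub_conf sets `-P INPUT DROP` the host accepts everything, and that
# window must not be held open waiting on the keyboard.
# Globals:   IPT (read), FORWARD (written)
# Arguments: none (interactive: reads a yes/no answer from stdin)
# Returns:   0
#######################################
function ipt_init () {
  local chain
  # IP_FORWARD
  echo "Please choose forward option [yes/no]"
  read -r -p "IF the host forward connects that you must enter \"yes\" : " FORWARD
  for chain in INPUT OUTPUT FORWARD; do
    "$IPT" -P "$chain" ACCEPT
  done
  # Flush, delete user chains and zero counters in both tables.  The
  # original ran `-X` twice on the filter table and never on nat.
  "$IPT" -F && "$IPT" -X && "$IPT" -Z &&
    "$IPT" -t nat -F && "$IPT" -t nat -X && "$IPT" -t nat -Z
  if [ "$FORWARD" = "yes" ]; then
    # Fixed sysctl path instead of `find /proc/ -name ip_forward`, which
    # walked all of /proc and could yield zero or several paths.
    printf '1\n' > /proc/sys/net/ipv4/ip_forward
  fi
}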
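# ICMP limit connect for "ICMP DDOS"
#######################################
# Rate-limit inbound echo-request (ping) and drop the excess, logging the
# drops at a bounded rate.  The original placed an unlimited LOG rule before
# the limit rule, so a ping flood would also flood the kernel log.
# Globals:   IPT (read)
# Arguments: none (interactive: reads a yes/no answer from stdin)
# Returns:   0
#######################################
function icmp_conf () {
  local answer
  read -r -p "Do you want to startup ICMP Limit switch, \"ICMP DDOS\" Please enter \"yes\" :" answer
  if [ "$answer" = "yes" ]; then
    # 1) accept a trickle of pings
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/m --limit-burst 3 -j ACCEPT
    # 2) log what exceeds it -- itself rate-limited so the log cannot be flooded
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/m --limit-burst 3 -j LOG --log-level "NOTICE" --log-prefix "[ ICMP: ]"
    # 3) drop the rest (type 8 == echo-request)
    "$IPT" -A INPUT -p icmp --icmp-type 8 -j DROP
  fi
}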
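# TCP limit connect for "TCP DDOS/SYN/CC"
#######################################
# Protect one TCP service port against SYN floods and connection hogging.
# Rules appended to INPUT, in this order:
#   1. per-source cap: DROP new connections once one address holds more than
#      conn_ip_value (the original jumped to ACCEPT here, which made the cap
#      a no-op);
#   2. global SYN rate: ACCEPT up to min/minute with a burst of max;
#   3. LOG the excess, rate-limited so a flood cannot fill the log;
#   4. DROP the excess explicitly (the commented-out intent of the original;
#      it also matches the INPUT DROP policy set by ipt_pub_conf).
# The blanket `--dport $port -j ACCEPT` that ipt_pub_conf added for a
# listening port is deleted first -- by rule specification, not by grepping
# rule numbers, which matched "80" inside "8080" and inside addresses --
# otherwise the limit rules are never reached.
# Globals:   IPT (read)
# Arguments: none (interactive: service name, port, min/minute, burst and
#            per-source limit are read from stdin)
# Returns:   0; 1 when a numeric answer is not a plain decimal number
#######################################
function tcp_conf () {
  local answer sername port min max conn_ip_value v
  read -r -p "Do you want to startup TCP limit switch. remission\"TCP DDOS/SYN/CC\" Please enter \"yes\" : " answer
  if [ "$answer" != "yes" ]; then
    echo "exit."
    return 0
  fi
  echo "Wath is service ports on the system with you limit and monitor."
  read -r -p "Please enter service name : " sername
  read -r -p "Please enter service port : " port #port2 port3
  read -r -p "Please write value for service min connect number/minute." min #min2 min3
  read -r -p "Please write value for service max connect number." max
  # Limit one IP sub connects value .
  echo -e "Limit one IP sub connects value. ***** offer conversion users max value. "
  read -r -p "Please enter value : " conn_ip_value
  # Every answer is spliced into an iptables command line: accept digits only.
  for v in "$port" "$min" "$max" "$conn_ip_value"; do
    case "$v" in
      ''|*[!0-9]*)
        printf 'tcp_conf: "%s" is not a number, no rules added\n' "$v" >&2
        return 1
        ;;
    esac
  done
  # Remove the blanket ACCEPT for this port (every copy, if there are several).
  while "$IPT" -D INPUT -p tcp --dport "$port" -j ACCEPT 2>/dev/null; do :; done
  "$IPT" -A INPUT -p tcp --syn --dport "$port" -m connlimit --connlimit-above "$conn_ip_value" -j DROP
  "$IPT" -A INPUT -p tcp --syn --dport "$port" -m limit --limit "$min/m" --limit-burst "$max" -j ACCEPT
  "$IPT" -A INPUT -p tcp --syn --dport "$port" -m limit --limit 1/m --limit-burst 5 -j LOG --log-level "NOTICE" --log-prefix "[ $sername: ]"
  "$IPT" -A INPUT -p tcp --syn --dport "$port" -j DROP
}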
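#######################################
# Hand off to the external ddos.sh helper (path overridable through DDOS_SH)
# with its -c option.  The helper runs with this script's root privileges, so
# refuse when it is not a regular file instead of chmod-ing and executing
# whatever is -- or is not -- at that path.
# Globals:   DDOS_SH (read, optional; default /usr/local/ddos/ddos.sh)
# Returns:   1 when the helper is missing; otherwise the helper's exit status
#######################################
function ddos_conf () {
  local script=${DDOS_SH:-/usr/local/ddos/ddos.sh}
  if [ ! -f "$script" ]; then
    printf 'ddos_conf: %s not found, skipping\n' "$script" >&2
    return 1
  fi
  chmod +x -- "$script"
  "$script" -c
}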
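#######################################
# Route the kern.notice messages produced by the LOG rules into IPT_LOG by
# appending a selector line to the syslog configuration and restarting the
# daemon.  Classic syslog (/etc/syslog.conf) is tried first, then rsyslog's
# 50-default.conf, then a path typed by the user.  The line is appended only
# when no active (uncommented) entry for IPT_LOG exists: the original
# appended only when an entry was present AND commented out, so a fresh
# config never got one, and the rsyslog branch appended on every run.
# Globals:   IPT_LOG (read)
# Arguments: none (may prompt for a config path)
# Returns:   status of the daemon restart; 0 when nothing had to change
#######################################
function ipt_log () {
  local logfile daemon
  if [ -f /etc/syslog.conf ]; then
    logfile=/etc/syslog.conf
    daemon=syslog
  elif [ -f /etc/rsyslog.d/50-default.conf ]; then
    logfile=/etc/rsyslog.d/50-default.conf
    daemon=rsyslog
  else
    echo -e "Sorry ! No found \"syslog.conf\" file.\nPlease call me \"syslog.conf or logfile path\"\n"
    read -r -p "Please enter logfile path:[example:/etc/syslog.conf] : " logfile
    daemon=rsyslog
  fi
  # An active entry already points at IPT_LOG: nothing to do.
  if grep -q "^[^#].*${IPT_LOG}\$" "$logfile" 2>/dev/null; then
    return 0
  fi
  echo -e "# iptables log file.\nkern.notice\t\t\t\t$IPT_LOG\n" >> "$logfile"
  "/etc/init.d/$daemon" restart
}

# Print, one per line, the distinct numeric ports in LISTEN state for the
# given netstat protocol flag ("t" for TCP, "u" for UDP).  The local-address
# column is split on ':' and the LAST field kept, so IPv6 listeners (":::80")
# yield a port as well; header words and anything non-numeric are dropped.
_listening_ports() {
  netstat -"$1"pnl 2>/dev/null | awk '{ print $4 }' | awk -F ":" '{ print $NF }' | grep -E '^[0-9]+$' | sort -u
}

#######################################
# Base ruleset: show the listening sockets, reset netfilter (ipt_init), then
# allow loopback, established/related traffic, SSH on SSH_PORT, DNS, and
# every TCP/UDP port currently in LISTEN state; finally set the INPUT policy
# to DROP.  This is the "limit present service ports" level of ipt_level:
# only ports that are already listening get through.  The blanket ACCEPT per
# listening port is what tcp_conf later deletes for the port it rate-limits.
# Globals:   IPT, SSH_PORT (read)
# Returns:   status of the final policy change
#######################################
function ipt_pub_conf () {
  local port
  echo -e "Proto Recv-Q Send-Q L_Address Port F_Address State PID/Program name "
  netstat -tnlpu 2>/dev/null | grep -E "^tcp|^udp"
  ipt_init
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Never emit `--dport` with an empty value: iptables rejects the rule and
  # the policy flip below would then lock SSH out.
  if [ -n "$SSH_PORT" ]; then
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
  else
    printf 'ipt_pub_conf: SSH_PORT is empty, no SSH rule added\n' >&2
  fi
  "$IPT" -A INPUT -p tcp --dport 53 -j ACCEPT
  "$IPT" -A INPUT -p udp --dport 53 -j ACCEPT
  # TCP port chain
  for port in $(_listening_ports t); do
    "$IPT" -A INPUT -p tcp --dport "$port" -j ACCEPT
  done
  # UDP port chain
  for port in $(_listening_ports u); do
    "$IPT" -A INPUT -p udp --dport "$port" -j ACCEPT
  done
  "$IPT" -P INPUT DROP
}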
#######################################
# "Common" firewall level: the base ruleset, then the ICMP limiter.
# Globals:   none directly (the steps read IPT)
# Returns:   status of the last step (icmp_conf)
#######################################
function ipt_comm_conf () {
  local step
  for step in ipt_pub_conf icmp_conf; do
    "$step"
  done
}
#######################################
# "Advan" firewall level: syslog routing for the LOG rules, the base
# ruleset, the ICMP limiter, the TCP limiter and the external ddos helper,
# in that order.
# Globals:   none directly (the steps read IPT, IPT_LOG, SSH_PORT)
# Returns:   status of the last step (ddos_conf)
#######################################
function ipt_advan_conf () {
  local step
  for step in ipt_log ipt_pub_conf icmp_conf tcp_conf ddos_conf; do
    "$step"
  done
}
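#######################################
# Interactive menu: pick one of three firewall levels and run it.
# Globals:   none directly
# Arguments: none (reads the choice from stdin)
# Returns:   status of the chosen level; 1 on an unrecognised choice, so a
#            caller can tell that NO firewall was configured (the original
#            returned 0 after printing the error)
#######################################
function ipt_level () {
  local num
  local finish="Firewall installed finish. Please enter command \"iptables -L -n \" view firewall status."
  echo -e "++++++++++++++++++++++++++ Firewal Level +++++++++++++++++++++++++++\n\t1 Simple Firewall (limit present service ports.)\n\t2 Common Firewall (limit present servie ports and writen log.)\n\t3 Advan Firewall. (limit ports and writen access log\n\t\t\t LOG Level:info notice warm high ) "
  read -r -p "If you want to simple config with service.Please choose [ 1 2 3 ] :" num
  case "$num" in
    1 )
      echo -e "Simple firewall configure ....." && sleep 2
      ipt_pub_conf && echo -e "$finish"
      ;;
    2 )
      echo -e "Simple firewall configure ....." && sleep 3
      ipt_comm_conf && echo -e "$finish"
      ;;
    3 )
      echo -e "Simple firewall configure ....." && sleep 4
      ipt_advan_conf && echo -e "$finish"
      ;;
    * )
      echo -e "Sorry ! Enter erorr .Please running the program again.\n"
      return 1
      ;;
  esac
}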
#######################################
# Entry point: verify iptables is installed, list/load the netfilter
# modules, then show the level menu.  The script's exit status is that of
# ipt_level.
#######################################
main() {
  ipt_chk
  ipt_mod_chk
  ipt_level
}
main "$@"