How to block DDOS attacks in Linux

Sukrit Dhandhania, April 13, 2009

Linux Security

We ran the article How to block an IP address in IPTables in Linux a few days ago. That article showed you how to find an attacker's IP address in the event of a Denial of Service (or DOS) attack.

To do this we will use a free piece of software called psad. psad works in conjunction with iptables logging and monitors for port scans and other suspicious traffic, which is usually a sign of someone trying to break into your Linux server.

To begin, install psad. If you run a flavor of Linux with a fancy package management system like Ubuntu or Fedora, you should be able to get psad onto your system using one of the following commands:

# sudo apt-get install psad

# yum install psad

If that does not work for you, head to the psad download page and download the format that works for you.

Since I use an Ubuntu Linux server, the rest of this guide will be Ubuntu specific. However, with some minor tweaks you should be able to make it work on other flavors of Linux. Open the syslog.conf file in your favorite text editor:

# vi /etc/syslog.conf

Add the following line at the end of the file:

kern.info |/var/lib/psad/psadfifo

You can accomplish the same thing with the following command:

# echo -e 'kern.info \t|/var/lib/psad/psadfifo' >> /etc/syslog.conf

Now restart the sysklogd and klogd daemons:

/etc/init.d/sysklogd restart
/etc/init.d/klogd restart

The way psad works is that it detects suspicious IPs and instructs iptables to block them. Sometimes this may result in the IP address you are using getting blocked. To overcome this problem you should create a file containing a list of safe IP addresses. Create a file like this one:

# vi /home/calvin/safeiplist.cfg

Enter the IP addresses you want psad to whitelist (one address or network per line, with no space before the prefix length):

127.0.0.0/24
192.168.0.0/24
122.164.34.240

Now use a script like the one that follows to configure iptables with the necessary rules. Note: this script will remove all previous rules from your iptables setup. Copy and paste the following script onto your Linux server, and replace the variables WORKDIR and SAFEIPLIST with the correct settings for your setup.

#!/bin/sh
# Directory holding the safe IP list, and the rate-limit parameters
WORKDIR="/home/calvin/"
INTERVAL="5"
HITCOUNT="5"
SAFEIPLIST="safeiplist.cfg"

cd "$WORKDIR" || exit 1

# Flush all existing rules in the filter table
iptables -F

# Accept everything from the whitelisted addresses (comment lines are skipped)
if [ -f "$SAFEIPLIST" ]; then
    IPS=$(grep -Ev "^#" "$SAFEIPLIST")
    for i in $IPS
    do
        iptables -A INPUT -s "$i" -j ACCEPT
    done
fi

# Record the source of every new connection, and log any source that opens
# HITCOUNT or more new connections within INTERVAL seconds
iptables -A INPUT -m state --state NEW -m recent --set
iptables -A INPUT -m state --state NEW -m recent --update --seconds "$INTERVAL" --hitcount "$HITCOUNT" -j LOG

What the script does is log an IP address if it makes five or more connection attempts in the span of five seconds. I would suggest you use the script as is unless you know what you are doing while modifying it. Once you are done, give it executable permissions and run it.

# chmod +x /home/calvin/ipblock.sh

# /home/calvin/ipblock.sh
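An added dry-run builder for the rules above (example code, not the article's script or anything shipped with psad): it validates each whitelist entry before it would reach iptables -s, rejecting anything that is not an IPv4 address or CIDR prefix, and prints the commands instead of running them so they can be reviewed first. The sample list and the function names normalize_entry, generate_rules and write_sample_list are constructed for this example.

```shell
#!/bin/sh
# Normalise one whitelist entry: drop '#' comments and blank lines, strip
# whitespace (a list entry such as "127.0.0.0 /24" word-splits in the
# article's for loop and hands "/24" to iptables -s). Prints nothing for
# unusable entries.
normalize_entry() {
    entry=$(printf '%s' "$1" | sed 's/#.*//; s/[[:space:]]//g')
    [ -n "$entry" ] || return 0
    # Accept a dotted-quad IPv4 address with an optional /0-32 prefix only.
    if printf '%s\n' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'; then
        printf '%s\n' "$entry"
    else
        printf 'skipping malformed entry: %s\n' "$1" >&2
    fi
}

# Print (do not run) the rules the article's script would apply.
# $1 = safe IP list, $2 = window in seconds, $3 = new connections per window.
generate_rules() {
    list="$1"; interval="${2:-5}"; hitcount="${3:-5}"
    echo "iptables -F"
    if [ -f "$list" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            ip=$(normalize_entry "$line")
            if [ -n "$ip" ]; then
                echo "iptables -A INPUT -s $ip -j ACCEPT"
            fi
        done < "$list"
    fi
    # --set records each new connection's source; --update refreshes that
    # entry and matches once hitcount hits fall inside the seconds window.
    echo "iptables -A INPUT -m state --state NEW -m recent --set"
    echo "iptables -A INPUT -m state --state NEW -m recent --update --seconds $interval --hitcount $hitcount -j LOG"
}

# Constructed sample list in the article's format, including a malformed
# entry, an inline comment and a non-address line.
SAMPLE_LIST='# safe addresses
127.0.0.0 /24
192.168.0.0/24   # office LAN
122.164.34.240
not-an-address
'
write_sample_list() {
    printf '%s' "$SAMPLE_LIST" > "$1"
}

# Dry run: review the generated commands before applying them.
tmp=$(mktemp) && write_sample_list "$tmp" && generate_rules "$tmp" 5 5 && rm -f "$tmp"
```

Pipe the output into sh only once the printed rules look right; the malformed entries are reported on stderr and left out.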

Now back to psad. Open the psad configuration file and edit it. These are the changes I suggest you make. Feel free to go through the psad documentation and make other changes:

EMAIL_ADDRESSES you@yourdomain.com;

Set machine’s hostname:

HOSTNAME yourdomain.com;

If you have only one network interface on this server, set HOME_NET to:

HOME_NET NOT_USED;

You may also need to adjust the danger levels for psad, and define a set of ports to ignore. For example, to have psad ignore UDP ports 80 and 8080, make the following change:

IGNORE_PORTS udp/80, udp/8080;

Save and close the file. Then restart psad:

# /etc/init.d/psad restart

You are now good to go. To monitor psad’s reports run the following command:

# psad -S

To remove automatically blocked IPs run the following command:

# psad -F

psad is a very versatile and powerful tool. If you know how to use it, it can do wonders for you, but if you don't, you can really mess up your computer. So please use psad with caution.
