(D)DoS-Deflate, an anti-DDoS tool for Linux
DDoS-Deflate is simple to install; the detailed installation and configuration steps follow.
1. Install DDoS-Deflate
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
// The installer shows the copyright notice; press q in the SSH session to dismiss it.
2. Configure DDoS-Deflate
After a successful install the script prints "Config file is at /usr/local/ddos/ddos.conf", so the basic settings are made in ddos.conf.
# vim /usr/local/ddos/ddos.conf
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"
// Whitelist: addresses listed here (one per line) are never banned.
CRON="/etc/cron.d/ddos.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1
// How often ddos.sh runs, in minutes, driven by cron. After changing it, run /usr/local/ddos/ddos.sh --cron so the cron entry is rewritten.

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150
// An IP whose connection count reaches 150 is blacklisted. To see the current counts, run:
//   netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
// Tune this to your traffic: clients behind one NAT gateway or proxy share a source address and are counted together.

##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=0
// Most servers use iptables directly rather than APF, so set APF_BAN to 0.

##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1
// Offending IPs are added to the iptables INPUT chain with a DROP rule. KILL=0 only reports, which is useful for a dry run before enabling bans.

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"
// Mail root on every ban.

##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600
// How long, in seconds, a banned IP stays blacklisted before its rule is removed.
3. Uninstall DDoS-Deflate, if you no longer want it
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos
If you keep receiving mail notifications like the following:
Banned the following ip addresses on Tue Aug 5 01:32:01 BST 2008
1120 with 1120 connections
look at line 117 of /usr/local/ddos/ddos.sh:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST
and change it to the following, which keeps only lines that contain a digit:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sed -n '/[0-9]/p' | sort | uniq -c | sort -nr > $BAD_IP_LIST
Addendum:
The original script does not extract IP addresses precisely; the pipeline can be patched as follows.
Symptom at run time (note the entries that are not IP addresses):
1 66.249.73.65
1 Address
1 servers)
4 180.153.240.69
Edit /usr/local/ddos/ddos.sh, find
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST
comment it out, and replace it with
netstat -ntu | awk '{print $5}' | egrep -o "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort | uniq -c | sort -nr > $BAD_IP_LIST
The "Address" and "servers)" entries are the two header lines netstat prints; cut -d: -f1 only strips the port, so they pass straight through into the ban list. egrep -o keeps only tokens that look like a dotted-quad address. The dots in the pattern are escaped here; the version that circulates online leaves them bare, where "." matches any character.
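The following is an added example, not code from the article or from (D)DoS-Deflate. It reproduces the per-IP connection count that ddos.sh derives from netstat -ntu, runs the original and the corrected pipeline side by side on constructed netstat output (including IPv4-mapped IPv6 peers, a case the article does not cover), and then applies the NO_OF_CONNECTIONS threshold and the ignore.ip.list whitelist from the configuration section above the way the script does. The sample netstat output, the threshold of 2 and the whitelist file are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of (D)DoS-Deflate. Rebuilds the per-IP connection
# count that ddos.sh derives from `netstat -ntu`, shows why the original
# pipeline leaks non-IP entries, and applies NO_OF_CONNECTIONS plus
# ignore.ip.list the way the script does. The input below is constructed.

SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.10:51000      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51001      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51002      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.7:40000      ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:192.0.2.9:6000   ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:192.0.2.9:6001   ESTABLISHED
udp        0      0 10.0.0.5:53             203.0.113.10:9999'

# Original ddos.sh pipeline (the line the article tells you to patch).
# Reads netstat output on stdin. The two header lines survive as
# "servers)" and "Address", and IPv4-mapped IPv6 peers (::ffff:a.b.c.d)
# collapse to an empty field because cut stops at the first colon.
count_original() {
    awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
}

# Corrected pipeline: keep only dotted-quad tokens. The dots are escaped
# so "." cannot match an arbitrary character; grep -E is the same as egrep.
count_fixed() {
    awk '{print $5}' \
        | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \
        | sort | uniq -c | sort -nr
}

# Apply the threshold ($1 = NO_OF_CONNECTIONS) and the whitelist
# ($2 = path of ignore.ip.list, one address per line). Prints
# "<count> <ip>" for every peer ddos.sh would hand to iptables.
bad_ips() {
    count_fixed | awk -v limit="$1" -v ignorefile="$2" '
        BEGIN {
            while ((getline line < ignorefile) > 0)
                if (line != "") skip[line] = 1
        }
        $1 + 0 >= limit + 0 && !($2 in skip) { print $1, $2 }'
}

# Demo run on the constructed sample. A threshold of 2 is used so the
# small sample trips it; production values are in the hundreds.
ignore_list=$(mktemp)
echo 198.51.100.7 > "$ignore_list"          # whitelist the admin host
echo "--- original pipeline (note the non-IP entries)"
printf '%s\n' "$SAMPLE_NETSTAT" | count_original
echo "--- fixed pipeline"
printf '%s\n' "$SAMPLE_NETSTAT" | count_fixed
echo "--- peers at or above 2 connections, whitelist applied"
printf '%s\n' "$SAMPLE_NETSTAT" | bad_ips 2 "$ignore_list"
rm -f "$ignore_list"
```

Pipe real output into the functions (netstat -ntu | count_fixed) to see the same counts the script works from; the whitelist is applied before the threshold, so a listed address is never reported however many connections it holds.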
On Ubuntu and similar systems, running the script gives
root@yy008:~# /usr/local/ddos/ddos.sh
[: 84: /usr/local/ddos/ddos.conf: unexpected operator
DDoS-Deflate version 0.6
Copyright (C) 2005, Zaf <zaf@vsnl.com>
$CONF not found.
The fix is to replace the first line of the file,
#!/bin/sh
with
#!/bin/bash
after which it runs normally. On Ubuntu /bin/sh is dash, which rejects the bash-only test operator ddos.sh uses on line 84; the config-file check therefore fails and the script reports $CONF not found.
Running
/usr/local/ddos/ddos.sh --cron
may also print
crond: unrecognized service
crond: unrecognized service
Fix: edit /usr/local/ddos/ddos.sh, find
crond
and change it to
cron
since the cron service on Debian and Ubuntu is named cron, not crond. The output is then:
/usr/local/ddos/ddos.sh --cron
cron stop/waiting
cron start/running, process 3396
cron stop/waiting
cron start/running, process 3408
To verify the schedule, look at the file the script wrote (the CRON path from ddos.conf):
cat /etc/cron.d/ddos.cron
Note that crontab -l only lists the current user's own crontab and does not show jobs installed under /etc/cron.d.