yum install nano
wget http://www.inetbase.com/scripts/ddos/install.sh chmod 0700 install.sh ./install.sh
##### Paths of the script and other files PROGDIR="/usr/local/ddos" PROG="/usr/local/ddos/ddos.sh" IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list" CRON="/etc/cron.d/ddos.cron" APF="/etc/apf/apf" IPT="/sbin/iptables" ##### frequency in minutes for running the script ##### Caution: Every time this setting is changed, run the script with --cron ##### option so that the new frequency takes effect FREQ=1 ##### How many connections define a bad IP? Indicate that below. NO_OF_CONNECTIONS=150 ##### APF_BAN=1 (Make sure your APF version is atleast 0.96) ##### APF_BAN=0 (Uses iptables for banning ips instead of APF) APF_BAN=1 ##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script) ##### KILL=1 (Recommended setting) KILL=1 "/usr/local/ddos/ddos.conf" 30L, 971C
Media999 wrote: » Getting emails every few mins saying its banning IPs so hope it works. Site is accessible anyway.
ChRoMe wrote: » Is it probable for a large amount of users behind the same IP to access your site at the same time? I'm just curious how you came up with the number of 100 connections. You should be very careful about verifying you are stopping actual attacks and not random users.
Stuxnet wrote: » quite alarming that somebody is allowed run sudoer or root that doesn't know how to install a package or edit a file ?
Media999 wrote: » How did you learn without starting somewhere?
Media999 wrote: » I was monitoring netstat and no one went anywhere near 100 except the same ip which was DDOSing the site. All it does is ban the IP for 5 mins anyway so not a big deal if it accidentally bans a regular as they can just let me know but no complaints so far. Pretty certain its not a whole ISP.
ChRoMe wrote: » Its near guaranteed, you will have users coming from the same IP, at some stage, which will cause a false positive on the DDOS bans. Its going to be rare for users to contact you about it, I'd strongly suggest logging verbosely for a while and reviewing those logs.
srsly78 wrote: » If it's just a single ip then how is this a ddos?.
gctest50 wrote: » Spoofed source address ddos ?
/sbin/iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset
FruitLover wrote: » The point he's getting at is that the first 'D' in 'DDoS' stands for 'distributed'. If it's a single IP then it's not distributed, it's just a DoS attack, which is relatively easy to defeat. Distributed attacks are far more difficult to defend against.