DDoS-Deflate
DDoS-Deflate
is a couple of bash scripts, that is run every X minutes, analyze the total
number of connections to your server from every IP address using netstats
command and temporarily blacklist IPs, that have more than Y active connections
to your server at the moment, script runs. Blacklisting is done using either
iptables or APF whichever you have installed. Simple!
Installation
To install
ddos protection scripts just execute the following commands from console:
cd
/usr/local
mkdir
mytmp
wget
http://www.inetbase.com/scripts/ddos/install.sh
chmod
0700 install.sh
./install.sh
That’s all…
Configuration
To configure
DDOS-Deflate (that’s the name of this script) do the following:
cd
/usr/local/ddos
edit
ddos.conf
Last line
opens ddos.conf file in editor. You can use vi if you like. I chose edit
because I am a Windows user and Edit has an interface familiar to me.
Let’s
consider all available settings one by one:
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"
CRON="/etc/cron.d/ddos.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"
These above
are about various software locations. I recommend you leave them as is. They
should suite the majority of systems. BTW, if your system doesn’t have APF, it
is ok. Script can work with iptables also.
FREQ=1
This setting
affects how often (in minutes) you need to execute ddos protection script.
After changing this param, please execute command
ddos
–cron
to update
cron sheduler.
NO_OF_CONNECTIONS=150
This is the
maximum number of connections acceptable for your server. I recommend to set
this value to about 20-40 depending on your server.
BTW, don’t
repeat my mistake 
Should
you decide to use softwares, that open really many connections to your server,
like FileZilla FTP client (it spawns many FTP connections to upload your folder
ASAP), you will get blocked
Should
you decide to use softwares, that open really many connections to your server,
like FileZilla FTP client (it spawns many FTP connections to upload your folder
ASAP), you will get blocked
APF_BAN=1
If you have
AFP, then set this to 1. If you have not, script will use iptables. To check if
you have AFP or not, just execute command
afp
If you want
to use IPTables, don’t forget to start service by
service
iptables start
and to have
it autoloading at system startup by\
chkconfig
iptables on
KILL=1
If you just
testing your script, set this to 0. In this case, IPs will not get banned.
EMAIL_TO="root"
This email
address will have messages about blacklisted IPs. Leave it to root to
skip emailing.
BAN_PERIOD=600
Set this to
a number of seconds, for how long to block entruder. I recommend to set this to
1800-3600 (30-60 minutes).
You can also
add IPs to /usr/local/ddos/ignore.ip.list to whitelist them.
Uninstallation
You can
always uninstall DDoS-Deflate by executing
cd
/usr/local/mytmp
wget
http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod
0700 uninstall.ddos
./uninstall.ddos
That’s all!
No comments:
Post a Comment