【就业班作业】【第十周】解决DOS攻击生产案例:根据web日志或者或者网络连接数,监控当某个IP 并发连接数或者短时内PV达到100,即调用防火墙命令封掉对应的IP,监控频率每隔5分钟。

解决DOS攻击生产案例:根据web日志或者或者网络连接数,监控当某个IP 并发连接数或者短时内PV达到100,即调用防火墙命令封掉对应的IP,监控频率每隔5分钟。

防火墙命令为:iptables -A INPUT -s IP -j REJECT

测试脚本如下:

[root@localhost data]# ll checkddos.sh
-rwxr--r-- 1 root root 270 Oct 14 14:55 checkddos.sh
[root@localhost data]# cat checkddos.sh
#!/bin/bash
#
/usr/sbin/ss -tn | awk -F " +|:" '/ESTAB/{ip[$(NF-2)]++}END{for(i in ip)if(ip[i]>10) print i}' > /data/ddosip.txt
while read IP;do
     /usr/sbin/iptables -A INPUT -s $IP -j REJECT
     echo "The  $IP reject" >> /data/checkddos.txt
done < /data/ddosip.txt
[root@localhost data]# ll
total 40
-rwxr--r--  1 root root  270 Oct 14 14:55 checkddos.sh
[root@localhost data]# 
[root@localhost data]# ss -tn
State       Recv-Q Send-Q   Local Address:Port                  Peer Address:Port              
ESTAB       0      0         192.168.0.14:22          192.168.0.17:48219              
ESTAB       0      0         192.168.0.14:22           192.168.0.4:14687              
ESTAB       0      0         192.168.0.14:22           192.168.0.4:1198               
ESTAB       0      0         192.168.0.14:22           192.168.0.4:1199               
ESTAB       0      0         192.168.0.14:22           192.168.0.4:1202               
ESTAB       0      0         192.168.0.14:22          192.168.0.17:48217              
ESTAB       0      0         192.168.0.14:22           192.168.0.4:14698              
ESTAB       0      0         192.168.0.14:22           192.168.0.4:1999               
ESTAB       0      280       192.168.0.14:22           192.168.0.4:1200               
ESTAB       0      0         192.168.0.14:22           192.168.0.4:14695              
ESTAB       0      0         192.168.0.14:22           192.168.0.4:6814               
ESTAB       0      0         192.168.0.14:22           192.168.0.4:14690              
ESTAB       0      0         192.168.0.14:22          192.168.0.17:48216              
ESTAB       0      0         192.168.0.14:22           192.168.0.4:1201               
ESTAB       0      0         192.168.0.14:22           192.168.0.4:14981              
ESTAB       0      0         192.168.0.14:22           192.168.0.4:14977              
ESTAB       0      0         192.168.0.14:22           192.168.0.4:14979              
ESTAB       0      0         192.168.0.14:22           192.168.0.4:14976              
ESTAB       0      0         192.168.0.14:22           192.168.0.4:14983              
ESTAB       0      0         192.168.0.14:22           192.168.0.4:1203               
ESTAB       0      0         192.168.0.14:22           192.168.0.4:14980              
ESTAB       0      312       192.168.0.14:22           192.168.0.4:1726               
ESTAB       0      0         192.168.0.14:22           192.168.0.4:1204               
ESTAB       0      0         192.168.0.14:22           192.168.0.4:1197               
ESTAB       0      0         192.168.0.14:22           192.168.0.4:14684              
ESTAB       0      0         192.168.0.14:22          192.168.0.17:48218              
ESTAB       0      0         192.168.0.14:22           192.168.0.4:14982              
ESTAB       0      0         192.168.0.14:22           192.168.0.4:14683              
ESTAB       0      0         192.168.0.14:22           192.168.0.4:14978              
[root@localhost data]# bash -x /data/checkddos.sh 
+ /usr/sbin/ss -tn
+ awk -F ' +|:' '/ESTAB/{ip[$(NF-2)]++}END{for(i in ip)if(ip[i]>10) print i}'
+ read IP
+ /usr/sbin/iptables -A INPUT -s 192.168.0.4 -j REJECT
+ echo 'The  192.168.0.4 reject'
+ read IP
[root@localhost data]# ll
total 48
-rwxr--r--  1 root root  270 Oct 14 14:55 checkddos.sh
-rw-r--r--  1 root root   24 Oct 14 14:57 checkddos.txt-rw-r--r--  1 root root   12 Oct 14 14:57 ddosip.txt
[root@localhost data]# cat checkddos.txt 
The  192.168.0.4 reject
[root@localhost data]# cat ddosip.txt 
192.168.0.4
[root@localhost data]# 
[root@localhost data]# iptables -n -L |more
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  192.168.0.4          0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD_IN_ZONES (0 references)
target     prot opt source               destination         

Chain FORWARD_IN_ZONES_SOURCE (0 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (0 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES_SOURCE (0 references)
target     prot opt source               destination         

Chain FORWARD_direct (0 references)
target     prot opt source               destination         

Chain FWDI_public (0 references)
target     prot opt source               destination         

Chain FWDI_public_allow (0 references)
target     prot opt source               destination         

Chain FWDI_public_deny (0 references)
target     prot opt source               destination         

Chain FWDI_public_log (0 references)
target     prot opt source               destination         

Chain FWDO_public (0 references)
[root@localhost data]#

  

监控频率每隔5分钟

[root@localhost ~]# crontab -l
*/5 * * * * /data/checkddos.sh
[root@localhost ~]#

(结束)

posted @ 2020-10-14 11:34  sankeya  阅读(341)  评论(0编辑  收藏  举报