【就业班作业】【第十周】解决DOS攻击生产案例:根据web日志或者网络连接数,监控当某个IP 并发连接数或者短时内PV达到100,即调用防火墙命令封掉对应的IP,监控频率每隔5分钟。
解决DOS攻击生产案例:根据web日志或者网络连接数,监控当某个IP 并发连接数或者短时内PV达到100,即调用防火墙命令封掉对应的IP,监控频率每隔5分钟。
防火墙命令为:iptables -A INPUT -s IP -j REJECT
测试脚本如下:
[root@localhost data]# ll checkddos.sh
-rwxr--r-- 1 root root 270 Oct 14 14:55 checkddos.sh
[root@localhost data]# cat checkddos.sh
#!/bin/bash
#
/usr/sbin/ss -tn | awk -F " +|:" '/ESTAB/{ip[$(NF-2)]++}END{for(i in ip)if(ip[i]>10) print i}' > /data/ddosip.txt
while read IP;do
/usr/sbin/iptables -A INPUT -s $IP -j REJECT
echo "The $IP reject" >> /data/checkddos.txt
done < /data/ddosip.txt
[root@localhost data]# ll
total 40
-rwxr--r-- 1 root root 270 Oct 14 14:55 checkddos.sh
[root@localhost data]#
[root@localhost data]# ss -tn
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.0.14:22 192.168.0.17:48219
ESTAB 0 0 192.168.0.14:22 192.168.0.4:14687
ESTAB 0 0 192.168.0.14:22 192.168.0.4:1198
ESTAB 0 0 192.168.0.14:22 192.168.0.4:1199
ESTAB 0 0 192.168.0.14:22 192.168.0.4:1202
ESTAB 0 0 192.168.0.14:22 192.168.0.17:48217
ESTAB 0 0 192.168.0.14:22 192.168.0.4:14698
ESTAB 0 0 192.168.0.14:22 192.168.0.4:1999
ESTAB 0 280 192.168.0.14:22 192.168.0.4:1200
ESTAB 0 0 192.168.0.14:22 192.168.0.4:14695
ESTAB 0 0 192.168.0.14:22 192.168.0.4:6814
ESTAB 0 0 192.168.0.14:22 192.168.0.4:14690
ESTAB 0 0 192.168.0.14:22 192.168.0.17:48216
ESTAB 0 0 192.168.0.14:22 192.168.0.4:1201
ESTAB 0 0 192.168.0.14:22 192.168.0.4:14981
ESTAB 0 0 192.168.0.14:22 192.168.0.4:14977
ESTAB 0 0 192.168.0.14:22 192.168.0.4:14979
ESTAB 0 0 192.168.0.14:22 192.168.0.4:14976
ESTAB 0 0 192.168.0.14:22 192.168.0.4:14983
ESTAB 0 0 192.168.0.14:22 192.168.0.4:1203
ESTAB 0 0 192.168.0.14:22 192.168.0.4:14980
ESTAB 0 312 192.168.0.14:22 192.168.0.4:1726
ESTAB 0 0 192.168.0.14:22 192.168.0.4:1204
ESTAB 0 0 192.168.0.14:22 192.168.0.4:1197
ESTAB 0 0 192.168.0.14:22 192.168.0.4:14684
ESTAB 0 0 192.168.0.14:22 192.168.0.17:48218
ESTAB 0 0 192.168.0.14:22 192.168.0.4:14982
ESTAB 0 0 192.168.0.14:22 192.168.0.4:14683
ESTAB 0 0 192.168.0.14:22 192.168.0.4:14978
[root@localhost data]# bash -x /data/checkddos.sh
+ /usr/sbin/ss -tn
+ awk -F ' +|:' '/ESTAB/{ip[$(NF-2)]++}END{for(i in ip)if(ip[i]>10) print i}'
+ read IP
+ /usr/sbin/iptables -A INPUT -s 192.168.0.4 -j REJECT
+ echo 'The 192.168.0.4 reject'
+ read IP
[root@localhost data]# ll
total 48
-rwxr--r-- 1 root root 270 Oct 14 14:55 checkddos.sh
-rw-r--r-- 1 root root 24 Oct 14 14:57 checkddos.txt
-rw-r--r-- 1 root root 12 Oct 14 14:57 ddosip.txt
[root@localhost data]# cat checkddos.txt
The 192.168.0.4 reject
[root@localhost data]# cat ddosip.txt
192.168.0.4
[root@localhost data]#
[root@localhost data]# iptables -n -L |more
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT all -- 192.168.0.4 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD_IN_ZONES (0 references)
target prot opt source destination
Chain FORWARD_IN_ZONES_SOURCE (0 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (0 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES_SOURCE (0 references)
target prot opt source destination
Chain FORWARD_direct (0 references)
target prot opt source destination
Chain FWDI_public (0 references)
target prot opt source destination
Chain FWDI_public_allow (0 references)
target prot opt source destination
Chain FWDI_public_deny (0 references)
target prot opt source destination
Chain FWDI_public_log (0 references)
target prot opt source destination
Chain FWDO_public (0 references)
[root@localhost data]#
注:脚本中的阈值是 ip[i]>10 而题目要求是 100;本次测试封掉的 192.168.0.4 正是向本机 22 端口建立 SSH 会话的管理机,且 crontab 每 5 分钟重复执行 -A 会不断追加同一条规则,生产环境应先排除白名单 IP(管理机、本机地址),并在 -A 之前用 iptables -C 判断规则是否已存在,循环中的 $IP 也应加双引号。
监控频率每隔5分钟
[root@localhost ~]# crontab -l
*/5 * * * * /data/checkddos.sh
[root@localhost ~]#
(结束)