One day a flood of connections suddenly starts hammering your web server, and an attack like this goes on for several days.
You go online looking for countermeasures, and the usual answer is a script that uses netstat to find the top 10 IPs with more than some number of connections and rejects them. Those scripts are not very robust, and they keep re-adding the same IPs to iptables.
The attack I ran into carried XXDD0S in the HTTP Referer, and it showed up in the access log as well, so it was fairly easy to handle.
I wrote the script below, split into two parts:
1. Collector
2. Processor
The collector keeps gathering attacking IP addresses and redirects them into a named pipe.
The processor reads the collected IP addresses from the pipe; if an IP is new it is blocked via iptables, and if it has already been added it is skipped.
#!/bin/bash
########################################
# Homepage: http://netkiller.github.com
# Author: neo <[email protected]>
########################################
BLACK=/tmp/black.lst        # blacklist: one blocked IP per line
PIPE=/tmp/pipe              # named pipe between collector and processor
pidfile=/tmp/firewall.pid   # PIDs of the background collector/processor loops
KEYWORD=XXDD0S              # marker that appears in the attack requests
########################################

if [ -z "$1" ]; then
    echo "$0 clear|fw|collect|process|close"
    exit 1
fi

# Remove the blacklist and the pipe so a fresh run starts clean.
if [ "$1" == "clear" ]; then
    rm -rf "$BLACK"
    rm -rf "$PIPE"
    echo "Clear OK!!!"
fi

# Stop the background collector/processor loops.
if [ "$1" == "close" ]; then
    kill `cat "$pidfile"`
    echo > "$pidfile"
fi

if [ ! -f "$BLACK" ]; then
    touch "$BLACK"
fi

if [ ! -e "$PIPE" ]; then
    mkfifo "$PIPE"
fi

# Outbound restrictions applied while under attack.
if [ "$1" == 'fw' ]; then
    iptables -A OUTPUT -p tcp --dport 2049 -j REJECT
    iptables -A OUTPUT -p tcp -m multiport --dports 22,21 -j REJECT
fi

# Collector: follow today's access log, keep lines containing the keyword,
# and write the client IP (first field) into the pipe.
if [ "$1" == "collect" ]; then
    killall tail
    ACCESSLOG=/www/logs/www.example.com/access.$(date +'%Y-%m-%d').log
    for (( ; ; ))
    do
        tail -f "$ACCESSLOG" | grep "$KEYWORD" | cut -d ' ' -f1 > "$PIPE"
    done &
    echo $! > "$pidfile"
fi

# Processor: read IPs from the pipe; block each IP once and record it in
# the blacklist so it is never added to iptables twice.
if [ "$1" == "process" ]; then
    for (( ; ; ))
    do
        while read line
        do
            # -x -F: match the whole line literally, so 1.2.3.4 does not
            # count as "already blocked" just because 1.2.3.45 is listed.
            if ! grep -qxF "$line" "$BLACK" ; then
                echo "$line" >> "$BLACK"
                iptables -I INPUT -p tcp --dport 80 -s "$line" -j DROP
            fi
        done < "$PIPE"
    done &
    echo $! >> "$pidfile"
fi
At the same time I added a few limits:
iptables -A INPUT -i eth0 -p tcp --dport 80 --syn -m connlimit --connlimit-above 20 -j DROP
Another rule that is often used:
iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "XXDD0S" -j DROP
But it does not work well: neither DROP nor REJECT gets rid of the traffic immediately, and the server is still affected.
In addition, the IP addresses collected above are converted by a script into Cisco ASA firewall commands and then added to the hardware firewall.
object-group network blacklist
 description deny ip to example.com
 network-object host 61.190.10.181
 network-object host 61.190.10.182
 network-object host 61.190.10.183
 network-object host 61.191.55.248
 network-object host 61.190.10.181
 network-object host 61.185.114.87
 network-object host 60.210.111.236
 network-object host 218.64.182.105
 network-object host 210.51.51.157
 network-object host 63.221.138.204
 network-object host 119.188.10.163
access-list outside extended deny tcp object-group blacklist host xxx.xxx.xxx.xxx
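The post says the collected addresses are turned into ASA commands "by a script" but does not show that script. Below is an added example, not the author's code, of how such a converter can be written in POSIX shell: it reads the blacklist file (one address per line, the format /tmp/black.lst is written in above) from standard input, keeps only well-formed IPv4 addresses, drops duplicates (the list above contains 61.190.10.181 twice, which the ASA would reject), and prints the object-group plus the access-list line. The protected host is a placeholder passed as an argument; the function and sample names are my own.

```shell
#!/bin/sh
# Added example: convert a blacklist (one IPv4 address per line on stdin)
# into Cisco ASA object-group commands. Not part of the original post.

# asa_blacklist [PROTECTED_HOST]
# Reads addresses from stdin and prints the ASA configuration fragment.
# Only syntactically valid IPv4 addresses (four octets, each 0-255) are kept,
# and each address is emitted once no matter how often it appears.
asa_blacklist() {
    target="${1:-xxx.xxx.xxx.xxx}"   # placeholder: the server being protected
    echo "object-group network blacklist"
    echo " description deny ip to example.com"
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    | awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255 && !seen[$0]++ {
                   print " network-object host " $0 }'
    echo "access-list outside extended deny tcp object-group blacklist host $target"
}

# Constructed sample blacklist: a duplicate, an out-of-range octet and a
# non-address line, all of which must be filtered out.
sample_blacklist() {
    printf '%s\n' 61.190.10.181 61.190.10.182 61.190.10.181 999.1.1.1 notanip 218.64.182.105
}

# Number of network-object lines generated from the sample (expected: 3).
count_hosts() {
    sample_blacklist | asa_blacklist 10.0.0.1 | grep -c 'network-object host'
}

# Usage against the real blacklist produced by the collector/processor:
#   asa_blacklist 10.0.0.1 < /tmp/black.lst
```

The awk filter does the range check after grep has enforced the dotted-quad shape, and `!seen[$0]++` is the usual one-pass deduplication idiom, so the output can be pasted into the ASA without hitting duplicate-object errors.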
If you are interested, you may also want to read this article:
http://netkiller-github-com.iteye.com/blogs/1319293
Further reading: