psad: Linux Detect And Block Port Scan Attacks In Real Time

Q. How do I detect port scan attacks by analyzing Debian Linux firewall log files and block port scans in real time? How do I detect suspicious network traffic under Linux?

A. A port scanner (such as nmap) is a piece of software designed to probe a network host for open ports. Attackers typically scan a network with nmap before launching an attack. You can spot scan patterns by reading /var/log/messages, but I recommend the automated tool psad, the port scan attack detector for Linux: a collection of lightweight system daemons that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.

psad makes use of Netfilter log messages to detect, alert, and (optionally) block port scans and other suspect traffic. For tcp scans psad analyzes tcp flags to determine the scan type (syn, fin, xmas, etc.) and corresponding command line options that could be supplied to nmap to generate such a scan. In addition, psad makes use of many tcp, udp, and icmp signatures contained within the Snort intrusion detection system.
Install psad under Debian / Ubuntu Linux

Type the following commands to install psad:
$ sudo apt-get update
$ sudo apt-get install psad
Configure psad

Open the /etc/syslog.conf file:
# vi /etc/syslog.conf
Append the following line:

kern.info |/var/lib/psad/psadfifo

Alternatively, run the following command to update syslog.conf:
echo -e 'kern.info\t|/var/lib/psad/psadfifo' >> /etc/syslog.conf
This tells syslog to write all kern.info messages (which carry the iptables LOG output) to the named pipe /var/lib/psad/psadfifo, from which psad reads them. Save and close the file, then restart syslog and klogd:
# /etc/init.d/sysklogd restart
# /etc/init.d/klogd restart
The main psad configuration file is /etc/psad/psad.conf:
# vi /etc/psad/psad.conf
Set the email address that should receive port scan detection messages, and adjust the other settings as follows:

EMAIL_ADDRESSES vivek@nixcraft.in;

Set machine hostname (FQDN):

HOSTNAME server.nixcraft.in;

If the box has only one interface (such as a colocated web server or mail server), set HOME_NET to NOT_USED:

HOME_NET NOT_USED; ### only one interface on box

You may also need to adjust the danger levels to suit your setup. You can also define a set of ports to ignore; for example, to have psad ignore UDP ports 53 and 5000, use:

IGNORE_PORTS udp/53, udp/5000;

You can also enable real-time iptables blocking by setting the following two variables:

ENABLE_AUTO_IDS Y;
IPTABLES_BLOCK_METHOD Y;

psad has many more options; see the man page for details. Save and close the file, then restart psad:
# /etc/init.d/psad restart
Update iptables rules

psad needs the following two rules, placed at the end of the INPUT and FORWARD chains so that every packet not accepted by an earlier rule is logged:

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

Here is my sample Debian Linux desktop firewall script with the logging rules at the end:

#!/bin/bash
IPT="/sbin/iptables"

echo "Starting IPv4 Wall..."
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
modprobe ip_conntrack

BADIPS=$(egrep -v -E "^#|^$" /root/scripts/blocked.fw)
PUB_IF="eth0"

# unlimited traffic on the loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# DROP all incoming traffic by default
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# block all bad ips
for ip in $BADIPS
do
$IPT -A INPUT -s $ip -j DROP
$IPT -A OUTPUT -d $ip -j DROP
done

# new connections must start with a SYN packet
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Syn"

$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP

# Fragments
$IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A INPUT -i ${PUB_IF} -f -j DROP

# block bad stuff (malformed TCP flag combinations typical of scans)
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Allow full outgoing connections but no incoming ones
$IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# allow ssh only
$IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 22 -j ACCEPT

# allow incoming ICMP ping (echo request in, echo reply out)
$IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# No smb/windows sharing packets - too much logging
$IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT

# Log everything else
# *** Required for psad ****
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
$IPT -A INPUT -j DROP

# Start ipv6 firewall
# echo "Starting IPv6 Wall..."
/root/scripts/start6.fw

exit 0

How do I view the port scan report?

Simply type the following command:
# psad -S
Sample output (some sensitive / personally identifying parts have been removed):

[+] psadwatchd (pid: 2540) %CPU: 0.0 %MEM: 0.0
Running since: Sun Jul 27 07:14:56 2008

[+] kmsgsd (pid: 2528) %CPU: 0.0 %MEM: 0.0
Running since: Sun Jul 27 07:14:55 2008

[+] psad (pid: 2524) %CPU: 0.0 %MEM: 0.8
Running since: Sun Jul 27 07:14:55 2008
Command line arguments: -c /etc/psad/psad.conf
Alert email address(es): radhika.xyz@xxxxxxxx.co.in

src:             dst:           chain: intf: tcp:  udp: icmp: dl: alerts: os_guess:
117.32.xxx.149   xx.22.zz.121   INPUT  eth0  1     0    0     2   2       -
118.167.xxx.219  xx.22.zz.121   INPUT  eth0  1     0    0     2   2       -
118.167.xxx.250  xx.22.zz.121   INPUT  eth0  1     0    0     2   2       -
118.167.xxx.5    xx.22.zz.121   INPUT  eth0  1     0    0     2   2       -
122.167.xx.11    xx.22.zz.121   INPUT  eth0  4642  0    0     4   50      -
122.167.xx.80    xx.22.zz.121   INPUT  eth0  0     11   0     1   2       -
123.134.xx.34    xx.22.zz.121   INPUT  eth0  20    0    0     2   9       -
125.161.xx.3     xx.22.zz.121   INPUT  eth0  0     9    0     1   4       -
125.67.xx.7      xx.22.zz.121   INPUT  eth0  1     0    0     2   2       -
190.159.xxx.220  xx.22.zz.121   INPUT  eth0  0     9    0     1   3       -
193.140.xxx.210  xx.22.zz.121   INPUT  eth0  0     10   0     1   2       -
202.xx.23x.196   xx.22.zz.121   INPUT  eth0  0     13   0     1   10      -
202.xx.2x8.197   xx.22.zz.121   INPUT  eth0  0     20   0     2   17      -
202.97.xxx.198   xx.22.zz.121   INPUT  eth0  0     17   0     2   12      -
202.97.xxx.199   xx.22.zz.121   INPUT  eth0  0     18   0     2   15      -
202.97.xxx.200   xx.22.zz.121   INPUT  eth0  0     17   0     2   14      -
202.97.xxx.201   xx.22.zz.121   INPUT  eth0  0     15   0     2   12      -
202.97.xxx.202   xx.22.zz.121   INPUT  eth0  0     21   0     2   16      -
203.xxx.128.65   xx.22.zz.121   INPUT  eth0  12    0    0     2   6       Windows XP/2000
211.90.xx.14     xx.22.zz.121   INPUT  eth0  1     0    0     2   2       -
213.163.xxx.9    xx.22.zz.121   INPUT  eth0  0     0    1     2   2       -
221.130.xxx.124  xx.22.zz.121   INPUT  eth0  0     35   0     2   31      -
221.206.xxx.10   xx.22.zz.121   INPUT  eth0  0     33   0     2   21      -
221.206.xxx.53   xx.22.zz.121   INPUT  eth0  0     33   0     2   27      -
221.206.xxx.54   xx.22.zz.121   INPUT  eth0  0     39   0     2   26      -
221.206.xxx.57   xx.22.zz.121   INPUT  eth0  0     33   0     2   19      -
60.222.xxx.146   xx.22.zz.121   INPUT  eth0  0     40   0     2   33      -
60.222.xxx.153   xx.22.zz.121   INPUT  eth0  0     14   0     1   11      -
60.222.xxx.154   xx.22.zz.121   INPUT  eth0  0     18   0     2   15      -

Netfilter prefix counters:
"SPAM DROP Block": 161519
"Drop Syn Attacks": 136

Total scan sources: 95
Total scan destinations: 1

Total packet counters:
tcp: 5868
udp: 164012
icmp: 2
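To make the detection logic concrete, here is an added Python example (not psad's own code) that does, on a handful of constructed Netfilter LOG lines, what psad does with the kern.info feed configured above: it parses SRC, DST, PROTO, DPT and the TCP flags out of each line, names the probe from its flag set (syn, fin, null, xmas, ack), skips the ports listed in IGNORE_PORTS, and aggregates per source into the kind of table that psad -S prints. The danger-level thresholds are example values chosen for this snippet, not psad's configuration.

```python
import re
from collections import defaultdict

# Constructed Netfilter LOG lines, as syslog would hand them to psad via the kern.info
# pipe. Documentation-range addresses; not captured from a real host.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 TTL=52 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 TTL=52 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 TTL=52 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 TTL=52 PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 TTL=52 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 TTL=48 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 FIN URGP=0
kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 TTL=48 PROTO=TCP SPT=51000 DPT=80 WINDOW=1024 RES=0x00 URGP=0
kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 TTL=48 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 TTL=60 PROTO=UDP SPT=5353 DPT=53 LEN=40
kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 TTL=60 PROTO=UDP SPT=5353 DPT=1434 LEN=384
"""

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
IGNORE_PORTS = {("udp", 53), ("udp", 5000)}    # mirrors IGNORE_PORTS in psad.conf above
DANGER_THRESHOLDS = (5, 15, 150, 1500, 10000)  # packets needed for danger level 1..5 (example values)
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\w+)"
                    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?(?P<rest>.*)")

def parse_line(line):
    """Extract source, destination, protocol, destination port and TCP flags from one LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    flags = frozenset(f for f in TCP_FLAGS if re.search(rf"\b{f}\b", m["rest"]))
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"].lower(),
            "dpt": int(m["dpt"]) if m["dpt"] else None, "flags": flags}

def scan_type(flags):
    """Name the probe from its TCP flag set, as psad does when it reports a scan type."""
    known = {frozenset(["SYN"]): "syn", frozenset(): "null", frozenset(["FIN"]): "fin",
             frozenset(["FIN", "PSH", "URG"]): "xmas", frozenset(["ACK"]): "ack"}
    return known.get(flags, "other")

def danger_level(packets):
    """Danger level is the number of thresholds reached; 0 means below level 1."""
    return sum(1 for t in DANGER_THRESHOLDS if packets >= t)

def analyze(log_text):
    """Aggregate LOG lines per source, like the 'psad -S' table, skipping ignored ports."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set(), "types": set()})
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or (pkt["proto"], pkt["dpt"]) in IGNORE_PORTS:
            continue
        rec = per_src[pkt["src"]]
        rec["packets"] += 1
        if pkt["dpt"] is not None:
            rec["ports"].add(pkt["dpt"])
        if pkt["proto"] == "tcp":
            rec["types"].add(scan_type(pkt["flags"]))
    return {src: {"packets": r["packets"], "ports": sorted(r["ports"]), "types": sorted(r["types"]),
                  "dl": danger_level(r["packets"])} for src, r in per_src.items()}
```

Running analyze(SAMPLE_LOG) flags 203.0.113.7 as a SYN probe of five ports at danger level 1, while the udp/53 packet from 192.0.2.55 is not counted at all because of IGNORE_PORTS.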

How do I remove automatically blocked IPs?

Type the following command to remove any auto-generated firewall blocks:
# psad -F
How do I view the detailed log for each IP address?

Go to the /var/log/psad/ip.address/ directory, where ip.address is the scanning source. For example, to view the log for IP address 11.22.22.33, enter:
# cd /var/log/psad/11.22.22.33
# ls -l
Sample output:

-rw------- 1 root root 2623 2008-07-30 13:02 xx.22.zz.121_email_alert
-rw------- 1 root root 32 2008-07-30 13:02 xx.22.zz.121_packet_ctr
-rw------- 1 root root 0 2008-07-29 00:27 xx.22.zz.121_signatures
-rw------- 1 root root 11 2008-07-30 13:02 xx.22.zz.121_start_time
-rw------- 1 root root 2 2008-07-30 13:02 danger_level
-rw------- 1 root root 2 2008-07-30 13:02 email_count
-rw------- 1 root root 1798 2008-07-29 00:27 whois

Use cat, more or less to view the rest of the information.
Further readings:

man pages – psad, syslog.conf
psad project home page
I highly recommend the book Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort for further information.

CentOS / Redhat Iptables Firewall Configuration Tutorial

#!/bin/bash
# A sample firewall shell script
IPT="/sbin/iptables"
SPAMLIST="blockedip"
SPAMDROPMSG="BLOCKED IP DROP"
SYSCTL="/sbin/sysctl"
BLOCKEDIPS="/root/scripts/blocked.ips.txt"

# Stop certain attacks
echo "Setting sysctl IPv4 settings..."
$SYSCTL net.ipv4.ip_forward=0
$SYSCTL net.ipv4.conf.all.send_redirects=0
$SYSCTL net.ipv4.conf.default.send_redirects=0
$SYSCTL net.ipv4.conf.all.accept_source_route=0
$SYSCTL net.ipv4.conf.all.accept_redirects=0
$SYSCTL net.ipv4.conf.all.secure_redirects=0
$SYSCTL net.ipv4.conf.all.log_martians=1
$SYSCTL net.ipv4.conf.default.accept_source_route=0
$SYSCTL net.ipv4.conf.default.accept_redirects=0
$SYSCTL net.ipv4.conf.default.secure_redirects=0
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=1
#$SYSCTL net.ipv4.icmp_ignore_bogus_error_messages=1
$SYSCTL net.ipv4.tcp_syncookies=1
$SYSCTL net.ipv4.conf.all.rp_filter=1
$SYSCTL net.ipv4.conf.default.rp_filter=1
$SYSCTL kernel.exec-shield=1
$SYSCTL kernel.randomize_va_space=1

echo "Starting IPv4 Firewall..."
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

# load modules
modprobe ip_conntrack

[ -f "$BLOCKEDIPS" ] && BADIPS=$(egrep -v -E "^#|^$" "${BLOCKEDIPS}")

# interface connected to the Internet
PUB_IF="eth0"

#Unlimited traffic for loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# DROP all incoming traffic by default
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

if [ -f "${BLOCKEDIPS}" ];
then
# create a new iptables list
$IPT -N $SPAMLIST

for ipblock in $BADIPS
do
$IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG "
$IPT -A $SPAMLIST -s $ipblock -j DROP
done

$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST
fi

# Block new connections that do not start with SYN
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP

# Block Fragments
$IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A INPUT -i ${PUB_IF} -f -j DROP

# Block bad stuff
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans

$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Allow full outgoing connections but no incoming ones
$IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow ssh
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 22 -j ACCEPT

# Allow http / https (open port 80 / 443)
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 80 -j ACCEPT
#$IPT -A INPUT -o ${PUB_IF} -p tcp --destination-port 443 -j ACCEPT

# allow incoming ICMP ping (echo request)
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow port 53 tcp/udp (DNS Server)
$IPT -A INPUT -i ${PUB_IF} -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Open port 110 (pop3) / 143
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 110 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 143 -j ACCEPT

##### Add your rules below ######
#
#
##### END your rules ############

# Do not log smb/windows sharing packets - too much logging
$IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT

# log everything else and drop
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
$IPT -A INPUT -j DROP

exit 0

Linux Kernel /etc/sysctl.conf Security Hardening

How do I set advanced security options of the TCP/IP stack and virtual memory to improve security and performance of my system? How do I configure Linux kernel to prevent certain kinds of attacks using /etc/sysctl.conf? How do I set Linux kernel parameters?

sysctl is an interface that allows you to make changes to a running Linux kernel. With /etc/sysctl.conf you can configure various Linux networking and system settings such as:

  1. Limit network-transmitted configuration for IPv4
  2. Limit network-transmitted configuration for IPv6
  3. Turn on ExecShield protection
  4. Protect against the common 'SYN flood' attack
  5. Turn on source IP address verification
  6. Prevent an attacker from using a spoofing attack against the IP address of the server
  7. Log several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects

sysctl command

The sysctl command is used to modify kernel parameters at runtime. /etc/sysctl.conf is a text file containing sysctl values that are read in and set by sysctl at boot time. To view current values, enter:
# sysctl -a
# sysctl -A
# sysctl mib
# sysctl net.ipv4.conf.all.rp_filter

To load the settings from /etc/sysctl.conf, enter:
# sysctl -p
Sample /etc/sysctl.conf

Edit /etc/sysctl.conf and update it as follows. The file is documented with comments; however, I recommend reading the official Linux kernel sysctl tuning help file (see below):

# The following is suitable for dedicated web server, mail, ftp server etc.
# ---------------------------------------
# BOOLEAN Values:
# a) 0 (zero) - disabled / no / false
# b) Non zero - enabled / yes / true
# ---------------------------------------
# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
#net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2

########## IPv4 networking start ##############
# Send redirects, if router, but this is just server
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Accept packets with SRR option? No
net.ipv4.conf.all.accept_source_route = 0

# Accept Redirects? No, this is not router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0

# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Prevent against the common 'syn flood attack'
net.ipv4.tcp_syncookies = 1

# Enable source validation by reversed path, as specified in RFC1812
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

########## IPv6 networking start ##############
# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
net.ipv6.conf.default.router_solicitations = 0

# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0

# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0

# Setting controls whether the system will accept Hop Limit settings from a router advertisement
net.ipv6.conf.default.accept_ra_defrtr = 0

#router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0

#how many neighbor solicitations to send out per address?
net.ipv6.conf.default.dad_transmits = 0

# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1

########## IPv6 networking ends ##############

#Enable ExecShield protection
kernel.exec-shield = 1
kernel.randomize_va_space = 1

# TCP and memory optimization
# increase TCP max buffer size setable using setsockopt()
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608

# increase Linux auto tuning TCP buffer limits
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1

# increase system file descriptor limit
fs.file-max = 65535

#Allow for more PIDs
kernel.pid_max = 65536

#Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
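As an added example (not part of the original article), the following Python audit compares the values a running kernel reports against the hardened settings from the sample above; both inputs here are constructed, and on a real host you would feed it the file and the output of sysctl -a. A key the kernel does not expose is reported as None, which is what happens to kernel.exec-shield on kernels without the Red Hat ExecShield patch, where sysctl -p also prints an error for that line.

```python
# Constructed 'sysctl -a' style output from a hypothetical host; not taken from a real machine.
# Some values deliberately differ from the hardened file so the audit has something to report.
SAMPLE_SYSCTL_A = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.sysrq = 0
net.ipv4.ip_local_port_range = 32768\t60999
"""

# A subset of the hardened values from the /etc/sysctl.conf sample above, in the same format.
EXPECTED_CONF = """\
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.sysrq = 0
kernel.exec-shield = 1
net.ipv4.ip_local_port_range = 2000 65000
"""

def parse_sysctl(text):
    """Parse 'key = value' lines (sysctl.conf or 'sysctl -a' output), skipping comments.
    Multi-value settings are normalised to single spaces so tab- and space-separated forms compare equal."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = " ".join(value.split())
    return values

def audit(expected_text, actual_text):
    """Return {key: (expected, actual)} for every hardened setting the kernel does not match.
    A key the kernel does not expose at all shows up with actual=None."""
    expected, actual = parse_sysctl(expected_text), parse_sysctl(actual_text)
    return {k: (v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v}
```

audit(EXPECTED_CONF, SAMPLE_SYSCTL_A) lists ip_forward, rp_filter, accept_redirects, log_martians, the port range and the absent exec-shield key, and nothing else.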

(D)DoS Deflate

(D)DoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It utilizes the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

IP addresses with over a pre-configured number of connections are automatically blocked in the server’s firewall, which can be direct iptables or Advanced Policy Firewall (APF). (We highly recommend that you use APF on your server in general, but deflate will work without it.)

Notable Features

  • It is possible to whitelist IP addresses, via /usr/local/ddos/ignore.ip.list.
  • Simple configuration file: /usr/local/ddos/ddos.conf
  • IP addresses are automatically unblocked after a preconfigured time limit (default: 600 seconds)
  • The script can run at a chosen frequency via the configuration file (default: 1 minute)
  • You can receive email alerts when IP addresses are blocked.
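As an added example (not the (D)DoS Deflate script itself), this Python snippet reproduces the tally of the netstat pipeline above, applies the whitelist and connection threshold, and renders the iptables rules a deflate-style script would run, all on constructed netstat output. It splits the foreign address on the last colon, so IPv4-mapped IPv6 entries (::ffff:a.b.c.d:port) are counted under their IPv4 address, which the cut -d: -f1 in the pipeline above would not do. NO_OF_CONNECTIONS and the whitelist entry are example values standing in for ddos.conf and ignore.ip.list.

```python
from collections import Counter

# Constructed 'netstat -ntu' output; documentation-range addresses, not real clients.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:51001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51002       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:51003       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.9:4000       ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.7:51004 ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.99:40222        ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.99:40223        ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.99:40224        ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.99:40225        ESTABLISHED
"""

NO_OF_CONNECTIONS = 3            # block threshold (example value; the real one lives in ddos.conf)
IGNORE_IP_LIST = {"192.0.2.99"}  # whitelist, as /usr/local/ddos/ignore.ip.list would supply it

def remote_ip(foreign):
    """Host part of a netstat 'Foreign Address' field. Splitting on the last ':' keeps
    IPv4-mapped IPv6 entries intact; the mapped prefix is then stripped."""
    host = foreign.rsplit(":", 1)[0]
    return host[len("::ffff:"):] if host.startswith("::ffff:") else host

def connection_counts(netstat_text):
    """Connections per remote IP: the same tally as netstat | awk '{print $5}' | sort | uniq -c."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0].startswith(("tcp", "udp")):
            counts[remote_ip(fields[4])] += 1
    return counts

def offenders(netstat_text, threshold=NO_OF_CONNECTIONS, whitelist=IGNORE_IP_LIST):
    """(ip, count) pairs over the threshold and not whitelisted, highest count first."""
    return sorted(((ip, n) for ip, n in connection_counts(netstat_text).items()
                   if n > threshold and ip not in whitelist), key=lambda pair: -pair[1])

def block_rules(ips):
    """Render the iptables rules a deflate-style script would run; returned as strings, not executed."""
    return [f"/sbin/iptables -I INPUT -s {ip} -j DROP" for ip in ips]
```

With the sample above, 203.0.113.7 is the only offender: its tcp6 connection is counted with its three IPv4 ones, while 192.0.2.99 exceeds the threshold but is whitelisted.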

Installation

wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

Uninstallation

wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos

Questions?

Although most things are explained on this page, if you have any further questions, you may contact the original developer of the script, Zaf.

http://deflate.medialayer.com/