DoS-Deflate is a free tool for defending against and mitigating DDoS attacks. It uses netstat to monitor and track IP addresses that open large numbers of network connections, and when a host exceeds the preset limit the script blocks those IPs through APF or iptables. With the default configuration an IP is banned once it has more than 150 connections, which is effective against small-volume attacks; under a sustained high-volume attack it at least reduces the load on the server. It works well on both VPSes and dedicated servers.

Installation

wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

Configuration

The configuration file is /usr/local/ddos/ddos.conf; it ships with the following defaults:

##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"  # Whitelist. If you sit behind a reverse proxy, add the local address and the server's public IP here so the proxy host is not judged to be an attacker.
CRON="/etc/cron.d/ddos.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1

##### How many connections define a bad IP? Indicate that below.  # Per-IP connection threshold; do not set it too low.
NO_OF_CONNECTIONS=150

##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)  # Normally you use iptables as the firewall, so change APF_BAN to 0 here.
APF_BAN=1

##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1

##### An email is sent to the following address when an IP is banned.   # When one IP's connection count exceeds the threshold, a mail is sent to this recipient.
##### Blank would suppress sending of mails
EMAIL_TO="root"

##### Number of seconds the banned ip should remain in blacklist.   # How many seconds a blocked IP stays on the blacklist before it is removed.
BAN_PERIOD=600

Edit /usr/local/ddos/ddos.sh:
Find the line #echo $CURR_LINE_IP >> $IGNORE_IP_LIST and uncomment it.
Find the line netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST and comment it out,
then replace it with netstat -ntu | awk '{print $5}' | egrep -o "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | sort | uniq -c | sort -nr > $BAD_IP_LIST
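As an added example (not DoS-Deflate's own code), the script below reproduces the counting step of ddos.sh with both extraction pipelines side by side, then applies the whitelist and NO_OF_CONNECTIONS threshold the way the ban step would. The netstat output, addresses and whitelist are constructed, and the threshold is lowered to 2 so the small sample trips it; grep -E -o is used as the equivalent of egrep -o.

```shell
#!/bin/sh
# Added example, not code from DoS-Deflate. Shows why the post swaps the
# `cut -d: -f1` extraction for a dotted-quad regex: on tcp6 rows with
# IPv4-mapped addresses, cut returns an empty field and the client is never counted.

NO_OF_CONNECTIONS=2               # lowered from the default 150 for this sample
IGNORE_IPS="127.0.0.1 10.0.0.5"   # stands in for ignore.ip.list (constructed)

# Constructed `netstat -ntu` output (header line included, as netstat prints it).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      ESTABLISHED
tcp        0      0 203.0.113.10:22         10.0.0.5:40001          ESTABLISHED
tcp        0      0 203.0.113.10:22         10.0.0.5:40002          ESTABLISHED
tcp        0      0 203.0.113.10:22         10.0.0.5:40003          ESTABLISHED
tcp6       0      0 ::ffff:203.0.113.10:443 ::ffff:192.0.2.9:6000   ESTABLISHED
tcp6       0      0 ::ffff:203.0.113.10:443 ::ffff:192.0.2.9:6001   ESTABLISHED
tcp6       0      0 ::ffff:203.0.113.10:443 ::ffff:192.0.2.9:6002   ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.50:7000         ESTABLISHED'

# Original ddos.sh pipeline: 5th column, everything before the first ':'.
count_with_cut() {
    awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
}

# Patched pipeline from the post: pull the IPv4 address out of the field wherever it sits.
count_with_grep() {
    awk '{print $5}' \
      | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \
      | sort | uniq -c | sort -nr
}

# Remote addresses over the threshold that are not whitelisted,
# i.e. the set ddos.sh would hand to iptables or APF.
bad_ips() {
    count_with_grep | while read -r count ip; do
        [ "$count" -gt "$NO_OF_CONNECTIONS" ] || continue
        case " $IGNORE_IPS " in *" $ip "*) continue ;; esac
        echo "$ip"
    done
}

printf '%s\n' "$SAMPLE_NETSTAT" | bad_ips
```

Running it lists 198.51.100.7 and 192.0.2.9; 10.0.0.5 is over the limit but whitelisted, and the cut-based pipeline never sees 192.0.2.9 at all.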

Uninstall

wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos

Tags: Linux system security
