
Using shell scripts and iptables to defend against DDoS and CC attacks

CC protection | admin | 17 views


Partial log excerpt:


www.*****.com:80 118.251.244.183 – – [26/May/2010:20:22:15 +0800] "POST /syxcms/vote.php?act=submit HTTP/1.1" 200 56 "http://www.*****.com/news/201005/news-6213.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

www.*****.com:80 118.251.244.183 – – [26/May/2010:20:22:15 +0800] "POST /syxcms/vote.php?act=submit HTTP/1.1" 200 56 "http://www.*****.com/news/201005/news-6213.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

www.*****.com:80 118.251.244.183 – – [26/May/2010:20:22:15 +0800] "POST /syxcms/vote.php?act=submit HTTP/1.1" 200 56 "http://www.*****.com/news/201005/news-6213.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

www.*****.com:80 118.251.244.183 – – [26/May/2010:20:22:15 +0800] "POST /syxcms/vote.php?act=submit HTTP/1.1" 200 56 "http://www.*****.com/news/201005/news-6213.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

www.*****.com:80 118.251.244.183 – – [26/May/2010:20:22:15 +0800] "POST /syxcms/vote.php?act=submit HTTP/1.1" 200 56 "http://www.*****.com/news/201005/news-6213.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

www.*****.com:80 118.251.244.183 – – [26/May/2010:20:22:15 +0800] "POST /syxcms/vote.php?act=submit HTTP/1.1" 200 56 "http://www.*****.com/news/201005/news-6213.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

www.*****.com:80 118.251.244.183 – – [26/May/2010:20:22:16 +0800] "POST /syxcms/vote.php?act=submit HTTP/1.1" 200 56 "http://www.*****.com/news/201005/news-6213.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

www.*****.com:80 118.251.244.183 – – [26/May/2010:20:22:16 +0800] "POST /syxcms/vote.php?act=submit HTTP/1.1" 200 72 "http://www.*****.com/news/201005/news-6213.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

www.*****.com:80 118.251.244.183 – – [26/May/2010:20:22:16 +0800] "POST /syxcms/vote.php?act=submit HTTP/1.1" 200 56 "http://www.*****.com/news/201005/news-6213.shtml" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


The basic idea is to sample the client IPs in the most recent log entries, count how often each one appears, and then block the IPs whose request count is far above what normal visitors produce. The output below is such a tally: it takes the latest 1000 log lines, extracts the client IP from each, and sorts the IPs by number of requests. For example, the first IP, 219.128.20.68, accounts for 295 of the 1000 lines, which is clearly not normal traffic.


root@ubuntu134:# tail access.log -n 1000 |grep vote.php |awk '{print $2}' |sort |uniq -c |sort -nr

295 219.128.20.68

175 113.250.97.209

164 218.87.140.39

153 59.61.215.42

98 222.240.182.234

83 220.181.110.65

73 120.38.1.255

62 221.3.99.106

21 220.249.83.74

12 218.22.10.114

1 123.52.158.16

1 114.81.115.201


Then comes the automatic handling: if a single IP accounts for more than 50 of the last 1000 log lines, block it. The script is run from cron every two minutes:

*/2 * * * * /usr/local/nginx/var/log/drop.sh

#!/bin/sh
cd /usr/local/nginx/var/log || exit 1
# Take the last 1000 lines, keep vote.php requests, count hits per client IP
# (field 2 in this log format) and keep only IPs with more than 50 hits.
tail access.log -n 1000 |grep vote.php |awk '{print $2}' |sort |uniq -c |sort -nr |awk '{if ($2!="" && $1>50) {print $2}}' > drop_ip.txt
# Insert a DROP rule at the top of the INPUT chain for each offending IP.
for i in `cat drop_ip.txt`
do
/sbin/iptables -I INPUT -s $i -j DROP
done


This shell script runs every few minutes and automatically blocks the abnormal IPs; it should be easy to follow. Below is the variant that blocks by connection count instead of by log entries:

#!/bin/sh
# List TCP connections to port 80, take the foreign address (field 5, "ip:port"),
# strip the port, count connections per remote IP, drop internal addresses,
# and keep only IPs with more than 50 connections.
/bin/netstat -ant |grep ':80 ' |awk '{print $5}' |awk -F : '{print $1}' |sort |uniq -c |sort -rn |grep -v -E '192.168|127.0' |awk '{if ($2!="" && $1>50) {print $2}}' > drop_ip.txt
for i in `cat drop_ip.txt`
do
/sbin/iptables -I INPUT -s $i -j DROP
done


A note: grep -v -E '192.168|127.0' excludes internal IPs so that you do not block yourself; you can of course add your own IPs to that pattern as well.
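As an added example that is not the post's own script: the log-sampling check above, rewritten so the line window, threshold and whitelist are parameters, run over a constructed log in the same format as the excerpt, and with the iptables insert guarded by iptables -C so that repeated cron runs do not pile up duplicate DROP rules. The sample log, the 10.0.0.x addresses and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the original post's script): count vote.php requests per
# client IP in the last N lines of an nginx access log and print the IPs that
# exceed a threshold, skipping a whitelist of addresses that must never be blocked.
# Assumed log format: "host:port client_ip - - [time] "request" ..." so the
# client IP is field 2 (as in the post's own awk '{print $2}').

# offenders LOGFILE LINES THRESHOLD WHITELIST_REGEX
# Prints one offending IP per line, highest count first.
offenders() {
    tail -n "$2" "$1" \
      | grep 'vote.php' \
      | awk '{print $2}' \
      | grep -v -E "$4" \
      | sort | uniq -c | sort -nr \
      | awk -v limit="$3" '$2 != "" && $1 > limit {print $2}'
}

# block_ip IP: insert a DROP rule only if one is not already present, so a
# cron run every 2 minutes does not add a duplicate rule for the same IP.
block_ip() {
    if /sbin/iptables -C INPUT -s "$1" -j DROP 2>/dev/null; then
        echo "already blocked: $1"
    else
        /sbin/iptables -I INPUT -s "$1" -j DROP
    fi
}

# Constructed sample log (not real traffic): 3 POSTs from 10.0.0.5, 1 from
# 10.0.0.6, 3 from 192.168.1.9 (internal, whitelisted), 1 unrelated GET from 10.0.0.7.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
www.example.com:80 10.0.0.5 - - [26/May/2010:20:22:15 +0800] "POST /syxcms/vote.php?act=submit HTTP/1.1" 200 56 "-" "Mozilla/4.0"
www.example.com:80 10.0.0.5 - - [26/May/2010:20:22:15 +0800] "POST /syxcms/vote.php?act=submit HTTP/1.1" 200 56 "-" "Mozilla/4.0"
www.example.com:80 10.0.0.6 - - [26/May/2010:20:22:15 +0800] "POST /syxcms/vote.php?act=submit HTTP/1.1" 200 56 "-" "Mozilla/4.0"
www.example.com:80 192.168.1.9 - - [26/May/2010:20:22:16 +0800] "POST /syxcms/vote.php?act=submit HTTP/1.1" 200 56 "-" "Mozilla/4.0"
www.example.com:80 192.168.1.9 - - [26/May/2010:20:22:16 +0800] "POST /syxcms/vote.php?act=submit HTTP/1.1" 200 56 "-" "Mozilla/4.0"
www.example.com:80 192.168.1.9 - - [26/May/2010:20:22:16 +0800] "POST /syxcms/vote.php?act=submit HTTP/1.1" 200 56 "-" "Mozilla/4.0"
www.example.com:80 10.0.0.5 - - [26/May/2010:20:22:16 +0800] "POST /syxcms/vote.php?act=submit HTTP/1.1" 200 56 "-" "Mozilla/4.0"
www.example.com:80 10.0.0.7 - - [26/May/2010:20:22:16 +0800] "GET /news/201005/news-6213.shtml HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
EOF

# With threshold 2 on the sample only 10.0.0.5 (3 hits) is reported;
# 192.168.1.9 also has 3 hits but is excluded by the whitelist regex.
offenders "$SAMPLE_LOG" 1000 2 '^(192\.168\.|127\.)'
```

In production the last line would become a loop that calls block_ip on each reported address; the whitelist regex should also list the server's own public IP.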
