ddos-deflate: a lightweight anti-DDoS tool

Posted in: Security
Note: this post was written on 29 April 2016, more than 2 years ago; its content or images may no longer be valid.

The official site is unreachable (not because of the GFW).

GitHub fork

# Connections per IP

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
  
-> c1 ~/git/ddos-deflate git:(master) ☺ ls  
ChangeLog  config  install.sh  LICENSE  Makefile  man  README.md  src  uninstall.sh  
-> c1 ~/git/ddos-deflate git:(master) ☺ ./install.sh   
  
-> c1 ~/git/ddos-deflate git:(master) ☺ vim /etc/ddos/ddos.conf  
  
# Paths of the script and other files  
PROGDIR="/usr/local/ddos"        
SBINDIR="/usr/local/sbin"        
PROG="$PROGDIR/ddos.sh"  
IGNORE_IP_LIST="ignore.ip.list"     # IP address whitelist
IGNORE_HOST_LIST="ignore.host.list"  
CRON="/etc/cron.d/ddos"      # cron job that runs the script on a schedule
# Make sure your APF version is at least 0.96
APF="/usr/sbin/apf"              
CSF="/usr/sbin/csf"              
IPT="/sbin/iptables"             
    
# frequency in minutes for running the script as a cron job  
# Caution: Every time this setting is changed, run the script with --cron  
#          option so that the new frequency takes effect  
FREQ=1  # check interval, default 1 minute
   
# frequency in seconds when running as a daemon  
DAEMON_FREQ=5  
   
# How many connections define a bad IP? Indicate that below.  
NO_OF_CONNECTIONS=150   # max connection count; an IP exceeding it gets blocked; usually left at the default
   
# The firewall to use for blocking/unblocking, valid values are:  
# auto, apf, csf and iptables  
FIREWALL="auto"  
   
# An email is sent to the following address when an IP is banned.  
# Blank would suppress sending of mails  
EMAIL_TO="root"  
   
# Number of seconds the banned ip should remain in blacklist.  
BAN_PERIOD=600  
   
# Connection states to block. See: man netstat  
CONN_STATES="ESTABLISHED|SYN_SENT|SYN_RECV|FIN_WAIT1|FIN_WAIT2|TIME_WAIT|CLOSE_WAIT|LAST_ACK|CLOSING"     
  
# The README on GitHub explains it fully
  
Usage  
  
The installer will automatically detect if your system supports init.d scripts, systemd services or cron jobs. If one of them is found it will install the appropriate files and start the ddos script. In the case of init.d and systemd the ddos script is started as a daemon, whose monitoring interval is set at 5 seconds by default. The daemon is much faster at detecting attacks than the cron job, since cron jobs are capped at 1-minute intervals.
  
Once you have (D)DoS Deflate installed, proceed to modify the config files to fit your needs.
  
/etc/ddos/ignore.host.list  
  
In this file you can add a list of host names to be whitelisted, for example:
  
googlebot.com
my-dynamic-ip.somehost.com

/etc/ddos/ignore.ip.list
  
In this file you can add a list of IP addresses to be whitelisted, for example:
  
12.43.63.13
129.134.131.2

/etc/ddos/ddos.conf
  
The behaviour of the ddos script is modified by this configuration file. For more details see man ddos which has documentation of the different configuration options.  
  
After you modify the config files you will need to restart the daemon. If running on systemd:

systemctl restart ddos

If running as a classical init.d script:

/etc/init.d/ddos restart
or
service ddos restart

When running the script as a cron job no restart is required.

CLI Usage

ddos [OPTIONS] [N]

N : number of tcp/udp connections (default 150)

OPTIONS

  • -h | --help: Show the help screen.
  • -c | --cron: Create cron job to run the script regularly (default 1 minute).
  • -i | --ignore-list: List whitelisted ip addresses.
  • -b | --bans-list: List currently banned ip addresses.
  • -d | --start: Initialize a daemon to monitor connections.
  • -s | --stop: Stop the daemon.
  • -t | --status: Show status of daemon and pid if currently running.
  • -v | --view: Display active connections to the server.
  • -k | --kill: Block all ip addresses making more than N connections.
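To show how the pieces above fit together (the netstat one-liner, NO_OF_CONNECTIONS, CONN_STATES and ignore.ip.list in ddos.conf, and the connections that -v lists and -k acts on), here is an added POSIX shell example, not ddos-deflate's own code, that runs the detection step over a constructed netstat sample. The sample addresses, the threshold of 2 and the whitelist are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not ddos-deflate's own code: the tool's detection step
# reproduced offline. The threshold, state filter and whitelist stand in for
# NO_OF_CONNECTIONS, CONN_STATES and ignore.ip.list from ddos.conf.

# Constructed sample in the layout of `netstat -ntu`, header lines included.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51000       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51001       TIME_WAIT
tcp        0      0 10.0.0.5:80             203.0.113.7:51002       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40000      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.20:55000        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.20:55001        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.20:55002        ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.20:55003'

# count_connections [STATES_REGEX]: read netstat output on stdin and print
# "count ip" per remote peer, highest first. Unlike the cut -d: one-liner on
# this page, only the trailing :port is stripped, so IPv6 peers are counted
# correctly, and the header lines are skipped by matching the Proto column.
count_connections() {
    awk -v states="${1:-.*}" '
        $1 ~ /^(tcp|udp)/ && $6 ~ states {
            peer = $5; sub(/:[0-9]+$/, "", peer); c[peer]++
        }
        END { for (ip in c) print c[ip], ip }' | sort -rn
}

# find_offenders THRESHOLD WHITELIST [STATES_REGEX]: peers with more than
# THRESHOLD matching connections that are not in the space-separated
# WHITELIST (the role ignore.ip.list plays for ddos-deflate).
find_offenders() {
    threshold=$1; whitelist=$2; states=$3
    count_connections "$states" | while read -r n ip; do
        [ "$n" -gt "$threshold" ] || continue
        case " $whitelist " in *" $ip "*) continue ;; esac
        echo "$ip"
    done
}

# Stand-alone run: threshold 2, with 192.0.2.20 whitelisted.
printf '%s\n' "$SAMPLE_NETSTAT" | find_offenders 2 "192.0.2.20"
```

On a live host replace the printf with `netstat -ntu` and the constants with the values from ddos.conf; the output is the list ddos-deflate would hand to the firewall.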
» Please credit the source when reposting: 若我若鱼 » ddos-deflate: a lightweight anti-DDoS tool
