DDoS and other attacks with iptables (anti-DDoS security in iptables)

There are many ways to fend off a DDoS attack with iptables: by packet size, by connection limits, and so on. Here we will see a simple, easy to understand and effective way of reaching that goal, stopping some of the more annoying attacks against our server.

# Iptables
# These lines are a collection of rule snippets, not one script to run top to
# bottom: several sections are alternatives for the same thing (the syn-flood
# chain is defined three times), so pick one variant per concern.

IPT="/sbin/iptables"
ETH="eth0"

# All SYN traffic: default-deny policies, allow only replies to flows we already know
$IPT -P INPUT DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -P OUTPUT DROP
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -P FORWARD DROP
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A FORWARD -i lo -o lo -j ACCEPT

# When the load goes up (emergency rule: it rejects every new incoming TCP
# connection, so remove it again once the load drops)
$IPT -A INPUT -p tcp --syn -j REJECT --reject-with icmp-port-unreachable

# The one that works best
$IPT -N syn-flood
$IPT -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
$IPT -A syn-flood -j LOG --log-prefix "SYN flood: "
$IPT -A syn-flood -j DROP
# the chain only acts once INPUT jumps into it
$IPT -A INPUT -i $ETH -p tcp --syn -j syn-flood

# Same as the one above but very raw
$IPT -N syn-flood   # alternative to the chain above: create syn-flood only once
# iptables matches real interface names; an IP alias such as eth0:2 never matches
$IPT -A INPUT -i $ETH -p tcp --syn -j syn-flood
$IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPT -A syn-flood -j DROP
$IPT -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT

# Discard malformed packets
$IPT -N PKT_FAKE
$IPT -A PKT_FAKE -m state --state INVALID -j DROP
$IPT -A PKT_FAKE -p tcp --dport 80 --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A PKT_FAKE -p tcp --dport 80 --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A PKT_FAKE -p tcp --dport 80 --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A PKT_FAKE -p tcp --dport 80 ! --syn -m state --state NEW -j DROP
$IPT -A PKT_FAKE -f -j DROP
$IPT -A PKT_FAKE -j RETURN
# send incoming traffic through the chain (it was defined but never called)
$IPT -A INPUT -i $ETH -j PKT_FAKE

# Syn-flood
$IPT -N syn-flood   # third alternative for the same chain
# match packets with only SYN set (the original matched RST, which is not a SYN flood)
$IPT -A INPUT -i eth+ -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j syn-flood
$IPT -A FORWARD -i eth+ -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j syn-flood
$IPT -A syn-flood -m limit --limit 4/s --limit-burst 16 -j RETURN
$IPT -A syn-flood -m limit --limit 75/s --limit-burst 100 -j RETURN
$IPT -A syn-flood -m limit --limit 1/second -j LOG --log-prefix "SYN FLOOD " --log-tcp-sequence --log-tcp-options --log-ip-options
$IPT -A syn-flood -j DROP

# Requires the "recent" module (xt_recent; it was called ipt_recent on old kernels)
modprobe xt_recent 2>/dev/null || modprobe ipt_recent
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP

# explanation:
# every IP that connects is added to the recent table;
# for each IP in the table, if it makes more than X hits in X seconds, it is dropped.
# -I inserts at the top of INPUT, so the --update rule ends up before the --set rule.
# On old kernels --hitcount cannot exceed the module's ip_pkt_list_tot (default 20);
# load it with "modprobe xt_recent ip_pkt_list_tot=50" if the rule is refused.
$IPT -I INPUT -p tcp --syn -m recent --set
$IPT -I INPUT -p tcp --syn -m recent --update --seconds 10 --hitcount 30 -j DROP

# UDP flood (OUTPUT side: the first rule accepts every new outgoing UDP flow, so
# the 100/s limit only applies to packets of flows conntrack has already seen)
$IPT -A OUTPUT -p udp -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp -m limit --limit 100/s -j ACCEPT
$IPT -A OUTPUT -p udp -j DROP

What this does is count the number of SYN packets (the start of a TCP connection) per IP address over the last 10 seconds. When it reaches 30, the packet is dropped, so the connection is not established (TCP retries several times, and once the count falls back below the configurable limit the connection goes through).

# Avoiding layer-7 DoS by limiting the maximum number of connections to 80
# (per source IP: 50/min sustained with a burst of 80; anything beyond that is dropped)
$IPT -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-upto 50/min --hashlimit-burst 80 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j DROP

# Allow ping, but at 1 packet per second, to avoid an ICMP flood
$IPT -A INPUT -p icmp -m state --state NEW --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j ACCEPT
$IPT -A INPUT -p icmp -j DROP

# Prevent the machine from being scanned (drop flag combinations no real connection uses)
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

Here is the script on Paste: Paste.DesdeLinux.net (the script above)
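As an added example (not code from the original post), the post's per-source hashlimit rule and its "recent" SYN counter wrapped into one function that guards several TCP ports at once, which is the shape needed when a web port and a game-server port are hit together; the chain names, ports and limits are made-up values, and with IPT left unset the script only prints the rules it would apply.

```shell
#!/bin/sh
# Added example, not from the original post: the post's per-source hashlimit
# rule and its "recent" SYN counter, wrapped in one function that guards
# several TCP ports at once. Chain names, ports and limits are illustrative.
# Dry run by default: IPT just echoes the rules. Apply for real (as root) with
#   IPT=/sbin/iptables sh this_script.sh
IPT="${IPT:-echo iptables}"

# protect_ports CHAIN PORTS RATE BURST SECONDS HITCOUNT
#   CHAIN     dedicated chain name (also used as the recent/hashlimit table name)
#   PORTS     comma-separated TCP ports, multiport syntax (e.g. 80,443)
#   RATE      sustained new-connection rate per source IP (e.g. 50/min)
#   BURST     hashlimit burst above that rate
#   SECONDS   window of the per-source SYN counter
#   HITCOUNT  SYNs per source inside that window that trigger a DROP
#             (old kernels cap this at ip_pkt_list_tot, default 20)
protect_ports() {
    chain=$1; ports=$2; rate=$3; burst=$4; secs=$5; hits=$6
    $IPT -N "$chain"
    # 1. SYN counter: a source with >= HITCOUNT SYNs within SECONDS is dropped.
    #    --update refreshes the timestamp on every match, so a flood keeps itself blocked.
    $IPT -A "$chain" -p tcp --syn -m recent --name "$chain" --update --seconds "$secs" --hitcount "$hits" -j DROP
    # 2. Record the SYN (a rule without -j just counts; the packet continues).
    $IPT -A "$chain" -p tcp --syn -m recent --name "$chain" --set
    # 3. Sustained per-source rate, the post's layer-7 limit; within it: accept.
    $IPT -A "$chain" -p tcp --syn -m hashlimit --hashlimit-upto "$rate" --hashlimit-burst "$burst" \
        --hashlimit-mode srcip --hashlimit-name "$chain" -j ACCEPT
    # 4. Over the limit: log at most 2/min so the log itself cannot be flooded, then drop.
    $IPT -A "$chain" -m limit --limit 2/min -j LOG --log-prefix "$chain over limit: "
    $IPT -A "$chain" -j DROP
    # Hook only NEW connections to the listed ports into the chain.
    $IPT -A INPUT -p tcp -m multiport --dports "$ports" -m conntrack --ctstate NEW -j "$chain"
}

# Two independent guards: one for the web ports, one for a game-server port.
protect_ports http_guard 80,443 50/min 80 10 30
protect_ports game_guard 27015 20/sec 40 10 60
```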


  1.   KZKG ^ Gaara

    And this is why I put up the tutorial on DDoS attacks first 😉
    To show/explain the reason or the problem (the previous tutorial), and then give you the solution (this tutorial) 🙂

    1.    diazepam

      Perfect.

  2.   koratsuki

    Sweet, kids ...

  3.   Hugo

    Good article.

    A couple of remarks:

    Regarding UDP packets, the SYN flag does not exist because it is a stateless protocol. However, paradoxically, the NEW and ESTABLISHED states do exist because the internal modules keep a table for that purpose.

    On the other hand, in my opinion it is better to use DROP instead of REJECT, for two reasons: first, with a reject you are giving information to a possible attacker, and second, the machine uses part of its connection to send notifications to the attacking party.

    Another thing is that with the ICMP protocol (and in general) it is convenient to regulate both requests and replies, because at some point we may be interested in pinging ourselves, and by enabling that function someone could use a botnet and spoof the source address to ping many of those compromised computers endlessly, and the replies would go to our server, collapsing it if no limit is set.

    I usually allow ICMP types 0, 3, 8, 11 and 12 with an input limit of one per second and a burst limit of two or four, and everything else to DROP.

    In fact, apart from the TCP protocol, which can be regulated quite well, all the others should be protected with anti-DDoS measures through the recent module. In this regard, as a curiosity, the author of this module likes to put the update first and then the set.

    The extensions are very flexible and powerful; so far the only thing I have set out to do and still have not achieved (although I am close) is to enable the psd extension to prevent port scans, but even with everything I have learned about this tool, I think I have not even scratched the surface yet. 😉

    Anyway, in this world you always have to keep studying.

  4.   koratsuki

    Good points Hugo, into the file for our glossary :D, as always, learning ...

    1.    Hugo

      By the way, I already got the psd extension working for me. The problem is that it was originally based on a kernel feature that was deprecated along with patch-o-matic, so it was removed from the extensions built into netfilter by default. So now in Debian, to use the psd extension, you should first do this:

      aptitude -RvW install iptables-dev xtables-addons-{common,source} module-assistant
      module-assistant auto-install xtables-addons-source

      It can always be consulted, following the instructions in:

      man xtables-addons

      1.    tafi

        Hugo, why don't you post an iptables.sh with your suggestions to improve the script from this post (which is very good), including psd

        Thanks

  5.   nelson

    Good article, excellent tool and excellent explanation from @hugo. I am more and more convinced that I still have a lot left to learn.

  6.   koratsuki

    You're not the only one, at least me ... I'm missing a million ... 😀

  7.   Miguel Ángel

    Hello everyone, and thanks for the contribution, but the truth is that we are desperate, we no longer know what to do, and we come to you because of these things we know you are experts in the system.
    I am the head of a community in Spain based on strike and we are one of the few still barely standing, we receive constant attacks from bots and other attacks at times; the ongoing one takes out little but it affects the service somewhat, and over time it breaks down. The machine is on CentOS 6.2
    and we have tcadmin to manage the servers. Could you set up a configuration for us that can stop this kind of attack even if only a little, the thing is that we are already truly desperate,
    and we don't know who to turn to, we know there are two botnets, one home-made and the other paid by time and strength. So we have been putting up with this terrible kind of attack for almost a year; if you can help us we would be eternally grateful because it cannot go on right now, I would like to configure the servers like a hobbyist, and I am not a kid, I assure you, but this is too much for me. If you want a ts3 for me to talk or something, I would like you to help us, and so we will post the result here with everything solved for the benefit of many people, it will be the most visited page of the year I assure you because it is incredible how much these ddos attacks annoy. Since we tried to configure it ourselves and blocked the path to the machine, we had to configure it from scratch, so imagine how we are.
    I send warm greetings. And congratulations on the blog, many people have found it updated with this. -Miguel Ángel-

    1.    KZKG ^ Gaara

      Hello, how are you 🙂
      Write to my email, we will be glad to help you 😀 -» kzkggaara[@]desdelinux[.] net

  8.   Arthur Shelby

    Hello people, as far as I have been working, I took this script, it is good by the way ... just one doubt: doesn't the constant use of 'recent' lower performance?

    Greetings - Thanks / Who loves you?

  9.   Jose tapia

    Great contribution, friend, I will put you in the references of the video tutorial we are putting up, a hug from Costa Rica

  10.   Cristian Ivory Reinoso

    Hello,

    Can't the script be applied to several ports?
    I have a game server and I am getting attacks on both the web and the game server port.

    Greetings.