DDoS and other attacks vs iptables (Anti-DDoS security with iptables)

Mitigating a DDoS attack with iptables can be done in many ways: by packet size, by connection limit, and so on. Here we will see, in a simple, clear and well-explained way, how to achieve that goal, and also how to stop some other annoying attacks on our servers.

# Iptables

IPT="/sbin/iptables"
ETH="eth0"

# Base stateful policy: default DROP everywhere, accept what belongs to a
# known connection, answer stray non-SYN TCP with a RST. Loopback goes first
# so nothing below can interfere with local traffic, and INVALID is dropped
# before the RST rule so the box never answers spoofed junk with a reset.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A FORWARD -i lo -o lo -j ACCEPT
$IPT -P INPUT DROP
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
$IPT -P OUTPUT DROP
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
$IPT -P FORWARD DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
# With OUTPUT at DROP and only ESTABLISHED,RELATED accepted, the host cannot
# open new outbound connections (DNS, updates); add an OUTPUT ACCEPT for
# --state NEW if it needs them.

# Emergency rule for when the load climbs: reject every new TCP connection.
# Load it only while under attack and remove it afterwards, since it shuts
# the services to legitimate clients too.
$IPT -A INPUT -p tcp --syn -j REJECT --reject-with icmp-port-unreachable

# The variant that works best: a dedicated chain that lets SYNs through at
# 100/s (burst 150), then logs and drops the excess. The limit is global, not
# per source: a single flooder shares the budget with every real client.
$IPT -N syn-flood
$IPT -A INPUT -p tcp --syn -j syn-flood
$IPT -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
$IPT -A syn-flood -j LOG --log-prefix "SYN flood: "
$IPT -A syn-flood -j DROP

# Same as above but much more raw: 1 SYN per second with a burst of 4, again
# global, so it will also throttle legitimate clients hard. Alternative to
# the block above (both create the syn-flood chain; load one or the other).
# -i must name the real device: netfilter never sees ifconfig alias labels
# such as eth0:2, the packets arrive on eth0.
$IPT -N syn-flood
$IPT -A INPUT -i $ETH -p tcp --syn -j syn-flood
$IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPT -A syn-flood -j DROP
# Bare SYNs and bare RSTs that leave the chain are accepted at 1/s each
$IPT -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT

# Discard malformed packets aimed at the web port: impossible flag
# combinations, NEW flows that do not start with a SYN, and fragments
# (with conntrack loaded, fragments are reassembled before the filter table
# sees them, so the -f rule rarely matches)
$IPT -N PKT_FAKE
$IPT -A PKT_FAKE -m state --state INVALID -j DROP
$IPT -A PKT_FAKE -p tcp --dport 80 --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A PKT_FAKE -p tcp --dport 80 --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A PKT_FAKE -p tcp --dport 80 --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A PKT_FAKE -p tcp --dport 80 ! --syn -m state --state NEW -j DROP
$IPT -A PKT_FAKE -f -j DROP
$IPT -A PKT_FAKE -j RETURN
# Hook the chain into INPUT, otherwise no packet ever reaches it
$IPT -A INPUT -p tcp -j PKT_FAKE

# Syn-flood, interface-wildcard version for INPUT and FORWARD. The flag test
# must select bare SYNs (SYN set, ACK/FIN/RST clear); matching RST instead
# would rate-limit resets and let the SYN flood straight through. Alternative
# to the syn-flood blocks above (same chain name).
$IPT -N syn-flood
$IPT -A INPUT -i eth+ -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j syn-flood
$IPT -A FORWARD -i eth+ -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j syn-flood
# Two RETURN buckets in a row add up: roughly 79 SYN/s pass in total
$IPT -A syn-flood -m limit --limit 4/s --limit-burst 16 -j RETURN
$IPT -A syn-flood -m limit --limit 75/s --limit-burst 100 -j RETURN
$IPT -A syn-flood -m limit --limit 1/second -j LOG --log-prefix "SYN FLOOD " --log-tcp-sequence --log-tcp-options --log-ip-options
$IPT -A syn-flood -j DROP

# Requires the "recent" module (xt_recent; named ipt_recent on old 2.6
# kernels). iptables loads it on demand, so modprobe is only needed to pass
# parameters: on 2.6.x kernels (CentOS 6 included) --hitcount may not exceed
# the module's ip_pkt_list_tot (default 20), so a hitcount of 30 needs
#   modprobe xt_recent ip_pkt_list_tot=30
modprobe xt_recent
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP

# explanation:
# Every IP that connects is added to the recent table.
# For each IP in the table, if it reaches x hits within x seconds, it is dropped.
# The same idea for every SYN, with -I (insert at the top): the second -I
# lands above the first, so the --update check runs before --set.
$IPT -I INPUT -p tcp --syn -m recent --set
$IPT -I INPUT -p tcp --syn -m recent --update --seconds 10 --hitcount 30 -j DROP

# UDP Flood: UDP has no SYN, but conntrack still marks the first packet of a
# flow NEW, so new inbound flows can be rate-limited. A flood arrives on
# INPUT; the same rules on OUTPUT would only throttle the host's own UDP.
$IPT -A INPUT -p udp -m state --state NEW -m limit --limit 100/s -j ACCEPT
$IPT -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -j DROP

What this does is count the SYN packets (TCP connection starts) from each IP address over the last 10 seconds. If the count reaches 30, it drops that packet so the connection is not established (TCP retries several times; once the address is back under the limit, the connection can be established).
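To see exactly which packets that rule pair would drop, here is an added example (not from the post) that simulates the xt_recent --set / --update semantics in shell and awk over a constructed SYN trace; the addresses, timings and thresholds are assumptions made for the demonstration. It follows the kernel module: --set always records a timestamp for the source; --update matches when at least H of the source's timestamps fall inside the last S seconds and, only when it matched, records one more; each source keeps a ring of at most LIST timestamps. Both orders from the post are covered: the -A pair (set first) and the -I pair (update first, because the second -I lands above the first).

```shell
#!/bin/sh
# Added example, not part of the post: simulate the rule pair
#   -m recent --set
#   -m recent --update --seconds S --hitcount H -j DROP
# over a "time ip" trace and print the verdict each SYN would get.

recent_simulate() {   # usage: recent_simulate S H LIST ORDER < "seconds ip" lines
    awk -v S="$1" -v H="$2" -v N="$3" -v ORDER="$4" '
    function record(ip, t) {                 # append a timestamp to the ring buffer
        if (!(ip in n)) { n[ip] = 0; idx[ip] = 0 }
        st[ip, idx[ip]] = t
        idx[ip] = (idx[ip] + 1) % N
        if (n[ip] < N) n[ip]++
    }
    function in_window(ip, t,    i, c) {     # timestamps not older than S seconds
        c = 0
        for (i = 0; i < n[ip]; i++) if (st[ip, i] >= t - S) c++
        return c
    }
    function update_matches(ip, t) {         # --update --seconds S --hitcount H
        if (!(ip in n)) return 0             # unknown source: --update never matches
        if (in_window(ip, t) >= H) { record(ip, t); return 1 }
        return 0
    }
    {
        t = $1 + 0; ip = $2; verdict = "ACCEPT"
        if (ORDER == "set-first") {
            record(ip, t)                                   # --set (no target, falls through)
            if (update_matches(ip, t)) verdict = "DROP"     # --update ... -j DROP
        } else {
            if (update_matches(ip, t)) verdict = "DROP"     # --update ... -j DROP
            else record(ip, t)                              # --set
        }
        print t, ip, verdict
    }'
}

# Constructed trace, not captured traffic: "seconds source_ip", one SYN per line.
# 10.0.0.1 sends 40 SYNs in 4 seconds, 192.0.2.10 opens 3 normal connections,
# and 10.0.0.1 tries once more at t=20 after going quiet.
syn_trace() {
    i=0
    while [ "$i" -lt 40 ]; do
        echo "$((1 + i / 10)) 10.0.0.1"      # t = 1,1,...,4 (ten per second)
        i=$((i + 1))
    done
    printf '2 192.0.2.10\n3 192.0.2.10\n4 192.0.2.10\n'
    echo "20 10.0.0.1"
}

drops_for() {   # usage: drops_for ORDER IP -> number of DROP verdicts for that source
    syn_trace | recent_simulate 10 30 30 "$1" | grep -c " $2 DROP\$" || true
}

# With --seconds 10 --hitcount 30: set-first drops the 30th SYN onwards (11 of
# 40, because the packet's own --set stamp counts), update-first the 31st
# onwards (10 of 40). The client is never touched, and the flooder's SYN at
# t=20 is accepted again because its 10-second window has emptied.
drops_for set-first 10.0.0.1
drops_for update-first 10.0.0.1
syn_trace | recent_simulate 10 30 30 set-first | tail -n 1
```

When loading the real rules, remember the hitcount limit: on 2.6.x kernels (CentOS 6 included) --hitcount cannot exceed the module's ip_pkt_list_tot (default 20), so --hitcount 30 needs `modprobe xt_recent ip_pkt_list_tot=30`; recent kernels size the per-table list from the hitcount instead.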

# Mitigating Layer 7 DoS: at most 50 new connections per minute per source IP
# (burst 80) to the web port, the rest dropped. --syn makes hashlimit count
# connection attempts rather than every packet of an open connection.
$IPT -A INPUT -p tcp --dport 80 --syn -m hashlimit --hashlimit-upto 50/min --hashlimit-burst 80 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j DROP

# Allow ping, but at 1 packet per second, to avoid an ICMP flood. Dropping
# every other ICMP type also drops the errors TCP relies on (destination
# unreachable / fragmentation needed, time exceeded) unless the
# ESTABLISHED,RELATED rule above has accepted them first.
$IPT -A INPUT -p icmp --icmp-type echo-request -m state --state NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
$IPT -A INPUT -p icmp -j DROP

# Drop common port-scan probes (NULL, SYN/FIN, SYN/RST, FIN/RST, FIN-only,
# URG-only). A plain SYN scan looks like a normal connection attempt and is
# not caught here.
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
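Putting the pieces together, an added example (not the post's script and not the one on the DesdeLinux paste): one ordered, re-runnable ruleset that applies the loopback-first and INVALID-before-RST ordering, uses per-source hashlimit buckets instead of the global -m limit, and takes a list of TCP and UDP ports, so a web port and a game-server port are covered by the same script. The interface, port numbers, rates and chain names are assumptions; it needs iptables 1.4 or later with the conntrack, hashlimit and limit extensions. With DRY_RUN=1 it prints the commands instead of loading them, which needs no root.

```shell
#!/bin/sh
# Added example, not the post's script: an ordered anti-DDoS ruleset.
# Assumed values: ETH, TCP_PORTS, UDP_PORTS and the rates below are
# placeholders to adapt. DRY_RUN=1 prints the iptables commands instead of
# running them.
set -u
IPT="${IPT:-/sbin/iptables}"
ETH="${ETH:-eth0}"
TCP_PORTS="${TCP_PORTS:-22 80 443}"       # assumed service ports
UDP_PORTS="${UDP_PORTS:-27015}"           # assumed game-server port
SYN_PER_SRC="${SYN_PER_SRC:-30/second}"   # new TCP connections per source IP
SYN_BURST="${SYN_BURST:-60}"

ipt() {   # run one iptables command, or print it when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

build_rules() {
    # 1. start clean, so a re-run never duplicates rules or fails on -N
    ipt -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    # 2. loopback before anything else: trusted, never rate-limited
    ipt -A INPUT -i lo -j ACCEPT
    # 3. INVALID dropped silently before any rule could answer with a RST,
    #    so spoofed junk gets no reply; then the stateful fast path
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 4. scan probes: NULL, XMAS, SYN+FIN, SYN+RST, FIN-only, URG-only
    ipt -N SCAN_DROP
    ipt -A SCAN_DROP -p tcp --tcp-flags ALL NONE -j DROP
    ipt -A SCAN_DROP -p tcp --tcp-flags ALL ALL -j DROP
    ipt -A SCAN_DROP -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    ipt -A SCAN_DROP -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    ipt -A SCAN_DROP -p tcp --tcp-flags ACK,FIN FIN -j DROP
    ipt -A SCAN_DROP -p tcp --tcp-flags ACK,URG URG -j DROP
    ipt -A SCAN_DROP -j RETURN
    ipt -A INPUT -i "$ETH" -p tcp -j SCAN_DROP
    # 5. a NEW TCP flow must begin with a bare SYN
    ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # 6. per-source SYN budget: RETURN while under it, otherwise log
    #    (rate-limited so a flood cannot fill the disk) and drop
    ipt -N SYN_LIMIT
    ipt -A SYN_LIMIT -m hashlimit --hashlimit-mode srcip --hashlimit-name syn \
        --hashlimit-upto "$SYN_PER_SRC" --hashlimit-burst "$SYN_BURST" -j RETURN
    ipt -A SYN_LIMIT -m limit --limit 5/minute -j LOG --log-prefix "SYN flood: "
    ipt -A SYN_LIMIT -j DROP
    ipt -A INPUT -i "$ETH" -p tcp --syn -j SYN_LIMIT
    # 7. services; any other NEW traffic falls to the DROP policy
    for p in $TCP_PORTS; do
        ipt -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $UDP_PORTS; do   # no SYN in UDP, but conntrack marks the first packet NEW
        ipt -A INPUT -p udp --dport "$p" -m conntrack --ctstate NEW -m hashlimit \
            --hashlimit-mode srcip --hashlimit-name "udp$p" \
            --hashlimit-upto 100/second --hashlimit-burst 200 -j ACCEPT
    done
    # 8. ICMP: echo-request rate-limited; the error types TCP needs (path MTU,
    #    TTL exceeded, parameter problem) accepted with a ceiling. Replies to
    #    our own pings arrive as ESTABLISHED and pass in step 3.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 4 -j ACCEPT
    for t in destination-unreachable time-exceeded parameter-problem; do
        ipt -A INPUT -p icmp --icmp-type "$t" -m limit --limit 10/second -j ACCEPT
    done
    # 9. see what the policy drops, again rate-limited
    ipt -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT drop: "
}

dry_rules() { DRY_RUN=1 build_rules; }      # the generated commands, one per line

rule_line() {   # 1-based position of the first generated command containing $1
    dry_rules | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# "apply" loads the rules (needs root); anything else just prints them
[ "${1:-}" = apply ] && build_rules || dry_rules
```

Review the printed output before running it with `apply`: the order matters (loopback, INVALID, ESTABLISHED, then the chains), and a rule that is appended in the wrong place is the usual reason such a script either blocks the admin's own SSH session or lets the flood past.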

Here is the script on our paste: Cola.DesdeLinux.net (the script above)


  1.   KZKG^Gaara says

    That is why I posted the DDoS attack tutorial first 😉
    Present/explain the cause or the problem (previous tutorial), and then give the solution (this tutorial) 🙂

    1.    mzantsiweb says

      umqhaphu.

  2.   ikoratsuki says

    Candy for the kids...

  3.   Hugo says

    Good article.

    My two cents:

    In the case of UDP packets, the SYN flag does not exist because the protocol is stateless. However, paradoxically, the NEW and ESTABLISHED states do exist, because iptables keeps internal tables for that purpose.

    On the other hand, in my opinion it is better to use the DROP target rather than REJECT, for two reasons: first, by rejecting you give information to a potential attacker, and second, the machine uses part of its connection to send the notification to the attacking party.

    Another thing is that with the ICMP protocol (and in general) it is advisable to control both requests and replies, because at some point we will want to ping ourselves, and once that is enabled, someone could use a botnet and, spoofing the source address, send endless pings to a lot of those compromised PCs, and the replies would end up at our server, taking it down if no limits were set.

    I usually allow ICMP types 0, 3, 8, 11 and 12 with an input limit of one per second and a burst of two, or four at most, and everything else is DROP.

    In fact, apart from the TCP protocol, which can be controlled better, all the others should be protected with an anti-DDoS measure using the recent module. On that note, as a curiosity, the author of that module prefers to put the update first and then the set.

    Iptables is really flexible and powerful; so far the only thing I have set out to do and have not achieved (although I am close) is getting the psd module to stop portscans, but with everything I have read about this tool, I reckon I have not even scratched the surface yet. 😉

    Besides, in this world you always have to keep learning.

  4.   ikoratsuki says

    Good notes Hugo, saved in our glossary :D, as always, learning...

    1.    Hugo says

      By the way, I have since managed to get the psd module working. The problem was that originally it depended on a kernel patch and patch-o-matic, so it was dropped from the modules built into netfilter by default. So now on Debian, to use the psd extension, you first have to do this:


      aptitude -RvW install iptables-dev xtables-addons-{common,source} module-assistant
      module-assistant auto-install xtables-addons-source

      After that it can be used normally, following the instructions in:

      man xtables-addons

      1.    kude says

        Hugo, why don't you publish the iptables.sh with your tips for improving the script in this (good) post, including psd?

        Thanks

  5.   nelson says

    Excellent article, excellent iptables and excellent explanation by @hugo. I am more convinced than ever that there is a lot I still need to learn.

  6.   ikoratsuki says

    You are not the only one, and neither am I... I am missing a million... 😀

  7.   Miguel Angel says

    Hello everyone, and thank you for the contribution, but the truth is we are desperate; we no longer know what to do, and we come to you with this iptables matter because we know you are experts on the system.
    Let me explain: I run a public community server in Spain and we are one of the few that have not gone under; we get ddos attacks on the machine regularly, and other attacks from time to time. The regular one does little but slows the server somewhat, while the occasional one does a lot of damage. Our machine runs centos 6.2
    and we have tcadmin to manage the servers. Could you make us a configuration that can stop this kind of attack even a little? We would already be happy with that,
    and we do not know who else to turn to. We know they come from two botnets, one home-made and the other paid for by time and power. We have put up with vicious attacks of this kind for almost a year; if you can help us we will be eternally grateful, because it is no longer sustainable. I like setting up servers as a hobby, and I am not a kid, I assure you, but this is too much for me. If you want my ts3 to talk, or whatever, I would love for you to help us so we can post here the results and everything that was solved, for the benefit of many people; it will be the most visited blog of the year, I assure you, because it is amazing how annoying these ddos attacks are. Since we tried to fix it ourselves and locked ourselves out of the machine, we had to format it from the bios, so imagine the state we are in.
    Kind regards. And congratulations on the blog; it is rare to find one that keeps so many people as up to date as this one. -Miguel Angel-

    1.    KZKG^Gaara says

      Hello, how are you 🙂
      Write to me at my email, we will gladly help you 😀 -» kzkggaara[@]desdelinux[.]net

  8.   ArthurShelby says

    Hello guys, I have been using this script for a while and it is very good, by the way... one question: doesn't the "recent" module reduce performance?

    Greetings - Thanks / Who likes it?

  9.   Jose Tapia says

    Excellent contribution my friend, I will put it in the references of the video tutorial we are making, a hug from Costa Rica.

  10.   Cristian Marfil Reinoso says

    Hello,

    Can't I use the script on several ports?
    I have a game server and I get attacks on both the web port and the game server's port.

    Greetings.