DDoS and other attacks vs iptables (anti-DDoS protection with iptables)

Blocking DDoS attacks with iptables: there are many ways to do it, by packet size, by connection limit, and so on. Here we will see how to reach that goal in a simple, precise and well-explained way, and also how to stop other annoying attacks against our servers.

# Iptables

IPT="/sbin/iptables"
ETH="eth0"

# Baseline stateful policy (flush with "$IPT -F" before re-running).
# Default DROP on every chain, accept packets of tracked connections,
# answer stray TCP segments that carry no SYN and belong to no tracked
# connection with a reset, drop whatever conntrack flags as INVALID,
# and allow loopback.
# Note: with OUTPUT policy DROP, connections this host itself opens
# (DNS, package updates, ...) need their own ACCEPT rules; none are given here.
# "-m state" still works; "-m conntrack --ctstate" is the current spelling.
$IPT -P INPUT DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -P OUTPUT DROP
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -P FORWARD DROP
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A FORWARD -i lo -o lo -j ACCEPT

# When the load climbs: an emergency brake that refuses every new TCP
# connection. Use it only while under attack and remove it afterwards;
# if it sits above the rate-limiting chains below, nothing reaches them.
$IPT -A INPUT -p tcp --syn -j REJECT --reject-with icmp-port-unreachable

# The syn-flood variants below are alternatives: each one creates its own
# "syn-flood" chain, so load only one of them ("-N" fails if the chain exists).

# The one that works best: a dedicated chain that lets through up to
# 100 SYN/s (burst 150) and logs and drops the excess.
$IPT -N syn-flood
$IPT -A INPUT -p tcp --syn -j syn-flood   # hook from INPUT (omitted in the original)
$IPT -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
$IPT -A syn-flood -j LOG --log-prefix "SYN flood: "
$IPT -A syn-flood -j DROP

# Same as above but much cruder: 1 SYN/s with a burst of 4, no logging.
# Netfilter only knows physical interfaces, so match on $ETH; an IP alias
# name such as "eth0:2" (as in the original) never matches anything.
$IPT -N syn-flood
$IPT -A INPUT -i $ETH -p tcp --syn -j syn-flood
$IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPT -A syn-flood -j DROP
# Global caps: pure SYNs (SYN set, RST and ACK clear) and RSTs at 1/s each;
# anything over the rate falls through to later rules or the DROP policy.
$IPT -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT

# Discard malformed packets: flag combinations no real client sends to
# port 80, new connections that do not start with a SYN, and fragments.
# The original never jumped to this chain; the INPUT hook is added last.
$IPT -N PKT_FAKE
$IPT -A PKT_FAKE -m state --state INVALID -j DROP
$IPT -A PKT_FAKE -p tcp --dport 80 --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A PKT_FAKE -p tcp --dport 80 --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A PKT_FAKE -p tcp --dport 80 --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A PKT_FAKE -p tcp --dport 80 ! --syn -m state --state NEW -j DROP
$IPT -A PKT_FAKE -f -j DROP
$IPT -A PKT_FAKE -j RETURN
$IPT -A INPUT -j PKT_FAKE

# Syn-flood, third variant, on every ethernet interface ("eth+") for both
# INPUT and FORWARD. The original matched RST here, which would rate-limit
# resets instead of connection attempts; a SYN flood rule must look at SYN.
$IPT -N syn-flood
$IPT -A INPUT -i eth+ -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j syn-flood
$IPT -A FORWARD -i eth+ -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j syn-flood
# Two token buckets in sequence: 4/s (burst 16), then 75/s (burst 100).
$IPT -A syn-flood -m limit --limit 4/s --limit-burst 16 -j RETURN
$IPT -A syn-flood -m limit --limit 75/s --limit-burst 100 -j RETURN
# The original ran the LOG command onto the end of the previous line; it is
# a separate command. Logging is itself limited to 1/s so the log cannot be flooded.
$IPT -A syn-flood -j LOG --log-prefix "SYN FLOOD " --log-tcp-sequence --log-tcp-options --log-ip-options -m limit --limit 1/second
$IPT -A syn-flood -j DROP

# Requires the "recent" module (xt_recent on current kernels, ipt_recent on old ones)
modprobe xt_recent 2>/dev/null || modprobe ipt_recent
# Per-source limit on new HTTP connections: 10 within 10 seconds.
# A named list ("--name http") keeps these counters apart from the generic
# SYN limit below; the original let both share the DEFAULT list.
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --name http --set
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --name http --update --seconds 10 --hitcount 10 -j DROP

# Explanation:
# Every IP that connects is added to the recent table.
# For each IP in the table, if it makes more than x hits in x seconds, it is dropped.
# Same idea for all TCP SYNs. These two use -I, so the second one ends up on
# top: the threshold check runs before the packet is recorded.
# Caveat: on older kernels (before the xt_recent rework around 3.4) --hitcount
# may not exceed the module parameter ip_pkt_list_tot (default 20); load the
# module with ip_pkt_list_tot=50 or lower the threshold.
$IPT -I INPUT -p tcp --syn -m recent --name synflood --set
$IPT -I INPUT -p tcp --syn -m recent --name synflood --update --seconds 10 --hitcount 30 -j DROP

# UDP flood, outbound side: keeps this host from being used as a flood source.
# The first datagram of each UDP "connection" always passes; follow-up
# datagrams of a tracked flow are capped at 100/s, the rest are dropped.
$IPT -A OUTPUT -p udp -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp -m limit --limit 100/s -j ACCEPT
$IPT -A OUTPUT -p udp -j DROP

What this does is count the SYN packets (TCP connection starts) from each IP address over the last 10 seconds. When a source reaches 30, that packet is dropped so the connection does not go through (TCP will retry a few times, by which point the source may have fallen back under the limit).
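The rate limit described above, as an added example that is not the article's own script: it wraps the xt_recent rule pair in its own chain, hooks that chain into INPUT only once so re-running never duplicates rules, and adds a small audit of `iptables -S INPUT` output that flags any TCP ACCEPT rule sitting above the limiter (such a rule would exempt its port from the limit). The chain name SYN_LIMIT, the list name synlimit, the script's subcommands and the sample `iptables -S` lines used in the audit are this example's assumptions, not anything from the article. Running with `IPT=echo` prints the rules instead of loading them, so the effective order can be inspected without root.

```shell
#!/bin/sh
# Added example (not the article's code): per-source SYN limit with xt_recent,
# 30 SYNs per source in 10 s, as an idempotent chain plus an ordering audit.
# Names below (SYN_LIMIT, synlimit) are this example's choices.

IPT="${IPT:-/sbin/iptables}"
CHAIN="${CHAIN:-SYN_LIMIT}"
LIST="${LIST:-synlimit}"   # counters are visible in /proc/net/xt_recent/synlimit
WINDOW="${WINDOW:-10}"     # --seconds
HITS="${HITS:-30}"         # --hitcount; keep <= ip_pkt_list_tot (default 20) on old kernels

# Rules inside the chain, in the order they must be loaded: record the
# source, drop it once it has HITS entries within WINDOW (--update also
# refreshes the timestamp, so a flooding source stays blocked while it keeps
# sending), otherwise hand the packet back to INPUT.
syn_limit_rules() {
    cat <<EOF
-A $CHAIN -m recent --name $LIST --set
-A $CHAIN -m recent --name $LIST --update --seconds $WINDOW --hitcount $HITS -j DROP
-A $CHAIN -j RETURN
EOF
}

# Only connection attempts (SYN, conntrack NEW) are diverted to the chain;
# packets of established connections never count against a client.
HOOK="-p tcp --syn -m conntrack --ctstate NEW -j $CHAIN"

# Create or flush the chain, fill it, hook it from INPUT exactly once
# (-C tests whether the rule already exists before -I inserts it).
syn_limit_install() {
    "$IPT" -N "$CHAIN" 2>/dev/null || "$IPT" -F "$CHAIN"
    syn_limit_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting the rule into arguments is intended
        "$IPT" $rule || exit 1
    done || return 1
    # shellcheck disable=SC2086
    "$IPT" -C INPUT $HOOK 2>/dev/null || "$IPT" -I INPUT $HOOK
}

# Undo everything syn_limit_install did.
syn_limit_remove() {
    # shellcheck disable=SC2086
    "$IPT" -D INPUT $HOOK 2>/dev/null
    "$IPT" -F "$CHAIN" 2>/dev/null && "$IPT" -X "$CHAIN"
}

# Audit the INPUT chain as printed by "iptables -S INPUT" (read from stdin):
# the jump to the limiter must exist, and no rule that ACCEPTs TCP may sit
# above it, otherwise that port bypasses the limit. Exit 0 when sound.
syn_limit_audit() {
    awk -v chain="$CHAIN" '
        $0 ~ ("-j " chain "$") { seen = 1 }
        /-p tcp/ && /-j ACCEPT$/ && !seen { bypass = bypass "\n  " $0 }
        END {
            if (!seen) { print "no jump to " chain " in INPUT"; exit 1 }
            if (bypass != "") { print "TCP ACCEPT rules above the " chain " jump:" bypass; exit 1 }
            print "ok"
        }'
}

case "${1:-}" in
    install) syn_limit_install ;;
    remove)  syn_limit_remove ;;
    audit)   "$IPT" -S INPUT | syn_limit_audit ;;
    rules)   syn_limit_rules ;;
esac
```

Saved as, say, synlimit.sh (an assumed name), `sh synlimit.sh install` applies it as root, `sh synlimit.sh audit` checks the live ruleset, and `IPT=echo sh synlimit.sh install` shows what would be executed. The audit deliberately ignores rules without `-p tcp`, so the usual `--ctstate RELATED,ESTABLISHED -j ACCEPT` above the limiter is fine; that is exactly the traffic that should not be counted.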

# Mitigating layer-7 DoS: per source IP, at most 50 new HTTP connections per
# minute with a burst of 80 (a rate, not a cap on concurrent connections;
# connlimit would do that). "--syn" is added so only connection attempts
# count; without it every packet of an established download would count.
$IPT -A INPUT -p tcp --dport 80 --syn -m hashlimit --hashlimit-upto 50/min --hashlimit-burst 80 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 --syn -j DROP

# Allow ping, but at 1 packet per second, against ICMP floods.
# The final DROP also discards ICMP errors (destination unreachable, time
# exceeded), which breaks path-MTU discovery and traceroute replies; allow
# types 3, 11 and 12 separately if that matters.
$IPT -A INPUT -p icmp -m state --state NEW --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j ACCEPT
$IPT -A INPUT -p icmp -j DROP

# Make port scans harder: drop flag combinations no legitimate stack sends
# (null, SYN+FIN, SYN+RST, FIN+RST, FIN without ACK, URG without ACK).
# The original carried a typographic dash in "-j"; it must be a plain hyphen.
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
$IPT -A INPUT -i $ETH -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
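How `--tcp-flags MASK COMP` decides is easy to get wrong: only the bits named in MASK are examined, and the rule matches when exactly the COMP bits among them are set. The following added example (not code from the article) implements that test in shell and replays a packet's flag set through the six anti-scan rules above in the same order, so the effect of each rule can be checked without a live firewall. ECE and CWR are accepted only for describing a packet: they are real TCP header bits that iptables `--tcp-flags` has no names for, which is why an ECN-negotiating SYN still matches `--syn`. The rule labels and the script file name are this example's own.

```shell
#!/bin/sh
# Added example (not the article's code): evaluate iptables "--tcp-flags MASK COMP"
# against a packet's flags and replay the article's anti-scan rules.

# Flag names -> TCP header flag bits (RFC 793 byte 13, plus ECE/CWR from RFC 3168).
# ALL and NONE are the iptables shorthands; ECE and CWR can only describe a
# packet, since iptables --tcp-flags has no names for them.
tcp_flag_bits() {
    bits=0
    for f in $(printf '%s' "$1" | tr ',' ' '); do
        case "$f" in
            FIN) bits=$((bits | 1)) ;;
            SYN) bits=$((bits | 2)) ;;
            RST) bits=$((bits | 4)) ;;
            PSH) bits=$((bits | 8)) ;;
            ACK) bits=$((bits | 16)) ;;
            URG) bits=$((bits | 32)) ;;
            ECE) bits=$((bits | 64)) ;;
            CWR) bits=$((bits | 128)) ;;
            ALL) bits=$((bits | 63)) ;;
            NONE) ;;
            *) echo "unknown TCP flag: $f" >&2; return 2 ;;
        esac
    done
    echo "$bits"
}

# "--tcp-flags MASK COMP" matches when (packet_flags & MASK) == COMP:
# bits outside MASK are ignored, bits inside MASK must be exactly COMP.
# Usage: tcp_flags_match MASK COMP PACKET_FLAGS ; exit status 0 on match.
tcp_flags_match() {
    mask=$(tcp_flag_bits "$1") || return 2
    comp=$(tcp_flag_bits "$2") || return 2
    pkt=$(tcp_flag_bits "$3") || return 2
    [ $((pkt & mask)) -eq "$comp" ]
}

# The six anti-scan rules from the article, same order, as label:MASK:COMP.
# Prints the label of the first rule that would DROP the packet, or "pass".
scan_filter_verdict() {
    for rule in \
        "null-scan:FIN,SYN,RST,PSH,ACK,URG:NONE" \
        "syn-fin:SYN,FIN:SYN,FIN" \
        "syn-rst:SYN,RST:SYN,RST" \
        "fin-rst:FIN,RST:FIN,RST" \
        "fin-without-ack:ACK,FIN:FIN" \
        "urg-without-ack:ACK,URG:URG"
    do
        label=${rule%%:*}
        rest=${rule#*:}
        r_mask=${rest%%:*}
        r_comp=${rest#*:}
        if tcp_flags_match "$r_mask" "$r_comp" "$1"; then
            echo "$label"
            return 0
        fi
    done
    echo pass
}

# Stand-alone demo: each argument is one packet's flag set, e.g.
#   sh tcpflags.sh NONE SYN,FIN FIN,PSH,URG SYN SYN,ECE,CWR FIN,ACK
for pkt in "$@"; do
    printf '%-16s -> %s\n' "$pkt" "$(scan_filter_verdict "$pkt")"
done
```

Run as `sh tcpflags.sh NONE SYN,FIN FIN,PSH,URG SYN SYN,ECE,CWR FIN,ACK`: the null probe is caught by the first rule, SYN+FIN by the second, the Xmas probe (FIN,PSH,URG) by the FIN-without-ACK rule, while an ordinary SYN, an ECN SYN and a normal FIN,ACK all pass. The same helper shows why a flood rule written as `--tcp-flags SYN,ACK,FIN,RST RST` sees only resets and never a connection attempt: `tcp_flags_match SYN,ACK,FIN,RST RST SYN` fails.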

Here is the script on our paste: Paste.DesdeLinux.net (the script above)

14 comments


  1.   KZKG^Gaara says

    And that is why I published the tutorial on DDoS attacks first 😉
    Set out / explain the reason or the problem (previous tutorial), and then give you the solution (this tutorial) 🙂

    1.    phumlani says

      perfect

  2.   Koratsuki says

    Candy for the kids ...

  3.   Hugo says

    Good article.

    My two cents:

    In the case of UDP packets, the SYN flag does not exist, because it is a protocol that runs without state control. Ironically, though, the NEW and ESTABLISHED states do exist, because iptables internally keeps tables for that purpose.

    On the other hand, in my opinion it is better to use a DROP target rather than REJECT, for two reasons: first, a reject hands information to a potential attacker, and second, the machine spends part of its bandwidth sending the notification to the attacking host.

    Another thing is that in the case of ICMP (and in general) it is convenient to control both requests and replies, because we may at some point want to ping ourselves, and if that function is enabled someone could use a botnet and spoof the source address to ping a lot of those compromised PCs, and the replies would all land on our server and bring it down if no limits are set.

    I usually allow ICMP types 0, 3, 8, 11 and 12 with an input limit of one per second and a burst of two or four at most, and everything else goes to DROP.

    In fact, apart from TCP, which can be controlled better, all the other protocols should be protected with an anti-DDoS measure using the recent module. On that subject, as a curiosity, the author of that module prefers to put update first and then set.

    Iptables is really very flexible and powerful; so far the only thing I have set out to do and have not yet managed (though I am close) is to enable the psd module to avoid port scans, but even with everything I have learned about this tool, I think I have not even scratched the surface yet. 😉

    Anyway, in this world you always have to keep studying.

  4.   Koratsuki says

    Good points Hugo, into our glossary they go :D, as always, one keeps learning...

    1.    Hugo says

      By the way, I have now got the psd module working for me. The problem was that originally it depended on a deprecated kernel feature together with patch-o-matic, so it was removed from the modules built into netfilter by default. So now on Debian, to use the psd extension, first you have to do this:


      aptitude -RvW install iptables-dev xtables-addons-{common,source} module-assistant
      module-assistant auto-install xtables-addons-source

      It can then be used normally, following the instructions in:

      man xtables-addons

      1.    kude says

        Hugo, why don't you publish the iptables.sh with your suggestions for improving the (good) script in this post, including psd

        Thanks

  5.   nelson says

    Excellent article, very good iptables rules and an excellent explanation from @hugo. More and more I am convinced that I still have a lot to learn.

  6.   Koratsuki says

    You are not the only one, at least I... am missing a million... 😀

  7.   Miguel Angel says

    Hello everyone, and thanks for the contribution, but the truth is that we are worried, we don't know what to do now, and we come to you about this iptables business since we know you are experts in systems.
    I am the leader of the Spanish Counter-Strike: Source community and we are one of the few still standing, by the skin of our teeth; we are getting continuous attacks on the machine and other attacks at intervals, the continuous one knocks a little but the one that hits the server, small but well timed, does great damage. Our machine runs CentOS 6.2
    and we have tcadmin to manage the servers. Could you make us a configuration that can stop this kind of attack, even a little? Because we are already desperate,
    and we don't know who to turn to; we know there are two botnets, one homemade and another paid for by time and power. We have been putting up with brutal attacks of this kind for almost a year; if you could help us we would be eternally grateful because it is unsustainable now. I like setting up servers as a hobby, and I am not a kid, I assure you, but this is too much for me. If you want my ts3 to talk about whatever you like, if you could help us with this, then we would post the results and everything solved here so that more people benefit; it would be the most visited blog entry of the year, I assure you, because it is amazing how much these DDoS attacks hurt. When we tried to fix it on our own we locked ourselves out of the machine and had to format it from the BIOS, so imagine how we are doing.
    Warm regards. And congratulations on the blog, one like this was missing; many people will find one as up to date as this useful. -Miguel Angel-

    1.    KZKG^Gaara says

      Hello, how are you?
      Write to me at my email, we will gladly help you 😀 -» kzkggaara[@]desdelinux[.]net

  8.   ArthurShelby says

    Hello guys, as of now, where I work they are adopting this script, very good by the way... just one doubt: doesn't the «recent» module reduce performance?

    Greetings - Thanks / Which one do you prefer?

  9.   Jose Tapia says

    Excellent contribution my friend, I will put it in the references of a video tutorial we are putting together, a hug from Costa Rica

  10.   Cristian Marfil Reinoso says

    Hello,

    Can't the script be used on several ports?
    I have a game server and I am getting attacks on both the web port and the game server ports.

    Greetings.