Sysadmin.FloodBlocking r1.2 - 30 Dec 2004 - 18:29 - SchoHase

How to Block Flooders

First, create an hourly cron job that creates iptables rules dynamically. For that we need a little script.
Log in to the root shell, change to the directory /etc/cron.hourly and create a new file. You can use the editor nano or pico for this:

cd /etc/cron.hourly
nano killclones

Edit the created file as follows:

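#!/bin/bash
# Block every remote IPv4 address that currently holds 40 or more TCP connections.
# cut -c 45- relies on the fixed column layout of `netstat -n` (foreign address column).
IPS=$(netstat -n | grep '^tcp ' | cut -c 45- | sed 's/:.*//' | grep -v '^127\.0\.0\.1$' \
      | grep -F -vx YOUR_SERVER_IP | sort | uniq -c | awk '$1 >= 40 {print $2}')
echo $IPS
for IP in $IPS; do
        iptables -I INPUT -s "$IP" -j DROP
        # Record the address for the daily cleanup job.
        # /tmp is world-writable; a root-only directory is safer if local users are untrusted.
        echo "$IP" >> /tmp/killedips
done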

Change "YOUR_SERVER_IP" to the IP of your server (e.g. 123.45.67.8), then save and close the file.
Next, create a daily cron job to delete all dynamically created rules.
To do so, change to the directory /etc/cron.daily/ and create a second new file:

cd /etc/cron.daily/
nano removeipdrops

This file should remove, every day, the last 20 IPs that the other script has blocked. Write the following code into the new file:

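#!/bin/bash
# Remove the DROP rules for 20 of the addresses recorded by killclones.
IPS=$(head -n 20 /tmp/killedips)
for IP in $IPS; do
        # -D deletes the DROP rule itself; inserting an ACCEPT rule would leave it in the chain.
        iptables -D INPUT -s "$IP" -j DROP
done
# Drop the processed entries so the next run handles the following 20.
sed -i '1,20d' /tmp/killedips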

OK, save and close it, and enjoy.

thx to pabs

-- TammO - 29 Dec 2004
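
A dry-run version of the detection step, added here as an example and not part of the original page: it applies the threshold numerically, lets only dotted-quad addresses through to the iptables command, and skips addresses already recorded so that the hourly job does not insert the same DROP rule twice. The function names, the threshold of 40 used in the last line, and all sample addresses are assumptions; the netstat lines are constructed.

```bash
#!/bin/bash
# Added example, not the page's own script. Sample data is constructed (documentation address ranges).

# flooders THRESHOLD [EXCLUDED_IP...]
# Reads `netstat -nt` output on stdin; prints every remote IPv4 address that
# holds at least THRESHOLD TCP connections, skipping loopback and excluded IPs.
flooders() {
    threshold=$1; shift
    awk -v t="$threshold" -v skip="$*" '
        BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) ex[s[i]] = 1 }
        $1 == "tcp" {
            ip = $5; sub(/:[0-9]+$/, "", ip)                    # strip the remote port
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next  # only dotted-quad text reaches iptables
            if (ip ~ /^127\./ || (ip in ex)) next               # never block loopback or our own IPs
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= t) print ip }' | sort
}

# plan_blocks STATE_FILE
# Reads addresses on stdin and prints (dry run) one DROP rule per address not
# already listed in STATE_FILE, so a repeat offender is not inserted twice.
plan_blocks() {
    while read -r ip; do
        if ! grep -qxF "$ip" "$1" 2>/dev/null; then
            echo "iptables -I INPUT -s $ip -j DROP"
        fi
    done
}

# emit_conns REMOTE_IP COUNT: constructed netstat lines for one remote address.
emit_conns() {
    i=0
    while [ "$i" -lt "$2" ]; do
        echo "tcp        0      0 203.0.113.10:80         $1:$((40000 + i))      ESTABLISHED"
        i=$((i + 1))
    done
}

sample_netstat() {
    echo "Proto Recv-Q Send-Q Local Address           Foreign Address         State"
    emit_conns 198.51.100.7 45     # flooder with a two-digit count
    emit_conns 192.0.2.99 120      # flooder with a three-digit count
    emit_conns 192.0.2.50 3        # normal client
    emit_conns 127.0.0.1 50        # loopback, never blocked
    emit_conns 203.0.113.10 60     # the server itself, passed as an exclusion
}

# Dry run over the sample; /dev/null stands in for an empty state file.
sample_netstat | flooders 40 203.0.113.10 | plan_blocks /dev/null
```

To use it for real, feed `netstat -nt` into `flooders`, pass the file the hourly job appends to as the state file, and execute the printed commands only after reviewing them.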
Copyright © 1999-2008 by the contributing authors.
All material on this collaboration platform is the property of the contributing authors.