How to Block Flooders

First, create an hourly cron job that adds iptables rules dynamically. For that we need a small script.
Log in to a root shell, change to /etc/cron.hourly and create a new file, for example with the editor nano or pico:
cd /etc/cron.hourly
nano killclones

Edit the created file as follows:

#!/bin/bash
# Count established TCP connections per remote IPv4 address and block every address
# holding 40 or more (adjust the threshold in the last awk). Replace YOUR_SERVER_IP
# with this server's own address so it is never blocked.
IPS=$(netstat -nt | awk '$1 == "tcp" { sub(/:[0-9]+$/, "", $5); print $5 }' \
      | grep -v '^127\.0\.0\.1$' | grep -vxF 'YOUR_SERVER_IP' \
      | sort | uniq -c | awk '$1 >= 40 { print $2 }')
echo $IPS    # cron mails this, so you see which addresses are over the threshold
for IP in $IPS; do
        # skip addresses that already have a DROP rule (iptables -C needs 1.4.11+)
        iptables -C INPUT -s $IP -j DROP 2>/dev/null && continue
        iptables -I INPUT -s $IP -j DROP
        echo $IP >> /tmp/killedips
done

Change "YOUR_SERVER_IP" to the IP of your server (e.g. 123.45.67.8), then save and close the file. The threshold of 40 connections is a guess that suits a small web server; a busy site, or one that serves many clients behind a single NAT gateway or proxy, will need a higher number, because every address above the threshold is blocked regardless of what it is doing. On a modern distribution without net-tools, ss -ntH shows the same connections with the peer address in the fifth column, but its first column is the socket state rather than the protocol, so the awk filter has to be adapted.
Next, create a daily cron job that removes the dynamically created rules again. Change to /etc/cron.daily/ and create a second file:

cd /etc/cron.daily/
nano removeipdrops

This script unblocks, once a day, the 20 oldest addresses the hourly script has blocked, i.e. the first 20 lines of /tmp/killedips. Write the following code into the new file:

#!/bin/bash
# Unblock the 20 oldest addresses in /tmp/killedips by deleting their DROP rules,
# then drop those lines from the file so they are not processed again tomorrow.
[ -s /tmp/killedips ] || exit 0
IPS=$(head -n 20 /tmp/killedips)
for IP in $IPS; do
        iptables -D INPUT -s $IP -j DROP
done
sed -i '1,20d' /tmp/killedips

Save and close it, and make both files executable (chmod +x), since run-parts skips files that are not executable. Two things to keep in mind: the state file lives in /tmp, which is world-writable, so any local user could pre-create /tmp/killedips (or a symlink in its place) and have root read or follow it; a root-owned directory such as /var/lib is the safer home for that file. Also, a connection count taken once an hour is a crude signal: it misses bursts between runs and can block a legitimate but busy client, so watch /tmp/killedips for a while before trusting the job unattended.
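To see what the hourly job's detection step actually selects, here is the same logic factored into a shell function that reads netstat-style output from stdin and only prints the iptables commands it would run, so it can be tried without touching the firewall. This is an added example, not the page's or the original author's script. It assumes the column layout of netstat -nt (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State); the sample output is constructed from documentation address ranges, with 203.0.113.7 holding 42 connections, 198.51.100.5 holding 3, and 192.0.2.10 standing in for the server's own address.

```shell
#!/bin/bash
# Added example, not the original page's script: the detection step of the hourly
# job as a function, so it can be run on constructed netstat output without
# touching iptables.
#
# flooders THRESHOLD SERVER_IP < netstat_output
# Reads "netstat -nt" style lines (Proto Recv-Q Send-Q Local Foreign State) and
# prints every remote address with at least THRESHOLD connections, one per line.
flooders() {
    awk -v min="$1" -v self="$2" '
        $1 == "tcp" || $1 == "tcp6" {
            peer = $5
            sub(/^::ffff:/, "", peer)   # IPv4-mapped IPv6, e.g. ::ffff:203.0.113.7:5000
            sub(/:[0-9]+$/, "", peer)   # strip the port
            if (peer == "127.0.0.1" || peer == "::1" || peer == self) next
            count[peer]++
        }
        END { for (ip in count) if (count[ip] >= min) print ip }
    ' | sort
}

# block_commands BLOCKLIST_FILE < ip_list
# Prints the iptables command the cron job would run for each address, skipping
# addresses already listed in BLOCKLIST_FILE (the equivalent of /tmp/killedips).
block_commands() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        grep -qxF "$ip" "$1" 2>/dev/null && continue
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Constructed sample output (documentation address ranges): 203.0.113.7 holds
# 41 IPv4 connections plus one via the tcp6 socket, 198.51.100.5 holds 3,
# 192.0.2.10 is the server's own address, and one loopback line is present.
sample_netstat() {
    printf 'Active Internet connections (w/o servers)\n'
    printf 'Proto Recv-Q Send-Q Local Address           Foreign Address         State\n'
    i=0
    while [ "$i" -lt 41 ]; do
        i=$((i + 1))
        printf 'tcp        0      0 192.0.2.10:80           203.0.113.7:%d       ESTABLISHED\n' $((40000 + i))
    done
    for p in 50001 50002 50003; do
        printf 'tcp        0      0 192.0.2.10:80           198.51.100.5:%d      ESTABLISHED\n' "$p"
    done
    printf 'tcp        0      0 192.0.2.10:22           192.0.2.10:33001        ESTABLISHED\n'
    printf 'tcp        0      0 127.0.0.1:3306          127.0.0.1:41000         ESTABLISHED\n'
    printf 'tcp6       0      0 ::ffff:192.0.2.10:443   ::ffff:203.0.113.7:5000 ESTABLISHED\n'
}

echo "Addresses over the threshold of 40:"
sample_netstat | flooders 40 192.0.2.10
echo "Commands the hourly job would run (nothing blocked yet):"
sample_netstat | flooders 40 192.0.2.10 | block_commands /dev/null
```

Run as is, it lists 203.0.113.7 and prints a single DROP command for it. To preview a live run before wiring anything into cron, feed the real output in with `netstat -nt | flooders 40 YOUR_SERVER_IP | block_commands /tmp/killedips`. The tcp6 branch handles the ::ffff: prefix netstat shows for IPv4 clients of a dual-stack listener; a column-based cut would miscount those lines.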

Thanks to pabs.

-- TammO - 29 Dec 2004

This topic: Sysadmin > FloodBlocking
Topic revision: 30 Dec 2004, SchoHase