나는 같은 주제에 관해 많은 질문을 했습니다. 예를 들면 다음과 같습니다.여기, 그리고여기.
대답은 다음과 같이 규칙을 설정해야 한다고 말했습니다.
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
그런 다음 다음과 같이 나머지를 추가하기 시작합니다.
# Dynamic Badguy List. Detect and DROP Bad IPs that try to access port 20000.
# Once they are on the BADGUY list then DROP all packets from them.
iptables -A INPUT -i eth0 -m recent --update --hitcount 5 --seconds 90000 --name BADGUY -j LOG --log-prefix "Port 20000 BAD:" --log-level info
iptables -A INPUT -i eth0 -m recent --update --hitcount 5 --seconds 90000 --name BADGUY -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 20000 -m recent --set --name BADGUY -j ACCEPT
정확하게 이 작업을 수행했지만 일부 IP는 여전히 IP당 100개 이상의 연결을 열 수 있습니다. 그렇다면 IP 연결을 제한하는 적절한 방법은 무엇입니까?
우리가 특히 관심을 갖고 있는 내용은 다음과 같습니다.
tcp 0 75981 45.233.22.66:22 77.101.61.108:49746 ESTABLISHED
tcp 0 77442 45.233.22.66:22 77.101.61.108:49866 ESTABLISHED
tcp 0 106643 45.233.22.66:22 77.101.61.108:49662 ESTABLISHED
tcp 0 75826 45.233.22.66:22 77.101.61.108:49727 ESTABLISHED
tcp 97 0 45.233.22.66:22 77.101.61.108:50448 CLOSE_WAIT
tcp 0 105924 45.233.22.66:22 77.101.61.108:49798 ESTABLISHED
tcp 0 77441 45.233.22.66:22 77.101.61.108:49852 ESTABLISHED
tcp 0 77442 45.233.22.66:22 77.101.61.108:49813 ESTABLISHED
tcp 0 75223 45.233.22.66:22 77.101.61.108:49655 ESTABLISHED
그리고
tcp 0 73838 45.233.22.66:22 212.252.97.90:24457 ESTABLISHED
tcp 0 73502 45.233.22.66:22 212.252.97.90:24101 ESTABLISHED
tcp 0 74848 45.233.22.66:22 212.252.97.90:24397 ESTABLISHED
tcp 0 70703 45.233.22.66:22 212.252.97.90:24315 ESTABLISHED
tcp 0 70620 45.233.22.66:22 212.252.97.90:24292 ESTABLISHED
tcp 0 73501 45.233.22.66:22 212.252.97.90:24362 ESTABLISHED
tcp 0 73500 45.233.22.66:22 212.252.97.90:24122 ESTABLISHED
이는 적중 횟수 규칙이 허용해야 하는 것보다 더 많은 연결인 것 같습니다.
여기 iptable vxnl이 있습니다
Chain INPUT (policy ACCEPT 35537 packets, 4077701 bytes)
pkts bytes target prot opt in out source destination
1939108 97521172 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x17/0x02 #conn src/32 > 2 reject-with tcp-reset
1112785 217196313 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
69985 3510824 LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 90000 hit_count: 5 name: BADGUY side: source mask: 255.255.255.255 LOG flags 0 level 6 prefix "Port 22 BAD:"
69985 3510824 DROP all -- eth0 * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 90000 hit_count: 5 name: BADGUY side: source mask: 255.255.255.255
217171 11052690 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 recent: SET name: BADGUY side: source mask: 255.255.255.255
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3258297 packets, 496362303 bytes)
pkts bytes target prot opt in out source destination
답변1
점성 DDOS 공격에 대해 제안된 iptables 규칙 세트 솔루션은 다음 스크립트입니다.
#!/bin/sh
FWVER=0.01
#
# Vlark.Lopin rule set. Smythies 2016.09.18 Ver:0.01
# Attempt to manage severe DDOS attack.
# Port 20000 should only ever have 2 open
# connections at a time. If more, ban them.
#
# If too many SSH attempts, ban them.
# DROP all other unsolicited input.
# If ssh port has been moved, adjust rules
# accordingly.
#
# Requires a larger (1000) than default (100)
# xt_recent table size.
#
# See also:
# http://askubuntu.com/questions/818524/correctly-limit-ip-connections
# http://askubuntu.com/questions/808297/i-have-massive-attack-on-port-in-my-server
# http://askubuntu.com/questions/817478/ip-tables-limit-connetion-per-ip-address-can-be-bypassed
#
# run as sudo
#
echo "Loading Vlark.Lopin rule set version $FWVER..\n"
# The location of the iptables program
#
IPTABLES=/sbin/iptables
#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Vlark.Lopin
EXTIF="eth0"
# Doug
#EXTIF="enp9s0"
UNIVERSE="0.0.0.0/0"
#Clearing any previous configuration
#
echo " Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
# Otherwise, I can not seem to delete it later on
$IPTABLES -F add-to-connlimit-list
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# We want to force load the xt_recent module, so that we override the
# default maximum table size. We want 1000 whereas the default is 100.
# Note: It is unlikely that is needs to be 1000 forever. Once the
# bad guys give up, the attempts will become much less frequent, and
# the table size can probably be reduced to default.
# i.e. this force load segment can be commented out, and then it will
# autoload as required.
#
modprobe xt_recent ip_list_tot=1000
#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
#
# add-to-connlimit-list
# To many connections from an IP address has been detected.
# Add the IP address to the bad guy list, and DROP the packet.
# If desired, comment out the log rule.
$IPTABLES -N add-to-connlimit-list
#$IPTABLES -A add-to-connlimit-list -m recent --update --hitcount 1 --seconds 90000 --name BADGUY_CONN
$IPTABLES -A add-to-connlimit-list -m recent --set --name BADGUY_CONN
$IPTABLES -A add-to-connlimit-list -j LOG --log-prefix "CONNLIMIT_ADD:" --log-level info
$IPTABLES -A add-to-connlimit-list -j DROP
#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# A NEW TCP connection requires SYN bit set and FIN,RST,ACK reset.
# More importantly, this check might prevent lingering packets from
# a forgotten legitimite connection from getting a valid user on the
# bad guy list
#
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW TCP no SYN:" --log-level info
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT
# Not sure if this one is needed or not
#
$IPTABLES -A INPUT -i $EXTIF -p tcp -m state --state INVALID -j LOG --log-prefix "IINVALID:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -p tcp -m state --state INVALID -j DROP
# Allow any related traffic coming back to the server in.
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -m state --state ESTABLISHED,RELATED -j ACCEPT
# external interface, from any source, for any remaining ICMP traffic is valid
# Note: consider to not allow, as this is often how bad guys find you
#
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -j ACCEPT
# Secure Shell on port 22 (Change to whatever port you moved SSH to).
#
# Sometimes I uncomment the next line to simply disable external SSH access.
# Particulalry useful when I am rebooting often, thereby losing my current BADGUY table.
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE --dport 22 -j DROP
# Dynamic Badguy List. Detect and DROP Bad IPs that do password attacks on SSH.
# Once they are on the BADGUY list then DROP all packets from them.
# Sometimes make the lock time very long. Typically to try to get rid of coordinated attacks from China.
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 5 --seconds 90000 --name BADGUY_SSH -j LOG --log-prefix "SSH BAD:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 5 --seconds 90000 --name BADGUY_SSH -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -m recent --set --name BADGUY_SSH -j ACCEPT
# Port 20000. Limit to 2 connections per IP address.
# Otherwise ban them.
# Note: The logging is useful for debugging, but might overwhelm the log files. Comment out the logging rule as required.
#
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 90000 --name BADGUY_CONN -j LOG --log-prefix "CONNLIMIT:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 90000 --name BADGUY_CONN -j DROP
$IPTABLES -A INPUT -p tcp --dport 20000 -m connlimit --connlimit-above 2 -j add-to-connlimit-list
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 20000 -j ACCEPT
# port 4 is needed. (Consider doing it the same as the SSH port).
# If UDP is needed, then add it.
#
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 4 -j ACCEPT
# O.K. at this point, we will DROP the packet, however some will be dropped without logging just to make the log file
# less cluttered.
#
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 33434 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j DROP
# If your log file is too cluttered, consdier to comment out this log rule.
# It is useful for debugging, but might overwhlem your log files.
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j LOG --log-prefix "ICATCH:" --log-level info
# With a default policy of DROP, the following rule isn't actually neeeded.
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j DROP
echo Vlark.Lopin rule set version $FWVER done.
이 스크립트를 디버깅한 후 부팅 시 자동으로 로드되도록 하려면 파일에 pre-up 지시어를 추가하세요 /etc/network/intefaces. 예를 들어 내 파일은 다음과 같습니다.
# interfaces file for smythies.com 2016.01.30
# attempt to set local DNS herein, as the method
# used with the old 12.04 server no longer works.
#
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
pre-up /home/doug/init/doug_firewall
dns-nameservers 127.0.0.1
# The primary interface (d-link PCI card)
auto enp4s0
iface enp4s0 inet dhcp
# Local network interface (uses built in ethernet port)
auto enp2s0
iface enp2s0 inet static
address 192.168.111.1
network 192.168.111.0
netmask 255.255.255.0
broadcast 192.168.111.255
내 스크립트 파일에 대한 권한은 다음과 같습니다.
$ ls -l /home/doug/init/doug_firewall
-rwxr-xr-x 1 doug doug 61703 Aug 27 15:55 /home/doug/init/doug_firewall
또는 755.