Block DDoS Attacks -ish - This will block IPs that get over 100 connections at a time in netstat. This is a high enough limit for me that I don't have to worry about regular users hitting an issue. Note that if you use it, someone spamming a page refresh on your site before their page loads will build up connections that won't drop for, I think, 30 seconds. They could potentially get themselves blocked, but they shouldn't really be spamming page refreshes. That's not really a lot different from a DoS attack.
Code:
#!/bin/bash
# Every 3 seconds, count netstat entries per remote IPv4 peer and hand any peer
# with more than 100 entries to ./block.sh. The first two netstat lines are headers;
# IPv6 peers are skipped by the grep (hex letters) and would break the cut on ':' anyway.
while true; do
    for f in $(netstat -utn | awk 'NR > 2 {print $5}' | grep -v '[a-z]' | cut -d : -f 1 | sort | uniq -c | sort -nr | sed 's/^ *//' | awk '$1 > 100 {print $2}'); do
        ./block.sh "$f"
        echo "$(date): ${f}"
    done
    sleep 3
done
Code:
#!/bin/bash
# block.sh: drop all traffic from the IP in $1, then persist the ruleset.
# -C tests whether the rule already exists, so repeated calls add no duplicates
# (line-deduplicating iptables-save output breaks when more than one table is loaded,
# because the repeated COMMIT lines get removed).
# -I puts the DROP at the top of INPUT so it is matched before any ACCEPT rules.
iptables -C INPUT -s "$1" -j DROP 2>/dev/null || iptables -I INPUT -s "$1" -j DROP
iptables-save > /etc/network/iptables.rules
Code:
#!/bin/bash
# Every 60 seconds, list accounts with >= 10 failed logins and hand the source host
# to ./blockssh.sh. pam_tally2 columns: Login Failures Date Time From, so the host
# is $5; entries with no From (local failures) are skipped. -r resets the counters
# after printing them, so each minute starts from zero. Must run as root.
pam_tally2 -r > /dev/null
while true; do
    sleep 60
    for f in $(pam_tally2 -r | tail -n +2 | awk '$2 >= 10 && $5 != "" {print $5}'); do
        ./blockssh.sh "$f"
        echo "Blocked: ${f}"
    done
done
Code:
auth required pam_tally2.so deny=3 onerr=fail unlock_time=300
Code:
service ssh restart
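The two parsing stages in the scripts above (the per-peer connection count from netstat, and the source-host extraction from pam_tally2 output) are the parts that are worth checking offline before pointing them at iptables. The block below is an added example, not code from the original post: it turns each stage into a function that reads from stdin, and feeds it constructed netstat and pam_tally2 output. The function names `busy_peers` and `tally_sources`, the sample data, and the low threshold of 2 (the post uses 100) are all assumptions made for the demonstration.

```shell
#!/bin/bash
# Added example (not from the original post). Assumed names: busy_peers, tally_sources.

# Print each remote IPv4 peer that appears more than $1 times in `netstat -utn`
# output read on stdin. The first two lines are headers; IPv6 peers (hex letters,
# several ':') and unconnected UDP sockets ("0.0.0.0:*") are skipped because
# only "a.b.c.d:port" with a numeric port is accepted.
busy_peers() {
    local limit="$1"
    awk -v limit="$limit" '
        NR > 2 && $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ {
            split($5, a, ":"); count[a[1]]++
        }
        END { for (ip in count) if (count[ip] > limit) print ip }
    ' | sort
}

# Print the source host for every account in `pam_tally2` output (stdin) whose
# failure count is at least $1. Columns: Login Failures Date Time From.
# Entries without a From column (local failures) are skipped.
tally_sources() {
    local limit="$1"
    awk -v limit="$limit" 'NR > 1 && $2 >= limit && $5 != "" { print $5 }' | sort -u
}

# Constructed sample netstat output: 3 sockets from 198.51.100.7 (one in TIME_WAIT,
# which the original pipeline also counts), 1 from 203.0.113.9, an IPv6 peer, a UDP socket.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51230      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51231      TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.7:51232      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:40001       ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::5:33000       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Constructed sample pam_tally2 output: two accounts over the limit from the same
# host, one under it, and one over it with no source host recorded.
SAMPLE_TALLY='Login           Failures Latest failure     From
root               12    01/02/24 10:15:01  203.0.113.5
alice               2    01/02/24 09:00:00  198.51.100.7
bob                15    01/02/24 10:20:00  203.0.113.5
svc                11    01/02/24 10:21:00'

echo "peers with more than 2 connections:"
printf '%s\n' "$SAMPLE_NETSTAT" | busy_peers 2
echo "hosts with at least 10 failed logins:"
printf '%s\n' "$SAMPLE_TALLY" | tally_sources 10
```

To use the functions against a live box, replace the `printf` of the sample with `netstat -utn | busy_peers 100` or `pam_tally2 -r | tally_sources 10` and pipe the result into the block scripts; keeping the parsing separate from the iptables call is what makes the threshold logic testable without locking yourself out.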