This plugin provides a reasonably effective defence against denial-of-service attacks launched with CC attack tools, load-testing tools and the like. It has no blocking capability of its own: it is built on the iptables firewall and uses netstat plus filtering rules to drive iptables. While a malicious denial-of-service attack is in progress, the software analyses the intent of each connection source in real time; when an IP shows clearly abnormal connection behaviour, the plugin automatically adds it to an iptables rule to block it. At the same time it records the attacking IP in a scheduled-unban file, and once the configured time has passed it automatically removes that IP from iptables again. In basic testing it proved clearly effective against single-IP concurrent-connection attacks and CC attacks. It is not suited to attacks from randomly spoofed IPs, but it can withstand light DDoS.

Originally released as DDos_firewall v1.0; renamed DDoS-Defender from v2.0 onwards.
Improvements in DDoS-Defender-v2.0.0:

1. Rewrote the poor-quality v1.0 code
2. New run architecture and audit flow
3. Tuned the priority of the running processes and improved CPU affinity
4. Temporary data is kept in a memory-backed area (/dev/shm in the sample config) to reduce disk I/O
5. Added APF firewall support (automatic unbanning not yet supported with APF)
6. Added email notification

The next version will complete APF firewall support and fix the remaining imperfect parts.
Installation:

```sh
# tar zxvf DDoS-Defender-v2.0.0.tar.gz
# cd DDoS-Defender-v2.0.0
# ./autoinstall.sh
# /usr/local/DDos/sbin/ddosDer start      # start the program
```

After installation, log in to the terminal again and the `ddosDer` command can be used directly: `ddosDer start` starts the monitor and `ddosDer stop` stops it.
Check the monitoring status:

```sh
# ddosDer status
```

Main directories:

```sh
/usr/local/DDos/sbin    # main program files
/usr/local/DDos/logs    # event records
/usr/local/DDos/conf    # configuration file
/usr/local/DDos/lib     # function module library
```

[System architecture diagram]
Shell source (open source):

Main process "ddos_daemon" (daemon):
```sh
#!/bin/sh
##############################################################################
# DDoS-Defender version 2.0.0 Author: Sunshine <lanxera@yeah.net>            #
##############################################################################
# This program is distributed under the "Artistic License" Agreement         #
# The LICENSE file is located in the same directory as this program. Please  #
# read the LICENSE file before you make copies or distribute this program    #
##############################################################################
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin:/usr/local/DDos/sbin
export PATH
CONF_FILE="/usr/local/DDos/conf/ddos.conf"

# Print header information.
header()
{
    echo "DDoS-Defender version 2.0.0"
    echo "Copyright (C) 2011,Sunshine <lanxera@yeah.net>"
    echo
}

# Check if user is root.
if [ "$(id -u)" != "0" ]; then
    header
    echo "Error: You must be root to run!"
    exit 1
fi

# Clean the temp directory (a tmpfs path such as /dev/shm/tmp, see the config).
clean_tmp() {
    if [ -d "$TMP_DIR" ]; then
        rm -f "$TMP_DIR"/*
    else
        mkdir -p "$TMP_DIR"
    fi
}

# Load the configuration. LOGS_FILE is only known after the config has been
# sourced, so a missing config is reported on stderr.
load_conf()
{
    if [ -n "$CONF_FILE" ] && [ -f "$CONF_FILE" ]; then
        . "$CONF_FILE"
        clean_tmp
    else
        header >&2
        echo "$CONF_FILE not found." >&2
        exit 1
    fi
}

# Send email to the admins (helper kept from the original; the daemon itself
# calls the external $SENDMAIL_EXE module instead).
send_mail() {
    if [ "$1" -eq 1 ]; then
        dt=$(date +"%y-%m-%d %H:%M:%S")
        if [ -n "$EMAIL_TO" ]; then
            for Addrs in $EMAIL_TO
            do
                mail -s "IP addresses banned on $dt" "$Addrs" < "$BANNED_IP_MAIL"
                if [ $? -eq 0 ]; then
                    echo "IP addresses banned on $dt,MailTo $Addrs Success."
                else
                    echo "Sendmail error..."
                fi
            done
            # mktemp already returned an absolute path; do not prefix it with $TMP_DIR again
            rm -f "$BANNED_IP_MAIL"
        fi
    fi
}

################################################################################################
active_exec() {
    header >> "$LOGS_FILE"
    echo "ddos_daemon Running OK. $(date +"%y-%m-%d %H:%M:%S")" >> "$LOGS_FILE"
    DDOS_PID="$PROC_DIR"logs/ddos_daemon.SOCK
    echo "$$" > "$DDOS_PID"
    BLACK_LIST=$(mktemp "$TMP_DIR"/ddos_backlist.XXXXXXXX)
    BANNED_IP_MAIL=$(mktemp "$TMP_DIR"/ddos_PREFIX.XXXXXXXX)
    echo "Banned the following ip addresses on $(date)" > "$BANNED_IP_MAIL"
    echo >> "$BANNED_IP_MAIL"
    # make sure the scheduled-unban list exists
    : >> "$CROND_LIST"
    while true
    do
        # Count connections per source IP on the monitored ports, highest count first,
        # dropping whitelisted addresses. Each line looks like "    123 198.51.100.7".
        netstat -ntu | grep -E "$MONT_PORT" | awk '{print $5}' | cut -f 1 -d : | sort | uniq -c | sort -rn | grep -v -E "$IGNORE_IP" > "$BLACK_LIST"
        if [ "$KILL" -eq 1 ]; then
            while read -r CURR_LINE_CONN CURR_LINE_IP; do   # connection count, source IP
                # The list is sorted descending, so the first IP below the limit ends the scan.
                if [ "$CURR_LINE_CONN" -lt "$NO_OF_CONNECTIONS" ]; then
                    break
                fi
                if [ "$APF_BAN" -eq 1 ]; then
                    "$APF" -d "$CURR_LINE_IP"
                    continue
                fi
                # Skip IPs that already have an iptables rule. -n stops iptables from resolving
                # addresses to hostnames (which would hide the IP from grep and cause duplicate
                # rules); -w -F matches the whole address literally, so 10.0.0.1 does not match 10.0.0.10.
                if [ "$("$IPT" -L INPUT -n | grep -w -F "$CURR_LINE_IP" | wc -l)" -eq 0 ]; then
                    "$IPT" -I INPUT -s "$CURR_LINE_IP" -j DROP
                    echo "$CURR_LINE_IP with $CURR_LINE_CONN connections,Lock Now!" >> "$BANNED_IP_MAIL"
                    # Record the ban for ddos_flush unless the IP is already scheduled.
                    if [ "$(grep -w -F "$CURR_LINE_IP" "$CROND_LIST" | wc -l)" -eq 0 ]; then
                        echo "$CURR_LINE_IP with $CURR_LINE_CONN connections,Lock Now!,$(date +"%y-%m-%d %H:%M:%S")" >> "$LOGS_FILE"
                        echo "$CURR_LINE_IP $(date +%Y/%m/%d) $(date +%H:%M:%S) $(date +%s) LOCK" >> "$CROND_LIST"
                    fi
                    # Email notification
                    if [ "$SENDMAIL_ON" -eq 1 ]; then
                        "$SENDMAIL_EXE" "$CURR_LINE_IP"_banned_On_ "$BANNED_IP_MAIL" >> "$LOGS_FILE"
                        rm -f "$BANNED_IP_MAIL"
                    fi
                fi
            done < "$BLACK_LIST"
        fi
        sleep "$REXEC_TIME"
    done
}
# Load the config before the pipeline so that $LOGS_FILE is set for tee.
load_conf
active_exec | tee -a "$LOGS_FILE"
```
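To see the detection step on its own, here is an added example (not DDoS-Defender's code) that applies the same per-source-IP connection counting to a constructed `netstat -ntu` sample and prints the iptables rule it would insert instead of executing it, so it runs offline without root. The sample lines, the function names `count_conns`, `over_threshold`, `sample_counts` and `plan_ban`, and the space-separated `MONT_PORTS`/`IGNORE_IPS` settings are this example's own assumptions. It deliberately goes beyond the daemon's pipeline in two ways: the port is compared against the Local Address column only (the unanchored `grep -E "80|8080|443"` also matches a foreign port or an address that happens to contain those digits), and the whitelist is an exact match (an `IGNORE_IP` regex of `10.0.0.1` would also whitelist `10.0.0.10`).

```shell
#!/bin/sh
# Added example, not DDoS-Defender's own code: the per-source-IP connection count
# from ddos_daemon, run against a constructed `netstat -ntu` sample so that it
# works offline, without root and without touching iptables. All names and the
# sample data below are this example's own assumptions.

MONT_PORTS="80 8080 443"          # local ports to watch (exact match on the port field)
IGNORE_IPS="127.0.0.1 0.0.0.0"    # whitelist, exact match on the whole address
NO_OF_CONNECTIONS=3               # ban threshold (lowered for the sample)

# Constructed netstat -ntu output. 203.0.113.80 only talks to port 22 and must
# not be counted even though "80" occurs in its address; 127.0.0.1 is whitelisted.
NETSTAT_SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.80:40002      ESTABLISHED
tcp        0      0 10.0.0.5:8080           127.0.0.1:33000         ESTABLISHED
tcp        0      0 10.0.0.5:8080           127.0.0.1:33001         ESTABLISHED
udp        0      0 10.0.0.5:443            192.0.2.44:5000         ESTABLISHED'

# count_conns: read netstat lines on stdin, print "<count> <ip>" for every foreign
# IP with connections to a watched local port, highest count first.
count_conns() {
    awk -v ports="$MONT_PORTS" -v ignore="$IGNORE_IPS" '
    BEGIN {
        n = split(ports, p, " ");  for (i = 1; i <= n; i++) watch[p[i]] = 1
        n = split(ignore, q, " "); for (i = 1; i <= n; i++) skip[q[i]] = 1
    }
    $1 ~ /^(tcp|udp)/ {
        lport = $4; sub(/.*:/, "", lport)       # port after the last colon of Local Address
        fip = $5;   sub(/:[^:]*$/, "", fip)     # Foreign Address without its port (IPv6-safe)
        if ((lport in watch) && !(fip in skip)) cnt[fip]++
    }
    END { for (ip in cnt) print cnt[ip], ip }' | sort -k1,1nr -k2,2
}

# over_threshold: keep only the IPs whose count reaches NO_OF_CONNECTIONS.
over_threshold() {
    awk -v limit="$NO_OF_CONNECTIONS" '$1 >= limit { print $2 }'
}

# sample_counts runs the pipeline over the sample; plan_ban prints the rule that
# ddos_daemon would insert with KILL=1 instead of executing it.
sample_counts() {
    printf '%s\n' "$NETSTAT_SAMPLE" | count_conns
}
plan_ban() {
    sample_counts | over_threshold | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

sample_counts
plan_ban
```

On the sample, only 198.51.100.7 (three connections to port 80) reaches the threshold; 203.0.113.80 is ignored because its local port is 22, and the loopback connections never enter the count.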
Scheduled-task process "ddos_flush" (daemon):

```sh
#!/bin/sh
##############################################################################
# DDoS-Defender version 2.0.0 Author: Sunshine <lanxera@yeah.net>            #
##############################################################################
# This program is distributed under the "Artistic License" Agreement         #
# The LICENSE file is located in the same directory as this program. Please  #
# read the LICENSE file before you make copies or distribute this program    #
##############################################################################
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin:/usr/local/DDos/sbin
export PATH
CONF_FILE="/usr/local/DDos/conf/ddos.conf"

# Print header information.
header()
{
    echo "DDoS-Defender version 2.0.0"
    echo "Copyright (C) 2011,Sunshine <lanxera@yeah.net>"
    echo
}

# Check if user is root.
if [ "$(id -u)" != "0" ]; then
    header
    echo "Error: You must be root to run!"
    exit 1
fi

# Load the configuration; a missing config is reported on stderr because
# LOGS_FILE is not known yet.
load_conf()
{
    if [ -n "$CONF_FILE" ] && [ -f "$CONF_FILE" ]; then
        . "$CONF_FILE"
    else
        header >&2
        echo "$CONF_FILE not found." >&2
        exit 1
    fi
}

################################################################################################
flush_exec() {
    echo "flush_daemon Running OK. $(date +"%y-%m-%d %H:%M:%S")" >> "$LOGS_FILE"
    FLUSH_PID="$PROC_DIR"logs/ddos_flush.SOCK
    TEMP_FILE=$(mktemp "$TMP_DIR"/CROND_IP.XXXXXXXX)
    echo "$$" > "$FLUSH_PID"
    while true
    do
        # current time in unix seconds
        DT=$(date +%s)
        # does the scheduled-unban list exist?
        if [ -e "$CROND_LIST" ]; then
            # walk every entry; the format is "<ip> <Y/m/d> <H:M:S> <unix-time> LOCK"
            for i in $(awk '{print $1}' "$CROND_LIST")
            do
                # ban time of the first entry for exactly this IP (duplicates are ignored)
                GET_KTIME=$(awk -v ip="$i" '$1 == ip {print $4; exit}' "$CROND_LIST")
                [ -n "$GET_KTIME" ] || continue
                EXPR_KOUT=$((DT - GET_KTIME))
                # has the ban period been exceeded?
                if [ "$EXPR_KOUT" -gt "$BAN_PERIOD" ]; then
                    # remove the iptables rule if one exists (-n: no DNS lookups, -w -F: exact match)
                    if [ "$("$IPT" -L INPUT -n | grep -w -F "$i" | wc -l)" -ne 0 ]; then
                        "$IPT" -D INPUT -s "$i" -j DROP
                        echo "Clean $i OK. $(date +"%y-%m-%d %H:%M:%S")" >> "$LOGS_FILE"
                    fi
                    # drop this IP's entry from the list, comparing the whole first field so
                    # that removing 10.0.0.1 does not also remove 10.0.0.10 (sed "/$i/d" would)
                    cp "$CROND_LIST" "$TEMP_FILE"
                    awk -v ip="$i" '$1 != ip' "$TEMP_FILE" > "$CROND_LIST"
                fi
            done
        fi
        sleep "$REXEC_TIME"
    done
}
# Load the config before the pipeline so that $LOGS_FILE is set for tee.
load_conf
flush_exec | tee -a "$LOGS_FILE"
```
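The expiry pass above is easiest to reason about on a fixed clock. The following added example (not DDoS-Defender's code) runs one pass of the same logic over a constructed crond_list in a temp file, with the iptables command printed rather than executed; the function names `expired_ips`, `drop_entry`, `flush_once` and `make_sample_list`, and the three sample entries, are this example's own. The entry removal compares the whole first field, which is the failure mode worth checking: a substring match on `10.0.0.1` would also remove the entries for `10.0.0.10` and `10.0.0.100`, and those IPs would then never be unbanned from iptables.

```shell
#!/bin/sh
# Added example, not DDoS-Defender's own code: one pass of the ddos_flush expiry
# logic over a constructed crond_list, with the iptables command printed rather
# than executed. Entries use the format ddos_daemon writes:
# "<ip> <Y/m/d> <H:M:S> <unix-time> LOCK". Function names are this example's own.

BAN_PERIOD=600   # seconds, as in the sample config

# expired_ips LISTFILE NOW: print the IPs banned more than BAN_PERIOD seconds
# before NOW, comparing the unix-time column only.
expired_ips() {
    awk -v now="$2" -v period="$BAN_PERIOD" \
        'NF >= 4 && now - $4 > period { print $1 }' "$1"
}

# drop_entry LISTFILE IP: remove the lines whose first field equals IP exactly.
# A `sed "/$ip/d"` would treat the dots as wildcards and match substrings, so
# removing 10.0.0.1 would also remove 10.0.0.10 and 10.0.0.100.
drop_entry() {
    tmp=$(mktemp) || return 1
    awk -v ip="$2" '$1 != ip' "$1" > "$tmp" && mv "$tmp" "$1"
}

# flush_once LISTFILE NOW: print the rule removal for each expired IP, then drop its entry.
flush_once() {
    for ip in $(expired_ips "$1" "$2"); do
        printf 'iptables -D INPUT -s %s -j DROP\n' "$ip"
        drop_entry "$1" "$ip"
    done
}

# make_sample_list: constructed list of three bans started at unix time
# 1000000000, +300 s and +700 s; prints the path of the temp file it wrote.
make_sample_list() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
10.0.0.1 2001/09/09 01:46:40 1000000000 LOCK
10.0.0.10 2001/09/09 01:51:40 1000000300 LOCK
10.0.0.100 2001/09/09 01:58:20 1000000700 LOCK
EOF
    printf '%s\n' "$f"
}

# Demo: at unix time 1000000650 only the first ban (650 s old) has expired.
LIST=$(make_sample_list)
flush_once "$LIST" 1000000650
cat "$LIST"
rm -f "$LIST"
```

Running it prints the single removal for 10.0.0.1 and then the two remaining entries; a second pass at the same clock finds nothing to expire.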
Main control process "ddosDer":

```sh
#!/bin/sh
##############################################################################
# DDoS-Defender version 2.0.0 Author: Sunshine <lanxera@yeah.net>            #
##############################################################################
# This program is distributed under the "Artistic License" Agreement         #
# The LICENSE file is located in the same directory as this program. Please  #
# read the LICENSE file before you make copies or distribute this program    #
##############################################################################
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin:/usr/local/DDos
export PATH
CONF_FILE="/usr/local/DDos/conf/ddos.conf"

# header() must be defined before the config check below can call it.
header()
{
    echo "DDoS-Defender version 2.0.0"
    echo "Copyright (C) 2011,Sunshine <lanxera@yeah.net>"
}

if [ -n "$CONF_FILE" ] && [ -f "$CONF_FILE" ]; then
    . "$CONF_FILE"
else
    header >&2
    echo "$CONF_FILE not found." >&2
    exit 1
fi
DDOS_DAEMON="/usr/local/DDos/sbin/ddos_daemon"
FLUSH_DAEMON="/usr/local/DDos/sbin/ddos_flush"
DDOS_PID="$PROC_DIR"logs/ddos_daemon.SOCK
FLUSH_PID="$PROC_DIR"logs/ddos_flush.SOCK

do_start() {
    "$CHECKIPTABLES" 1>/dev/null
    if [ "$(pgrep -f 'ddos_daemon' | wc -l)" -eq 0 ]; then
        # run both daemons at a slightly raised priority (negative nice needs root)
        nice -n -4 "$DDOS_DAEMON" &
        nice -n -4 "$FLUSH_DAEMON" &
    else
        echo "ddos_daemon already running!"
        exit 1
    fi
}

do_stop() {
    if [ "$(pgrep -f 'ddos_daemon' | wc -l)" -eq 0 ]; then
        echo "ddos_daemon not running!"
    else
        killall ddos_daemon
    fi
    if [ "$(pgrep -f 'ddos_flush' | wc -l)" -eq 0 ]; then
        echo "ddos_flush not running!"
    else
        killall ddos_flush
    fi
    # remove the pid files whether or not the daemons were still running
    rm -f "$DDOS_PID" "$FLUSH_PID"
}

do_restart() {
    do_stop
    do_start
}

do_status() {
    header
    echo "------------------------------DROP LIST---------------------------------"
    echo "IP Y/m/d H:M:S Unix/time Active"
    if [ -e "$CROND_LIST" ]; then
        column -t "$CROND_LIST"
    fi
    echo "------------------------------IPTABLES LIST-----------------------------"
    echo "target prot opt source destination"
    "$IPT" -L INPUT -n | grep 'DROP' | awk '{printf "%-10s%-5s%-4s%-20s%-11s\n",$1,$2,$3,$4,$5}'
    echo "------------------------------NETSTAT TOP20----------------------------"
    echo "Num Proto Recv-Q Send-Q Local Address Foreign Address State"
    # split "addr:port" into two fields, keep proto/queues/local IP/foreign IP/state, count duplicates
    netstat -ntu | grep -E "$MONT_PORT" | grep -v -E "$IGNORE_IP" | sed 's/:/ /g' | awk '{print $1,$2,$3,$4,$6,$8}' | sort | uniq -c | sort -rn | awk '{printf "%-6s%-6s%-7s%-7s%-20s%-20s%-10s\n",$1,$2,$3,$4,$5,$6,$7}' | head -20
    echo "------------------------------------------------------------------------"
    if [ "$(pgrep -f 'ddos_daemon' | wc -l)" -ne 0 ]; then
        printf '%s' ">>> ddos_daemon already running! "
    else
        printf '%s' ">>> ddos_daemon not running! "
    fi
    if [ "$(pgrep -f 'ddos_flush' | wc -l)" -ne 0 ]; then
        echo " ddos_flush already running! <<<"
    else
        echo " ddos_flush not running! <<<"
    fi
}

case "$1" in
    start)
        echo "Starting ddos_daemon ..."
        do_start
        echo "Done."
        ;;
    stop)
        echo "Stopping ddos_daemon ..."
        do_stop
        echo "Done."
        ;;
    restart)
        echo "Restarting ddos_daemon ..."
        do_restart
        echo "Done."
        ;;
    status)
        # refresh the status screen every 5 seconds until interrupted
        while true
        do
            clear
            do_status
            sleep 5
        done
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac
```
Example configuration file:

```sh
##### Paths of the script and other files
PROC_DIR="/usr/local/DDos/"
LOGS_FILE="/usr/local/DDos/logs/running.log"
TMP_DIR="/dev/shm/tmp"
APF="/etc/apf/apf"
IPT="/sbin/iptables"
### Module Library
### Modules loaded from lib
SENDMAIL_EXE="/usr/local/DDos/lib/sendmail.so"
CHECKIPTABLES="/usr/local/DDos/lib/check_iptables.so"
### Plans to remove (blacklist)
### Scheduled-unban queue
CROND_LIST="/usr/local/DDos/logs/crond_list.dat"
### White list (extended regex, matched against the netstat output)
IGNORE_IP="127.0.0.1|0.0.0.0"
### Monitor port (extended regex)
MONT_PORT="80|8080|443"
##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
### Mode: 0 = monitor only, 1 = actively defend and lock the IP
KILL=1
##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning IPs instead of APF)
### Whether to use the APF firewall; set to 0 when using iptables
APF_BAN=0
### Execution frequency (s)
### Monitoring interval, in seconds
REXEC_TIME=10
##### How many connections define a bad IP? Indicate that below.
### Lock threshold (connection count); this sets the sensitivity of the monitor and matters a great deal
NO_OF_CONNECTIONS=100
##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails. Sendmail Off/On, "1" is ON
### Admin mailboxes, separated by spaces; EMAIL_ATTACH enables attachments, 0 = Off
SENDMAIL_ON=1
EMAIL_ATTACH=0
EMAIL_SIGE="4399运维团队"
EMAIL_TO="xxxxxxxxx@qq.com"
### Lock time, used to lock the blacklist in crond_list;
### once this time is exceeded, the iptables rule is deleted automatically. (s)
### Ban duration
BAN_PERIOD=600
```
Related screenshots:

DDoS-Defender-v2.0.0 download: