So I have always used some dos deflate features to monitor DoS on my servers, just the netstat command. This one:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Today I got a SYN flood coming through, low bandwidth, etc. Each IP was connecting under the tracking limit for csf. So I tweaked the netstat command a little bit and was able to see which IPs were sending SYNs and how many times. Like this:
netstat -ntu | grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
So I figured it would be very handy to ban IPs sending over so many SYN_RECV connections at once. So I took dos deflate and tweaked it a little and made it work with csf. The only problem with csf is that there is no unban command, only whitelist, so I just had it run csf -d again on the unban command. This gives an error and does not unban the IP, but you really don't need to unban it so soon.
With apf it works perfectly on unbanning. It works just like dos deflate but bans SYN flooders, not connection flooders. You could even use this along with dos deflate. I am using it alongside csf and the connection tracking feature with no problem.
- For the CSF version:
To install:
wget http://nix101.com/synd/install.sh ; sh install.sh
To uninstall:
wget http://nix101.com/synd/uninstall.synd ; chmod 755 uninstall.synd ; ./uninstall.synd
- For the apf and generic iptables version:
To install:
wget http://nix101.com/synd-apf/install.sh ; sh install.sh
To uninstall:
wget http://nix101.com/synd-apf/uninstall.synd ; chmod 755 uninstall.synd ; ./uninstall.synd
Now as far as license, copyright and how medialayer will react to me basically copying their script and adding a few features, I don't know. But let's hope they don't care too much.
Ideal usage is to leave the limit at 10 for SYN connections.
On apf, use whatever ban time you want. On the csf version it doesn't matter, as it will not unban anyway. Still working on that. But with SYN floods it isn't a good idea to do timed bans; plus the likelihood of legit users getting banned is pretty slim, but it can happen.
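Here is the core of the check the post describes, written out as a small added example (this is not the synd script or dos deflate itself): it takes the SYN_RECV netstat pipeline above, keeps only the remote IPs over the limit (10, as recommended), and turns them into csf -d commands you can review before running. The netstat output embedded in it is a constructed sample so it can be tried offline; the function names are mine.

```shell
#!/bin/sh
# Added example: count half-open (SYN_RECV) connections per remote IP from
# `netstat -ntu` output and emit a csf ban command for every IP over the limit.

# Constructed sample of `netstat -ntu` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40002       SYN_RECV
tcp        0      0 10.0.0.5:22             192.0.2.10:33000        ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40003       SYN_RECV'

# syn_offenders LIMIT  (reads netstat output on stdin)
# Prints "COUNT IP" for each remote IP with more than LIMIT SYN_RECV entries,
# busiest first. Default limit is the 10 recommended in the post.
# Caveat: `cut -d: -f1` assumes IPv4; an IPv6 "[addr]:port" field is mangled.
syn_offenders() {
    limit="${1:-10}"
    grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr |
        awk -v limit="$limit" '$1 > limit { print $1, $2 }'
}

# ban_commands  (reads "COUNT IP" lines on stdin)
# Emits one `csf -d IP comment` line per offender. It only prints the commands,
# so the list can be checked for legit users before being piped into `sh`.
ban_commands() {
    while read -r count ip; do
        printf 'csf -d %s "SYN flood: %s SYN_RECV"\n' "$ip" "$count"
    done
}

# Demo on the constructed sample with a low limit so one IP trips it.
printf '%s\n' "$SAMPLE_NETSTAT" | syn_offenders 2 | ban_commands
# Live use would be:  netstat -ntu | syn_offenders 10 | ban_commands
```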
Hope this helps someone.