防DDOS攻击解决方案

脚本方式

配置邮件:

#这里我们使用qq邮箱作为收件方
vim /etc/mail.rc
set bsdcompat
set from=xx@qq.com #发件人地址
set smtp=smtp.qq.com  #smtp地址
set smtp-auth-user=xx@qq.com  #SMTP登录账号(发件地址)
set smtp-auth-password=xxxxxxx  #smtp验证码(授权码,不是登录密码),在qq邮箱操作,通过手机发送信息获取;该文件以明文保存授权码,建议 chmod 600 /etc/mail.rc
set smtp-auth=login


#测试
echo "邮件测试(测试内容)" | mail -s "测试结果(主题)" xx@qq.com

防ddos脚本:

#!/bin/bash
###############################################
#脚本思路
#1.从 /root/netstat.log 中取出已建立连接(ESTABLISHED)的客户端ip,统计连接数并排序放入文件
#2.判断ip连接数是否超过阈值
#3.超过就在iptables添加禁止连接策略
#4.判断iptables里是否存在该策略,存在就不执行,不存在就执行策略
###############################################
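#######################################
# One detection pass: count ESTABLISHED connections per remote IP and insert
# an iptables DROP rule for any IP above the threshold.
# Globals (read):  DDOS_NETSTAT_LOG, DDOS_THRESHOLD, DDOS_MAIL_TO (optional
#                  overrides; defaults are the original hard-coded values)
# Outputs:         rewrites the ip_conn.txt snapshot, inserts iptables rules,
#                  sends an alert mail and a syslog line per new ban
# Returns:         0 (individual failures are skipped, not propagated)
#######################################
ddos(){
    # Per-run snapshot: "<count> <ip>" lines, highest count first.
    local res=/server/scripts/ip_conn.txt
    # Whitelist: one IP per line, matched exactly; listed IPs are never banned.
    local white_list=/server/scripts/white_list.txt
    # Connection data. NOTE(review): nothing in this script refreshes
    # /root/netstat.log, so it must be regenerated externally (e.g. a cron job
    # writing netstat output there); otherwise every run re-evaluates the same
    # stale snapshot. Only ESTABLISHED sockets are counted, so a SYN flood
    # (sockets in SYN_RECV) is not detected by this check.
    local netstat_log=${DDOS_NETSTAT_LOG:-/root/netstat.log}
    # Ban when a single source IP holds more than this many connections.
    # Kept at the original value of 2, which is very aggressive (a browser or
    # a NAT gateway easily exceeds it); override with DDOS_THRESHOLD.
    local threshold=${DDOS_THRESHOLD:-2}
    local mail_to=${DDOS_MAIL_TO:-1354586675@qq.com}
    # Address of eth0, used only to identify the host in the alert mail.
    # Match "inet " (trailing space) so the inet6 line is skipped, and strip
    # the "addr:" prefix that older ifconfig output carries.
    local host_ip
    host_ip=$(ifconfig eth0 2>/dev/null | awk '/inet / {sub(/^addr:/, "", $2); print $2; exit}')
    [ -n "$host_ip" ] || host_ip=$(hostname)

    # With ":" added to the separators the remote address is field 6
    # (proto recv-q send-q local-ip local-port remote-ip ...).
    awk -F "[ :]+" '/^tcp/ && /ESTABLISHED/{print $6}' "$netstat_log" \
        | sort | uniq -c | sort -rn > "$res"

    while read -r cnt ip; do
        [ -n "$ip" ] || continue
        # A non-numeric count makes [ fail, which also skips the line.
        [ "$cnt" -gt "$threshold" ] 2>/dev/null || continue
        # Already dropped: a rule naming this IP exists in INPUT. -F -w so the
        # dots are literal and 10.0.0.1 does not match 10.0.0.10.
        if iptables -nL INPUT | grep -qwF -- "$ip"; then
            continue
        fi
        # Exact, fixed-string match against the whitelist; a missing file
        # counts as an empty whitelist (same as the original behaviour).
        if grep -qxF -- "$ip" "$white_list" 2>/dev/null; then
            continue
        fi
        # The existence check above makes the old "-D then -I" sequence
        # unnecessary (the -D always failed). The rule is never removed
        # automatically: there is no ban expiry in this script.
        iptables -I INPUT -s "$ip" -j DROP || continue
        logger -t ddos "banned $ip ($cnt connections > $threshold) on $host_ip" 2>/dev/null || :
        # The message names the rule that was actually created (-I, not -D).
        echo "在 $host_ip 主机中 iptables -I INPUT -s  $ip -j DROP 防ddos攻击策略被创建,请检查服务器" | mail -s "ddos攻击警告" "$mail_to"
    done < "$res"
}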
# Poll forever; the sleep comes first so the initial pass runs 10 s after start.
until false; do
    sleep 10
    ddos
done

执行脚本:

#后台运行脚本
sh /server/scripts/netstat.sh &

#查看运行状态
jobs

DDoS Deflate

Installation 安装(install.sh 通过明文 HTTP 下载并以 root 身份执行,运行前请先阅读脚本内容):

wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 700 install.sh
./install.sh

Uninstallation 卸载:

wget http://www.inetbase.com/scripts/ddos/uninstall.ddos 
chmod 0700 uninstall.ddos 
./uninstall.ddos

DDoS deflate安装路径:

ls /usr/local/ddos/
配置文件:
ls /usr/local/ddos/ddos.conf
/usr/local/ddos/ddos.conf

#白名单
cat /usr/local/ddos/ignore.ip.list
127.0.0.1

vim /usr/local/ddos/ddos.conf
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"
CRON="/etc/cron.d/ddos.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
#####          option so that the new frequency takes effect
#检查时间间隔,默认一分钟
FREQ=1

##### How many connections define a bad IP? Indicate that below.
#最大连接数,超过这个数ip就会屏蔽掉,一般默认即可
NO_OF_CONNECTIONS=150

##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
#使用APF还是iptables。推荐使用iptables,将APF_BAN的值改为0即可(未安装 APF 时若保持 APF_BAN=1,封禁不会生效)。
APF_BAN=1
#APF_BAN=0
##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
#是否屏蔽ip,默认即可
KILL=1

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
#当ip被屏蔽时给指定邮箱发送邮件报警,换成自己的邮箱
EMAIL_TO=xxxx@qq.com

##### Number of seconds the banned ip should remain in blacklist.
#禁用ip时间,默认600秒,可根据情况调整
BAN_PERIOD=600

开启防火墙:

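systemctl start firewalld.service
# Open 80/tcp in the public zone. The original line had two typos (zone
# "pubilc", option "--query-prot") and, being a query, added nothing.
# --permanent is required here: --reload below discards runtime-only changes.
firewall-cmd --zone=public --add-port=80/tcp --permanent
# Reload so the permanent rule becomes active.
firewall-cmd --reload
# Verify: prints "yes" when the port is open.
firewall-cmd --zone=public --query-port=80/tcp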

测试:

#防ddos主机上安装nginx
yum install nginx -y
systemctl start nginx

#压测主机
yum install httpd-tools -y
ab -n 10000 -c 100 http://主机名/index.html
原文地址:https://www.cnblogs.com/Mercury-linux/p/12704628.html