Solve DoS attack production cases

    The requirements of this experiment are ： according to web Number of log or network connections , Monitor when a IP Number of concurrent connections or in a short time PV achieve 100, Call the firewall command to block the corresponding IP, Monitoring frequency every 5 minute . The firewall command is :iptables -A INPUT -s IP -j REJECT.

    Because the monitoring frequency is every 5 Minutes at a time , We can use scripts + Plan tasks to operate .

1. Create script

    First, create two files to store the ip Situation and forbidden ip Information , Then create the script dos.sh. Script ,ss -nt | awk -F" +|:" '/ESTAB/{print $6}' | sort | uniq -c The command can filter out the currently connected hosts Ip And number of connections , We input this information into dos.txt in , And then use it exec Command from the dos.txt The information is read from the file ; At the same time, we will single ip Number of connections and ip Set as variables respectively $nums and $ip, When reading line by line , If $nums achieve 100（ Greater than or equal to -ge）, Will ip Prohibition , At the same time dos_drop.txt write in $ip is dorpped（ Here's the picture ）.

    perform chmod +x dos.sh Command gives script execution permission , perform bash dos.sh Command view effect , Because of the problem of the author's experiment , So for the time being, there is only dos.txt There are records in the document （ Here's the picture ）.

    In order to see the effect as soon as possible , The author first sets the upper limit of the number of connections to 3, After execution ,dos_drop.txt There are also records in the document （ Here's the picture ）.

    * So in the above script , Better add “sleep 10” Or a longer time limit , Otherwise, it will be banned all the time ip Enter information into dos_drop.txt In file , It may cause the remote connection to crash .

2. Create a scheduled task

    The creation of planned tasks was mentioned in the homework of last week , I won't go into details here , perform crontab -e Command to create a scheduled task , In case of unclear , Write directly above PATH route , Because it's every 5 Once per minute , The first part of the planning task is */5（ Here's the picture ）.

    To this step , We can let the host check by itself according to the time ip Connection , And count the information into the corresponding file to view .