First of all, I want to say that I was recently attacked a bit by DDoS attackers (probably script kiddies), and I found a way out of that situation, so now I want to share it with you guys!

OK, LET'S GO!

changethisforyourip = change it to your IP, but only if your IP doesn't change ...

Code:
#!/bin/sh
# chkconfig: 3 21 91
# description: Firewall
IPT=/sbin/iptables
case "$1" in
start)
    # Allow traffic that belongs to connections which are already established
    $IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services open to everyone
    $IPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 465 -j ACCEPT
    $IPT -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 3785 -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 7172 -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 7171 -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 3783 -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 3784 -j ACCEPT #ventrilo port
    $IPT -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 10000 -j ACCEPT
    # FTP and SSH only from your own IP (SSH also from OVH)
    $IPT -A INPUT -i eth0 -p tcp --dport 21 --source changethisforyourip -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 22 --source changethisforyourip -j ACCEPT
    # ICMP only from the OVH hosts
    $IPT -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
    $IPT -A INPUT -i eth0 -p icmp --source uripfromovh.250 -j ACCEPT # IP = aaa.bbb.ccc
    $IPT -A INPUT -i eth0 -p tcp --source 192.168.0.0/16 -j ACCEPT
    $IPT -A INPUT -i eth0 -p udp --source 192.168.0.0/16 -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp --dport 79 -j ACCEPT
    # Drop everything else that arrives on eth0
    $IPT -A INPUT -i eth0 -j DROP
    exit 0
    ;;
stop)
    # Remove all rules from the INPUT chain
    $IPT -F INPUT
    exit 0
    ;;
*)
    echo "Usage: /etc/init.d/firewall {start|stop}"
    exit 1
    ;;
esac

This is almost the sample iptables configuration from the OVH tutorial; I just edited it a bit to fit better here.
And edit it yourself if you want; for example, to add the ports of another otserv which is on 7173 and 7174, add this

Code:
$IPT -A INPUT -i eth0 -p tcp --dport 7173 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 7174 -j ACCEPT

after

Code:
$IPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT

You have to be root to make all the changes here.
Put this script into /etc/init.d/ and name it firewall.
Give this script chmod 700:

Code:
chmod 700 firewall

To start the firewall you have to do

Code:
/etc/init.d/firewall start

If you want this script to start at system startup, WARNING: first test with

Code:
/etc/init.d/firewall start

to see if it works, because otherwise you can block your server!
Then Ubuntu/Debian users do

Code:
update-rc.d firewall defaults 90

Other Linux distros:

Code:
chkconfig --level 3 firewall on

Installed everything that you have just written and I'm still attacked ...
OK, let's try to drop the DDoSers.

Code:
netstat -plan | grep : | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1

It checks which IPs are connected to your server and how many connections each of them has.
If, for example, you get something like this

Code:
ks201247:~# netstat -plan | grep :80 | awk {'print $5'} | cut -d: -f 1 | sort | uniq -c | sort -nk 1
1 0.0.0.0
100 88.156.28.45

this means that the IP 88.156.28.45 has 100 connections to your server, which isn't normal.
If you want to drop him from your server then do (dropping is something like not allowing him to do any action to your internet, like seeing the web or playing Tibia)

Code:
# -I puts the rule at the top of INPUT; a rule appended with -A would land
# after the ACCEPT rules of the firewall script above and never match
iptables -I INPUT -s 88.156.28.45 -j DROP

Go to the /home directory of your normal user, create a file named attack.sh and put this script in it

Code:
#!/bin/sh
# Block DFind
# Drop every remote IP that currently has a connection in a FIN_WAIT state
count=0
for ip in $(netstat -tanpu | grep FIN_WAIT | awk '{print $5}' | cut -d ':' -f1 | sort -u); do
    iptables -I INPUT -s "$ip" -j DROP
    count=$((count + 1))
done
echo "Dropped $count IPs"

and give this script chmod

Code:
chmod +x attack.sh

When your server is under DDoS (inbound = 100 mb, for example), run this script with the command

Code:
sh attack.sh

and see if the DDoS IPs are banished by typing

Code:
iptables -L

However, this script isn't the best and can also drop normal players, so I don't recommend this way of dropping script kiddies ...
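
An added example, not part of the original post: a dry-run take on the per-IP check above that counts connections to one port, skips an allowlist and only prints the DROP commands for review, so normal players and your own IP are not banned by accident. The function names, port 7171, the limit of 20 and all addresses are assumptions, and the netstat lines are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original post. Addresses are constructed
# documentation-range values; port, limit and allowlist are assumptions.

# conns IP PORT N: print N constructed "netstat -tan" lines for one remote IP.
conns() {
    i=0
    while [ "$i" -lt "$3" ]; do
        echo "tcp 0 0 203.0.113.10:$2 $1:$((40000 + i)) ESTABLISHED"
        i=$((i + 1))
    done
}

# Constructed sample input.
sample_netstat() {
    echo "tcp 0 0 0.0.0.0:7171 0.0.0.0:* LISTEN"
    conns 198.51.100.23 7171 40   # abusive source
    conns 198.51.100.77 7171 2    # normal player
    conns 192.0.2.5 7171 30       # admin IP, allowlisted below
    conns 198.51.100.99 80 50     # busy on another port
}

# heavy_sources PORT LIMIT "ALLOWLIST": read netstat lines on stdin, print
# "count ip" for each IPv4 source with more than LIMIT connections to PORT.
heavy_sources() {
    awk -v port="$1" -v limit="$2" -v allow="$3" '
        BEGIN { n = split(allow, a, " "); for (k = 1; k <= n; k++) skip[a[k]] = 1 }
        $1 == "tcp" && $6 != "LISTEN" {
            n = split($4, l, ":"); if (l[n] != port) next
            split($5, r, ":"); ip = r[1]
            # Only well-formed IPv4 text may reach an iptables command.
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || (ip in skip)) next
            hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] > limit) print hits[ip], ip }
    ' | sort -rn
}

# drop_rules: turn "count ip" lines into commands for review; nothing is run.
drop_rules() {
    while read -r count ip; do
        echo "iptables -I INPUT -s $ip -j DROP   # $count connections"
    done
}

sample_netstat | heavy_sources 7171 20 "192.0.2.5" | drop_rules
```

On a live server, feed it `netstat -tan` instead of `sample_netstat` and read the printed commands before running any of them as root.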