CentOS下防止syn攻击,端口扫描和死亡之ping shell脚本
防止syn攻击(DDOOS攻击的一种)
iptables -I INPUT -p tcp –syn -m limit –limit 1/s -j ACCEPT
iptables -I FORWARD -p tcp –syn -m limit –limit 1/s -j ACCEPT
防止各种端口扫描
iptables -A FORWARD -p tcp –tcp-flags SYN,ACK,FIN,RST RST -m limit –limit 1/s -j ACCEPT
Ping洪水攻击(Ping of Death)
iptables -A FORWARD -p icmp –icmp-type echo-request -m limit –limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp –tcp-flags SYN,ACK,FIN,RST RST -m limit –limit 1/s -j ACCEPT
Ping洪水攻击(Ping of Death)
iptables -A FORWARD -p icmp –icmp-type echo-request -m limit –limit 1/s -j ACCEPT
复制代码一次性执行iptables设置脚本iptables.sh,执行此脚本:
CXYBJ=”/sbin/iptables”
$CXYBJ –delete-chain
$CXYBJ –flush
#Default Policy
$CXYBJ -P INPUT DROP
$CXYBJ -P FORWARD DROP
$CXYBJ -P OUTPUT DROP
#INPUT Chain
$CXYBJ -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
$CXYBJ -A INPUT -p tcp -m tcp –dport 80 -j ACCEPT
$CXYBJ -A INPUT -p tcp -m tcp –dport 22 -j ACCEPT
$CXYBJ -A INPUT -i lo -j ACCEPT
$CXYBJ -A INPUT -p icmp -m icmp –icmp-type 8 -j ACCEPT
$CXYBJ -A INPUT -p icmp -m icmp –icmp-type 11 -j ACCEPT
$CXYBJ -A INPUT -p tcp –syn -m recent –name portscan –rcheck –seconds 60 –hitcount 10 -j LOG
$CXYBJ -A INPUT -p tcp –syn -m recent –name portscan –set -j DROP
#OUTPUT Chain
$CXYBJ -A OUTPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
$CXYBJ -A OUTPUT -p udp -m udp –dport 53 -j ACCEPT
$CXYBJ -A OUTPUT -o lo -j ACCEPT
$CXYBJ -A OUTPUT -p icmp -m icmp –icmp-type 8 -j ACCEPT
$CXYBJ -A OUTPUT -p icmp -m icmp –icmp-type 11 -j ACCEPT
#iptables save
service iptables save
service iptables restart
$CXYBJ –delete-chain
$CXYBJ –flush
#Default Policy
$CXYBJ -P INPUT DROP
$CXYBJ -P FORWARD DROP
$CXYBJ -P OUTPUT DROP
#INPUT Chain
$CXYBJ -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
$CXYBJ -A INPUT -p tcp -m tcp –dport 80 -j ACCEPT
$CXYBJ -A INPUT -p tcp -m tcp –dport 22 -j ACCEPT
$CXYBJ -A INPUT -i lo -j ACCEPT
$CXYBJ -A INPUT -p icmp -m icmp –icmp-type 8 -j ACCEPT
$CXYBJ -A INPUT -p icmp -m icmp –icmp-type 11 -j ACCEPT
$CXYBJ -A INPUT -p tcp –syn -m recent –name portscan –rcheck –seconds 60 –hitcount 10 -j LOG
$CXYBJ -A INPUT -p tcp –syn -m recent –name portscan –set -j DROP
#OUTPUT Chain
$CXYBJ -A OUTPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
$CXYBJ -A OUTPUT -p udp -m udp –dport 53 -j ACCEPT
$CXYBJ -A OUTPUT -o lo -j ACCEPT
$CXYBJ -A OUTPUT -p icmp -m icmp –icmp-type 8 -j ACCEPT
$CXYBJ -A OUTPUT -p icmp -m icmp –icmp-type 11 -j ACCEPT
#iptables save
service iptables save
service iptables restart
下载此脚本:iptables.tar.gz
centos 解压命令
tar -zxvf iptables.tar.gz
2、iptables日志位置更改编辑/etc/syslog.conf,添加:
kern.warning /var/log/iptables.log
重启syslog
/etc/init.d/syslog restart
3、防端口扫描shell脚本首先安装inotify:
yum install inotify-tools
保存以下代码为ban-portscan.sh
btime=600 #封ip的时间
while true;do
while inotifywait -q -q -e modify /var/log/iptables.log;do
ip=tail -1 /var/log/iptables.log | awk -F"[ =]" '{print $13}' | grep '\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}'
if test -z “/sbin/iptables -nL | grep $ip“;then
/sbin/iptables -I INPUT -s $ip -j DROP
{
sleep $btime && /sbin/iptables -D INPUT -s $ip -j DROP
} &
fi
done
done
执行命令开始启用端口防扫描
nohup ./ban-portscan.sh &