我已尽一切努力来阻止此类 DDoS 攻击。
我已经将 sysctl 设置如下:
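# IP spoofing protection: reverse-path filtering.
# NOTE(review): 1 = strict mode. On a multi-homed host or with policy/asymmetric
# routing strict mode drops legitimate traffic; 2 (loose) is the safer choice there.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP echo requests sent to broadcast addresses (smurf-style amplification).
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source-routed packets (IPv4 and IPv6), for existing and future interfaces.
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Do not send ICMP redirects (this host is not acting as a router).
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# SYN flood mitigation.
# NOTE(review): SYN cookies are only used once a listening socket's SYN backlog
# overflows; until then every half-open connection (SYN_RECV, as seen in netstat)
# still consumes kernel state. The effective backlog is also capped by the
# application's listen() backlog and net.core.somaxconn, so raising
# tcp_max_syn_backlog on its own may change nothing.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
# Fewer SYN-ACK retransmits lets half-open entries expire sooner under a flood.
net.ipv4.tcp_synack_retries = 2
# NOTE(review): tcp_syn_retries governs SYNs for connections *this host initiates*
# (outbound connect()); it has no effect on an inbound SYN flood.
net.ipv4.tcp_syn_retries = 5
# Log packets with impossible (martian) source addresses. Set both 'all' and
# 'default', like the other per-interface keys above, so interfaces created
# later are covered as well. The kernel rate-limits these messages, but under a
# large flood they still add log volume.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Ignore bogus ICMP error responses from misbehaving routers instead of logging them.
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects (IPv4 and IPv6), existing and future interfaces.
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0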
但我的服务器仍然收到大量 SYN 请求，导致服务器崩溃。
我用 `netstat` 过滤了处于 SYN_RECV（半开）状态的连接（原文写作 "grep sync"），输出如下：
tcp 0 0 myserver 23.254.132.23:41094 SYN_RECV
tcp 0 0 myserver 219.94.128.69:41382 SYN_RECV
tcp 0 0 myserver 54.244.247.155:43522 SYN_RECV
tcp 0 0 myserver 82.77.0.73:48462 SYN_RECV
tcp 0 0 myserver 213.251.182.115:48376 SYN_RECV
tcp 0 0 myserver 77.93.211.208:34071 SYN_RECV
tcp 0 0 myserver 178.250.74.17:57235 SYN_RECV
tcp 0 0 myserver 5.153.9.51:58119 SYN_RECV
tcp 0 0 myserver 156.17.100.82:37296 SYN_RECV
tcp 0 0 myserver 91.109.17.102:50753 SYN_RECV
tcp 0 0 myserver 5.101.156.83:26098 SYN_RECV
tcp 0 0 myserver 77.120.80.6:18506 SYN_RECV
服务器日志
Jan 7 21:50:17 dede kernel: [ 2459.224731] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=89.143.11.210 DST=myserverip LEN=60 TOS=0x04 PREC=0x00 TTL=45 ID=10938 DF PROTO=TCP SPT=49272 DPT=20000 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.224747] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=217.170.198.12 DST=myserverip LEN=60 TOS=0x04 PREC=0x00 TTL=45 ID=46501 DF PROTO=TCP SPT=39203 DPT=20000 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.224762] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=63.143.35.163 DST=myserverip LEN=52 TOS=0x06 PREC=0x00 TTL=107 ID=12115 DF PROTO=TCP SPT=52420 DPT=20000 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.225473] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=199.115.113.161 DST=myserverip LEN=60 TOS=0x04 PREC=0x00 TTL=47 ID=24895 DF PROTO=TCP SPT=49528 DPT=20000 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.226873] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=207.150.204.204 DST=myserverip LEN=60 TOS=0x04 PREC=0x00 TTL=36 ID=32241 DF PROTO=TCP SPT=38958 DPT=20000 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.227007] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=94.23.201.35 DST=myserverip LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=5044 DF PROTO=TCP SPT=57313 DPT=20000 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.228844] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=89.143.11.210 DST=myserverip LEN=60 TOS=0x04 PREC=0x00 TTL=45 ID=29438 DF PROTO=TCP SPT=49274 DPT=20000 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.229255] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=89.143.11.210 DST=myserverip LEN=60 TOS=0x04 PREC=0x00 TTL=45 ID=45902 DF PROTO=TCP SPT=49273 DPT=20000 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.229443] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=219.94.232.125 DST=myserverip LEN=60 TOS=0x04 PREC=0x00 TTL=43 ID=27172 DF PROTO=TCP SPT=58504 DPT=20000 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.229546] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=178.162.214.68 DST=myserverip LEN=48 TOS=0x04 PREC=0x00 TTL=47 ID=3245 DF PROTO=TCP SPT=44514 DPT=20000 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.229835] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=217.27.220.88 DST=myserverip LEN=60 TOS=0x04 PREC=0x00 TTL=48 ID=1603 DF PROTO=TCP SPT=47383 DPT=20000 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.229936] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=153.126.166.38 DST=myserverip LEN=60 TOS=0x04 PREC=0x00 TTL=41 ID=11932 DF PROTO=TCP SPT=35208 DPT=20000 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.230959] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=136.243.82.67 DST=myserverip LEN=60 TOS=0x04 PREC=0x00 TTL=50 ID=62498 DF PROTO=TCP SPT=42850 DPT=20000 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.231661] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=108.171.182.6 DST=myserverip LEN=60 TOS=0x04 PREC=0x00 TTL=42 ID=46276 DF PROTO=TCP SPT=35885 DPT=20000 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.231818] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=216.55.73.41 DST=myserverip LEN=48 TOS=0x04 PREC=0x00 TTL=104 ID=31292 DF PROTO=TCP SPT=63952 DPT=20000 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.232131] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=91.121.171.14 DST=myserverip LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=40245 DF PROTO=TCP SPT=59286 DPT=20000 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.233300] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=89.143.11.210 DST=myserverip LEN=60 TOS=0x04 PREC=0x00 TTL=45 ID=5891 DF PROTO=TCP SPT=49275 DPT=20000 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.233440] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=89.143.11.210 DST=myserverip LEN=60 TOS=0x04 PREC=0x00 TTL=45 ID=62305 DF PROTO=TCP SPT=49276 DPT=20000 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.234031] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=87.197.66.202 DST=myserverip LEN=60 TOS=0x04 PREC=0x00 TTL=41 ID=842 DF PROTO=TCP SPT=35866 DPT=20000 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.234051] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=95.110.226.239 DST=myserverip LEN=60 TOS=0x04 PREC=0x00 TTL=45 ID=48043 DF PROTO=TCP SPT=57222 DPT=20000 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.235446] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=199.115.113.161 DST=myserverip LEN=60 TOS=0x04 PREC=0x00 TTL=47 ID=26056 DF PROTO=TCP SPT=49644 DPT=20000 WINDOW=14600 RES=0x00 SYN URGP=0
Jan 7 21:50:17 dede kernel: [ 2459.236044] CONNLIMIT_ADD:IN=ens3 OUT= MAC=fa:16:3e:b4:79:c4:ae:8d:2b:51:5d:cc:08:00 SRC=188.213.163.181 DST=myserverip LEN=60 TOS=0x04 PREC=0x00 TTL=45 ID=30320 DF PROTO=TCP SPT=45924 DPT=20000 WINDOW=14600 RES=0x00 SYN URGP=0
我真的无法解决这个问题。这是 UDP 攻击还是 TCP 攻击？我的服务器崩溃得很厉害。（从上面的内核日志可以看出：每一条都是 PROTO=TCP、带 SYN 标志、目标端口 DPT=20000，也就是针对 20000 端口的 TCP SYN 泛洪，而不是 UDP。）
以下命令的结果（按源 IP 统计前缀为 CONNLIMIT_ADD: 的日志，即每个 IP 被加入 BADGUY_CONN 列表的次数）：
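# Count, per source IP, how many times it was added to BADGUY_CONN (CONNLIMIT_ADD: lines),
# least frequent first. grep -h keeps the file names out of the counted text, and
# grep -o pulls the SRC= token directly instead of splitting every line with sed.
# The LOG rules are rate limited (1/s, burst 2), so these counts are a lower bound.
grep -h CONNLIMIT_ADD /var/log/kern.log.1 /var/log/kern.log | grep -o 'SRC=[^ ]*' | sort | uniq -c | sort -n | tail -100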
1 SRC=117.20.96.13
1 SRC=119.245.150.2
1 SRC=1.202.251.178
1 SRC=121.127.236.1
1 SRC=122.117.47.65
1 SRC=122.200.208.11
1 SRC=12.250.148.174
1 SRC=128.36.245.203
1 SRC=133.242.128.218
1 SRC=133.50.175.88
1 SRC=134.119.247.84
1 SRC=139.91.151.40
1 SRC=140.177.205.35
1 SRC=143.225.212.120
1 SRC=14.63.166.224
1 SRC=148.235.89.21
1 SRC=150.101.205.223
1 SRC=150.60.4.10
1 SRC=151.80.185.237
1 SRC=157.7.188.216
1 SRC=158.102.4.50
1 SRC=166.78.22.118
1 SRC=167.205.25.194
1 SRC=188.116.19.96
1 SRC=192.254.215.51
1 SRC=192.254.216.66
1 SRC=194.28.87.58
1 SRC=202.218.49.12
1 SRC=205.186.141.197
1 SRC=209.239.37.120
1 SRC=209.68.59.213
1 SRC=213.251.182.102
1 SRC=213.251.182.110
1 SRC=213.251.182.112
1 SRC=31.170.160.104
1 SRC=37.187.88.149
1 SRC=37.230.106.33
1 SRC=46.229.170.155
1 SRC=46.242.145.23
1 SRC=46.252.18.189
1 SRC=46.252.18.59
1 SRC=46.252.18.79
1 SRC=5.101.156.104
1 SRC=60.206.66.110
1 SRC=65.75.154.216
1 SRC=67.55.117.123
1 SRC=77.222.61.126
1 SRC=79.133.53.16
1 SRC=79.96.130.161
1 SRC=81.177.135.81
1 SRC=82.210.30.209
1 SRC=87.236.20.10
1 SRC=88.231.31.66
1 SRC=91.142.255.142
1 SRC=91.201.153.37
1 SRC=92.48.101.119
以下命令的结果（按源 IP 统计前缀为 CONNLIMIT: 的日志，即已列入 BADGUY_CONN 的 IP 之后被丢弃的数据包数；LOG 规则有 1/s 的限速，所以这是下限）：
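# Count, per source IP, packets dropped because the source was already on BADGUY_CONN
# (CONNLIMIT: lines), least frequent first. grep -h suppresses file-name prefixes;
# grep -o extracts the SRC= token without a per-line sed. Because the LOG rule is
# rate limited (1/s, burst 2), the real drop counts are higher than shown here.
grep -h "CONNLIMIT:" /var/log/kern.log.1 /var/log/kern.log | grep -o 'SRC=[^ ]*' | sort | uniq -c | sort -n | tail -100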
5653 SRC=148.251.1.16
5686 SRC=5.39.126.34
5716 SRC=61.221.242.34
5721 SRC=103.27.120.101
5746 SRC=119.9.93.157
5819 SRC=185.84.180.90
5819 SRC=203.189.105.140
5928 SRC=31.210.68.2
5988 SRC=217.119.54.143
6082 SRC=195.225.106.105
6118 SRC=89.200.172.224
6147 SRC=212.71.251.65
6326 SRC=213.238.178.189
6326 SRC=64.68.50.128
6437 SRC=136.243.130.221
6538 SRC=72.14.185.201
6676 SRC=74.50.57.192
6835 SRC=134.119.225.88
6910 SRC=50.116.48.248
6912 SRC=176.9.147.121
7014 SRC=91.221.70.17
7066 SRC=202.172.28.99
7138 SRC=175.138.64.74
7172 SRC=89.111.177.28
7197 SRC=52.2.232.226
7223 SRC=94.23.208.114
7421 SRC=180.150.140.211
7528 SRC=178.254.50.81
7610 SRC=203.121.118.2
7751 SRC=210.57.208.12
7844 SRC=213.128.72.74
7917 SRC=94.23.68.50
8019 SRC=89.107.187.181
8139 SRC=169.227.254.67
8256 SRC=202.172.28.129
8422 SRC=195.140.221.90
8497 SRC=213.185.87.30
8553 SRC=94.23.201.35
8660 SRC=212.87.168.158
8726 SRC=185.12.95.166
8916 SRC=82.208.46.109
8965 SRC=195.222.141.71
9238 SRC=108.171.182.6
9289 SRC=176.58.122.93
9388 SRC=195.128.234.184
9414 SRC=216.55.73.41
9704 SRC=50.97.132.8
9964 SRC=54.154.166.245
10804 SRC=50.31.101.38
10824 SRC=207.150.204.204
11341 SRC=177.73.0.60
11377 SRC=41.0.5.101
11651 SRC=87.197.66.202
11695 SRC=188.40.67.8
11764 SRC=54.175.72.26
11860 SRC=200.1.19.9
12794 SRC=63.134.242.136
12906 SRC=64.62.202.2
13374 SRC=209.20.76.89
13440 SRC=210.171.128.44
13712 SRC=195.128.49.154
13792 SRC=91.121.171.14
13860 SRC=69.41.160.74
14114 SRC=124.219.27.20
14262 SRC=101.100.185.182
14420 SRC=91.226.231.20
14455 SRC=106.186.118.36
14534 SRC=185.67.207.42
14749 SRC=64.119.0.29
14788 SRC=88.87.217.142
14810 SRC=54.248.84.249
14982 SRC=194.204.54.100
15004 SRC=199.97.121.28
16042 SRC=206.214.216.234
16481 SRC=37.59.4.25
16525 SRC=63.134.215.127
17802 SRC=219.94.232.125
19060 SRC=178.162.214.68
19093 SRC=63.246.2.84
19439 SRC=188.165.218.200
19706 SRC=85.18.111.134
20057 SRC=178.250.74.17
20399 SRC=174.122.206.146
21701 SRC=178.162.201.165
21894 SRC=62.75.181.103
23622 SRC=41.220.16.236
24073 SRC=178.162.214.71
24090 SRC=94.23.47.66
25418 SRC=66.212.19.28
27045 SRC=62.75.245.243
27793 SRC=108.163.195.170
27953 SRC=193.189.99.15
28113 SRC=87.236.221.243
31644 SRC=193.254.184.49
32474 SRC=46.4.60.68
32902 SRC=217.27.220.88
35946 SRC=37.235.1.92
40613 SRC=54.164.238.200
42753 SRC=92.222.216.23
45604 SRC=82.201.140.123
我正在使用下面答案中的脚本来限制对我的开放端口的连接，但我的服务器仍然受到太多点击。（第一份统计里每个 IP 只出现一次是正常的：一个 IP 一旦被加入 BADGUY_CONN，它后续的数据包会先被前缀为 CONNLIMIT: 的那条 DROP 规则丢掉，不会再到达 connlimit 规则；第二份统计才反映真实的攻击量。）
答案1
虽然最初的 iptables 脚本似乎足以满足您的应用程序的需要，但现在您的服务器已因攻击量的大幅增加而不堪重负。建议的解决方案仍然基于 `-m recent`：把最严重的违规者加入规则链前部的直接 DROP 列表，并对其余及新出现的攻击者严格限制日志条目的速率，从而减少耗费 CPU 的工作（例如 recent 表的操作和日志记录）。
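#!/bin/sh
FWVER=0.05
#
# Vlark.Lopin rule set. Smythies 2017.01.13 Ver:0.05
# Add a backup method for identifying bad guys
# that never hit the connection limit.
# Legitimate users would only connect
# and disconnect a maximum of 20 times per day.
# With lots of margin, we need a bigger than default
# number of packets to remember.
# Extend rate limited logging to all logging.
#
# Vlark.Lopin rule set. Smythies 2017.01.10 Ver:0.04
# Rate limit logging.
# It seems a table size of 5000 is being used.
# Change from a default of ICMP allowed to not.
#
# Vlark.Lopin rule set. Smythies 2017.01.09 Ver:0.03
# In an attempt to reduce server load with time
# spent manipulating the recent tables and logging,
# direct DROP the worst offenders.
# If the direct DROP list gets very long then
# consider to use ipset instead as it is much faster.
# If maintenance of the list is too labour intensive
# then consider automation with fail2ban.
#
# Vlark.Lopin rule set. Smythies 2016.11.05 Ver:0.02
# Interface name change from eth0 to ens3.
#
# Vlark.Lopin rule set. Smythies 2016.09.18 Ver:0.01
# Attempt to manage severe DDOS attack.
# Port 20000 should only ever have 2 open
# connections at a time. If more, ban them.
#
# If too many SSH attempts, ban them.
# DROP all other unsolicited input.
# If ssh port has been moved, adjust rules
# accordingly.
#
# Requires a larger (5000 X 64) than default (100 X 20)
# xt_recent table size.
# Note: 64 was chosen, because it goes to 64 with lower numbers anyhow.
#
# See also:
# https://askubuntu.com/questions/869205/i-dont-know-what-to-do-to-stop-the-synattack
# https://askubuntu.com/questions/818524/correctly-limit-ip-connections
# https://askubuntu.com/questions/808297/i-have-massive-attack-on-port-in-my-server
# https://askubuntu.com/questions/817478/ip-tables-limit-connetion-per-ip-address-can-be-bypassed
#
# Run as root (sudo).
# NOTE(review): this script manages IPv4 (iptables) only. ip6tables is never
# touched, so if the host has IPv6 connectivity port 20000 is reachable over
# IPv6 without any of these limits -- confirm, and either mirror the rules or
# disable IPv6 on the external interface.
#
if [ "$(id -u)" -ne 0 ]; then
  echo "This rule set must be run as root (sudo)." >&2
  exit 1
fi
# echo with "\n" behaves differently between /bin/sh implementations; printf is portable.
printf 'Loading Vlark.Lopin rule set version %s..\n' "$FWVER"
# The location of the iptables program
#
IPTABLES=/sbin/iptables
# Setting the EXTERNAL interface and the "any address" shorthand used by the rules.
#
# Vlark.Lopin
EXTIF="ens3"
# Smythies
# EXTIF="enp9s0"
UNIVERSE="0.0.0.0/0"
# Clearing any previous configuration.
# The INPUT policy is switched to DROP *before* the flush so that nothing is
# accepted in the window between the old rules going away and the new ones
# being loaded.
# NOTE(review): FORWARD stays ACCEPT as in the original. If this host does not
# route or NAT for other machines, a DROP policy there is the least-privilege
# setting; left unchanged here because the page does not say either way.
#
echo " Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
# The user chain must be emptied before -X can delete it. On the very first
# run it does not exist yet; that single expected error is silenced.
$IPTABLES -F add-to-connlimit-list 2>/dev/null
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
echo "...1..."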
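# We want to force load the xt_recent module, so that we override the
# default maximum table size. We want 5000 whereas the default is 100.
# Note: It is unlikely that it needs to be 5000 forever. Once the
# bad guys give up, the attempts will become much less frequent, and
# the table size can probably be reduced to default.
# i.e. this force load segment can be commented out, and then it will
# autoload as required.
# V0.04: It seems the bad guys actually increased their efforts.
# V0.05: We also need more remembered packets than the default.
# I do not know the extra CPU burden of such a large table.
# Note: The table length seems to go to 64 anyhow, so just use that.
#
# Module parameters are fixed at load time: modprobe against an xt_recent
# that is already loaded is a no-op and silently keeps the old sizes, so a
# re-run of this script after changing the numbers below would not apply
# them. Unload it first. Every iptables rule that referenced it was removed
# by the flush above, so the unload normally succeeds; if something else
# (e.g. ip6tables rules) still holds it, rmmod fails, the old parameters
# stay in force, and the values printed afterwards show that.
rmmod xt_recent 2>/dev/null
modprobe xt_recent ip_list_tot=5000 ip_pkt_list_tot=64
# Report the sizes actually in effect so a silent no-op is visible.
XT_RECENT_PARAMS=/sys/module/xt_recent/parameters
if [ -r "$XT_RECENT_PARAMS/ip_list_tot" ]; then
  echo "xt_recent in effect: ip_list_tot=$(cat "$XT_RECENT_PARAMS/ip_list_tot") ip_pkt_list_tot=$(cat "$XT_RECENT_PARAMS/ip_pkt_list_tot")"
fi
echo "...2..."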
#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
#
# add-to-connlimit-list
# Entered from INPUT when a source already holds too many open connections
# on port 20000. It records the source in the BADGUY_CONN recent table
# (INPUT then drops everything from that source for the ban window),
# writes a rate-limited log line prefixed CONNLIMIT_ADD:, and drops the packet.
# Comment out the LOG rule if the log volume becomes a problem.
# V0.04: Rate limit the logging.
BAN_CHAIN=add-to-connlimit-list
BAN_TABLE=BADGUY_CONN
$IPTABLES -N $BAN_CHAIN
# Alternative kept for reference (unused): refresh an existing entry instead
# of (re)setting it:
#   $IPTABLES -A $BAN_CHAIN -m recent --update --hitcount 1 --seconds 90000 --name $BAN_TABLE
$IPTABLES -A $BAN_CHAIN -m recent --set --name $BAN_TABLE
$IPTABLES -A $BAN_CHAIN -m limit --limit 1/s --limit-burst 2 \
  -j LOG --log-prefix "CONNLIMIT_ADD:" --log-level info
$IPTABLES -A $BAN_CHAIN -j DROP
echo "...3..."
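#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#
# Rule order matters: the checks against the BADGUY_* recent tables sit
# *before* the rules that can add an address to them, so a banned source
# is dropped (with a rate-limited CONNLIMIT:/MANY:/SSH BAD: log line) and
# never reaches connlimit again. That is why a source shows up once under
# CONNLIMIT_ADD: but thousands of times under CONNLIMIT:.
# Every LOG rule is rate limited to 1/s (burst 2), so log-derived counts
# are a lower bound on the real packet counts.
#
# One ban window is used for all BADGUY_* tables (25 h: a day plus margin).
# --update refreshes the entry's timestamp on every hit, so a source that
# keeps sending stays banned until it has been quiet for this long.
BAN_SECONDS=90000
# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# A NEW TCP connection requires SYN bit set and FIN,RST,ACK reset.
# More importantly, this check might prevent lingering packets from
# a forgotten legitimate connection from getting a valid user on the
# bad guy list.
# NOTE(review): REJECT sends a reply for every such packet. Under a flood
# that costs CPU and, when sources are spoofed, the reply goes to a third
# party; DROP is cheaper but makes stale legitimate clients time out
# instead of failing fast. Kept as REJECT, which is what the original chose.
#
$IPTABLES -A INPUT -m limit --limit 1/s --limit-burst 2 -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW TCP no SYN:" --log-level info
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT
# Just DROP invalid packets.
#
$IPTABLES -A INPUT -i $EXTIF -m limit --limit 1/s --limit-burst 2 -p tcp -m state --state INVALID -j LOG --log-prefix "IINVALID:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -p tcp -m state --state INVALID -j DROP
# direct drops. I do not like you.
# The worst offenders from the CONNLIMIT: counts. Matching them here, before
# the recent-table lookups and logging, is what saves CPU. If this list
# grows long, move it into an ipset (hash:ip or hash:net) instead.
#
$IPTABLES -A INPUT -i $EXTIF -s 5.39.126.34 -j DROP
# ... Vlark manages this list ...
$IPTABLES -A INPUT -i $EXTIF -s 219.94.232.125 -j DROP
# Allow any related traffic coming back to the server in.
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -m state --state ESTABLISHED,RELATED -j ACCEPT
# external interface, from any source, for any remaining ICMP traffic is valid
# Note: consider to not allow, as this is often how bad guys find you
# V0.04: Default to commented out.
#
# $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -j ACCEPT
# Secure Shell on port 22 (Change to whatever port you moved SSH to).
#
# Sometimes I uncomment the next line to simply disable external SSH access.
# Particularly useful when I am rebooting often, thereby losing my current BADGUY table.
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE --dport 22 -j DROP
# Dynamic Badguy List. Detect and DROP Bad IPs that do password attacks on SSH.
# Once they are on the BADGUY list then DROP all packets from them (any port
# and protocol: the DROP rule carries no -p/--dport).
# Sometimes make the lock time very long. Typically to try to get rid of coordinated attacks from China.
# NOTE(review): every SYN to port 22 is counted, whether or not the login
# succeeds, so an admin who opens roughly more than 5 SSH connections within
# the window bans himself from the whole host. An ACCEPT for a known admin
# address placed above these three rules avoids that.
$IPTABLES -A INPUT -i $EXTIF -m limit --limit 1/s --limit-burst 2 -m recent --update --hitcount 5 --seconds $BAN_SECONDS --name BADGUY_SSH -j LOG --log-prefix "SSH BAD:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 5 --seconds $BAN_SECONDS --name BADGUY_SSH -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -m recent --set --name BADGUY_SSH -j ACCEPT
echo "...5..."
# Port 20000 part 1 of 2: Limit to 2 simultaneous connections per IP address
# (--connlimit-above 2: the third concurrent connection trips the rule).
# Otherwise ban them.
# Note: The logging is useful for debugging, but might overwhelm the log files. Comment out the logging rule as required.
# V0.04: Rate limit the logging.
# NOTE(review): connlimit counts entries in the conntrack table, which as far
# as I can tell includes half-open (SYN_RECV) connections, so a burst of SYNs
# with a spoofed source can get the *spoofed* address banned. Check the ban
# list for addresses you recognise (partners, monitoring) before trusting it.
#
$IPTABLES -A INPUT -i $EXTIF -m limit --limit 1/s --limit-burst 2 -m recent --update --hitcount 1 --seconds $BAN_SECONDS --name BADGUY_CONN -j LOG --log-prefix "CONNLIMIT:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds $BAN_SECONDS --name BADGUY_CONN -j DROP
$IPTABLES -A INPUT -p tcp --dport 20000 -m connlimit --connlimit-above 2 -j add-to-connlimit-list
# $IPTABLES -A INPUT -m limit --limit 1/s --limit-burst 2 -m state --state NEW -p tcp --dport 20000 -j LOG --log-prefix "CONNALLOW:" --log-level info
# Port 20000 part 2 of 2: Limit to 55 connection attempts per IP address per
# ban window. Otherwise ban them.
# The LOG and DROP rules must use the same window: the original logged over
# 86400 s but dropped over 90000 s, so some of these drops went unlogged.
#
$IPTABLES -A INPUT -i $EXTIF -m limit --limit 1/s --limit-burst 2 -m recent --update --hitcount 55 --seconds $BAN_SECONDS --name BADGUY_MANY -j LOG --log-prefix "MANY:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 55 --seconds $BAN_SECONDS --name BADGUY_MANY -j DROP
$IPTABLES -A INPUT -p tcp --dport 20000 -m recent --set --name BADGUY_MANY -j ACCEPT
echo "...6..."
# O.K. at this point, we will DROP the packet, however some will be dropped without logging just to make the log file
# less cluttered (traceroute probes, telnet scanners).
#
$IPTABLES -A INPUT -i $EXTIF -p udp -m multiport --dport 33434:33448 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m multiport --dport 23,2323 -j DROP
# If your log file is too cluttered, consider to comment out this log rule.
# It is useful for debugging, but might overwhelm your log files.
# V0.04: Rate limit the logging.
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix "ICATCH:" --log-level info
# With a default policy of DROP, the following rule isn't actually needed.
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j DROP
echo Vlark.Lopin rule set version $FWVER done.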
观察 IP 地址的趋势，例如来自 178.162.???.??? 的坏人，如果您获得更多此类地址，则可以直接 DROP 整个网段，即 178.162.0.0/16，或查询该段的分配记录（在本例中为德国）并按分配的掩码 DROP。注意：按网段封禁同样会拦截该网段内的合法用户，而攻击者换到其他网段后列表还要继续维护；当列表变长时，改用 ipset（见脚本注释）以避免逐条线性匹配。
我假设这里的源 IP 地址不是伪造的，因为该规则只有在至少一次完整连接之后才会触发，但我可能是错的（如果是伪造的，这个答案就没用了）。需要补充的是，据我理解 connlimit 是按 conntrack 表中的连接计数的，半开（SYN_RECV）连接也会计入；如果攻击者伪造源地址，被封禁的将是被伪造的那个地址而不是攻击者，也就是说封禁机制本身可能被用来拦截合法客户端——请先在封禁列表里核对是否有您认识的地址。
如果您继续遇到麻烦，可以尝试通用的速率限制（例如对新 SYN 使用 `-m limit`），但这样真正的合法客户端也会受到影响；按源地址限速（`-m hashlimit --hashlimit-mode srcip`）对合法用户的影响较小，代价是每个源都要占用一项哈希表条目。
我还假设您不了解所有客户,因此白名单方法不是一个可行的选择。