Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
I want to write a Script, it use to ati DDoS but i'm a newbie i can't do it.
I have a log file www.mediafire.com/?yz2njlm0kzj . I want to read a DDos's IP address from log file, after that i want to add that IP to Firewall . I can do it by handicraft but i want a script, it can autorun every 5 min on my server.
I believe Iptable+Ipchains can do this on its own if properly configured. The only true way to negate DDos attacks are to have an external firewall to filter to stop the packets before reaching the target machine.
That's not SYN flood protection. In fact, that rule just makes you even more vulnerable. You might wanna look into TCP SYN cookies and the iptables recent module. That said, even though I haven't seen the log file yet, nothing in the OP mentions a SYN flood (which BTW uses IP spoofing, making DDoS unnecessary).
I'm not familiar with SIP, but Fail2ban can be made to deal with all kinds of authentication failures. Could you provide a brief description of what exactly is happening here? What service is being denied?
It would be simple to write a script that would go through a log file in the format of the snippet you posted, and extract the IP in order to execute an iptables blocking command. Is that what you're asking for? If so, are you sure that this wouldn't cause problems for your users? BTW, you still haven't answered any of the questions you've been asked.
I want to write a script to filter attacked ip. Attacked ip is ip which request more 5 times per second. Every failed request, it will be store in message log as log_dos.txt which is attached. In log_dos file attached, ip attack is 220.127.116.11. After filter the ips, the script also ask iptables to drop all packets from them and also unlock all ips are no dos at this time. This script will be set up as schedule which run every 5 minute.
Can everyone help me make this script or give me another way to do?
Thanks for all
I have not try sshblack tool yet. I will try it soon and get back to all.
It would be simple to write a script that would go through a log file in the format of the snippet you posted, and extract the IP in order to execute an iptables blocking command. Is that what you're asking for?
Well that log file looks like SIP is in use, or attempted use, and that it is failing to be authorised by radius. (I'm assuming that the fragment posted by win32sux is from the OP's link; I won't follow these except under very limited circumstances, for security reasons, so thanks to win32sux for solving that problem for me.)
Superficially, that doesn't look like a DDoS attack, but may be someone attempting to use VoiP (calling SIP...the Session Initiation Protocol, so presumably in an attempt to initiate a session) internally, maybe in an unauthorised manner. (So, it looks to me as if the problem is not that you have someone externally attempting to mount a DDoS attack, but you do have someone internal trying to use something like a Voip/SIP device, without facilities for that being set up on your network. If the OP does get someone to write an anti-DDoS script, and that interpretation is correct, then the script will do no good whatsoever....but then I am guessing because the OP has said nothing about the address ranges in use, or given useful information on any of the subjects that would help people understand what is going on. The OP should note that it is the OP's responsibility to provide helpful information so that people who want to help can succeed in their aim.)
BTW, you still haven't answered any of the questions you've been asked.
An excellent point; if the OP wants to write a script themselves, they can just ask a few questions and get on with it. On the other hand, if the OP wants someone else to write a script for them -for example:
can you write a script for me,please ?
then the OP is going to have to start answering questions, otherwise this is just a waste of time.
In addition, it would be nice if the OP were to give a clear statement of the reasons that this is thought to be a DDoS attack, because there are some reasons for thinking that this is a misinterpretation.
Sorry, missed OP's latest, but, even so
ip attack is 18.104.22.168
is completely ambiguous. When making such statements you should be careful to distinguish between the attacking IP and the attacked IP. Looking at the log snippet, I interpret that as the attacked IP, but does the OP share that interpretation? Is that an IP that the OP knows to be in the range that is used on the network in question?
If the real issue is that someone else's Voip-type device is using the OP's network to try to get through to worldphone, that would be a different problem and warrant a completely different solution.
Last edited by salasi; 11-29-2009 at 07:41 AM.
Reason: additional information
I agree with the above, it would be simple to do but make sure that in blocking the DDoS you are not also blocking legitimate traffic on the network in question. I also agree that it doesn't look like much of a DDoS attack.
Well, having thought about this a little more, it doesn't seem, from the fragment above, to be distributed, it does not try to deny service, and its probably not an attack (it might just be a brute force on your radius server, but that seems unlikely as it looks like a legitimate attempt to auth with that). So it seems the OP was wrong on either two and a half, or three, out of three.
My bet is, while there is a possibility that person or persons unknown have tried to connect something that uses SIP (either a phone or something like a whiteboarding/'net meeting' style application)...or, maybe, a person known.
To the OP; there is a large stack of personal embarrassment points available if you have recently plugged in a Voip phone or installed a net meeting conferencing app, to the network, and you must have known that you were doing this. There is a smaller pile of embarrassment points available if you have had a WiFi equipped phone in and it has automagically tried to connect to the wireless network and there is no way that you would have known, necessarily, or you can blame someone else for this.
If I am right, there is no point in a script to block a DDoS attack if there isn't a DDoS. Even if it is a different attack, understand what it is before blocking things at random.