LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > Programming
User Name
Password
Programming This forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.

Notices


Reply
  Search this Thread
Old 04-14-2009, 06:17 PM   #1
yah0m
Member
 
Registered: Jul 2008
Posts: 38

Rep: Reputation: 15
optimizing this bash script


Basically, the script uses netstat to scan for SYN_RECV and then bans them. However, the script can lag/hang up the server due to using netstat. Is there a better way to do this?


Code:
#!/bin/sh
load_conf()
{
    CONF="/usr/local/synd/synd.conf"
    if [ -f "$CONF" ] && [ ! "$CONF" ==    "" ]; then
        source $CONF
    else
        head
        echo "\$CONF not found."
        exit 1
    fi
}

head()
{
    echo
}

showhelp()
{
    head
    echo 'Usage: synd.sh [OPTIONS] [N]'
    echo 'N : number of SYN_RECV connections (default 10)'
    echo 'OPTIONS:'
    echo '-h | --help: Show    this help screen'
    echo '-c | --cron: Create cron job to run this script regularly (default 1 mins)'
    echo '-k | --kill: Block the offending ip making more than N SYN_RECV connections'
    echo 'syndc | Commmand to edit the configuration file with nano'
}

add_to_cron()
{
    rm -f $CRON
    sleep 1
    service crond restart
    sleep 1
    echo "SHELL=/bin/sh" > $CRON
    if [ $FREQ -le 2 ]; then
        echo "0-59/$FREQ * * * * root /usr/local/synd/synd.sh >/dev/null 2>&1" >> $CRON
    else
        let "START_MINUTE = $RANDOM % ($FREQ - 1)"
        let "START_MINUTE = $START_MINUTE + 1"
        let "END_MINUTE = 60 - $FREQ + $START_MINUTE"
        echo "$START_MINUTE-$END_MINUTE/$FREQ * * * * root /usr/local/synd/synd.sh >/dev/null 2>&1" >> $CRON
    fi
    service crond restart
}


load_conf
while [ $1 ]; do
    case $1 in
        '-h' | '--help' | '?' )
            showhelp
            exit
        ;;
        '--cron' | '-c' )
            add_to_cron
            exit
        ;;
        '--kill' | '-k' )
            KILL=1
        ;;
         *[0-9]* )
            NO_OF_CONNECTIONS=$1
        ;;
        * )
            showhelp
            exit
        ;;
    esac
    shift
done

TMP_PREFIX='/tmp/synd'
TMP_FILE="mktemp $TMP_PREFIX.XXXXXXXX"
BANNED_IP_MAIL=`$TMP_FILE`
BANNED_IP_LIST=`$TMP_FILE`
echo "Banned the following ip addresses on `date`" > $BANNED_IP_MAIL
echo >>    $BANNED_IP_MAIL
BAD_IP_LIST=`$TMP_FILE`
netstat -ntu | grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST
cat $BAD_IP_LIST
if [ $KILL -eq 1 ]; then
    IP_BAN_NOW=0
    while read line; do
        CURR_LINE_CONN=$(echo $line | cut -d" " -f1)
        CURR_LINE_IP=$(echo $line | cut -d" " -f2)
        if [ $CURR_LINE_CONN -lt $NO_OF_CONNECTIONS ]; then
            break
        fi
        IGNORE_BAN=`grep -c $CURR_LINE_IP $IGNORE_IP_LIST`
        if [ $IGNORE_BAN -ge 1 ]; then
            continue
        fi
        IP_BAN_NOW=1
        echo "$CURR_LINE_IP with $CURR_LINE_CONN SYN_RECV connections" >> $BANNED_IP_MAIL
        echo $CURR_LINE_IP >> $BANNED_IP_LIST
        echo $CURR_LINE_IP >> $IGNORE_IP_LIST
        if [ $CSF_BAN -eq 1 ]; then
            $CSF -d $CURR_LINE_IP
        else
            $IPT -I INPUT -s $CURR_LINE_IP -j DROP
        fi
    done < $BAD_IP_LIST
    if [ $IP_BAN_NOW -eq 1 ]; then
        dt=`date`
                hn=`hostname`
        if [ $EMAIL_TO != "" ]; then
            cat $BANNED_IP_MAIL | mail -s "IP addresses banned on $dt $hn" $EMAIL_TO
        fi
    fi
fi
rm -f $TMP_PREFIX.*
 
Old 04-15-2009, 01:14 AM   #2
1337
Member
 
Registered: Apr 2009
Distribution: Slackware-12.2
Posts: 75

Rep: Reputation: 18
I'm not entirely sure, but netcat might be a better option.
 
Old 04-17-2009, 11:53 AM   #3
yah0m
Member
 
Registered: Jul 2008
Posts: 38

Original Poster
Rep: Reputation: 15
I guess I could look into how CSF does it... all I know is when I get hit by a major syn flood (some ips opening over 30k connections each), the server totally locks up for about a minute and this is an 8core machine.
 
Old 04-17-2009, 12:07 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Why are you using something interpreted instead of compiled? Are you sure there's no OTS solution? Ever tried iptables?
 
Old 04-17-2009, 01:27 PM   #5
yah0m
Member
 
Registered: Jul 2008
Posts: 38

Original Poster
Rep: Reputation: 15
OTS?
 
Old 04-17-2009, 06:14 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Uh. Sorry. Off The Shelf. Ready-made. Available.
 
Old 04-17-2009, 07:42 PM   #7
yah0m
Member
 
Registered: Jul 2008
Posts: 38

Original Poster
Rep: Reputation: 15
CSF actually worked fine, but for some reason these big SYN Floods crap it out(blocks everyone from accessing the server when you view top), so I've been running this script on the side of CSF along with some custom IPTable rules.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
passing variable from bash to perl in a bash script quadmore Programming 6 02-21-2011 04:11 AM
Strange if statement behaviour when using bash/bash script freeindy Programming 7 08-04-2008 06:00 AM
Bash script to create bash script jag7720 Programming 10 09-10-2007 07:01 PM
need help performance optimizing this perl script hedpe Programming 10 09-07-2006 06:06 AM
need help fixing and optimizing AWK script hedpe Programming 5 08-29-2006 08:30 AM

LinuxQuestions.org > Forums > Non-*NIX Forums > Programming

All times are GMT -5. The time now is 04:05 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration