  1.     
    #1
    Member
    Website's:
    awfuck.it

    Block DoS/DDoS attacks using IPTables in SSH

    Alright. For starters, 1 to 14 connections is a basic connection for most users. 15 to 29 is asking for it, but with the whole Firefox max.connections tweak, users put 20 or 25 to load pages faster, which really makes the site slower on a small server. So, 1 to 29 connections you can keep unless you know it's a DoS/DDoS attack.

    Alrighty. Before you begin, you must log in to your SSH. Personally, I use terminal via Ubuntu. Login styles may vary depending on the tool you are using, whether it's a third-party SSH client such as Putty, cPanel, HyperVM, etc.

    Alright, once logged in, put in the following command:
    Code: 
    netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
    You should get a whole list with a number in front of an IP address.

    Example list:
    1 1.3.3.7
    4 69.0.0.69
    13 55.55.55.55
    88 41.99.0.0

    The 1 1.3.3.7 means, 1 connection, ip: 1.3.3.7
    Same goes for the rest, number connections, then IP address.

    Please note: It will only show connections within the last minute I believe. Not within the past few minutes. But most attackers attack for as long as possible so you can hopefully catch them.

    You see the 88 connections on 41.99.0.0 so that would be our attacker.
    Now, to ban the IP, type in the following command into SSH

    Code: 
    iptables -A INPUT -s 41.99.0.0 -j DROP
    Obviously, replace 41.99.0.0 with whatever IP address is attacking.

    Now, I'd suggest you save this into iptables by doing the following command:
    Code: 
    service iptables save
    and then restart the iptables service:
    Code: 
    service iptables restart
    =================================
    What if you ban the wrong IP?

    You can unban an IP by logging into your SSH. Now, let's say we banned 41.99.0.0 on accident.

    Type in the following 2 commands in SSH (one, submit, then the other).
    Code: 
    iptables -D INPUT -p all -s 41.99.0.0 -j DROP
    Code: 
    iptables -D OUTPUT -p all -s 41.99.0.0 -j DROP
    Of course, replace 41.99.0.0 with the IP you want to unban.

    Then again, save and restart the iptables service with the 2 commands below:
    Code: 
    service iptables save
    Code: 
    service iptables restart
    =============================

    I hope this helps anyone that would need this to stop DoS/DDoS attacks the easy way.

    =============================
    =============================
    EDIT: I forgot to add how to ban by port.

    To ban an IP by a specific port number, like for instance, you don't want to let 41.99.0.0 on port 80 (by default it's http), then put in the following command:
    Code: 
    iptables -A INPUT -p tcp -s 41.99.0.0 --dport 80 -j DROP
    Of course, replace 41.99.0.0 with the IP you want blocked.

    Save and restart service.

    To unban, it's the same way as the unban method above.

    To ban on a different port, replace 80 with the port number.
    "People that walk, need to learn how to sound like a book from the age of movies that has routers, then you can change the wall color, if you truly believe in food."
    - el_jentel1 (Link to quote)
    I love esotorisk and st0ne <3
    http://www.formspring.me/iamgodhimself - Ask me anything!
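
Added example, not part of the original post: the count-then-block procedure from post #1 as a dry-run script that prints the `iptables` rules for review instead of applying them. `THRESHOLD` (30, from the post's "1 to 29" guideline), `ALLOWLIST`, the function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```shell
#!/bin/sh
THRESHOLD=30                        # the post treats 1 to 29 connections as normal
ALLOWLIST="127.0.0.1 203.0.113.10"  # constructed: hosts that must never be blocked

# Constructed stand-in for `netstat -atun` output, so the script runs offline.
sample_netstat() {
  echo "Proto Recv-Q Send-Q Local Address           Foreign Address         State"
  echo "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN"
  emit() { i=0; while [ "$i" -lt "$1" ]; do
    echo "tcp 0 0 192.0.2.1:80 $2:$((40000 + i)) ESTABLISHED"; i=$((i + 1)); done; }
  emit 88 198.51.100.99   # heavy client, mirrors the post's 88-connection example
  emit 13 198.51.100.13   # ordinary client
  emit 40 203.0.113.10    # busy but trusted host (for example a reverse proxy)
}

# stdin: netstat output; stdout: "count ip" for remote IPv4 peers at or above THRESHOLD.
# Header lines and listening sockets (0.0.0.0:*) are skipped rather than counted.
over_threshold() {
  awk -v min="$THRESHOLD" '
    $1 ~ /^(tcp|udp)/ && $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ {
      ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++
    }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -n
}

# Prints the post's DROP rule for each offender that is not allowlisted.
# Nothing is applied; review the output before running any of it.
block_commands() {
  over_threshold | while read -r count ip; do
    case " $ALLOWLIST " in *" $ip "*) continue ;; esac
    printf 'iptables -A INPUT -s %s -j DROP   # %s connections\n' "$ip" "$count"
  done
}

sample_netstat | block_commands
```

On a live host, pipe `netstat -atun` into `block_commands` in place of the sample. Because `-A` appends to the chain, an ACCEPT rule that appears earlier in INPUT still matches first.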

  3.     
    #2
    Member
    nice share
    Not Allowed

  4.     
    #3
    Member
    Website's:
    ttrtt.com
    thanks

    The message you have entered is too short. Please lengthen your message to at least 8 characters.

  5.     
    #4
    Member
    You can just install ddosdeflate to do it for you

    PHP Code: 
    wget http://www.inetbase.com/scripts/ddos/install.sh
    chmod 0700 install.sh
    ./install.sh 

  6.     
    #5
    mmm mmm!
    thanks for sharing
    HATERS GONNA probably bring up some valid points considering I am an ignorant little twat so far up my own ass that i blame my problems on everyone and if you criticize me you're automatically wrong.

  7.     
    #6
    Member
    Website's:
    awfuck.it
    I forgot how to add the ban by port. Added at the end of the post.

    And thanks everyone for the replies.

  8.     
    #7
    Member
    Website's:
    CodeSociety.net
    nice post



  9.     
    #8
    Member
    Website's:
    awfuck.it
    Thanks.

  10.     
    #9
    Member
    Nice share.

    Works pretty well. You can also add all those IPs on the cPanel CSF if you have it installed.

    Thanks & regards


  11.     
    #10
    Member
    Very helpful, thanks.
