Block DoS/DDoS attacks using IPTables in SSH

DXS

Active Member
Alright. For starters, 1 to 14 connections is normal for most users. 15 to 29 is asking for it, but with the whole Firefox max-connections tweak, users put 20 or 25 to load pages faster, which really makes the site slower on a small server. So, 1 to 29 connections you can keep unless you know it's a DoS/DDoS attack.

Alrighty. Before you begin, you must log in over SSH. Personally, I use the terminal on Ubuntu. Login steps may vary depending on the tool you are using, whether it's a third-party SSH client such as PuTTY, cPanel, HyperVM, etc.

Alright, once logged in, put in the following command:
Code:
netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n

You should get a whole list with a number in front of an IP address.

Example list:
1 1.3.3.7
4 69.0.0.69
13 55.55.55.55
88 41.99.0.0

The line "1 1.3.3.7" means 1 connection from IP 1.3.3.7.
Same goes for the rest: number of connections, then IP address.

Please note: It will only show connections within the last minute I believe. Not within the past few minutes. But most attackers attack for as long as possible so you can hopefully catch them.

You see the 88 connections from 41.99.0.0, so that would be our attacker.
Now, to ban the IP, type the following command into SSH:

Code:
iptables -A INPUT -s 41.99.0.0 -j DROP

Obviously, replace 41.99.0.0 with whatever IP address is attacking.

Now, I'd suggest you save this into iptables with the following command:
Code:
service iptables save
and then restart the iptables service:
Code:
service iptables restart

=================================
What if you ban the wrong IP?

You can unban an IP by logging in over SSH. Now, let's say we banned 41.99.0.0 by accident.

Type the following 2 commands in SSH (submit one, then the other).
Code:
iptables -D INPUT -s 41.99.0.0 -j DROP
Code:
# Only needed if you also added a matching OUTPUT rule; iptables -D must match
# an existing rule exactly, otherwise it reports "Bad rule (does a matching rule exist in that chain?)"
iptables -D OUTPUT -s 41.99.0.0 -j DROP

Of course, replace 41.99.0.0 with the IP you want to unban.

Then again, save and restart the iptables service with the 2 commands below:
Code:
service iptables save
Code:
service iptables restart

=============================

I hope this helps anyone who needs to stop DoS/DDoS attacks the easy way. :)

=============================
=============================
EDIT: I forgot to add how to ban by port.

To block an IP on a specific port, for instance if you don't want to let 41.99.0.0 reach port 80 (HTTP by default), put in the following command:
Code:
iptables -A INPUT -p tcp -s 41.99.0.0 --dport 80 -j DROP
Of course, replace 41.99.0.0 with the IP you want blocked.

Save and restart service.

To unban, it's the same as the unban method above (the -D rule must match this one, including -p tcp and --dport 80).

To block a different port, replace 80 with the port number.
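The steps above (list peers with netstat, pick the IPs over the 30-connection line, add the DROP rule, and later remove it with an exactly matching -D rule) as one runnable script. This is an added example and not part of DXS's post: the netstat text it feeds in is constructed sample data built from the example list above, the function names are my own, and every function only prints the iptables command it would run, so it needs no root and no live socket table. Two caveats it encodes: `cut -d: -f1` from the one-liner truncates IPv6 peers at the first colon, so only the trailing `:port` is stripped here; and `service iptables save` is the RHEL/CentOS initscript, so on a Debian-derived host you would use `iptables-save` instead.

```sh
#!/bin/sh
# Added example, not code from the original post. Dry run only: every function prints
# the iptables command rather than running it. Review the output, then pipe it to sh as root.

# Constructed sample of `netstat -atun` output: two header lines, one LISTEN socket, and
# ESTABLISHED peers matching the post's example counts (1, 4, 13 and 88). Not a real capture.
gen_sample() {
    echo 'Active Internet connections (servers and established)'
    echo 'Proto Recv-Q Send-Q Local Address           Foreign Address         State'
    echo 'tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'
    emit() { i=0; while [ "$i" -lt "$2" ]; do
                 echo "tcp        0      0 10.0.0.5:80             $1:$((40000 + i))      ESTABLISHED"
                 i=$((i + 1)); done; }
    emit 1.3.3.7 1
    emit 69.0.0.69 4
    emit 55.55.55.55 13
    emit 41.99.0.0 88
}

# Count connections per remote address, reading netstat output on stdin. Unlike the
# one-liner in the post, header lines and listening sockets (foreign address "*") are
# skipped, and only the trailing ":port" is removed so IPv6 peers are not cut at ":".
# Output: "<count> <address>", ascending by count.
count_peers() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $5 !~ /\*$/ { print $5 }' \
        | sed 's/:[0-9]*$//' \
        | sort | uniq -c | sort -n \
        | awk '{ print $1, $2 }'
}

# Addresses with at least $1 concurrent connections, one per line.
peers_over() {
    count_peers | awk -v min="$1" '$1 >= min { print $2 }'
}

# One rule spec shared by ban and unban: `iptables -D` only removes a rule whose
# arguments match exactly, so both commands are generated from the same string.
rule_spec() {            # usage: rule_spec IP-or-CIDR [TCP-PORT]
    if [ -n "$2" ]; then
        echo "INPUT -p tcp -s $1 --dport $2 -j DROP"
    else
        echo "INPUT -s $1 -j DROP"
    fi
}
ban_cmd()   { echo "iptables -A $(rule_spec "$@")"; }
unban_cmd() { echo "iptables -D $(rule_spec "$@")"; }

# Time-limited ban: the rule is removed after SECONDS, so a short flood does not leave
# a permanent entry behind (run the printed line as root).
timed_ban_cmd() {        # usage: timed_ban_cmd IP SECONDS
    echo "( $(ban_cmd "$1") && sleep $2 && $(unban_cmd "$1") ) &"
}

# Ban command for every address over the threshold, from netstat output on stdin.
ban_plan() {             # usage: ban_plan THRESHOLD < netstat-output
    peers_over "$1" | while read -r ip; do ban_cmd "$ip"; done
}

# Demo on the constructed sample: only 41.99.0.0 crosses the post's 30-connection line.
gen_sample | count_peers
gen_sample | ban_plan 30
timed_ban_cmd 41.99.0.0 600
```

The threshold of 30 is the post's own rule of thumb, not a universal number; on a server fronted by a proxy or a NAT gateway, one legitimate address can carry far more connections than that, which is exactly the "wrong IP" case the unban section covers. To persist a rule after checking it, run the printed `iptables -A` line, then `service iptables save` on CentOS or `iptables-save > /etc/iptables/rules.v4` on Debian or Ubuntu.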
 
21 comments
You can just install DDoS Deflate to do it for you.

Code:
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
 
I forgot how to add the ban by port. Added at the end of the post.

And thanks everyone for the replies.
 
Also missing: how to ban a whole range of IPs ;)

Code:
iptables -I INPUT -s 110.0.0.0/255.0.0.0 -j DROP
This would ban all IPs in the 110.x.x.x range (110.0.0.0/8).

Often it's very difficult to decide which IPs to ban. For myself, as a Rapidleech provider, I get a lot of 1-connection IPs.

It's often difficult to tell whether these are really brute-force attacks or file hosts being used via multifetch and/or regular download/upload.

A handy tool to check where IPs come from:
/
 
Isn't it a bad idea to save the blocks to iptables? DDoS attacks are usually temporary, and after some time you're going to have huge tables running and slowing things down.
Also, you may be permanently banning a legitimate IP by mistake.

That's why I like DDoS Deflate, as it bans IPs temporarily.
 
For DDoS this is useless: you can ban the IP, but the packets will still saturate your connection. There is no way to stop a DDoS with iptables alone.
 