Block session requests with too many connections to the same IP

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

System environment: CentOS 6.5 x64

To protect a Linux host from *, check the number of session connections on the host regularly. If one IP accounts for too many sessions, treat it as abnormal; a shell script run on a schedule can add such IPs to the firewall as DROP rules.

[root@host ssh]# vi /etc/ssh/blockip

#!/bin/bash
# auto drop IP, IP address greater than 10
# by authors evanli 2017-6-15
# Only count sessions to this local port; leave empty to count every port
# (the original leaves port_num unset, which has the same effect)
port_num=""
ip_regex="[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}"
# remote addresses of all ESTABLISHED TCP sessions, one per line, sorted
netstat -na --tcp | grep ESTABLISHED | awk -v port="$port_num" '{ if (index($4, ":" port)) print $5 }' | awk -F':' '{print $1}' | sort > /var/log/IPLIST
# IPs that appear 10 or more times among the last 100 entries
IP_ADDR=`tail -n 100 /var/log/IPLIST | egrep -o "$ip_regex" | sort -nr | uniq -c | awk '$1 >= 10 {print $2}'`
IPTABLES_CONF=/etc/sysconfig/iptables
for i in `echo $IP_ADDR`
do
    # skip IPs that already have a rule in the saved iptables configuration
    if ! grep -q -- "$i" $IPTABLES_CONF; then
        # insert a DROP rule after line 5 of the saved configuration
        sed -i "5a-A INPUT -s $i/32 -j DROP" $IPTABLES_CONF
    else
        echo "This is $i is exist in iptables,please exit."
    fi
done

Give the script executable permissions:

[root@host ssh]# chmod +x /etc/ssh/blockip

Add it to the scheduled tasks so that it runs every 30 minutes:

[root@host ssh]# vi /etc/crontab

*/30 * * * * root /etc/ssh/blockip

Script description:

1. First, write the remote IP of every established connection to the file /var/log/IPLIST.

2. Count how many times each IP appears in IPLIST and keep those that appear 10 or more times: awk '$1 >= 10' (the number 10 can be changed to the value you need).

3. Add each IP that appears 10 or more times to the firewall as a DROP rule.

4. Before adding, check whether the IP already exists in the firewall configuration; if it does, print "This is $i is exist in iptables,please exit."

5. Open /etc/sysconfig/iptables with vi to confirm that the DROP rules for those IPs were added.

6. Once everything checks out, restart the firewall so the new rules take effect.

The attachment is the script itself and can be run directly.

The above script test was completed on June 15, 2017 by evan.li.

Attachment: http://down.51cto.com/data/2366755
