Optimal DDoS protection with netstat and iptables

Good day!

Most recently, faced with such a problem as DDoS. I’ll say right away that I’m never a Linux user at all, but a little programmer, so everything below is based purely on logic, not on facts, plus rewritten with some additions from what’s already known.

Having dug over the hordes of articles and tested a lot of options, I did not find what would help with the protection. Based on the article A simple and effective method to reflect http DDoS from 50mbit using nginx and iptables and (D) DoS Deflate decided to write my own script. Well, rather, I did not decide, but he turned out himself by the method of poking and corrections.
')
I should note that the article from Alexey Kuzmin is not perfect, because it is not enough to dig into the nginx logs, and processing logs may require a lot of resources. Namely, in my case, logs of more than 50 Gig were created, plus the requests were not “GET / HTTP / 1.1”, but “GET / HTTP / 1.0”, plus, as it turned out, my server received redirects from itself (127.0.0.1), which were not displayed in the logs that were displayed in the request

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n 

The essence of the script is such that after a certain time, the crown runs the script and checks all connections to the server, ip and the number of their connections that are written to the file. Then another script is launched that looks if the connections exceed the specified number (I have 20), then a script is created with these IPs blocked via iptables.

I created separate files to track the whole course of work separately, and by my incompetence, it was easy to find out where and what did not work.

Now to practice:
create a directory where the script will be

 mkdir /usr/local/ddos 

in it we create the ddos.sh file and change its rights:

 chmod 0755 /usr/local/ddos/ddos.sh 

write to it:

 #!/bin/sh #          ddos.iplist   tmp netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n > /tmp/ddos.iplist #     cat /dev/null > /tmp/iptables_ban.sh #  DROP   50    awk '{if ($1 > 20) {print "/sbin/iptables -I INPUT -p tcp --dport 80 -s " $2 " -j DROP" }}' /tmp/ddos.iplist >> /tmp/iptables_ban.sh #      ,        iptables echo "/sbin/iptables -L INPUT -v -n > /tmp/iptables.log" >> /tmp/iptables_ban.sh #     bash /tmp/iptables_ban.sh #    cat /dev/null > /var/log/ddos/error.log [ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid` 

That's basically it. Now we start the crontab, I prefer the command:

 EDITOR=mcedit crontab -e 

well or just

 crontab -e 

and add a new task to it that runs every 10 minutes:

 */10 * * * * /bin/sh /usr/local/ddos/ddos.sh 

I also changed the rotation of the logs in the /etc/logrotate.d/nginx file from nginx`a so that multi-gig files are not created

 /var/log/nginx/*.log { daily size 20M missingok rotate 150 compress delaycompress notifempty create 640 root adm sharedscripts postrotate [ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid` endscript } 

and wrote another task in crowns, running every hour

 0 * * * * /usr/sbin/logrotate /etc/logrotate.conf 

Well, for more comfort, I decided to reboot the server once a day, again through Cron:

 0 4 * * * /sbin/reboot 

general list of tasks output via crontab -l :

 */10 * * * * /bin/sh /usr/local/ddos/ddos.sh 0 * * * * /usr/sbin/logrotate /etc/logrotate.conf 0 4 * * * /sbin/reboot 

I wrote everything under the root user , so if you are not under this user, before each command you should add root , like:

 */10 * * * * root /bin/sh /usr/local/ddos/ddos.sh 

All paths made absolute, because Not all teams without a full path worked.

I hope someone will find this article useful. Please do not judge strictly by the code itself, since I did something for the first time myself on a server)