Ubuntu – I have massive attack on port in the server

15.04firewalliptablesSecurityserver

i have Ubuntu 15.4 server i open a port with number 20000 i got massive ddos attack on this port i typed in terminal

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

to catch the attacker ip and block it i found bazillion ip's with opened connection 55

i need to create automatic script using iptables to protect that port

so if ip have connection more than 5 iptable block it automatically using

iptables -A INPUT -s attacker ip address -j DROP

but i dont know how to do that script it will take forever to block the ips one by one 🙂

Best Answer

The following will detect the IPs and then drop them for more than a day.

# Dynamic Badguy List. Detect and DROP Bad IPs that try to access port 20000.
# Once they are on the BADGUY list then DROP all packets from them.

iptables -A INPUT -i eth0 -m recent --update --hitcount 5 --seconds 90000 --name BADGUY -j LOG --log-prefix "Port 20000 BAD:" --log-level info
iptables -A INPUT -i eth0 -m recent --update --hitcount 5 --seconds 90000 --name BADGUY -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 20000 -m recent --set --name BADGUY -j ACCEPT

Replace eth0 with your actual interface name.
Place these rules after your ESTABLISHED,RELATED by-pass rule. A typical example:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Related Solutions

Ubuntu – Open port 80 on Ubuntu server

There is no program listening on port 80 so it's closed and you can't connect to it.

You can use

sudo python -m SimpleHTTPServer 80

to start a simple web server listening on port 80, or install something like Apache (package apache2) if you want a full blown web server.

Ubuntu – Shell script to ban an IP

First of all, don't reinvent the wheel. That's precisely what denyhosts is for:

   DenyHosts  is a python program that automatically blocks ssh attacks by
   adding entries to /etc/hosts.deny.  DenyHosts will  also  inform  Linux
   administrators  about  offending  hosts,  attacked users and suspicious
   logins.

As far as I know, denyhosts is only for ssh connections but there's also fail2ban that deals with pretty much anything:

   Fail2Ban consists of a client, server and configuration files to  limit
   brute force authentication attempts.

   The  server  program  fail2ban-server is responsible for monitoring log
   files and issuing ban/unban commands.  It  gets  configured  through  a
   simple  protocol  by fail2ban-client, which can also read configuration
   files and issue corresponding configuration commands to the server.

Both are available in the repositories:

sudo apt-get install denyhosts fail2ban

You could also script this, if you like. Something like:

#!/usr/bin/env sh
netstat -an | 
    awk -vmax=100 '/tcp/{split($5,a,":"); if(a[1] > 0 && a[1]!="0.0.0.0"){c[a[1]]++}}
    END{for(ip in c){if(c[ip]>max){print ip}}}' |
        while read ip; do iptables -I INPUT 1 -s "$ip" -j DROP; done

The awk will extract the IPs and count them and only print those that appear more than max times (here, -vmax=100, change it accordingly). The IPs are then fed to a while loop that runs the relevant iptables rule.

To run this 24/7, I would make a cronjob that runs the command above every minute or so. Add this line to /etc/crontab

* * * * * root /path/to/script.sh

Best Answer

Related Solutions

Ubuntu – Open port 80 on Ubuntu server

Ubuntu – Shell script to ban an IP

Related Question