Ubuntu – I have massive attack on port in the server


i have Ubuntu 15.4 server i open a port with number 20000 i got massive ddos attack on this port i typed in terminal

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

to catch the attacker ip and block it i found bazillion ip's with opened connection 55

i need to create automatic script using iptables to protect that port

so if ip have connection more than 5 iptable block it automatically using

iptables -A INPUT -s attacker ip address -j DROP

but i dont know how to do that script it will take forever to block the ips one by one 🙂

Best Answer

The following will detect the IPs and then drop them for more than a day.

# Dynamic Badguy List. Detect and DROP Bad IPs that try to access port 20000.
# Once they are on the BADGUY list then DROP all packets from them.

iptables -A INPUT -i eth0 -m recent --update --hitcount 5 --seconds 90000 --name BADGUY -j LOG --log-prefix "Port 20000 BAD:" --log-level info
iptables -A INPUT -i eth0 -m recent --update --hitcount 5 --seconds 90000 --name BADGUY -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 20000 -m recent --set --name BADGUY -j ACCEPT

Replace eth0 with your actual interface name.
Place these rules after your ESTABLISHED,RELATED by-pass rule. A typical example:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Related Question