You can analyze a DDoS with your own scripts that parse the logs. But it is better to leave this to Apache's mod_evasive.
Install mod_evasive and add the following to its configuration:
DOSHashTableSize 3097
DOSPageCount 15
DOSSiteCount 15
DOSPageInterval 3
DOSSiteInterval 3
DOSBlockingPeriod 300
DOSSystemCommand "/usr/bin/sudo /usr/bin/fwban %s"
DOSPageInterval - the interval over which hits on a specific page are counted
DOSSiteInterval - the interval over which hits on a particular vhost are counted
DOSPageCount - the number of hits on a particular URI within DOSPageInterval after which the IP is banned
DOSSiteCount - the number of hits on a particular vhost within DOSSiteInterval after which the IP is banned
We need a script that bans an IP in the firewall, /usr/bin/fwban (for Linux):
#!/bin/bash
# Ban the IP address given as the first argument with a DROP rule in the BAN chain.
if [ "x$1" = "x" ]; then
    echo "USAGE: $0 IPADDR"
    exit 1
fi
/sbin/iptables -A BAN -s "$1" -j DROP
Give it permissions 755.
We also need the sudo utility. It is installed almost everywhere. In visudo, comment out the option:
#Defaults requiretty
And add the line
apache ALL = NOPASSWD: /usr/bin/fwban
where apache is the user that Apache runs as.
We also need a BAN chain in iptables:
iptables -N BAN
iptables -I INPUT -j BAN
Save the firewall rules:
/etc/init.d/iptables save
Restart Apache. Now try to take your site down (not from your own IP!!!):
# ab -n 1000 -c 20 http://yoursite.info/
On the victim, the logs show:
May 6 15:18:25 Server1 mod_evasive[26514]: Blacklisting address 1.2.3.4: possible DoS attack.
And in the firewall:
# iptables-save
... lots of output ...
-A BAN -s 1.2.3.4 -j DROP
... lots of output ...
PS: and of course, it is better to put Apache behind nginx.
PS: and this method bans IP addresses permanently, until the server is restarted or the BAN chain is reset. That's such a brutal method)
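
The sudoers line lets the apache user run fwban as root with any argument, so the script should accept only a single IPv4 address and refuse to ban addresses you must not lock out. A hardened variant of the script above, as an added example that is not the author's code; NEVER_BAN and DRY_RUN are names invented here, and 127.0.0.1 is a placeholder for your own protected addresses:

```bash
#!/bin/bash
# Hardened sketch of /usr/bin/fwban for the BAN chain used on this page.
# NEVER_BAN and DRY_RUN are hypothetical names introduced for this example.
IPTABLES=/sbin/iptables
NEVER_BAN="127.0.0.1"        # space-separated addresses that must never be dropped
DRY_RUN="${DRY_RUN:-0}"      # 1 = print the rule instead of installing it

# Succeed only for a single dotted-quad IPv4 address with octets 0..255.
# CIDR ranges, hostnames and option-like strings ("-F") are rejected.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                # split on dots; input holds digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeed if the address is on the never-ban list.
is_protected() {
    for keep in $NEVER_BAN; do
        [ "$1" = "$keep" ] && return 0
    done
    return 1
}

fwban() {
    if ! is_ipv4 "$1"; then
        echo "USAGE: $0 IPADDR" >&2
        return 2
    fi
    if is_protected "$1"; then
        echo "refusing to ban protected address $1" >&2
        return 3
    fi
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES -A BAN -s $1 -j DROP"
        return 0
    fi
    # -C tests for an identical rule so repeated triggers do not add duplicates.
    "$IPTABLES" -C BAN -s "$1" -j DROP 2>/dev/null ||
        "$IPTABLES" -A BAN -s "$1" -j DROP
}

# Act only when an address is passed, as DOSSystemCommand does with %s.
[ "$#" -eq 0 ] || fwban "$1"
```

Saved as /usr/bin/fwban with permissions 755, it works with the DOSSystemCommand and sudoers lines unchanged.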