最近我的服务器遭到了中国防火墙的DDoS攻击。
根据http-host头部的mod_security阻止请求中的回复中的build议,以及https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables中的build议/我一直在试图使用IPTables阻止来自中国防火墙的redirectDDoSstream量,通过阻止来自“Bittorrent”string的请求,并通过使用最新的IP列表阻止来自中国的所有IP :http:// www.ipdeny.com/ipblocks/data/countries/cn.zone 。
我的防火墙看起来像这样。
*filter # Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT -A INPUT -d 127.0.0.0/8 -j REJECT # Accept all established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Block anything from China # These rules are pulled from ipset's china list # The source file is at /etc/cn.zone (which in turn is generated by a shell script at /etc/block-china.sh ) -A INPUT -p tcp -m set --match-set china src -j DROP # Block bittorent -A INPUT -p tcp --dport 80 -m string --algo bm --string "Bittorrent" --to 1000 -j DROP -A INPUT -p tcp --dport 80 -m string --algo bm --string "GET /announce" --to 1000 -j DROP # Limit connection speed to avoid DDOS -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT # Allow all outbound traffic - you can modify this to only allow certain traffic -A OUTPUT -j ACCEPT # Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL). -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT # Allow SSH connections # # The -dport number should be the same port number you set in sshd_config # -A INPUT -p tcp -m state --state NEW --dport 2222 -j ACCEPT # Allow ping -A INPUT -p icmp -j ACCEPT # Log iptables denied calls -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Drop all other inbound - default deny unless explicitly allowed policy -A INPUT -j DROP -A FORWARD -j DROP COMMIT 但是,防火墙似乎并没有工作。 中国的IP仍然泛滥Apache的日志,并且“Bittorrent”string仍然显示在Apache日志中。 我似乎被不在禁止列表中的IP所淹没(ipdeny的列表有多准确?),并且IPtablesstring正则expression式似乎根本不起作用,因为以下日志仍然通过。
110.255.172.42 - - [26/Apr/2015:18:05:41 +1200] "GET /announce.php?info_hash=M%3A%89%E1%86%9D%60%A7I%23%D6%99r%04%D7t%06%5F%A6%CC&peer_id=%2DSD0100%2D%E9%B1%EF%11A%CC%FB%94%EDl%23%8A&ip=101.28.113.60&port=8644&uploaded=1503508047&downloaded=1503508047&left=0&numwant=200&key=9253&compact=1 HTTP/1.0" 410 225 "-" "Bittorrent"
此外, http://www.blockedinchina.net/仍然显示我的网站在中国境内可访问。
运行sudo iptables -L给我:
Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere REJECT all -- anywhere 127.0.0.0/8 reject-with icmp-port-unreachable ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED DROP tcp -- anywhere anywhere match-set china src DROP tcp -- anywhere anywhere tcp dpt:http STRING match "Bittorrent" ALGO name bm TO 1000 DROP tcp -- anywhere anywhere tcp dpt:http STRING match "GET /announce" ALGO name bm TO 1000 ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW limit: avg 50/min burst 200 ACCEPT tcp -- anywhere anywhere tcp dpt:http ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:2222 ACCEPT icmp -- anywhere anywhere LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: " DROP all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination DROP all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere
任何人都知道为什么我的防火墙可能不工作?
我面临同样的问题,所以这在我的networking服务器上工作:
iptables -I INPUT -m string --string "announce.php" --algo kmp --to 65535 -j TARPIT
我已经在顶部添加了这条规则。 你猫使用DROP而不是TARPIT(是的,我是一个坏的,被迫中文遭受: – D)。