
Stop DDoS: shell script to find IPs with more than 80 connections, block them in the firewall, and send notification mail with the blocked IP(s).


#!/bin/bash

###################################################
# Script Name : StopDdosAttack
# Created By : Jino Joseph
# Created Date : 20-Mar-2013
# Last Modified : 21-Mar-2013
# Purpose : Finds the IPs with more than 80 connections, blocks them in the firewall,
# and sends notification mail with the blocked IP(s).
###################################################

CSF=/usr/sbin/csf
FIREWALL=0 # This is a key to confirm that a firewall rule is added.

# Work in a private temporary directory instead of fixed file names in the
# current directory and /tmp; it is removed when the script exits.
WORKDIR=$(mktemp -d) || exit 1
trap 'rm -rf "$WORKDIR"' EXIT
RESULT="$WORKDIR/result.txt"
BLOCKED="$WORKDIR/ips.txt"
EMAILMESSAGE="$WORKDIR/emailmessage.txt"

# Top 5 remote addresses by connection count, one "count#ip" per line.
# grep keeps IPv4 addresses only: it drops the netstat header lines and the
# IPv6 peers that cut -d: -f1 cannot parse.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort | uniq -c | sort -nr | head -5 | sed -e 's/^[ \t]*//' | sed -e 's/ /#/g' > "$RESULT"

for i in $(cat "$RESULT");
do
    Num=${i%%#*} # Connection count (text before the #)
    IP=${i#*#}   # Remote IP (text after the #)
    if [ "$Num" -gt 80 ] && [ "$IP" != '127.0.0.1' ]
    then
        "$CSF" -d "$IP" # Adding the ip in firewall rule.
        FIREWALL=1
        echo -e " $IP : $Num \n " >> "$BLOCKED"
    else
        echo "Normal connections : $Num";
    fi
done

# Once all the IPs are checked, restart the firewall and send the mail if a rule was added.
if [ "$FIREWALL" -eq 1 ]
then
    "$CSF" -r # Restart Firewall
    echo "Restart Firewall & Sending Mail";

    #######################
    # Mail Sending Section
    #######################

    # email subject
    SUBJECT="IPs are Blocked in Server!!"
    # Email To ?
    EMAIL="example@example.com"
    # Email text/message
    BLOCKEDIPS="$(cat "$BLOCKED")"
    echo "Hi Team, " > "$EMAILMESSAGE"
    echo " " >> "$EMAILMESSAGE"
    echo " " >> "$EMAILMESSAGE"
    echo -e "The Blocked IPs are \n \n$BLOCKEDIPS" >> "$EMAILMESSAGE"
    echo -e "\n This is a notification. Please close it." >> "$EMAILMESSAGE"
    echo " " >> "$EMAILMESSAGE"
    echo " " >> "$EMAILMESSAGE"
    echo "Regards," >> "$EMAILMESSAGE"
    echo "System Admin" >> "$EMAILMESSAGE"
    # send an email using /bin/mail
    /bin/mail -s "$SUBJECT" "$EMAIL" < "$EMAILMESSAGE"

    ## End of Mail###
fi



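If you want to send the mail with SMTP authentication, use the command below:

mailx -s "DDOS Attack IP Blocked" -S smtp=smtp://xyz.net:587 -S smtp-auth=login -S smtp-auth-user=alerts@xyz.net -S smtp-auth-password=9879ljouhkh888 -S from="DDOS Attack IP Blocked " admin@xyz.net < "$EMAILMESSAGE"

Here we are using the SMTP login details of the email ID alerts@xyz.net. $EMAILMESSAGE holds the path of the message file, so the file is redirected into mailx as the message body; piping echo $EMAILMESSAGE would send only the file name. A password passed with -S on the command line is visible in the process list to other local users while mailx runs; the same settings can instead be kept in a ~/.mailrc that is readable only by the user running the script.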
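
The counting step of the script above can be tried without touching the firewall. The following is an added example, not part of the original script: it reads netstat -ntu style text, strips only the trailing port so IPv6 and IPv4-mapped peers are counted correctly, and honours an allowlist. The function names, the sample input and the demo threshold of 2 are assumptions made for the illustration.

```bash
# Added example: dry-run report of remote IPs above a connection threshold.
# Reads `netstat -ntu` style text on stdin; nothing is blocked.

# over_threshold THRESHOLD [ALLOWLISTED_IP ...]
# Prints "count ip" per offender, highest count first.
over_threshold() {
    threshold=$1; shift
    awk -v limit="$threshold" -v allow="$*" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $1 !~ /^(tcp|udp)/ { next }        # drop the two netstat header lines
        {
            addr = $5                      # Foreign Address column
            sub(/:[0-9*]+$/, "", addr)     # strip only the trailing :port
            sub(/^::ffff:/, "", addr)      # IPv4-mapped IPv6 -> plain IPv4
            if (addr == "" || (addr in skip)) next
            count[addr]++
        }
        END { for (ip in count) if (count[ip] > limit) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (documentation address ranges), not a real capture.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:51514       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51515       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51516       SYN_RECV
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:51517 ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::beef:40022    ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::beef:40023    ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::beef:40024    ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:50110         ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:50111         ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:50112         ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40100      TIME_WAIT
EOF
}

# Threshold 2 only so the small sample triggers; the script above uses 80.
sample_netstat | over_threshold 2 127.0.0.1
```

On a live host, feed it with netstat -ntu | over_threshold 80 followed by the addresses that must never be blocked, such as a load balancer or monitoring host, and review the output before passing any address to csf -d.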
