Amet13 / ddos-deflate

Shell script blocking DDoS attacks. Not maintained since 2016
11 stars, 13 forks

Wrong emails #2

Closed. maxpostal closed this issue 8 years ago

maxpostal commented 8 years ago

Hi! Thanks for the script!

I just installed it and rebooted the server. I got an email at 20:05:

    Banned the following IP addresses on 31/08/2016 [20:05:36]
    From: localhost (::1 127.0.0.1 X.XXX.XX.XXX)
    X.XXX.XX.XXX with 586 connections blocked on 600 seconds

But this IP is the server's IP. It is added to /usr/local/ddos-deflate/ignoreip.list:

    nano /usr/local/ddos-deflate/ignoreip.list
    127.0.0.1
    192.168.0.1
    X.XXX.XX.XXX

    root@XXX:~# iptables -t raw -L PREROUTING
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    root@XXX:~# tail -1 /var/log/ddos-deflate.log
    31/08/2016 [19:41:21] -- X.XXX.XX.XXX blocked on 600 seconds

The server works properly. Debian 8.5.

Thank you in advance!

BR, Maxim.

Amet13 commented 8 years ago

Hello. First, there is no need to reboot the server after installing the script.

I think you have this problem because the script uses non-strict matching against ignoreip.list. Please try ddos-deflate with the new patch https://github.com/Amet13/ddos-deflate/commit/c341f6d501051c7cce7e90d6f2bdace568521750 You can apply the patch with this console command:

    wget -q -O /usr/local/ddos-deflate/ddos-deflate.sh https://raw.githubusercontent.com/Amet13/ddos-deflate/master/ddos-deflate.sh

or you can manually edit the file /usr/local/ddos-deflate/ddos-deflate.sh and change line 65 from

    IGNORE_BAN=`grep -c $CURR_LINE_IP $IGNORE_IP_LIST`

to

    IGNORE_BAN=`grep -cx $CURR_LINE_IP $IGNORE_IP_LIST`
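Added example (not code from ddos-deflate or from the reply above) showing what the patch changes. With the pre-patch `grep -c`, an address counts as ignored whenever some line of ignoreip.list merely contains it, so a candidate that is a textual prefix of a listed entry is skipped too; `grep -cx` requires the whole line to match. The ignore list, the candidate addresses and the extra `-F` flag (so that the dots in an address are matched literally rather than as regex wildcards) are my assumptions for the demonstration:

```shell
#!/bin/sh
# Added example, not part of ddos-deflate: compare the pre-patch ignore-list
# check (grep -c, substring match) with the patched one (grep -cx, whole line).
# The ignore list below is constructed for this demonstration.

IGNORE_IP_LIST="$(mktemp)"
trap 'rm -f "$IGNORE_IP_LIST"' EXIT
printf '%s\n' 127.0.0.1 192.168.0.1 203.0.113.10 > "$IGNORE_IP_LIST"

# Pre-patch check: any list line that contains the candidate counts as a hit.
loose_ignored() {
    [ "$(grep -c "$1" "$IGNORE_IP_LIST")" -gt 0 ]
}

# Patched check: the candidate must equal an entire line (-x); -F is an
# addition on top of the patch so '.' is a literal dot, not "any character".
strict_ignored() {
    [ "$(grep -cxF "$1" "$IGNORE_IP_LIST")" -gt 0 ]
}

# Walk a few candidates and print what each check decides.
for ip in 192.168.0.1 203.0.113.10 203.0.113.1 198.51.100.25; do
    loose=no;  loose_ignored  "$ip" && loose=yes
    strict=no; strict_ignored "$ip" && strict=yes
    printf '%-16s loose=%-3s strict=%s\n' "$ip" "$loose" "$strict"
done
```

Run it with `sh`. The third candidate shows the divergence: 203.0.113.1 is skipped by the loose check only because the listed 203.0.113.10 contains it, so an attacker at that address would never be banned, while the strict check honours exact entries only. Note that `-x` cuts the other way for the symptom reported in this issue: an entry with trailing whitespace or a CRLF line ending no longer matches at all, which is worth checking with `cat -A ignoreip.list` when a listed address still gets banned.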
maxpostal commented 8 years ago

Hello Amet, thanks!

Today I received two emails. First:

    From: maxim@my.domain.ru
    Title: IP addresses banned on 01/09/2016 [10:37:55]

    Banned the following IP addresses on 01/09/2016 [10:37:55]
    From: localhost (::1 127.0.0.1 X.XXX.XX.XXX)

    X.XXX.XX.XXX with 612 connections blocked on 600 seconds
    23.27.244.12 with 127 connections blocked on 600 seconds

Second:

    From: root@my.domain.ru
    Title: IP addresses banned on 01/09/2016 [10:38:01]

    Banned the following IP addresses on 01/09/2016 [10:38:01]
    From: localhost (::1 127.0.0.1 X.XXX.XX.XXX)

    23.27.244.12 with 127 connections blocked on 600 seconds

where X.XXX.XX.XXX is my server's IP address. Could you please fix it?

P.S. Please explain to me how I can test the script from another Linux PC? I don't understand your example:

    user@192.168.0.100 ~ $ ab -n 200000 -c 100 http://server-ip/

What are 192.168.0.100 and http://server-ip/?

P.P.S. Sometimes when I work in the console as a user I see a message:

    iptables v1.4.21: can't initialize iptables table 'raw': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.4.21: can't initialize iptables table 'raw': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    grep: /usr/local/ddos-deflate/ignoreip.list: Permission denied
    mv: replace '/usr/local/ddos-deflate/ignoreip.list', overriding mode 0600 (rw-------)?
    mv: error closing file

What is it?

Thanks in advance!

BR, Max.

Amet13 commented 8 years ago

    P.S. Please explain to me how I can test the script from another Linux PC? I don't understand your example

I'm using Apache Benchmark (ab) from my work PC (192.168.0.100) against a virtual machine with ddos-deflate (server-ip, in your example X.X.X.X).

    iptables v1.4.21: can't initialize iptables table 'raw': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.4.21: can't initialize iptables table 'raw': Permission denied (you must be root)

You can run the script only as a user with privileges to use iptables.

    mv: replace '/usr/local/ddos-deflate/ignoreip.list', overriding mode 0600 (rw-------)?
    mv: error closing file

This error is about privileges too.

maxpostal commented 8 years ago

Oops! I thought that `user@192.168.0.100 ~ $` was part of the command... :) Sorry.

I installed this script as root and use the default cron task /etc/cron.d/ddos-deflate:

    SHELL=/bin/bash
    * * * * * root bash /usr/local/ddos-deflate/ddos-deflate.sh > /dev/null; sleep 20; bash /usr/local/ddos-deflate/ddos-deflate.sh > /dev/null 2>&1

It works and my test IP was blocked:

    root@xxx:~# iptables -t raw -L PREROUTING
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DROP       all  --  216.185.39.121       anywhere
    DROP       all  --  XXX.XXX.XXX.XXX      anywhere

but periodically I still receive emails with my server's IP:

Banned the following IP addresses on 01/09/2016 [13:40:30] From: localhost (::1 127.0.0.1 X.XXX.XX.XXX)

X.XXX.XX.XXX with 675 connections blocked on 600 seconds

Amet13 commented 8 years ago

Honestly, I can't reproduce the problem in my test environment. Are you sure about your server's IP in ignoreip.list?

maxpostal commented 8 years ago

Yes, I'm sure. I used nano /usr/local/ddos-deflate/ignoreip.list and Ctrl+W to search for the server's IP address in this file. I found it.

I noticed this list contains two IP addresses that I didn't add:

    127.0.0.1
    192.168.0.1
    X.XXX.XX.XXX
    208.123.223.115

Could you please tell me, is this normal? Thanks.

Amet13 commented 8 years ago

I found a bug with recording IPs to the ignore list (https://github.com/Amet13/ddos-deflate/commit/4669e13372fdcc02aaf6dd86b6f056a25859b5e6). You can manually remove line 72 from /usr/local/ddos-deflate/ddos-deflate.sh or run:

    wget -q -O /usr/local/ddos-deflate/ddos-deflate.sh https://raw.githubusercontent.com/Amet13/ddos-deflate/master/ddos-deflate.sh

maxpostal commented 8 years ago

Thanks!

maxpostal commented 8 years ago

Hello!

On one server, several emails arrive in a row about the same blocked IP address:

Banned the following IP addresses on 05/09/2016 [12:31:01] From: localhost (::1 127.0.0.1 X.XXX.XX.XXX) 69.31.50.128 with 67 connections blocked on 86400 seconds

Banned the following IP addresses on 05/09/2016 [12:31:21] From: localhost (::1 127.0.0.1 X.XXX.XX.XXX) 69.31.50.128 with 68 connections blocked on 86400 seconds

On another one, the same thing:

Banned the following IP addresses on 05/09/2016 [12:19:21] From: domain.ru (XX.XXX.XX.XXX) 188.32.23.240 with 75 connections blocked on 600 seconds

Banned the following IP addresses on 05/09/2016 [12:20:01] From: domain.ru (XX.XXX.XX.XXX) 188.32.23.240 with 74 connections blocked on 600 seconds

Banned the following IP addresses on 05/09/2016 [12:20:01] From: domain.ru (XX.XXX.XX.XXX) 188.32.23.240 with 74 connections blocked on 600 seconds

Banned the following IP addresses on 05/09/2016 [12:21:01] From: domain.ru (XX.XXX.XX.XXX) 188.32.23.240 with 74 connections blocked on 600 seconds

Banned the following IP addresses on 05/09/2016 [12:21:21] From: domain.ru (XX.XXX.XX.XXX) 188.32.23.240 with 74 connections blocked on 600 seconds

Banned the following IP addresses on 05/09/2016 [12:21:21] From: domain.ru (XX.XXX.XX.XXX) 188.32.23.240 with 74 connections blocked on 600 seconds

Banned the following IP addresses on 05/09/2016 [12:22:21] From: domain.ru (XX.XXX.XX.XXX) 188.32.23.240 with 45 connections blocked on 600 seconds

Could you please advise how to get rid of the duplicate emails?

Regards, Max.

Amet13 commented 8 years ago

Hello. Try taking line 80 of the file /usr/local/ddos-deflate/ddos-deflate.sh:

    cat $BANNED_IP_MAIL | mail -s "IP addresses banned on $DATE" $EMAIL_TO

and moving it after the line:

    $IPT -t raw -I PREROUTING -s $CURR_LINE_IP -j DROP

P.S. This script has a lot of flaws that will keep surfacing from time to time; I forked it mostly for history's sake, since it is no longer available at the original address. I recommend looking at ipset and fail2ban, where everything is much simpler and better.
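Added example, not the script's or the reply's own code, for the duplicate-mail problem raised above. The cron entry quoted earlier runs the script twice a minute, at :01 and :21, which are exactly the timestamps on the duplicate mails, and the duplicates show that a run which sees an address that is already dropped still reports it. The function below asks iptables with `-C` whether an identical DROP rule is already present and only inserts the rule and adds the address to the mail body when it is not, so the report goes out once per new ban and never for an address that is already blocked. The variable names follow those quoted from the script (IPT, BANNED_IP_MAIL, EMAIL_TO, DATE); the fake iptables at the end is my assumption, a stand-in for the real binary so the demo runs without root:

```shell
#!/bin/sh
# Added example, not part of ddos-deflate: ban an address only when no DROP
# rule for it exists yet, and mention it in the mail only in that case.

IPT="${IPT:-iptables}"
BANNED_IP_MAIL="$(mktemp)"
DATE="$(date '+%d/%m/%Y [%H:%M:%S]')"
EMAIL_TO="${EMAIL_TO:-}"   # empty: print the report instead of mailing it

# Returns 0 if a new rule was inserted, 1 if the address was already dropped.
ban_once() {
    ip="$1"; conns="$2"; secs="$3"
    # iptables -C exits 0 when an identical rule is already in the chain.
    if $IPT -t raw -C PREROUTING -s "$ip" -j DROP 2>/dev/null; then
        return 1
    fi
    $IPT -t raw -I PREROUTING -s "$ip" -j DROP
    echo "$ip with $conns connections blocked on $secs seconds" >> "$BANNED_IP_MAIL"
    return 0
}

# Sends one report per run, and only when something new was banned.
send_report() {
    [ -s "$BANNED_IP_MAIL" ] || return 1
    if [ -n "$EMAIL_TO" ]; then
        mail -s "IP addresses banned on $DATE" "$EMAIL_TO" < "$BANNED_IP_MAIL"
    else
        cat "$BANNED_IP_MAIL"
    fi
    : > "$BANNED_IP_MAIL"
    return 0
}

# --- demo: a fake iptables that keeps its rules in a file (assumption) ------
RULES="$(mktemp)"
trap 'rm -f "$RULES" "$BANNED_IP_MAIL"' EXIT
fake_iptables() {
    # understands only: -t raw {-C|-I} PREROUTING -s IP -j DROP
    case "$3" in
        -C) grep -qxF "$6" "$RULES" ;;
        -I) echo "$6" >> "$RULES" ;;
    esac
}
IPT=fake_iptables

ban_once 198.51.100.7 127 600 && echo "banned 198.51.100.7"
ban_once 198.51.100.7 127 600 || echo "198.51.100.7 already banned, skipped"
send_report
```

Run it with `sh`; the second `ban_once` for the same address returns 1 and adds nothing to the report, and the ban counts in the thread (the same address with 74 connections reported five times) would collapse to a single mail. With the real binary the `-C` check needs the same privileges as the insert, so this belongs in the root cron job, not in a user shell.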

maxpostal commented 8 years ago

Thank you for maintaining this script! Judging by the test results it is useful. Fail2ban is installed, but I haven't yet worked out how to use it to protect against DoS attackers.

I moved the line, but it didn't help; the duplicates keep coming :(

Banned the following IP addresses on 06/09/2016 [08:42:01] From: localhost (::1 127.0.0.1 XX.XXX.XX.XXX) 95.221.203.80 with 58 connections blocked on 3600 seconds

Banned the following IP addresses on 06/09/2016 [08:41:21] From: localhost (::1 127.0.0.1 XX.XXX.XX.XXX) 95.221.203.80 with 58 connections blocked on 3600 seconds

Banned the following IP addresses on 06/09/2016 [08:39:01] From: localhost (::1 127.0.0.1 XX.XXX.XX.XXX) 95.221.254.143 with 66 connections blocked on 3600 seconds

Banned the following IP addresses on 06/09/2016 [08:38:21] From: localhost (::1 127.0.0.1 XX.XXX.XX.XXX) 95.221.254.143 with 66 connections blocked on 3600 seconds

Banned the following IP addresses on 06/09/2016 [08:38:21] From: localhost (::1 127.0.0.1 XX.XXX.XX.XXX) 95.221.254.143 with 66 connections blocked on 3600 seconds 109.173.53.213 with 63 connections blocked on 3600 seconds

Banned the following IP addresses on 06/09/2016 [08:38:01] From: localhost (::1 127.0.0.1 XX.XXX.XX.XXX) 109.173.53.213 with 63 connections blocked on 3600 seconds

If you manage to sort out this bug, that would be great. Thanks in advance! P.S. Thanks for the ipset tip, I'll try it.

maxpostal commented 8 years ago

Hi,

I ran into a new issue today. The script is blocking the server on which it is installed:

    # tail -1 /var/log/ddos-deflate.log
    20/09/2016 [14:40:01] -- 3.XXX.XX.XXX blocked on 3600 seconds

where 3.XXX.XX.XXX is the server's IP address.

I don't know why it happened. It worked normally for many days before. Any ideas? Thanks.

Amet13 commented 8 years ago

Hi. Try adding the IP to the ignore list.

maxpostal commented 8 years ago

It is already added.

maxpostal commented 8 years ago

I found another bug: I add an IP address to the ignore list and a few minutes later that IP address removes itself from the list. Beforehand that IP address had been banned and the rule with that IP address had been deleted.

maxpostal commented 8 years ago

The server self-blocking happened again, this time by hostname; I added the hostname to ignoreip.list. Looks like I need to use something else...