Closed maxpostal closed 8 years ago
Hello. First, there is no need to reboot the server after installing the script.
I think you have this problem because the script uses non-strict matching against ignoreip.list.
Please try to use ddos-deflate with new patch https://github.com/Amet13/ddos-deflate/commit/c341f6d501051c7cce7e90d6f2bdace568521750
You can apply the patch with this console command:
wget -q -O /usr/local/ddos-deflate/ddos-deflate.sh https://raw.githubusercontent.com/Amet13/ddos-deflate/master/ddos-deflate.sh
or you can manually edit the file /usr/local/ddos-deflate/ddos-deflate.sh
and change line 65 from
IGNORE_BAN=`grep -c $CURR_LINE_IP $IGNORE_IP_LIST`
to
IGNORE_BAN=`grep -cx $CURR_LINE_IP $IGNORE_IP_LIST`
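As an added example (not the script's own code), this shows how the original unanchored grep differs from an exact whole-line match against the ignore list; the list path, its entries and the IPs tested are constructed:

```shell
#!/bin/sh
# Added example, not ddos-deflate's own code: why `grep -c $IP list`
# is the wrong whitelist test and what an exact match looks like.
# The list path is a constructed stand-in for
# /usr/local/ddos-deflate/ignoreip.list.
IGNORE_IP_LIST="${IGNORE_IP_LIST:-/tmp/ignoreip.list.example}"

# Constructed ignore list: loopback plus one LAN host.
write_sample_list() {
    printf '%s\n' 127.0.0.1 192.168.0.100 > "$IGNORE_IP_LIST"
}

# Original behaviour (line 65 before the patch): the IP is used as an
# unanchored regex, so "192.168.0.10" also matches the line
# "192.168.0.100", and each "." matches any character.
loose_is_ignored() {
    [ "$(grep -c -- "$1" "$IGNORE_IP_LIST")" -gt 0 ]
}

# Exact test: -F literal string, -x whole line only, -q no output.
strict_is_ignored() {
    grep -Fxq -- "$1" "$IGNORE_IP_LIST"
}

# Succeeds when the two tests give different answers for an IP.
checks_disagree() {
    loose=1; strict=1
    loose_is_ignored "$1" && loose=0
    strict_is_ignored "$1" && strict=0
    [ "$loose" -ne "$strict" ]
}

write_sample_list
for ip in 127.0.0.1 192.168.0.100 192.168.0.10 192.168.0.1; do
    if checks_disagree "$ip"; then
        echo "$ip: loose match says ignored, exact match says not ignored"
    elif strict_is_ignored "$ip"; then
        echo "$ip: ignored (exact match)"
    else
        echo "$ip: not in ignore list"
    fi
done
```

With the sample list, 192.168.0.10 and 192.168.0.1 are wrongly whitelisted by the loose test because both are substrings of 192.168.0.100.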
Hello Amet, Thanks!
Today I received two emails. First:
From: maxim@my.domain.ru Title: IP addresses banned on 01/09/2016 [10:37:55]
Banned the following IP addresses on 01/09/2016 [10:37:55] From: localhost (::1 127.0.0.1 X.XXX.XX.XXX)
X.XXX.XX.XXX with 612 connections blocked on 600 seconds
23.27.244.12 with 127 connections blocked on 600 seconds
Second:
From: root@my.domain.ru Title: IP addresses banned on 01/09/2016 [10:38:01]
Banned the following IP addresses on 01/09/2016 [10:38:01] From: localhost (::1 127.0.0.1 X.XXX.XX.XXX)
23.27.244.12 with 127 connections blocked on 600 seconds
Where X.XXX.XX.XXX is my server's IP address. Could you please fix it?
P.S. Please explain to me how I can test the script from another Linux PC? I don't understand your example: user@192.168.0.100 ~ $ ab -n 200000 -c 100 http://server-ip/ What is 192.168.0.100 and what is http://server-ip/?
P.P.S. Sometimes when I work in the console as a user I see this message:
iptables v1.4.21: can't initialize iptables table `raw': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.21: can't initialize iptables table `raw': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
grep: /usr/local/ddos-deflate/ignoreip.list: Permission denied
mv: replace ‘/usr/local/ddos-deflate/ignoreip.list’, overriding mode 0600 (rw-------)? mv: error closing file
What is it?
Thanks in advance!
BR, Max.
P.S. Please explain to me how I can test the script from another Linux PC? I don't understand your example
I'm using Apache Benchmark from my work PC (192.168.0.100) against a virtual machine with ddos-deflate (server-ip, in your example X.X.X.X).
iptables v1.4.21: can't initialize iptables table `raw': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.21: can't initialize iptables table `raw': Permission denied (you must be root)
You can run the script only as a user with privileges to use iptables.
mv: replace ‘/usr/local/ddos-deflate/ignoreip.list’, overriding mode 0600 (rw-------)? mv: error closing file
This error is about privileges too.
Oops! I thought that user@192.168.0.100 ~ $ was part of the command... :) Sorry.
I installed this script as root and use the default cron task /etc/cron.d/ddos-deflate
SHELL=/bin/bash
* * * * * root bash /usr/local/ddos-deflate/ddos-deflate.sh > /dev/null; sleep 20; bash /usr/local/ddos-deflate/ddos-deflate.sh > /dev/null 2>&1
It works and my test IP was blocked:
root@xxx:~# iptables -t raw -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DROP all -- 216.185.39.121 anywhere
DROP all -- XXX.XXX.XXX.XXX anywhere
but periodically I still receive emails with my server's IP:
Banned the following IP addresses on 01/09/2016 [13:40:30] From: localhost (::1 127.0.0.1 X.XXX.XX.XXX)
X.XXX.XX.XXX with 675 connections blocked on 600 seconds
Honestly, I can't reproduce the problem in my test workspace. Are you sure your server's IP is in ignoreip.list?
Yes, I'm sure. I use nano /usr/local/ddos-deflate/ignoreip.list and Ctrl + W to search for the server's IP address in this file. I found it.
I noticed this list contains two IP addresses that I didn't add:
127.0.0.1 192.168.0.1 X.XXX.XX.XXX 208.123.223.115
Could you please tell me, is this normal? Thanks.
I found a bug with recording IPs to the ignore list (https://github.com/Amet13/ddos-deflate/commit/4669e13372fdcc02aaf6dd86b6f056a25859b5e6)
You can manually remove line 72 from /usr/local/ddos-deflate/ddos-deflate.sh
or
wget -q -O /usr/local/ddos-deflate/ddos-deflate.sh https://raw.githubusercontent.com/Amet13/ddos-deflate/master/ddos-deflate.sh
Thanks!
Hello!
On one server, several emails arrive in a row about the same blocked IP address:
Banned the following IP addresses on 05/09/2016 [12:31:01] From: localhost (::1 127.0.0.1 X.XXX.XX.XXX) 69.31.50.128 with 67 connections blocked on 86400 seconds
Banned the following IP addresses on 05/09/2016 [12:31:21] From: localhost (::1 127.0.0.1 X.XXX.XX.XXX) 69.31.50.128 with 68 connections blocked on 86400 seconds
On another one, the same thing:
Banned the following IP addresses on 05/09/2016 [12:19:21] From: domain.ru (XX.XXX.XX.XXX) 188.32.23.240 with 75 connections blocked on 600 seconds
Banned the following IP addresses on 05/09/2016 [12:20:01] From: domain.ru (XX.XXX.XX.XXX) 188.32.23.240 with 74 connections blocked on 600 seconds
Banned the following IP addresses on 05/09/2016 [12:20:01] From: domain.ru (XX.XXX.XX.XXX) 188.32.23.240 with 74 connections blocked on 600 seconds
Banned the following IP addresses on 05/09/2016 [12:21:01] From: domain.ru (XX.XXX.XX.XXX) 188.32.23.240 with 74 connections blocked on 600 seconds
Banned the following IP addresses on 05/09/2016 [12:21:21] From: domain.ru (XX.XXX.XX.XXX) 188.32.23.240 with 74 connections blocked on 600 seconds
Banned the following IP addresses on 05/09/2016 [12:21:21] From: domain.ru (XX.XXX.XX.XXX) 188.32.23.240 with 74 connections blocked on 600 seconds
Banned the following IP addresses on 05/09/2016 [12:22:21] From: domain.ru (XX.XXX.XX.XXX) 188.32.23.240 with 45 connections blocked on 600 seconds
Could you please tell me how to eliminate the duplicate emails?
Best regards, Max.
Hello.
Try moving line 80 of the file /usr/local/ddos-deflate/ddos-deflate.sh
:
cat $BANNED_IP_MAIL | mail -s "IP addresses banned on $DATE" $EMAIL_TO
to after the line:
$IPT -t raw -I PREROUTING -s $CURR_LINE_IP -j DROP
P.S. This script has a lot of flaws that will keep surfacing from time to time; I forked it mostly for history's sake, since it is no longer available at its original address. I recommend looking at ipset and fail2ban, where everything is much simpler and better.
Thanks for maintaining this script! Judging by the test results, it is useful. Fail2ban is installed, but I haven't yet figured out how to use it to protect against DoS attackers.
I moved the line, but it didn't help, duplicates keep pouring in :(
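Moving the mail line alone does not prevent a second run from banning and mailing the same address again. As an added example (not ddos-deflate's own code), this checks the existing raw PREROUTING rules before inserting and mails only when a new rule was actually added; the rule listing, the connection counts and the threshold are constructed stand-ins for the live values:

```shell
#!/bin/sh
# Added example, not ddos-deflate's own code: ban an address only if no
# DROP rule for it exists yet, and send one mail per run, only when
# something new was actually added. The rule listing and the connection
# counts below are constructed stand-ins for the live values.

# Stand-in for: iptables -t raw -S PREROUTING   (one rule already present)
current_bans() {
    printf '%s\n' '-P PREROUTING ACCEPT' \
                  '-A PREROUTING -s 23.27.244.12/32 -j DROP'
}

# Succeeds when a DROP rule for this source address is already in place.
already_banned() {
    current_bans | grep -Fq -- "-s $1/32 -j DROP"
}

# stdin: "<count> <ip>" lines, like the sorted netstat output the script
# works from.  $1 = connection threshold.  Prints one line per NEW ban.
new_bans() {
    while read -r count ip; do
        [ "$count" -ge "$1" ] || continue
        already_banned "$ip" && continue
        # live action would be:  $IPT -t raw -I PREROUTING -s "$ip" -j DROP
        echo "$ip with $count connections"
    done
}

count_new_bans() { new_bans "$1" | wc -l | tr -d ' '; }

# Constructed connection counts: one IP is already dropped, one is new,
# one is below the threshold.
SAMPLE='127 23.27.244.12
131 188.32.23.240
12 10.1.2.3'

# One run of the check: returns 0 and "mails" only if a new ban happened.
run_once() {
    body=$(printf '%s\n' "$SAMPLE" | new_bans 100)
    if [ -n "$body" ]; then
        # live action:  printf '%s\n' "$body" | mail -s "IP addresses banned on $DATE" "$EMAIL_TO"
        echo "mail would contain: $body"
        return 0
    fi
    echo "no new bans, no mail sent"
    return 1
}

run_once
```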
Banned the following IP addresses on 06/09/2016 [08:42:01] From: localhost (::1 127.0.0.1 XX.XXX.XX.XXX) 95.221.203.80 with 58 connections blocked on 3600 seconds
Banned the following IP addresses on 06/09/2016 [08:41:21] From: localhost (::1 127.0.0.1 XX.XXX.XX.XXX) 95.221.203.80 with 58 connections blocked on 3600 seconds
Banned the following IP addresses on 06/09/2016 [08:39:01] From: localhost (::1 127.0.0.1 XX.XXX.XX.XXX) 95.221.254.143 with 66 connections blocked on 3600 seconds
Banned the following IP addresses on 06/09/2016 [08:38:21] From: localhost (::1 127.0.0.1 XX.XXX.XX.XXX) 95.221.254.143 with 66 connections blocked on 3600 seconds
Banned the following IP addresses on 06/09/2016 [08:38:21] From: localhost (::1 127.0.0.1 XX.XXX.XX.XXX) 95.221.254.143 with 66 connections blocked on 3600 seconds 109.173.53.213 with 63 connections blocked on 3600 seconds
Banned the following IP addresses on 06/09/2016 [08:38:01] From: localhost (::1 127.0.0.1 XX.XXX.XX.XXX) 109.173.53.213 with 63 connections blocked on 3600 seconds
If you manage to sort out this flaw, that would be great. Thanks in advance! P.S. Thanks for the ipset suggestion, I'll try it.
Hi,
I faced a new issue today. The script is blocking the server on which it is installed:
# tail -1 /var/log/ddos-deflate.log
20/09/2016 [14:40:01] -- 3.XXX.XX.XXX blocked on 3600 seconds
where 3.XXX.XX.XXX is the server IP address.
I don't know why it happened. It worked normally for many days before. Any ideas? Thanks.
Hi. Try adding the IP to the ignore list.
It is already added.
I found another bug: I add an IP address to the ignore list, and a few minutes later that IP removes itself from the list. Before that, this IP had been banned and the rule with this IP had been removed.
The server self-blocked again, this time by hostname; I added the hostname to ignoreip.list. It looks like I need to use something else...
Hi! Thanks for the script!
I just installed it and rebooted the server. I got an email at 20:05:
Banned the following IP addresses on 31/08/2016 [20:05:36] From: localhost (::1 127.0.0.1 X.XXX.XX.XXX) X.XXX.XX.XXX with 586 connections blocked on 600 seconds
But this IP is the server's IP. It is added in /usr/local/ddos-deflate/ignoreip.list:
nano /usr/local/ddos-deflate/ignoreip.list
127.0.0.1 192.168.0.1 X.XXX.XX.XXX
root@XXX:~# iptables -t raw -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
root@XXX:~# tail -1 /var/log/ddos-deflate.log
31/08/2016 [19:41:21] -- X.XXX.XX.XXX blocked on 600 seconds
The server works properly. Debian 8.5.
Thank you in advance!
BR, Maxim.