author | Freemor <freemor@freemor.ca> | 2019-09-02 21:26:00 -0300 |
---|---|---|
committer | Freemor <freemor@freemor.ca> | 2019-09-02 21:26:00 -0300 |
commit | bdc9d5f0a8f951c9484beddbc6dfff4cae50d784 (patch) | |
tree | 587248c9cf0e0908e2bb76f62ecedf5e06be8911 | |
parent | ac561bf48b81db461e9085eeaca4e0a858ff8ea5 (diff) |
Added README.txt
-rw-r--r-- | README.txt | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/README.txt b/README.txt new file mode 100644 index 0000000..30e52ed --- /dev/null +++ b/README.txt @@ -0,0 +1,30 @@ +These are tools I use for managing things on servers. + +block - Block an IPv4 address. +unblock - Unblock an IPv4 address. +theDrain - Watch, log, and help mitigate SYN floods. + +theDrain must not be your first line of defence against a SYN flood. There are +much better mitigations such as SYN cookies and various other sysctl settings. +theDrain is intended for watching, logging and IP blocking large offenders to +lighten the load and stop the sending of wasted SYN_ACKS. Blocking only happens +if run ar root. + +Care must be taken to set the $max_ho variable to a value that is sane for +your server and will not catch too many innocents making heavy but normal use +of the system. The current default is one that worked well on the more used of +the 2 servers that this was written for, + +theDrain is also not good at catching highly distributed attacks. Again it must +not be you firstline of defense. It is however very good at letting you see the +IP addresses involved and then manually blocking them should you choose to +using the net block retrieved from whois in CIDR format. +For example if you saw a lot of 117.221.1x.xx numbers you could do a whois on +one of them, + +Lets say 117.221.14.131. + +You can see from the: % Information related to '117.221.0.0/20AS9829' +that the net block in question is: 117.221.0.0/20. Often +there is a CIDR: line with this info also. + |
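Review bot: Several typos in the new README.txt should be fixed before merge: "Blocking only happens if run ar root" should read "if run as root", "it must not be you firstline of defense" should read "your first line of defence" (the file uses "defence" a few lines earlier), and the sentence ending "the 2 servers that this was written for," is cut off at a trailing comma. On substance, the file names three tools (block, unblock, theDrain) but never shows how to invoke them: what argument block and unblock take, whether theDrain needs an interface or port, where $max_ho is set and what its current default is; a one-line usage for each would make the README usable. The whois walkthrough should say which registry output it is quoting, since the "% Information related to" and "CIDR:" lines differ between APNIC/RIPE-style and ARIN output, and it should warn that blocking the whole /20 learned from whois on the strength of one address (117.221.0.0/20 in the example) has a far larger blast radius than the per-IP blocks the rest of the file describes. Finally, the "much better mitigations such as SYN cookies and various other sysctl settings" line would help the reader it is steering toward if it named the knobs (net.ipv4.tcp_syncookies, net.ipv4.tcp_max_syn_backlog).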