These are tools I use for managing things on servers. 

block		-	Block an IPv4 address.
unblock		-	Unblock an IPv4 address.
theDrain	-	Watch, log, and help mitigate SYN floods.

theDrain must not be your first line of defence against a SYN flood. There are
much better mitigations such as SYN cookies and various other sysctl settings.
theDrain is intended for watching, logging and blocking the IPs of large
offenders to lighten the load and stop the sending of wasted SYN-ACKs. Blocking
only happens if it is run as root.

Care must be taken to set the $max_ho variable to a value that is sane for
your server and will not catch too many innocent clients making heavy but normal
use of the system. The current default is one that worked well on the more
heavily used of the two servers this was written for.
 
theDrain is also not good at catching highly distributed attacks. Again, it must
not be your first line of defence. It is, however, very good at letting you see
the IP addresses involved so that you can then manually block them, should you
choose to, using the net block retrieved from whois in CIDR format.
For example, if you saw a lot of 117.221.1x.xx addresses you could do a whois on
one of them.

Let's say 117.221.14.131.

When you run: whois 117.221.14.131
you can see from the line: % Information related to '117.221.0.0/20AS9829'
that the net block in question is: 117.221.0.0/20. Often
there is a CIDR: line with this info instead or as well.
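The manual whois step above can be scripted. The following is an added example, not part of this README or of theDrain: it pulls the net block out of whois output in either of the two forms the text mentions (an explicit CIDR: line, or the "% Information related to" header) and then checks that the address you looked up really falls inside that block before you hand it to anything that blocks. The whois excerpts in it are constructed samples, not real registry data, and the function names are mine.

```sh
#!/bin/sh
# Added example (not theDrain's code): extract a CIDR net block from whois output
# and sanity-check that an IPv4 address belongs to it.

# Constructed whois excerpt in the "% Information related to" style for the
# README's example address. Not real registry data.
SAMPLE_WHOIS="% Information related to '117.221.0.0/20AS9829'

route:          117.221.0.0/20
descr:          constructed sample
origin:         AS9829"

# Constructed excerpt in the other style, with an explicit CIDR: line.
SAMPLE_WHOIS_CIDR="NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        CONSTRUCTED-SAMPLE"

# extract_cidr WHOIS_TEXT
# Prints the first net block found in CIDR form, preferring an explicit CIDR:
# line and falling back to the "% Information related to" header. Prints
# nothing when neither is present, so callers can test for an empty result.
extract_cidr() {
    cidr=$(printf '%s\n' "$1" \
        | sed -n 's/^CIDR:[[:space:]]*\([0-9.]*\/[0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    if [ -z "$cidr" ]; then
        cidr=$(printf '%s\n' "$1" \
            | sed -n "s/^% Information related to '\([0-9.]*\/[0-9][0-9]*\).*/\1/p" \
            | head -n 1)
    fi
    printf '%s\n' "$cidr"
}

# ip_in_cidr IP CIDR
# Exit status 0 when the IPv4 address lies inside the block. Both addresses are
# reduced to their network prefix by integer division, which avoids needing
# bitwise operators in awk.
ip_in_cidr() {
    printf '%s %s\n' "$1" "$2" | awk '
        function toint(ip,  o) {
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        {
            split($2, c, "/")
            host_bits = 2 ^ (32 - c[2])
            exit ((int(toint($1) / host_bits) == int(toint(c[1]) / host_bits)) ? 0 : 1)
        }'
}

# Walk through the README's example.
block=$(extract_cidr "$SAMPLE_WHOIS")
echo "net block for 117.221.14.131: $block"
if ip_in_cidr 117.221.14.131 "$block"; then
    echo "117.221.14.131 is inside $block"
fi
```

Feed it real output with `extract_cidr "$(whois 117.221.14.131)"`; the ip_in_cidr check is worth keeping, because whois output sometimes lists several related objects and the first CIDR-looking line is not always the one covering your address.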


Running:
--------

Block and unblock are fairly self-explanatory, so I won't talk about them.

theDrain has several ways it can be run. 

Executing it as a non-privileged user takes a quick look and prints out stats on
half-open connections.

Executing it as root does the same as above but also blacklists any IPs with more
than $max_ho half-open connections.

I find using something like:

watch -n 5 theDrain

as either root or a non-privileged user, depending on whether you want to monitor
or to monitor and block, works very well.

theDrain also logs to a file, drain.txt, so you can leave it running via watch and
come back later to see what was blocked.

It will also fire off e-mail alerts if it sees more than $alert_level half-open
connections, sending the alert to the address specified in $alert_to.
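To make the thresholds concrete, here is an added example of the core logic the README describes, written by me and not taken from theDrain itself: count half-open (SYN_RECV) connections per remote IP from netstat-style output, report the IPs over $max_ho, append them to a log in the spirit of drain.txt, and say whether the total has crossed $alert_level. The variable names $max_ho and $alert_level are the README's; their values here, the netstat-style sample, the function names and the log format are my own constructions. Blocking and mailing are left out so the logic can be exercised without root.

```sh
#!/bin/sh
# Added example (not theDrain's code): per-IP half-open connection counting
# with the README's two thresholds. Values are illustrative only.

max_ho=2          # per-IP threshold; tune for your server, as the README warns
alert_level=3     # total half-open connections that trigger an alert

# Constructed "netstat -ant" style output (proto recv-q send-q local foreign
# state). Not captured from a real host.
SAMPLE_NETSTAT="tcp        0      0 10.0.0.5:80          198.51.100.7:40001     SYN_RECV
tcp        0      0 10.0.0.5:80          198.51.100.7:40002     SYN_RECV
tcp        0      0 10.0.0.5:80          198.51.100.7:40003     SYN_RECV
tcp        0      0 10.0.0.5:443         203.0.113.9:51000      SYN_RECV
tcp        0      0 10.0.0.5:443         192.0.2.44:60000       ESTABLISHED
tcp        0      0 10.0.0.5:22          192.0.2.44:60001       ESTABLISHED"

# half_open_by_ip NETSTAT_TEXT -> lines of "COUNT IP", highest count first.
# Only SYN_RECV rows count; the port is stripped from the foreign address
# (IPv4 only, matching the block/unblock tools).
half_open_by_ip() {
    printf '%s\n' "$1" | awk '
        $6 == "SYN_RECV" {
            split($5, a, ":")
            count[a[1]]++
        }
        END { for (ip in count) print count[ip], ip }' | sort -rn
}

# total_half_open NETSTAT_TEXT -> total number of SYN_RECV connections
total_half_open() {
    printf '%s\n' "$1" | awk '$6 == "SYN_RECV" { t++ } END { print t + 0 }'
}

# offenders NETSTAT_TEXT -> IPs with strictly more than $max_ho half-open
# connections, one per line (these are what root mode would blacklist)
offenders() {
    half_open_by_ip "$1" | awk -v limit="$max_ho" '$1 > limit { print $2 }'
}

# should_alert NETSTAT_TEXT -> exit 0 when the total exceeds $alert_level
should_alert() {
    [ "$(total_half_open "$1")" -gt "$alert_level" ]
}

# log_offenders NETSTAT_TEXT LOGFILE -> append "timestamp ip count" per offender
log_offenders() {
    half_open_by_ip "$1" \
        | awk -v limit="$max_ho" -v ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            '$1 > limit { print ts, $2, $1 }' >> "$2"
}

# One pass over the sample, the way a single "watch" iteration would see it.
echo "half-open connections per IP:"
half_open_by_ip "$SAMPLE_NETSTAT"
echo "total: $(total_half_open "$SAMPLE_NETSTAT")"
echo "over max_ho=$max_ho: $(offenders "$SAMPLE_NETSTAT" | tr '\n' ' ')"
if should_alert "$SAMPLE_NETSTAT"; then
    echo "alert: total exceeds alert_level=$alert_level"
fi
```

On a live host replace the sample with `"$(netstat -ant)"` (or the equivalent `ss` output with the column positions adjusted). With this sample and max_ho=2, 198.51.100.7 is the only offender; 203.0.113.9 with one half-open connection is exactly the kind of normal client a too-low $max_ho would sweep up, which is why the README stresses picking that value for your own traffic.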

Definitely take a look at the source and set the variables in a way that is sane for your use.