If you suspect that your server is being flooded, the first thing to do is run the following command:
netstat -ntu | awk 'NR>2 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
This lists the total number of connections (first column) from each remote IP address (second column), busiest first. The NR>2 skips the two netstat header lines, which would otherwise show up as stray entries; note that cut -d: -f1 truncates IPv6 addresses, so this one-liner is only reliable for IPv4 peers. If some address holds far more connections than a normal client would, check what it is first (a busy NAT gateway, proxy or monitoring host can legitimately hold many connections), then block it with the following command:
iptables -I INPUT -s 45.165.30.20 -j DROP
where 45.165.30.20 is the IP address you want to block. The -I flag inserts the rule at the top of the INPUT chain, so it takes precedence over any rules already there. If you need to block a whole subnet, use a CIDR mask:
- 45.165.30.0/24 will block the whole 45.165.30.x subnet
- 45.165.0.0/16 will block the whole 45.165.x.x subnet
- 45.0.0.0/8 will block the whole 45.x.x.x subnet
So the command will look like
iptables -I INPUT -s 45.165.0.0/16 -j DROP
You can remove an address from the blacklist again with -D; the rule has to be specified exactly as it was added:
iptables -D INPUT -s 45.165.0.0/16 -j DROP
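The detect-and-block steps above can be scripted so that the threshold and the generated rules are reviewed before anything is dropped. The following shell script is an added example, not code from the original article: it counts connections per remote address from netstat output, keeps only the sources above a threshold, and prints the matching iptables commands instead of running them. The netstat sample and its addresses are constructed test data, and the threshold value is an assumption you would tune for your own traffic.

```shell
#!/bin/sh
# Added example (not from the original article): parse `netstat -ntu`
# output, count connections per remote IP, flag sources above a threshold,
# and print the matching iptables DROP rules for review before running them.

# Constructed sample of `netstat -ntu` output with fake addresses, so the
# script runs offline. For live use: netstat -ntu | count_sources
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::2:55555     ESTABLISHED
udp        0      0 10.0.0.5:53             203.0.113.9:53'

# Read netstat output on stdin, emit "count ip" lines, busiest first.
count_sources() {
    # NR > 2 skips the two header lines. Stripping only the text after the
    # LAST colon removes the port for both IPv4 and IPv6 peers, which the
    # usual `cut -d: -f1` gets wrong for IPv6.
    awk 'NR > 2 && NF >= 5 { sub(/:[0-9]+$/, "", $5); print $5 }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Read "count ip" lines, print only the IPs whose count exceeds $1.
over_threshold() {
    awk -v limit="$1" '$1 > limit { print $2 }'
}

# Read IPs, print (do not execute) one DROP rule per IP so the list can be
# reviewed first. Pipe the output into `sh` once you are happy with it.
drop_rules() {
    while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Dry run against the constructed sample; 2 is an assumed threshold.
printf '%s\n' "$SAMPLE_NETSTAT" | count_sources | over_threshold 2 | drop_rules
```

On a live host the same pipeline is `netstat -ntu | count_sources | over_threshold 50 | drop_rules`, with the threshold chosen from what your normal per-client connection counts look like; only append `| sh` after reading the generated rules, because every address in that list is about to be cut off completely.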
Also make sure the iptables service is actually running (the service and chkconfig commands below are for RHEL/CentOS-style systems):
service iptables status
If it reports that iptables is stopped, start it with
service iptables start
You may look at your current iptables entries using
iptables -L -n
You can also clear all iptables rules, including any blacklist entries you added, by issuing the following series of commands (the first three reset the default policies to ACCEPT so you do not lock yourself out when the rules are flushed):
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
After you have added all the entries you want to blacklist, save the ruleset so that iptables loads it again on the next server startup:
service iptables save
You may also want iptables to start automatically whenever the system boots:
chkconfig iptables on