An iptables script against site ripping

xiaoxiao  2021-03-06

So-called "site ripping" means using offline browsing software such as Teleport or GetRight to download a whole site in one go. A site that serves only static pages can tolerate this, but on a site that runs a lot of CGI or has to query a back-end database, too many concurrent connections or too little CPU can easily bring the server down. I believe few webmasters welcome this kind of behaviour. If you also run Linux and are able to use iptables, this script may be worth a try. A few statements first:

1) This script has only been tested on Red Hat Linux 7.x; it is not guaranteed to work on other system versions.
2) The script is not perfect and certainly has shortcomings. Please assess the risk yourself.
3) The author is not responsible for any loss the script may cause.

The script works roughly as follows:

1) It checks the system's connection count and CPU usage. If everything is within the acceptable range, no restriction is applied.
2) If a limit is exceeded, a blacklist is built from the current connections.
3) Being listed once has no effect. Once a source has been listed a certain number of times (an adjustable variable), the iptables LIMIT rule is enabled for it, restricting the source to one packet per second.
4) If a source appears in the limit list a certain number of times (adjustable), the iptables DROP rule is enabled and the source is blocked temporarily.
5) The script updates the blacklists on every run. If a source's number of appearances falls below the threshold, its DROP or LIMIT rule is deleted.
6) If a source appears in the drop list a certain number of times (adjustable), a permanent iptables DROP rule is enabled for it and is never deleted by the script.

Requirements for running the script:

1) Root privileges are needed. The script creates a block subdirectory under /root.
2) The script itself contains no loop; set the execution interval with crontab.
3) If other iptables rule settings exist (for example portsentry), please resolve rule consistency yourself.
4) Please decide for yourself when to remove the permanent DROP rules the script creates (another script plus a crontab entry will do).
5) The script restarts httpd if it detects that httpd is dead. If this is inconvenient for your web server, comment out or delete that block of code.
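The six-step escalation above is easier to follow as a model than as a shell pipeline. The following is an added example, not the page's script and not the author's code: it keeps the same five rotating history lists (http, limit, drop, with a permanent set), uses the script's own thresholds (HTTP_NU, LIMIT_NU, DROP_NU, PERM_NU), parses constructed netstat -na output the way the script's netstat|awk|cut pipeline does, and returns the iptables commands each run would issue instead of executing them. The addresses, the "Blocker" class, the helper names and the scenario in demo() are all constructed for illustration.

```python
from collections import Counter, deque

# Thresholds use the script's own variable names and defaults.
HTTP_NU = 16    # connections from one source in one snapshot to enter the http list
LIMIT_NU = 2    # http-list appearances (within the kept history) before a LIMIT rule
DROP_NU = 5     # limit-list appearances before a DROP rule
PERM_NU = 5     # drop-list appearances before a permanent DROP rule
HISTORY = 5     # rotated copies kept per list (the .1 .. .5 files)
HTTP_PORT = 80


def sources_from_netstat(lines, port=HTTP_PORT):
    """Foreign addresses of TCP connections to the local port, the equivalent of
    netstat -na | grep ":80 " | awk '{print $5}' | cut -d: -f1 | sed '/0.0.0.0/d'."""
    srcs = []
    for line in lines:
        f = line.split()
        if len(f) < 5 or not f[0].startswith("tcp"):
            continue
        local, foreign = f[3], f[4]
        if not local.endswith(":%d" % port):
            continue
        ip = foreign.rsplit(":", 1)[0]
        if ip == "0.0.0.0":        # the LISTEN socket's "foreign" side
            continue
        srcs.append(ip)
    return srcs


def over_threshold(items, n):
    """cr_list: every address occurring at least n times in items."""
    return sorted(ip for ip, c in Counter(items).items() if c >= n)


def flatten(history):
    return [ip for period in history for ip in period]


def rules(op, ip, action):
    """iptables lines the script runs for one address; op is 'A' (add) or 'D' (delete)."""
    base = "iptables -%s INPUT -p tcp --dport %d -s %s" % (op, HTTP_PORT, ip)
    if action == "LIMIT":   # a LIMIT entry is an ACCEPT at 1/s followed by a DROP
        return [base + " -m limit --limit 1/s -j ACCEPT", base + " -j DROP"]
    return [base + " -j DROP"]


class Blocker:
    def __init__(self, exceptions=()):
        self.exceptions = set(exceptions)          # the .excp list
        self.http_hist = deque(maxlen=HISTORY)
        self.limit_hist = deque(maxlen=HISTORY)
        self.drop_hist = deque(maxlen=HISTORY)
        self.limited, self.dropped, self.perm = set(), set(), set()

    def step(self, netstat_lines, overloaded):
        """One cron run: lists age every run, new entries only under load.
        Returns the iptables commands this run would issue."""
        hits = over_threshold(sources_from_netstat(netstat_lines), HTTP_NU) if overloaded else []
        self.http_hist.append(hits)
        limit_c = [ip for ip in over_threshold(flatten(self.http_hist), LIMIT_NU)
                   if ip not in self.exceptions]
        self.limit_hist.append(limit_c)
        drop_c = over_threshold(flatten(self.limit_hist), DROP_NU)
        self.drop_hist.append(drop_c)
        self.perm |= set(over_threshold(flatten(self.drop_hist), PERM_NU))
        want_drop = set(drop_c) | self.perm        # permanent entries are never removed
        want_limit = set(limit_c) - want_drop
        cmds = []
        for ip in sorted(self.limited - want_limit):
            cmds += rules("D", ip, "LIMIT")
        for ip in sorted(self.dropped - want_drop):
            cmds += rules("D", ip, "DROP")
        for ip in sorted(want_limit - self.limited):
            cmds += rules("A", ip, "LIMIT")
        for ip in sorted(want_drop - self.dropped):
            cmds += rules("A", ip, "DROP")
        self.limited, self.dropped = want_limit, want_drop
        return cmds


def snapshot(counts):
    """Constructed netstat -na output; counts maps a source address to its open connections."""
    lines = ["tcp  0  0  0.0.0.0:%d  0.0.0.0:*  LISTEN" % HTTP_PORT]
    for ip, n in counts.items():
        lines += ["tcp  0  0  10.0.0.1:%d  %s:%d  ESTABLISHED" % (HTTP_PORT, ip, 40000 + k)
                  for k in range(n)]
    return lines


def demo(runs=15):
    """Constructed scenario: 192.0.2.10 rips the site for ten runs, then stops; 192.0.2.77
    is a busy proxy on the exception list; 198.51.100.5 is an ordinary visitor. Returns the
    run in which the ripper was first limited, dropped and made permanent, the commands
    issued per run, and the final state."""
    ripper, proxy, visitor = "192.0.2.10", "192.0.2.77", "198.51.100.5"
    b = Blocker(exceptions={proxy})
    first, cmds = {"limit": None, "drop": None, "perm": None}, {}
    for run in range(1, runs + 1):
        counts = {proxy: 40, visitor: 3}
        if run <= 10:
            counts[ripper] = 25
        cmds[run] = b.step(snapshot(counts), overloaded=True)
        for state, members in (("limit", b.limited), ("drop", b.dropped), ("perm", b.perm)):
            if ripper in members and first[state] is None:
                first[state] = run
    return first, cmds, b


if __name__ == "__main__":
    first, cmds, b = demo()
    print("ripper first limited/dropped/permanent in run:", first)
    for run, c in sorted(cmds.items()):
        print("run %2d: %s" % (run, c))
```

With the defaults the ripper is limited in run 2 (listed twice), dropped in run 6 (limited in five consecutive runs) and permanent in run 10; the proxy is never touched because the exception filter runs before the limit list is built. Note what the history lengths imply: with HISTORY equal to DROP_NU, a source has to be limited in every one of the last five runs to be dropped, and it falls out of the limit list again a few runs after it stops, which is exactly the de-escalation step 5 describes.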

(The block to look for is the one under the comment "# -- restart httpd if dead --".) Script code (debugging welcome):

#!/bin/bash
# purpose: to block httpd connection
# Author: Netman (netman@study-area.org)
# License: GPL
# Date: 2003/10/09
# Version: 1.19
# -- change log --
# [deleted]

PATH=$PATH:/sbin:/usr/sbin
EXT_IF=eth0               # external interface
HTTP_NU=16                # connection number to be added to list
LIMIT_NU=2                # number to be limited
DROP_NU=5                 # number to be dropped
PERM_NU=5                 # number to be dropped permanently
CL_S=8                    # CPU loading for system
CL_U=65                   # CPU loading for user
HC_N=200                  # HTTP connection number for session
HC_U=20                   # HTTP connection number for source
TW_N=40                   # TIME_WAIT number for session
HTTP_PORT=80              # HTTP port number
UD_HTTP=30                # minutes to update http list
UD_LIMIT=2                # hours to update limit list
UD_DROP=1                 # days to update drop list
HTTP_SCRIPT=/etc/rc.d/init.d/httpd
HTTP_USER=apache
HTTP_CMD=httpd
IPCRM_CMD=ipcrm
IPCS_CMD=ipcs
SAR_CMD=sar
NETSTAT_CMD=netstat
MAIL_CMD=mail
AWK_CMD=awk
IPT_CMD=iptables
IPT_SAVE_CMD=iptables-save
BASED_DIR=/root/block
PID_FILE=${BASED_DIR}/${0##*/}.pid
HTTP_LIST=${BASED_DIR}/http.list
HTTP_LIST_TMP=${HTTP_LIST}.tmp
HTTP_TW_TMP=${HTTP_LIST}.tw
LIMIT_LIST=${HTTP_LIST}.limit
DROP_LIST=${HTTP_LIST}.drop
PERM_LIST=${HTTP_LIST}.perm
# NOTE: using '|' between each ip in a single line in the EXCP_LIST
EXCP_LIST=${HTTP_LIST}.excp

# -- check programs --
for pgr in $HTTP_CMD $IPCRM_CMD $IPCS_CMD $SAR_CMD $NETSTAT_CMD $MAIL_CMD $AWK_CMD $IPT_CMD $IPT_SAVE_CMD
do
    which $pgr &>/dev/null || {
        echo "${0##*/}: Error: $pgr not found or not in the path."
        exit 1
    }
done

# -- create based dir --
if [ ! -d $BASED_DIR ]; then
    mkdir $BASED_DIR || {
        echo "${0##*/}: Error: can not create directory $BASED_DIR."
        exit 2
    }
fi

# -- create files and set timestamps --
# Each list's mtime is set back by its update period; a list is aged when its
# .new file is older than this backdated timestamp.
touch --date="$UD_HTTP minutes ago" $HTTP_LIST
touch --date="$UD_LIMIT hours ago" $LIMIT_LIST
touch --date="$UD_DROP days ago" $DROP_LIST
touch $EXCP_LIST
touch $PERM_LIST

# -- detect running copy --
if [ -e $PID_FILE ]; then
    echo "${0##*/}: Warning: there is a running copy of the script."
    echo "Exiting..."
    exit 3
else
    echo "$$" > $PID_FILE
    trap 'rm -f $PID_FILE' EXIT     # remove our pid file however we exit
fi

# -- restart httpd if dead --
# ps lists the header and root's master process; no other lines means no workers.
ps u -C $HTTP_CMD | grep -q -E -v '^USER|^root' || {
    $HTTP_SCRIPT stop
    sleep 2
    # free the semaphores left behind by httpd (only those owned by HTTP_USER)
    for i in $($IPCS_CMD | sed '/semid/,/^---/!d' | $AWK_CMD -v u=$HTTP_USER '/^0x/ && $3 == u {print $2}'); do
        $IPCRM_CMD sem $i
    done
    $HTTP_SCRIPT start
    date | $MAIL_CMD -s "httpd restarted" root
    exit 3
}

# -- create source list --
# $5 of netstat -na is the foreign address; strip the port, drop the 0.0.0.0 LISTEN entry
$NETSTAT_CMD -na | grep ":$HTTP_PORT " | $AWK_CMD '{print $5}' | cut -d: -f1 | sort \
    | sed '/0.0.0.0/d' > $HTTP_LIST_TMP
$NETSTAT_CMD -na | grep ":$HTTP_PORT " | grep "TIME_WAIT" | $AWK_CMD '{print $5}' \
    | cut -d: -f1 | sort | sed '/0.0.0.0/d' > $HTTP_TW_TMP

# -- check loading --
# last line of sar -u is the average: $3 = %user, $5 = %system
CPULOAD=$($SAR_CMD -u 1 3 | tail -1 | $AWK_CMD '{printf("%i:%i", $3, $5)}')
CPUUSR=${CPULOAD%:*}
CPUSYS=${CPULOAD#*:}
HTTP_CN=$(wc -l < $HTTP_LIST_TMP)          # connections in total
HTTP_UN=$(uniq $HTTP_LIST_TMP | wc -l)     # distinct sources
HTTP_TW=$(uniq $HTTP_TW_TMP | wc -l)       # distinct sources in TIME_WAIT
echo "      Limit  Current"
echo "CL_U: $CL_U  $CPUUSR"
echo "CL_S: $CL_S  $CPUSYS"
echo "HC_N: $HC_N  $HTTP_CN"
echo "HC_U: $HC_U  $HTTP_UN"
echo "TW_N: $TW_N  $HTTP_TW"

# -- function: update lists --
# rotate list -> .1 -> .2 ... -> .5 and merge the five copies into list.new
ud_list () {
    for i in $@; do
        touch ${i}.1 ${i}.2 ${i}.3 ${i}.4
        mv ${i}.4 ${i}.5
        mv ${i}.3 ${i}.4
        mv ${i}.2 ${i}.3
        mv ${i}.1 ${i}.2
        mv ${i} ${i}.1
        sort ${i}.[1-5] > ${i}.new
    done
}

# -- http list aged? (nothing changed in the period) --
if [ $HTTP_LIST.new -ot $HTTP_LIST ]; then
    # -- remove old limit rules --
    for i in $(cat $LIMIT_LIST); do
        echo remove $i from limit
        $IPT_CMD -D INPUT -p tcp --dport $HTTP_PORT \
            -s $i -m limit --limit 1/s -j ACCEPT
        $IPT_CMD -D INPUT -p tcp --dport $HTTP_PORT \
            -s $i -j DROP
    done
    # -- update http list --
    ud_list $HTTP_LIST
fi
if [ -s $LIMIT_LIST -o $LIMIT_LIST.new -ot $LIMIT_LIST ]; then
    # -- remove old drop rules --
    for i in $(cat $DROP_LIST); do
        echo remove $i from drop
        $IPT_CMD -D INPUT -p tcp --dport $HTTP_PORT \
            -s $i -j DROP
    done
    # -- update limit list --
    ud_list $LIMIT_LIST
fi
if [ -s $DROP_LIST -o $DROP_LIST.new -ot $DROP_LIST ]; then
    # -- update drop list --
    ud_list $DROP_LIST
    # -- merge perm list into the drop history so permanent entries stay counted --
    # (this line is garbled on the page; the merge is the reconstruction assumed here)
    sort -u $PERM_LIST >> $DROP_LIST.new
fi

# -- limiting http connection --
if [ "$CPUSYS" -gt "$CL_S" -o "$CPUUSR" -gt "$CL_U" -o "$HTTP_CN" -gt "$HC_N" \
     -o "$HTTP_UN" -gt "$HC_U" -o "$HTTP_TW" -gt "$TW_N" ]; then
    # -- function: create list --
    # $1 sorted input list, $2 threshold, $3 output list: append every address
    # that occurs at least $2 times in $1
    cr_list () {
        address="0.0.0.0"
        count=1
        for i in $(cat $1); do
            if [ "$address" != "$i" ]; then
                if [ "$count" -ge "$2" ]; then
                    echo $address >> $3
                fi
                address=$i
                count=1
            else
                count=$(($count + 1))
            fi
        done
        if [ "$count" -ge "$2" ]; then
            echo $address >> $3
        fi
    }
    # -- collect high rate connections --
    cr_list $HTTP_LIST_TMP $HTTP_NU $HTTP_LIST
    # -- create limit list --
    if [ -s $HTTP_LIST ]; then
        cr_list $HTTP_LIST.new $LIMIT_NU $LIMIT_LIST
        # -- make exception --
        if [ -s $EXCP_LIST ]; then
            grep -v -E -f $EXCP_LIST $LIMIT_LIST > $LIMIT_LIST.tmp \
                && mv $LIMIT_LIST.tmp $LIMIT_LIST
        fi
    fi
    # -- the copy of the script on the page ends here; the steps that add the
    #    LIMIT, DROP and permanent DROP rules described above are not included --
fi

Please credit the original when reposting: https://www.9cbs.com/read-81240.html
