DDoS-Defender-v2.0.0版的改進以下:
===============================================
1. 重新改寫v1.0的低級代碼
2. 全新的運行架構,審計流程
3. 優化運行進程的優先級,增強CPU親和性
4. 將臨時數據加載到內存虛擬交換區裏,降低磁盤IO
5. 新增APF防火牆支持(暫不支持自動解鎖)
6. 新增郵件通知功能
下一版將完善對 APF 防火牆的支持（包括目前缺少的自動解鎖），並修復部分已知 BUG。
===============================================
程序安裝:
# tar zxvf DDoS-Defender-v2.0.0.tar.gz
# cd DDoS-Defender-v2.0.0
# ./autoinstall.sh
# /usr/local/DDos/sbin/ddosDer start #啓動程序
安裝完成後，重新登入終端即可直接使用 “ddosDer start” / “ddosDer stop” 命令啓動和停止程序（另有 restart、status 子命令，見下文 ddosDer 源碼）。
查看監控狀態:
# ddosDer status
程序主要目錄介紹:
/usr/local/DDos/sbin #主要程序運行文件夾
/usr/local/DDos/logs #事件記錄
/usr/local/DDos/conf #配置文件
/usr/local/DDos/lib #功能模塊庫
《系統結構圖》
SHELL源碼開放:
主進程“ddos_daemon”(守護):
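#!/bin/bash
##############################################################################
# DDoS-Defender version 2.0.0 Author: Sunshine <[email protected]> #
##############################################################################
# This program is distributed under the "Artistic License" Agreement #
# The LICENSE file is located in the same directory as this program. Please #
# read the LICENSE file before you make copies or distribute this program #
##############################################################################
# The script relies on bash-only syntax (`source`, `==` inside `[ ]`), so it
# must be interpreted by bash, not a POSIX /bin/sh such as dash.
# Fixed, root-controlled search path: the daemon runs as root and calls
# netstat/iptables/mail by bare name, so nothing user-writable may appear here
# (`~` is root's home when started through ddosDer).
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin:/usr/local/DDos/sbin
export PATH
# Settings file. load_conf executes it with `source` as root, so it must be
# owned by root and not writable by anyone else.
CONF_FILE="/usr/local/DDos/conf/ddos.conf"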
# Print the program banner: name/version, copyright line, then a blank line.
header()
{
    printf '%s\n' "DDoS-Defender version 2.0.0" \
                  "Copyright (C) 2011,Sunshine <[email protected]>" \
                  ""
}
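# Check if user is root. The daemon edits iptables and writes under
# /usr/local/DDos, so anything else is refused. The expansion is quoted:
# unquoted, a failing `id` produced a malformed test instead of a clean exit.
if [ "$(id -u)" != "0" ]; then
    header
    echo "Error: You must be root to run!" >&2
    exit 1
fi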
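# Clean tmp.
# Prepare $TMP_DIR (by default /dev/shm/tmp, inside a world-writable parent)
# for the mktemp scratch files created later. Returns non-zero, without
# touching anything, when the directory cannot be trusted.
clean_tmp() {
    # With TMP_DIR unset the old `[ -d $TMP_DIR ]` was true and the old
    # `rm -f $TMP_DIR/*` expanded to `rm -f /*` - as root.
    : "${TMP_DIR:?TMP_DIR is not set}"
    if [ -e "$TMP_DIR" ] || [ -L "$TMP_DIR" ]; then
        # Any local user can pre-create /dev/shm/tmp, e.g. as a symlink to
        # /etc; refuse a symlink or a directory we do not own rather than
        # following it with rm as root.
        if [ -L "$TMP_DIR" ] || [ ! -d "$TMP_DIR" ] || [ ! -O "$TMP_DIR" ]; then
            echo "Error: $TMP_DIR is a symlink or not a directory owned by us; refusing to use it." >&2
            return 1
        fi
        chmod 0700 "$TMP_DIR"
        rm -f -- "$TMP_DIR"/*
    else
        mkdir -m 0700 "$TMP_DIR"
    fi
}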
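# Load $CONF_FILE into the current shell and prepare the scratch directory.
# The file is executed as root shell code, so it must be owned by the running
# (root) user. Exits when the file is missing; the old failure path redirected
# into $LOGS_FILE, which the config itself defines and which was therefore
# still unset ("ambiguous redirect").
load_conf()
{
    if [ -n "$CONF_FILE" ] && [ -f "$CONF_FILE" ]; then
        if [ ! -O "$CONF_FILE" ]; then
            echo "Error: $CONF_FILE is not owned by the running user; refusing to source it." >&2
            exit 1
        fi
        . "$CONF_FILE"
        clean_tmp || exit 1
    else
        header >&2
        echo "$CONF_FILE not found." >&2
        if [ -n "$LOGS_FILE" ]; then
            { header; echo "$CONF_FILE not found."; } >> "$LOGS_FILE"
        fi
        exit 1
    fi
}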
- # send email for admins.
- send_mail() {
- if [ $1 -eq 1 ]; then
- dt=`date +"%y-%m-%d %H:%M:%S"`
- if [ `expr length "$EMAIL_TO"` -ne 0 ]; then
- for Addrs in $EMAIL_TO
- do
- cat $BANNED_IP_MAIL | mail -s "IP addresses banned on $dt" $Addrs
- if [ $? -eq 0 ];then
- echo "IP addresses banned on $dt,MailTo $Addrs Success."
- else
- echo "Sendmail error..."
- fi
- done
- rm -f $TMP_DIR$BANNED_IP_MAIL
- fi
- fi
- }
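################################################################################################
# Write the notification header and start a fresh body in $BANNED_IP_MAIL.
# Called once at startup and again after each notification has been handed to
# $SENDMAIL_EXE (the original tried to rm the body there but built the path as
# "$TMP_DIR"/"$BANNED_IP_MAIL" - a non-existent file - so the body grew forever).
new_mail_body() {
    echo "Banned the following ip addresses on $(date)" > "$BANNED_IP_MAIL"
    echo >> "$BANNED_IP_MAIL"
}

# True when INPUT already holds a DROP rule for exactly $1. -n suppresses the
# reverse DNS lookup the old `iptables --list | grep IP` made for every rule
# (which also turned sources into hostnames so the grep missed), and the exact
# column match replaces a substring match that treated 1.2.3.4 as banned
# whenever 1.2.3.45 was.
ipt_has_drop() {
    "${IPT:-/sbin/iptables}" -n -L INPUT 2>/dev/null \
        | awk -v ip="$1" '$1 == "DROP" && $4 == ip { found = 1 } END { exit !found }'
}

# True when $CROND_LIST already has a record whose first field is exactly $1.
# The original wrote grep '$CURR_LINE_IP' in single quotes, which never
# matched, so a new record was appended on every cycle.
crond_has_ip() {
    [ -f "$CROND_LIST" ] && awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }' "$CROND_LIST"
}

# Ban one offender. $1 = dotted-quad source address, $2 = its connection count.
# Blocks via APF when APF_BAN=1, otherwise inserts an iptables DROP rule,
# records the ban for ddos_flush and (SENDMAIL_ON=1) hands a notification to
# $SENDMAIL_EXE.
ban_ip() {
    local ip=$1 conns=$2 stamp
    if [ "$APF_BAN" = 1 ]; then
        # APF branch as in 2.0.0: no log, mail or crond_list record
        # (auto-unban for APF is documented as unsupported in this version).
        "$APF" -d "$ip"
        return
    fi
    ipt_has_drop "$ip" && return 0   # already blocked: nothing to do
    if ! "${IPT:-/sbin/iptables}" -I INPUT -s "$ip" -j DROP; then
        echo "iptables failed to block $ip,$(date +"%y-%m-%d %H:%M:%S")" >> "$LOGS_FILE"
        return 1
    fi
    echo "$ip with $conns connections,Lock Now!" >> "$BANNED_IP_MAIL"
    if ! crond_has_ip "$ip"; then
        stamp=$(date +"%y-%m-%d %H:%M:%S")
        echo "$ip with $conns connections,Lock Now!,$stamp" >> "$LOGS_FILE"
        # Record format consumed by ddos_flush: IP Y/m/d H:M:S epoch LOCK
        echo "$ip $(date +%Y/%m/%d) $(date +%H:%M:%S) $(date +%s) LOCK" >> "$CROND_LIST"
    fi
    if [ "$SENDMAIL_ON" = 1 ]; then
        "$SENDMAIL_EXE" "${ip}_banned_On_" "$BANNED_IP_MAIL" >> "$LOGS_FILE"
        new_mail_body
    fi
}

# Daemon loop: every REXEC_TIME seconds count the connections to the monitored
# local ports per remote address and ban every address with at least
# NO_OF_CONNECTIONS of them (KILL=1). Everything echoed here is also mirrored
# to the log by the caller.
active_exec() {
    load_conf
    # Fail loudly on a broken config: with NO_OF_CONNECTIONS unset the old
    # `[ n -lt ]` comparison errored out as false and banned every client.
    : "${NO_OF_CONNECTIONS:?NO_OF_CONNECTIONS is not set in $CONF_FILE}"
    : "${TMP_DIR:?TMP_DIR is not set in $CONF_FILE}"
    : "${CROND_LIST:?CROND_LIST is not set in $CONF_FILE}"
    header >> "$LOGS_FILE"
    echo "ddos_daemon Running OK. $(date +"%y-%m-%d %H:%M:%S")" >> "$LOGS_FILE"
    DDOS_PID="$PROC_DIR"logs/ddos_daemon.SOCK
    echo "$$" > "$DDOS_PID"
    BLACK_LIST=$(mktemp "$TMP_DIR/ddos_backlist.XXXXXXXX") || exit 1
    BANNED_IP_MAIL=$(mktemp "$TMP_DIR/ddos_PREFIX.XXXXXXXX") || exit 1
    trap 'rm -f -- "$BLACK_LIST" "$BANNED_IP_MAIL"' EXIT
    new_mail_body
    : >> "$CROND_LIST"
    while true
    do
        # One "count ip" line per remote address, busiest first.
        # MONT_PORT is matched against the *local* port only and IGNORE_IP
        # against the whole remote address: the old `grep -E $MONT_PORT` on
        # the raw netstat line also hit "80" inside an IP or a remote port, and
        # the unanchored `grep -v -E $IGNORE_IP` whitelisted e.g. 10.0.0.0 via
        # the "0.0.0.0" entry. Both values are EREs (see ddos.conf) and are
        # passed through the environment so awk does not reinterpret
        # backslashes. IPv4-mapped IPv6 sources (::ffff:a.b.c.d) are reduced to
        # a.b.c.d; other IPv6 sources are counted but never banned (iptables only).
        netstat -ntu | MONT_PORT="$MONT_PORT" IGNORE_IP="$IGNORE_IP" awk '
            BEGIN {
                port_re = ":(" ENVIRON["MONT_PORT"] ")$"
                ignore_re = "^(" ENVIRON["IGNORE_IP"] ")$"
            }
            $4 ~ port_re {
                ip = $5
                sub(/:[^:]*$/, "", ip)
                sub(/^::ffff:/, "", ip)
                if (ip !~ ignore_re) count[ip]++
            }
            END { for (ip in count) print count[ip], ip }' | sort -rn > "$BLACK_LIST"
        if [ "$KILL" = 1 ]; then
            while read -r conns ip _; do
                # Sorted descending: the first address under the limit ends the pass.
                [ "$conns" -lt "$NO_OF_CONNECTIONS" ] && break
                case $ip in
                    ''|*[!0-9.]*)
                        echo "Skip non-IPv4 source '$ip' with $conns connections,$(date +"%y-%m-%d %H:%M:%S")" >> "$LOGS_FILE"
                        continue ;;
                esac
                ban_ip "$ip" "$conns"
            done < "$BLACK_LIST"
        fi
        sleep "${REXEC_TIME:-10}"
    done
}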
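# Entry point: run the monitor loop and mirror its output into the log file.
active_exec | tee -a "$LOGS_FILE"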
計劃任務進程“ddos_flush”(守護):
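#!/bin/bash
##############################################################################
# DDoS-Defender version 2.0.0 Author: Sunshine <[email protected]> #
##############################################################################
# This program is distributed under the "Artistic License" Agreement #
# The LICENSE file is located in the same directory as this program. Please #
# read the LICENSE file before you make copies or distribute this program #
##############################################################################
# The script relies on bash-only syntax (`source`, `let`, `[[ ]]`), so it must
# be interpreted by bash, not a POSIX /bin/sh such as dash.
# Fixed, root-controlled search path: the flusher runs as root and calls
# iptables/awk/sed by bare name, so nothing user-writable may appear here
# (`~` is root's home when started through ddosDer).
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin:/usr/local/DDos/sbin
export PATH
# Settings file. load_conf executes it with `source` as root, so it must be
# owned by root and not writable by anyone else.
CONF_FILE="/usr/local/DDos/conf/ddos.conf"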
# Print the program banner: name/version, copyright line, then a blank line.
header()
{
    printf '%s\n' "DDoS-Defender version 2.0.0" \
                  "Copyright (C) 2011,Sunshine <[email protected]>" \
                  ""
}
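# Check if user is root. The flusher deletes iptables rules and rewrites
# files under /usr/local/DDos, so anything else is refused. The expansion is
# quoted: unquoted, a failing `id` produced a malformed test instead of a clean exit.
if [ "$(id -u)" != "0" ]; then
    header
    echo "Error: You must be root to run!" >&2
    exit 1
fi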
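# Load $CONF_FILE into the current shell. The file is executed as root shell
# code, so it must be owned by the running (root) user. Exits when the file is
# missing; the old failure path redirected into $LOGS_FILE, which the config
# itself defines and which was therefore still unset ("ambiguous redirect").
load_conf()
{
    if [ -n "$CONF_FILE" ] && [ -f "$CONF_FILE" ]; then
        if [ ! -O "$CONF_FILE" ]; then
            echo "Error: $CONF_FILE is not owned by the running user; refusing to source it." >&2
            exit 1
        fi
        . "$CONF_FILE"
    else
        header >&2
        echo "$CONF_FILE not found." >&2
        if [ -n "$LOGS_FILE" ]; then
            { header; echo "$CONF_FILE not found."; } >> "$LOGS_FILE"
        fi
        exit 1
    fi
}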
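################################################################################################
# True when INPUT holds a DROP rule for exactly $1. -n avoids the reverse DNS
# lookup per rule that `iptables --list` made, and the exact column match
# replaces the old substring grep where 1.2.3.4 also matched 1.2.3.45.
ipt_has_drop() {
    "${IPT:-/sbin/iptables}" -n -L INPUT 2>/dev/null \
        | awk -v ip="$1" '$1 == "DROP" && $4 == ip { found = 1 } END { exit !found }'
}

# Lift the ban on $1: delete every matching DROP rule from INPUT and remove the
# address's records from $CROND_LIST. The old `sed "/$ip/d"` used the address
# as an unanchored regex, so expiring 1.2.3.4 also deleted the records of
# 1.2.3.45 and 11.2.3.4 while their rules stayed in place - a permanent ban.
unban_ip() {
    local ip=$1 tmp
    case $ip in
        ''|*[!0-9.]*)
            # Not a dotted quad: never hand it to iptables, just drop the record.
            echo "Skip malformed crond_list entry '$ip'. $(date +"%y-%m-%d %H:%M:%S")" >> "$LOGS_FILE" ;;
        *)
            # Loop: earlier versions could insert the same rule several times.
            while ipt_has_drop "$ip"; do
                "${IPT:-/sbin/iptables}" -D INPUT -s "$ip" -j DROP || break
                echo "Clean $ip OK. $(date +"%y-%m-%d %H:%M:%S")" >> "$LOGS_FILE"
            done ;;
    esac
    tmp=$(mktemp "$TMP_DIR/CROND_IP.XXXXXXXX") || return 1
    awk -v ip="$ip" '$1 != ip' "$CROND_LIST" > "$tmp" && cat "$tmp" > "$CROND_LIST"
    rm -f -- "$tmp"
}

# Daemon loop: every REXEC_TIME seconds walk $CROND_LIST (records written by
# ddos_daemon as "IP Y/m/d H:M:S epoch LOCK") and unban every address whose
# record is older than BAN_PERIOD seconds.
flush_exec() {
    local now ip ktime
    load_conf
    : "${TMP_DIR:?TMP_DIR is not set in $CONF_FILE}"
    : "${CROND_LIST:?CROND_LIST is not set in $CONF_FILE}"
    : "${BAN_PERIOD:?BAN_PERIOD is not set in $CONF_FILE}"
    echo "flush_daemon Running OK. $(date +"%y-%m-%d %H:%M:%S")" >> "$LOGS_FILE"
    FLUSH_PID="$PROC_DIR"logs/ddos_flush.SOCK
    TEMP_FILE=$(mktemp "$TMP_DIR/CROND_IP.XXXXXXXX") || exit 1
    trap 'rm -f -- "$TEMP_FILE"' EXIT
    echo "$$" > "$FLUSH_PID"
    while true
    do
        if [ -f "$CROND_LIST" ]; then
            now=$(date +%s)
            # Work from a snapshot: unban_ip rewrites $CROND_LIST while we iterate.
            cp -- "$CROND_LIST" "$TEMP_FILE"
            while read -r ip _ _ ktime _; do
                [ -n "$ip" ] || continue
                case $ktime in
                    ''|*[!0-9]*)
                        # The old `let` on a missing/garbled epoch failed and
                        # silently reused the previous record's age; expire
                        # such records explicitly instead.
                        echo "Bad timestamp for $ip in $CROND_LIST, expiring it. $(date +"%y-%m-%d %H:%M:%S")" >> "$LOGS_FILE"
                        unban_ip "$ip"
                        continue ;;
                esac
                if [ $((now - ktime)) -gt "$BAN_PERIOD" ]; then
                    unban_ip "$ip"
                fi
            done < "$TEMP_FILE"
        fi
        sleep "${REXEC_TIME:-10}"
    done
}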
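# Entry point: run the expiry loop and mirror its output into the log file.
flush_exec | tee -a "$LOGS_FILE"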
主控制進程“ddosDer”:
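#!/bin/bash
##############################################################################
# DDoS-Defender version 2.0.0 Author: Sunshine <[email protected]> #
##############################################################################
# This program is distributed under the "Artistic License" Agreement #
# The LICENSE file is located in the same directory as this program. Please #
# read the LICENSE file before you make copies or distribute this program #
##############################################################################
# bash-only syntax is used below (`source`, `echo -e`, `$"..."`), so run under bash.
# NOTE(review): unlike ddos_daemon/ddos_flush this PATH ends in /usr/local/DDos
# rather than /usr/local/DDos/sbin. The daemons are started by absolute path
# below, so it is harmless, but it looks unintentional.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin:/usr/local/DDos
export PATH
CONF_FILE="/usr/local/DDos/conf/ddos.conf"
# Load the settings (PROC_DIR, LOGS_FILE, CROND_LIST, MONT_PORT, ...). The
# file is executed as shell code, so it must be owned by root and not writable
# by anyone else. The original error path called header() before it was
# defined and redirected into the still-unset $LOGS_FILE; report on stderr.
if [ -n "$CONF_FILE" ] && [ -f "$CONF_FILE" ]; then
    . "$CONF_FILE"
else
    echo "DDoS-Defender version 2.0.0" >&2
    echo "Error: configuration file $CONF_FILE not found." >&2
    exit 1
fi
DDOS_DAEMON="/usr/local/DDos/sbin/ddos_daemon"
FLUSH_DAEMON="/usr/local/DDos/sbin/ddos_flush"
# Pid files written by the two daemons (see active_exec / flush_exec).
DDOS_PID="$PROC_DIR"logs/ddos_daemon.SOCK
FLUSH_PID="$PROC_DIR"logs/ddos_flush.SOCK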
# Print the program banner: name/version and copyright line.
header()
{
    printf '%s\n' "DDoS-Defender version 2.0.0" \
                  "Copyright (C) 2011,Sunshine <[email protected]>"
}
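# Start both daemons at raised priority (nice -4) unless they already run.
# Exits 1 when ddos_daemon is already running.
do_start() {
    # Optional pre-flight module from ddos.conf. Its status was never checked
    # by the original; surface a warning but keep going as before.
    if [ -n "$CHECKIPTABLES" ]; then
        "$CHECKIPTABLES" >/dev/null || echo "Warning: $CHECKIPTABLES reported a problem." >&2
    fi
    # pgrep -x matches the process name exactly (the script basename), which
    # is also what killall uses in do_stop. The old `pgrep -f 'ddos_daemon'`
    # matched that substring anywhere in any command line, e.g. `vi ddos_daemon`.
    if pgrep -x ddos_daemon >/dev/null; then
        echo "ddos_daemon already running!"
        exit 1
    fi
    nice -n -4 "$DDOS_DAEMON" &
    # The flusher is checked on its own so a stray instance is not duplicated.
    if pgrep -x ddos_flush >/dev/null; then
        echo "ddos_flush already running!"
    else
        nice -n -4 "$FLUSH_DAEMON" &
    fi
}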
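# Stop both daemons (killall sends SIGTERM) and remove their pid files once
# they are gone. Returns 1 if a daemon is still alive after a few seconds.
do_stop() {
    local tries=0
    if pgrep -x ddos_daemon >/dev/null; then
        killall ddos_daemon
    else
        echo "ddos_daemon not running!"
    fi
    if pgrep -x ddos_flush >/dev/null; then
        killall ddos_flush
    else
        echo "ddos_flush not running!"
    fi
    # Give the daemons a moment to exit before touching the pid files.
    while pgrep -x ddos_daemon >/dev/null || pgrep -x ddos_flush >/dev/null; do
        tries=$((tries + 1))
        if [ "$tries" -gt 5 ]; then
            echo "Warning: a daemon is still running after SIGTERM; pid files kept." >&2
            return 1
        fi
        sleep 1
    done
    # The old code removed the pid files only while BOTH daemons were still
    # running (and re-killed them), so after a normal stop they went stale.
    if [ -n "$DDOS_PID" ]; then
        rm -f -- "$DDOS_PID"
    fi
    if [ -n "$FLUSH_PID" ]; then
        rm -f -- "$FLUSH_PID"
    fi
    return 0
}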
# Full cycle: terminate the running daemons, then launch fresh ones.
do_restart() {
    do_stop
    do_start
}
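# Print one status screen: active bans from $CROND_LIST, DROP rules from
# iptables, the 20 busiest connection tuples on the monitored ports, and
# whether each daemon is running.
do_status() {
    header
    echo "------------------------------DROP LIST---------------------------------"
    echo "IP Y/m/d H:M:S Unix/time Active"
    if [ -f "$CROND_LIST" ]; then
        column -t "$CROND_LIST"
    fi
    echo "------------------------------IPTABLES LIST-----------------------------"
    echo "target prot opt source destination"
    # -n avoids a reverse-DNS lookup per rule (slow, and it sends every banned
    # address to the resolver). Only rules whose target is DROP are shown; the
    # old `grep 'DROP'` also matched chain headers with a DROP policy.
    "${IPT:-iptables}" -n -L | awk '$1 == "DROP" {printf "%-10s%-5s%-4s%-20s%-11s\n",$1,$2,$3,$4,$5}'
    echo "------------------------------NETSTAT TOP20----------------------------"
    echo "Num Proto Recv-Q Send-Q Local Address Foreign Address State"
    # MONT_PORT is matched against the local port only and IGNORE_IP against
    # the whole remote address. The old `grep -E $MONT_PORT` on the raw line
    # also hit "80" inside an IP or a remote port, and the unanchored
    # IGNORE_IP match hid e.g. 10.0.0.0 via "0.0.0.0". Patterns go through
    # the environment so awk does not reinterpret backslashes in them.
    netstat -ntu | MONT_PORT="$MONT_PORT" IGNORE_IP="$IGNORE_IP" awk '
        BEGIN {
            port_re = ":(" ENVIRON["MONT_PORT"] ")$"
            ignore_re = "^(" ENVIRON["IGNORE_IP"] ")$"
        }
        $4 ~ port_re {
            la = $4; sub(/:[^:]*$/, "", la)
            ra = $5; sub(/:[^:]*$/, "", ra)
            if (ra !~ ignore_re) print $1, $2, $3, la, ra, $6
        }' | sort | uniq -c | sort -rn \
        | awk '{printf "%-6s%-06s%-07s%-07s%-20s%-20s%-10s\n",$1,$2,$3,$4,$5,$6,$7}' | head -20
    echo "------------------------------------------------------------------------"
    # Exact process-name match, consistent with do_start/do_stop.
    if pgrep -x ddos_daemon >/dev/null; then
        echo -n ">>> ddos_daemon already running! "
    else
        echo -n ">>> ddos_daemon not running! "
    fi
    if pgrep -x ddos_flush >/dev/null; then
        echo " ddos_flush already running! <<<"
    else
        echo " ddos_flush not running! <<<"
    fi
}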
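# Command dispatcher. `status` redraws the status screen every 5 seconds
# until interrupted. $prog was never assigned in 2.0.0, so the usage line
# printed an empty program name.
prog=${0##*/}
case "$1" in
    start)
        echo "Starting ddos_daemon ..."
        do_start
        echo "Done."
        ;;
    stop)
        echo "Stopping ddos_daemon ..."
        do_stop
        echo "Done."
        ;;
    restart)
        echo "Restarting ddos_daemon ..."
        do_restart
        echo "Done."
        ;;
    status)
        while true
        do
            clear
            do_status
            sleep 5
        done
        ;;
    *)
        echo "Usage: $prog {start|stop|restart|status}" >&2
        exit 1
        ;;
esac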
配置文件實例:
##### Paths of the script and other files
# NOTE: this file is executed as root with `source` by ddos_daemon, ddos_flush
# and ddosDer, so it must be owned by root and not writable by anyone else.
PROC_DIR="/usr/local/DDos/"
LOGS_FILE="/usr/local/DDos/logs/running.log"
# Scratch directory for the mktemp files. /dev/shm is world-writable, so this
# path can be pre-created by any local user; ddos_daemon's clean_tmp runs
# `rm -f $TMP_DIR/*` in it as root.
TMP_DIR="/dev/shm/tmp"
APF="/etc/apf/apf"
IPT="/sbin/iptables"
### Module Library
### Helper modules: $SENDMAIL_EXE is run by ddos_daemon for each ban,
### $CHECKIPTABLES by ddosDer before starting the daemons.
SENDMAIL_EXE="/usr/local/DDos/lib/sendmail.so"
CHECKIPTABLES="/usr/local/DDos/lib/check_iptables.so"
### Plans to remove(blacklist)
### Queue of active bans, one "IP Y/m/d H:M:S epoch LOCK" record per line,
### appended by ddos_daemon and expired by ddos_flush.
CROND_LIST="/usr/local/DDos/logs/crond_list.dat"
### White list
### Remote addresses that are never banned. Used as an extended regex
### (`grep -v -E $IGNORE_IP`): alternatives separated by `|`, unanchored, and
### with `.` matching any character - so "0.0.0.0" also whitelists e.g.
### 10.0.0.0 or 100.0.0.0. Escape the dots and keep entries specific.
IGNORE_IP="127.0.0.1|0.0.0.0"
### Monitor port
### Local ports to watch. Also an extended regex; in 2.0.0 it is matched
### against the whole `netstat -ntu` line, so "80" also hits an IP address or
### a remote port that contains "80".
MONT_PORT="80|8080|443"
##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
### Mode: 0 = monitor only, 1 = actively block and lock offending IPs
KILL=1
##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
### Whether to ban through the APF firewall; set to 0 to use iptables directly.
### 2.0.0 does not auto-unban APF entries (no crond_list record is written).
APF_BAN=0
### Executive frequency(s)
### Polling interval of both daemons, in seconds
REXEC_TIME=10
##### How many connections define a bad IP? Indicate that below.
### Connection threshold per remote IP; an address with at least this many
### connections to the monitored ports is banned. This sets the sensitivity of
### the monitor and is the most important knob.
NO_OF_CONNECTIONS=100
##### An email is sent to the following address when an IP is banned.
##### SENDMAIL_ON: 1 = send notifications, 0 = off.
### EMAIL_TO: admin addresses, space separated.
### EMAIL_ATTACH (0 = off) and EMAIL_SIGE are not read by the three scripts
### shown here - presumably consumed by the sendmail module; verify there.
SENDMAIL_ON=1
EMAIL_ATTACH=0
EMAIL_SIGE="4399運維團隊"
EMAIL_TO="[email protected]"
### Lock time,used to lock blacklist in grep_list,
### Over this time, iptables will automatically delete.(s)
### Ban duration in seconds: ddos_flush removes the iptables rule once a
### crond_list record is older than this.
BAN_PERIOD=600
相關截圖:
DDoS-Defender-v2.0.0下載:http://www.ywjt.org/index/archives/338.html