An useful and useful command for checking if a server is under ddos?:
netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n
This command will list the IPs checking the most amounts of connections to a server, it’s important to note that the ddos is becoming more and more planned and hackers are using most sophisticated method. If this is the case you will still get low number of connections even while you are under a DDOS.
Another vital thing to look at is how many active connections your server is processing at the most.
netstat -n | grep :80 |wc -l
netstat -n | grep :80 | grep SYN |wc -l
The first command will show the number of active connections which are open to your server, most of the attacks typically starting a connection to the server and then not sending any reply making the server wait for longer time. The number of active connections from the first command is going to differ in large amount but if you are much above 500 you are probably having problems. If the second command is over 100 you are having trouble with a syn attack.
To Block a certain IP address that on server, you can use following commands
—————–command——————————
route add ipaddress reject
for example route add 192.168.0.168 reject
You can check whether given IP is blocked on server by using following command
route -n |grep IPaddress
—————–command——————————
OR
use follwoing command to block a ip with iptables on server
—————–command——————————
iptables -A INPUT 1 -s IPADRESS -j DROP/REJECT
service iptables restart
service iptables save
—————–command——————————
Then KILL all httpd connection and restarted httpd service by using following command
killall -KILL httpd
service httpd startssl
Hope this help!
0 komentar:
Posting Komentar