|
|
本帖最后由 xiaoxiao 于 2016-11-14 22:19 编辑
VPS虽然自由度高,但也因为需要自己做些安全设置对不少人来说比较难,而且的确会有无聊的人DDOS,这两天SS连接都超慢,网上搜索了下,找了个脚本,目前看来与AMH面板还是兼容的,装上没坏处,有需要的都试试吧!
安装及卸载方法
安装:
- wget http://www.inetbase.com/scripts/ddos/install.sh
- 或 wget http://dl.aixiaoxiao.cn/vps/ddos/install.sh
- chmod +x install.sh
- ./install.sh
卸载:
- wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
- 或 wget http://dl.aixiaoxiao.cn/vps/ddos/uninstall.ddos
- chmod +x uninstall.ddos
- ./uninstall.ddos
配置使用方法
安装好后默认的目录在 /usr/local/ddos 里面,主要修改文件ddos.conf
##### Paths of the script and other files
PROGDIR="/usr/local/ddos/ddos.conf" #脚本存放位置
PROG="/usr/local/ddos/ddos.sh" #主程序脚本
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list" #白名单IP设置
CRON="/etc/cron.d/ddos.cron" #定时任务脚本路径
APF="/etc/apf/apf" #APF路径
IPT="/sbin/iptables" #iptables路径
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1 #检查周期时间,默认为1分钟
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150 #允许客户端与服务器的最大连接数,超过就会被屏蔽,保持默认
##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=0 #数字1为使用APF,数字0为使用iptables,因为配合AMH推荐用iptables
##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1 #是否屏蔽IP,默认
##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="system@xxx.com" #指定你要接收警告的邮箱
##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600 #屏蔽违规IP多少秒,我是3600
在实际使用中出现了将白名单中ip地址也加入了防火墙策略的现象。经过测试发现需要修改2个地方(此处借鉴http://blog.chinaunix.net/uid-10449864-id-3300661.html)
vi /usr/local/ddos/ddos.sh
1,ip地址过滤的不够细致,把117行,更换为此段代码:
netstat -ntu | awk '{print $5}' | egrep -o "[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}" | sort | uniq -c | sort -nr > $BAD_IP_LIST
2,注释掉134行(前面加 # 即可):
# echo $CURR_LINE_IP >> $IGNORE_IP_LIST
|
|
收藏