Hi, is there any way to automatically block an IP in case it has multiple site accesses/connections? I want an IP that has over 20 active connections to be auto-blocked in some way... Is there any way to do that? BR
Hi there. If you want to block an IP when it reaches a limited number of connections, then here is your solution.

```bash
#!/bin/bash
# Collect the list of IP addresses connected to port 80, with a connection count per IP
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1 > /root/iplist

# Limit the number of connections
LIMIT=100

# Each line of /root/iplist is "<count> <ip>"
while read -r count ip; do
    # Skip lines without an IPv4 address (for example IPv6 peers cut down to an empty field)
    [ -n "$ip" ] || continue
    if [ "$count" -gt "$LIMIT" ]; then
        echo "More than $LIMIT connections from $ip... $count connections... Blocking $ip"
        # Blocking the ip ...
        /etc/rc.d/init.d/iptables save > /dev/null
        # Never block one of the server's own addresses
        if ! /sbin/ifconfig | grep -qwF -- "$ip"; then
            # Only add a rule if the IP is not already dropped (-w -F: match the whole address literally)
            if ! grep -wF -- "$ip" /etc/sysconfig/iptables | grep -q DROP; then
                iptables -I INPUT -s "$ip" -j DROP
            else
                echo " IP address $ip is already blocked "
            fi
        else
            echo " Sorry, the IP $ip cannot be blocked since this is a local IP of the server "
        fi
    fi
done < /root/iplist
```

This script limits to 100 connections on port 80. You can change both of them and run this from cron every 1 minute.

Another solution is using the csf firewall: http://www.configserver.com/cp/csf.html

And the final (probably the best) solution is DoS-Deflate: http://deflate.medialayer.com/

The cPanel guide is here: http://www.cpanelconfig.com/tag/dos-deflate/

Best Regards
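An added example, not part of any post in this thread: `grep :80` in the script above also matches port 8080 and remote port 80, and counts connections in every state, so this sketch counts only ESTABLISHED connections to one exact local port. The function names and the sample lines are constructed for illustration, and the input is assumed to be in `netstat -ant` column layout.

```shell
#!/bin/bash
# Count ESTABLISHED connections per remote IP for one exact local port.
# Reads `netstat -ant`-style lines on stdin, prints "count ip" for every
# remote IP above the limit. Usage: netstat -ant | over_limit PORT LIMIT
over_limit() {
    awk -v port="$1" -v limit="$2" '
        # Columns: proto recv-q send-q local-address foreign-address state
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            # The port is the text after the LAST colon (works for IPv6 too)
            n = split($4, l, ":")
            if (l[n] != port) next          # exact match: 80 is not 8080
            ip = $5
            sub(/:[0-9]+$/, "", ip)         # strip the remote port
            sub(/^::ffff:/, "", ip)         # unwrap IPv4-mapped IPv6 peers
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > limit) print count[ip], ip }
    ' | sort -rn
}

# Constructed sample input (documentation address ranges, not real traffic)
sample_netstat() {
    cat <<'EOF'
tcp 0 0 192.0.2.10:80 198.51.100.7:51000 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.7:51001 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.7:51002 ESTABLISHED
tcp6 0 0 ::ffff:192.0.2.10:80 ::ffff:198.51.100.7:51003 ESTABLISHED
tcp 0 0 192.0.2.10:80 198.51.100.77:40000 ESTABLISHED
tcp 0 0 192.0.2.10:8080 203.0.113.5:40001 ESTABLISHED
tcp 0 0 192.0.2.10:8080 203.0.113.5:40002 ESTABLISHED
tcp 0 0 192.0.2.10:8080 203.0.113.5:40003 ESTABLISHED
tcp 0 0 192.0.2.10:80 203.0.113.9:40004 TIME_WAIT
tcp 0 0 192.0.2.10:44000 203.0.113.80:80 ESTABLISHED
EOF
}

# Port 80, limit 2: only 198.51.100.7 (3 IPv4 + 1 mapped = 4) is reported
sample_netstat | over_limit 80 2
```

The reported addresses can then go through the same local-IP and already-blocked checks as in the script above before any `iptables` rule is added.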
I would also recommend DDoS Deflate, as recommended by st1905, so here is how you can install it.

DDoS Deflate

```bash
# Get the latest source (run these as root)
cd /usr/src/utils
mkdir ddos
cd ddos
wget http://www.inetbase.com/scripts/ddos/install.sh
sh install.sh
```

Edit the configuration file, /usr/local/ddos/ddos.conf, and start the ddos.

```bash
/usr/local/ddos/ddos.sh -c
```

Make sure you also install APF Firewall. I hope it will help you. The default setting of DDoS Deflate is set to 150, as it will automatically block the IP after 150 connections, and the IP will be unbanned automatically after 600 seconds. You can modify the settings, just read above carefully. I hope it will help; if you still have problems, just post it here.