Searching for that patch of shallow grass in life......

Monthly archive: November 2010

DDoS deflate – defending against and mitigating DDoS attacks on Linux

Preface

The internet is as full of scheming as the real world, and having a site hit by DDoS has become the biggest headache for webmasters. Without a hardware firewall, the most direct option is software, such as iptables; but iptables cannot block attackers automatically, only by hand. The subject of this post is a tool that automatically blocks the IPs of DDoS attackers: DDoS deflate.

About DDoS deflate

DDoS deflate is a free script for defending against and mitigating DDoS attacks. It uses netstat to monitor and track IP addresses that create large numbers of network connections, and when it detects a node exceeding the preset limit, it bans or blocks those IPs through APF or iptables.

DDoS deflate official site: http://deflate.medialayer.com/

How do I confirm whether I am under a DDoS attack?

Run:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

It lists how many connections each IP currently has to the server.

Here is the result of a test on my own VPS:

li88-99:~# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
1 114.226.9.132
1 174.129.237.157
1 58.60.118.142
1 Address
1 servers)
2 118.26.131.78
3 123.125.1.202
3 220.248.43.119
4 117.36.231.253
4 119.162.46.124
6 219.140.232.128
8 220.181.61.31
2311 67.215.242.196

A few, a dozen, or even a few dozen connections per IP is fairly normal; hundreds or thousands, as in the last line above, is definitely not.

1. Install DDoS deflate

wget http://www.inetbase.com/scripts/ddos/install.sh   # download DDoS deflate
chmod 0700 install.sh                                 # make it executable
./install.sh                                          # run the installer

2. Configure DDoS deflate

Below is the default DDoS deflate configuration, located at /usr/local/ddos/ddos.conf:

##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"   # IP address whitelist
CRON="/etc/cron.d/ddos.cron"                       # cron job that runs the script periodically
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1   # check interval, default 1 minute

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150   # maximum connections; an IP above this is blocked. The default is usually fine

##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1   # APF or iptables. iptables is recommended: set APF_BAN to 0

##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1   # whether to actually block IPs; keep the default

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"   # address mailed when an IP is blocked; recommended, change it to your own

##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600   # ban duration, default 600 seconds; adjust as needed

You can edit the configuration file following the annotations added to the default file above.

If you like to tinker, try it out with a web stress-testing tool; DDoS deflate should help your VPS or server withstand part of a DDoS attack and give your site more protection.

Reposted from: VPS侦探 http://www.VPSer.Net
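As an added example (not part of the reposted article or of DDoS deflate itself), the shell below reproduces the detection step over a constructed netstat sample: it discards the header rows that show up as "Address" and "servers)" in the output above, counts connections per remote IP, and applies a threshold and a whitelist in the way NO_OF_CONNECTIONS and ignore.ip.list are used in ddos.conf. The sample addresses and the whitelist layout are assumptions.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (not a real capture). The two
# header lines are what produce the odd "Address" / "servers)" rows when the
# raw pipeline from the article is used.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51022       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51023       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51024       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51025       SYN_RECV
tcp        0      0 10.0.0.5:22             198.51.100.9:40111      ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.44:5353
tcp        0      0 10.0.0.5:80             192.0.2.44:33001        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.44:33002        ESTABLISHED'

# Whitelist, one address per line, in the spirit of ignore.ip.list (assumed layout)
IGNORE_LIST='192.0.2.44'

# count_connections: print "<count> <ip>" for every remote IPv4 address, busiest
# first. Only tcp/udp rows are kept, so the netstat header never shows up as an
# "IP". Note that `cut -d: -f1` mangles IPv6 peers exactly as the article's
# one-liner does; use `netstat -4 -ntu` if that matters.
count_connections() {
    printf '%s\n' "$SAMPLE" \
      | awk '$1 ~ /^(tcp|udp)/ { print $5 }' \
      | cut -d: -f1 | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# find_bad_ips THRESHOLD: addresses with more than THRESHOLD connections that
# are not whitelisted. This is the decision DDoS deflate makes before handing
# an address to APF or iptables; here it only prints and never bans anything.
find_bad_ips() {
    threshold=$1
    count_connections | while read -r n ip; do
        [ "$n" -gt "$threshold" ] || continue
        printf '%s\n' "$IGNORE_LIST" | grep -qxF "$ip" && continue
        printf '%s\n' "$ip"
    done
}

find_bad_ips 2
```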

Compiling OpenVPN 2.1.4 on XP

Why compile OpenVPN
1. The official Windows binaries from OpenVPN do not include the ability to read the username and password from a file.
2. So that the server side can push a larger route table to the client.

Installation steps
Note: all installation paths mentioned below are examples; unless stated otherwise they can be changed to suit your setup.

Install NSIS, used to package the compiled files into an installer
Download link: http://sourceforge.net/projects/nsis/files/NSIS 2/2.46/nsis-2.46-setup.exe/download
The default installation is fine.

Install MinGW, the build environment
Download link: http://sourceforge.net/projects/mingw/files/Automated MinGW Installer
Download mingw-get-inst-20101030.exe
There no longer seems to be a complete installer package; you can only download mingw-get-inst-20101030.exe and install online. In the custom installation step I also selected C++.

Once MinGW is installed, install MSYS
Download link: http://downloads.sourceforge.net/mingw/MSYS-1.0.11.exe
Use the default installation. The installer asks a few questions: answer y to the first two, and give the MinGW installation path for the third.

C:\msys\1.0\postinstall>..\bin\sh.exe pi.sh

This is a post install process that will try to normalize between
your MinGW install if any as well as your previous MSYS installs
if any. I don't have any traps as aborts will not hurt anything.
Do you wish to continue with the post install? [yn ] y

Do you have MinGW installed? [yn ] y

Please answer the following in the form of c:/foo/bar.
Where is your MinGW installation? C:/MinGW

Install msysDTK
Download link: http://downloads.sourceforge.net/mingw/msysDTK-1.0.1.exe
Default installation

Configure environment variables
Right-click My Computer -> Properties -> Advanced -> Environment Variables, and check whether the "User variables for XXX" pane at the top of the window contains a PATH variable.
If it does, double-click to edit it and append C:\MinGW\bin;C:\msys\1.0\bin

When done, go to Start -> Run, open a cmd window and type bash. If a "bash-3.1$" prompt appears, the environment variable change worked. Type exit to leave bash.
Download the OpenVPN prebuilt files
The prebuilt files here are not a prebuilt OpenVPN itself, but the binaries the OpenVPN build needs, such as openssl, the tap driver and so on
Download link: http://openvpn.net/prebuilt/2.1_rc22-prebuilt.tbz
It does not matter that the version is not 2.1.1: the code changed little from 2.1_rc22 to 2.1.0, and 2.1.0 to 2.1.1 only fixed the built-in spec file used for rpm packaging
Extract 2.1_rc22-prebuilt.tbz to c:\ to get the directory C:\2.1_rc22-prebuilt\, whose contents are
gen-prebuilt
lzo-2.02
openssl-0.9.8l
pkcs11-helper

Add the OpenVPN GUI binary
There are two options here
1. Download the OpenVPN GUI binary, which is the English version
Download link: http://openvpn.se/files/binary/openvpn-gui-1.0.3.exe

2. Chinese version: extract openvpn-gui-1.0.3.exe from an installer package built by someone else

If you want to customize your own OpenVPN installer more deeply, you can compile and install OpenVPN GUI yourself and edit the rc file in its source to get the customization you want. That is not covered here
Either way, place openvpn-gui-1.0.3.exe in the C:\2.1_rc22-prebuilt\ directory
Download the OpenVPN 2.1.4 source
Download link: http://swupdate.openvpn.net/community/releases/openvpn-2.1.4.tar.gz
Download and extract it to get the openvpn-2.1.4 directory, under C:\2.1_rc22-prebuilt\
At this point the C:\2.1_rc22-prebuilt\ directory contains the following files and folders:
openvpn-2.1.4
openvpn-gui
gen-prebuilt
lzo-2.02
openssl-0.9.8l
pkcs11-helper
openvpn-gui-1.0.3.exe
If any directory is missing, go back and check the earlier steps :-)

Edit the build configuration files
Note: for every file edit mentioned below, always use WordPad or another proper text editor such as gvim or notepad++.
Go to the openvpn-2.1.4 folder and edit version.m4
Customize the contents of the square brackets in define(PRODUCT_VERSION,[2.1.4]).
For example, change it to define(PRODUCT_VERSION,[2.1.4-johncan]). This string appears in the OpenVPN installer.
Go to the openvpn-2.1.4\install-win32 folder and edit settings.in
Find the line ;!define ENABLE_PASSWORD_SAVE and remove the leading semicolon.
Note: according to the official manual, uncommenting !define ENABLE_PASSWORD_SAVE in settings is enough to enable password saving,
but it did not take effect when I actually compiled. Edit openvpn-2.1.4\misc.c directly instead:
add a line #define ENABLE_PASSWORD_SAVE
in front of the line #if undef ENABLE_PASSWORD_SAVE

The last edit is more involved.
To reduce the complexity of building and installing, I do not compile the tap-win32 driver myself and instead use the tapinstall directory from the prebuilt package that openvpn provides. I could not find a particularly clean way to do this hack, so it is a bit dirty.

Edit C:\2.1_rc22-prebuilt\openvpn-2.1.4\install-win32\openvpn.nsi and find the following code:
; tap-64bit:
DetailPrint "We are running on a 64-bit system."
SetOutPath "$INSTDIR\bin"
File "${GEN}\tapinstall\amd64\tapinstall.exe"
SetOutPath "$INSTDIR\driver"
File "${GEN}\driver\amd64\OemWin2k.inf"
File "${GEN}\driver\amd64\${PRODUCT_TAP_ID}.cat"
File "${GEN}\driver\amd64\${TAPDRV}"
goto tapend
tap-32bit:
DetailPrint "We are running on a 32-bit system."
SetOutPath "$INSTDIR\bin"
File "${GEN}\tapinstall\i386\tapinstall.exe"
SetOutPath "$INSTDIR\driver"
File "${GEN}\driver\i386\OemWin2k.inf"
File "${GEN}\driver\i386\${PRODUCT_TAP_ID}.cat"
File "${GEN}\driver\i386\${TAPDRV}"
tapend:
SectionEnd
Before the first line of this block, insert:
!undef GEN
!define GEN "C:\2.1_rc22-prebuilt\gen-prebuilt\"
After the last line of this block, insert:
!undef GEN
!define GEN ".."

Result after editing

; tap-64bit:
!undef GEN
!define GEN "C:\2.1_rc22-prebuilt\gen-prebuilt\"
DetailPrint "We are running on a 64-bit system."
SetOutPath "$INSTDIR\bin"
File "${GEN}\tapinstall\amd64\tapinstall.exe"
SetOutPath "$INSTDIR\driver"
File "${GEN}\driver\amd64\OemWin2k.inf"
File "${GEN}\driver\amd64\${PRODUCT_TAP_ID}.cat"
File "${GEN}\driver\amd64\${TAPDRV}"
goto tapend
tap-32bit:
DetailPrint "We are running on a 32-bit system."
SetOutPath "$INSTDIR\bin"
File "${GEN}\tapinstall\i386\tapinstall.exe"
SetOutPath "$INSTDIR\driver"
File "${GEN}\driver\i386\OemWin2k.inf"
File "${GEN}\driver\i386\${PRODUCT_TAP_ID}.cat"
File "${GEN}\driver\i386\${TAPDRV}"
tapend:
SectionEnd
!undef GEN
!define GEN ".."

Change the paths of openssl, lzo and the rest

Edit C:\2.1_rc22-prebuilt\openvpn-2.1.4\install-win32\settings.in
Find
# Include the OpenVPN GUI exe in the installer.
# May be undefined.
!define OPENVPN_GUI_DIR "../openvpn-gui"
!define OPENVPN_GUI "openvpn-gui-1.0.3.exe"

# Include the OpenVPN XML-based GUI exe in the installer.
# May be undefined.
;!define OPENVPN_XGUI_DIR "../ovpnxml"

# Prebuilt libraries. DMALLOC is optional.
!define OPENSSL_DIR "../openssl.mingw/openssl-0.9.8o"
!define LZO_DIR "../lzo-2.02"
!define PKCS11_HELPER_DIR "../pkcs11-helper"
;!define DMALLOC_DIR "../dmalloc-5.4.2"

and change the corresponding lines to
# Include the OpenVPN GUI exe in the installer.
# May be undefined.
!define OPENVPN_GUI_DIR "../../2.1_rc22-prebuilt"
!define OPENVPN_GUI "openvpn-gui-1.0.3.exe"

# Include the OpenVPN XML-based GUI exe in the installer.
# May be undefined.
;!define OPENVPN_XGUI_DIR "../ovpnxml"

# Prebuilt libraries. DMALLOC is optional.
!define OPENSSL_DIR "../../2.1_rc22-prebuilt/openssl-0.9.8l"
!define LZO_DIR "../../2.1_rc22-prebuilt/lzo-2.02"
!define PKCS11_HELPER_DIR "../../2.1_rc22-prebuilt/pkcs11-helper"

Increase the route table capacity
Edit C:\2.1_rc22-prebuilt\openvpn-2.1.4\common.h

Change
#define TLS_CHANNEL_BUF_SIZE 2048
to
#define TLS_CHANNEL_BUF_SIZE 81920

and change
#define PUSH_BUNDLE_SIZE 1024
to
#define PUSH_BUNDLE_SIZE 81919

Optional
Change the installer's default icon: replace icon.ico under C:\2.1_rc22-prebuilt\openvpn-2.1.4\images with the ico image you want to use

Patching openvpn
If you need to apply special patches to openvpn, such as the openvpn ipv6 patch, this is the time to do it.
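Before starting the build, the script below (an added example, not part of OpenVPN or of this article) applies the edits to version.m4, settings.in, misc.c and common.h described above and verifies each one, since the settings.in change silently failed to take effect for the author. It is meant for MSYS bash in the source tree; the function names are the example's own, and make_sample_tree writes constructed stand-ins for the four files so the script can be tried without the real source.

```shell
#!/bin/sh
# Apply the source edits described above to an OpenVPN 2.1.4 tree and check
# that each one actually landed before `bash domake-win` is run. Added example,
# not part of OpenVPN or its build scripts; make_sample_tree writes constructed
# stand-ins for the four files so it can be tried without the real source.

# sed_file FILE SCRIPT: in-place edit without relying on GNU `sed -i`
sed_file() { sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"; }

# insert_before FILE REGEX TEXT: put TEXT on its own line before the first match
insert_before() {
    awk -v re="$2" -v txt="$3" '!done && $0 ~ re { print txt; done = 1 } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# patch_tree DIR TAG: DIR is the openvpn-2.1.4 root, TAG the version suffix
patch_tree() {
    sed_file "$1/version.m4" "s/define(PRODUCT_VERSION,\[2\.1\.4\])/define(PRODUCT_VERSION,[2.1.4-$2])/"
    sed_file "$1/install-win32/settings.in" 's/^;!define ENABLE_PASSWORD_SAVE/!define ENABLE_PASSWORD_SAVE/'
    # the article writes the misc.c guard as "#if undef"; the C preprocessor
    # spelling is "#ifndef", so match either form
    insert_before "$1/misc.c" '^#if(ndef| undef) ENABLE_PASSWORD_SAVE' '#define ENABLE_PASSWORD_SAVE'
    sed_file "$1/common.h" 's/^#define TLS_CHANNEL_BUF_SIZE 2048$/#define TLS_CHANNEL_BUF_SIZE 81920/'
    sed_file "$1/common.h" 's/^#define PUSH_BUNDLE_SIZE 1024$/#define PUSH_BUNDLE_SIZE 81919/'
}

# verify_tree DIR TAG: succeed only if every edit is present, so a silent no-op
# (what happened with settings.in above) is caught before minutes of compiling
verify_tree() {
    grep -q "PRODUCT_VERSION,\[2\.1\.4-$2\]" "$1/version.m4" &&
    grep -q '^!define ENABLE_PASSWORD_SAVE' "$1/install-win32/settings.in" &&
    grep -q '^#define ENABLE_PASSWORD_SAVE' "$1/misc.c" &&
    grep -q '^#define TLS_CHANNEL_BUF_SIZE 81920$' "$1/common.h" &&
    grep -q '^#define PUSH_BUNDLE_SIZE 81919$' "$1/common.h"
}

# make_sample_tree DIR: constructed minimal stand-ins for the four files
make_sample_tree() {
    mkdir -p "$1/install-win32"
    printf 'define(PRODUCT_VERSION,[2.1.4])\n' > "$1/version.m4"
    printf '# settings\n;!define ENABLE_PASSWORD_SAVE\n' > "$1/install-win32/settings.in"
    printf '#ifndef ENABLE_PASSWORD_SAVE\n#endif\n' > "$1/misc.c"
    printf '#define TLS_CHANNEL_BUF_SIZE 2048\n#define PUSH_BUNDLE_SIZE 1024\n' > "$1/common.h"
}
```

On the real tree, run `patch_tree /c/2.1_rc22-prebuilt/openvpn-2.1.4 johncan && verify_tree /c/2.1_rc22-prebuilt/openvpn-2.1.4 johncan` from MSYS bash and only continue to the build if it succeeds.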
Compile and install
Start -> Run, run cmd, and type the following commands in order:
d:
cd openvpn-2.1.4
bash domake-win
OK, openvpn starts compiling :-)

After the build
The output will look roughly like this:
Using lzma compression.

EXE header size: 38912 / 34304 bytes
Install code: 14908 / 73462 bytes
Install data: 1566849 / 4212428 bytes
Uninstall code+data: 20748 / 24114 bytes
CRC (0xC82A76EA): 4 / 4 bytes

Total size: 1641421 / 4344312 bytes (37.7%)

3 warnings:
install function "GetWindowsVersion" not referenced - zeroing code (125-174) out

label "fileass" not used
label "tryaddtap" not used

The installer will appear in the C:\2.1_rc22-prebuilt\openvpn-2.1.4\gen\ folder.

Main reference
http://yegle.net/2010/05/19/compile-openvpn-2-1-1-in-windows/

How to: Linux / UNIX Delete or Remove Files With Inode Number

An inode identifies a file and its attributes such as file size, owner, and so on. A unique inode number within the file system identifies each inode. But why delete a file by inode number? Sure, you can use the rm command to delete a file. Sometimes you accidentally create a filename with control characters, characters that cannot be typed on a keyboard, or special characters such as ?, *, ^ etc. Removing such filenames can be a problem. Use the following method to delete a file with strange characters in its name:

Please note that the procedure outlined below works with Solaris, FreeBSD, Linux, or any other Unix-like OS out there:

Find out the file's inode
First find the file's inode number with either of the following commands:

stat {file-name}

OR

ls -il {file-name}

Use the find command to remove the file:
Use find as follows to locate and remove the file:

find . -inum [inode-number] -exec rm -i {} \;

When prompted for confirmation, press Y to confirm removal of the file.

Delete or remove files by inode number
Let us try deleting a file using its inode number.

(a) Create a hard-to-delete file name:
$ cd /tmp
$ touch "\+Xy \+\8"
$ ls
(b) Try to remove this file with the rm command:
$ rm \+Xy \+\8

(c) Remove the file by its inode number, but first find out the inode number:
$ ls -il
Output:

781956 drwx------ 3 viv viv 4096 2006-01-27 15:05 gconfd-viv
781964 drwx------ 2 viv viv 4096 2006-01-27 15:05 keyring-pKracm
782049 srwxr-xr-x 1 viv viv 0 2006-01-27 15:05 mapping-viv
781939 drwx------ 2 viv viv 4096 2006-01-27 15:31 orbit-viv
781922 drwx------ 2 viv viv 4096 2006-01-27 15:05 ssh-cnaOtj4013
781882 drwx------ 2 viv viv 4096 2006-01-27 15:05 ssh-SsCkUW4013
782263 -rw-r--r-- 1 viv viv 0 2006-01-27 15:49 \+Xy \+\8

Note: 782263 is the inode number.

(d) Use the find command to delete the file by inode:
Find and remove the file using the find command, typing it as follows:
$ find . -inum 782263 -exec rm -i {} \;
Note that you can also add a \ character before each special character in the filename to remove it directly, so the command would be:
$ rm "\+Xy \+\8"
If you have a file named "2005/12/31", then no UNIX or Linux command can delete it by name. The only way to delete such a file is by its inode number. Linux or UNIX never allows creating a filename like 2005/12/31, but if you are using NFS from Mac OS or Windows then it is possible to create such a file.

Reposted from: http://www.cyberciti.biz/tips/delete-remove-files-with-inode-number.html
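An added example (not from the reposted article) that wraps the find-by-inode step with two checks a practitioner wants before an unattended rm: the search stays on one file system, because inode numbers are only unique per file system, and exactly one regular file must match. The helper names and the scratch directory are the example's own.

```shell
#!/bin/sh
# rm_by_inode DIR INODE: delete the regular file with inode INODE that lives
# under DIR. Added example, not from the article. Two safety checks the bare
# `find . -inum N -exec rm` lacks: -xdev keeps find on DIR's file system
# (inode numbers are only unique per file system, so the same number can exist
# on a mounted volume), and the number of matches must be exactly one.
rm_by_inode() {
    dir=$1 inum=$2
    matches=$(find "$dir" -xdev -type f -inum "$inum" | wc -l | tr -d ' ')
    if [ "$matches" -ne 1 ]; then
        echo "rm_by_inode: expected one regular file with inode $inum under $dir, found $matches" >&2
        return 1
    fi
    find "$dir" -xdev -type f -inum "$inum" -exec rm -f -- {} \;
}

# inode_of PATH: inode number of PATH; `ls -i` is portable to BSD and Solaris,
# where GNU `stat -c %i` does not exist
inode_of() {
    ls -di -- "$1" | awk '{ print $1 }'
}

# demo_delete_strange_name: recreate the article's awkward file name in a
# scratch directory and remove it by inode rather than by name. Returns 0
# when the file is gone.
demo_delete_strange_name() {
    scratch=$(mktemp -d)
    # same name the article creates; the backslashes are literal characters
    touch "$scratch/\\+Xy \\+\\8"
    inum=$(inode_of "$scratch/\\+Xy \\+\\8")
    rm_by_inode "$scratch" "$inum" || return 1
    ! [ -e "$scratch/\\+Xy \\+\\8" ]
    status=$?
    rm -rf "$scratch"
    return $status
}
```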

Linux: How to delete a file securely

Recently we had a lot of discussion regarding this issue: how to remove files securely so that they cannot be undeleted. Peter Gutmann's paper "Secure Deletion of Data from Magnetic and Solid-State Memory" has very good information. Here are some commands/tools available under Debian GNU/Linux (they should work with other Linux distributions) to delete files securely.

srm: securely remove files or directories
This command is a replacement for the rm command. It works under Linux/BSD/UNIX-like OSes. It removes each specified file by overwriting, renaming, and truncating it before unlinking. This prevents other people from undeleting or recovering any information about the file from the command line. Because it performs many operations on the file/directory for secure deletion, it also takes a lot of time. Download srm from http://sourceforge.net/projects/srm (an RPM file is also available for RPM-based Linux distributions)

i) Untar and install srm:

# ./configure
# make
# make install

ii) How to use srm?
srm syntax is like the rm command. Read man srm. Here is a simple example:

$ srm privateinfo.doc

wipe: a secure file wiping utility
Download wipe from http://wipe.sourceforge.net/
i) Untar and install wipe

# ./configure
# make
# make install

ii) How to use wipe?

$ wipe filename

Read the man page of wipe for more information.

shred: delete a file securely, first overwriting it to hide its contents.
It is available on most Linux distributions including Debian GNU/Linux. To remove a file called personalinfo.tar.gz:

$ shred -n 200 -z -u personalinfo.tar.gz

Where,

-n: Overwrite N (200) times instead of the default (25)
-z: Add a final overwrite with zeros to hide shredding
-u: Truncate and remove the file after overwriting
Read the man page of shred(1) for more information. Most of these utilities are not effective (read: useless) if:

The file system is log-structured or journaled, such as JFS, ReiserFS, XFS, Ext3, etc.
Your file system is RAID-based, compressed, etc.
In addition, file system backups and remote mirrors may contain copies of the file that cannot be removed by these utilities.
See also:

Delete (remove) files with inode number – to remove special-character filenames

Reposted from: http://www.cyberciti.biz/tips/linux-how-to-delete-file-securely.html
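As an added example (not from the reposted article), the shell below wraps shred with the caveat the article ends on: it reports the file system type first, since on a journaled or copy-on-write file system the overwrite may never reach the blocks that held the data, and a second function shows what the -z pass leaves behind on a constructed temp file. The function names and the GNU stat call are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the article. secure_delete shreds a file in place,
# but first looks at the file system type, because on journaled or
# copy-on-write file systems (ext3, XFS, btrfs, ...) the overwrite may land on
# new blocks while the old data stays on disk, which is the article's caveat.

# fstype_of PATH: file system type via GNU stat; prints "unknown" elsewhere
fstype_of() {
    stat -f -c %T -- "$1" 2>/dev/null || echo unknown
}

# secure_delete FILE [PASSES]: warn when the overwrite may be ineffective, then
# `shred -n PASSES -z -u` (3 passes by default; the article uses 200)
secure_delete() {
    f=$1 passes=${2:-3}
    case $(fstype_of "$f") in
        ext2/ext3|ext4|xfs|jfs|reiserfs|btrfs|zfs|nfs|overlayfs)
            echo "warning: $(fstype_of "$f") may keep old copies of $f; the overwrite is not guaranteed" >&2 ;;
    esac
    shred -n "$passes" -z -u -- "$f"
}

# overwrite_check: show what -z does. Writes a constructed marker to a temp
# file, shreds it WITHOUT -u, and returns 0 if the file now holds only NUL
# bytes and the marker is gone. The temp file is removed afterwards.
overwrite_check() {
    tmp=$(mktemp)
    printf 'CONSTRUCTED-SECRET-MARKER\n' > "$tmp"
    shred -n 1 -z -- "$tmp"
    nonzero=$(tr -d '\000' < "$tmp" | wc -c | tr -d ' ')
    ok=1
    [ "$nonzero" -eq 0 ] && ! grep -q 'MARKER' "$tmp" && ok=0
    rm -f "$tmp"
    return $ok
}
```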

Making OpenVZ support iptables better

Change the iptables modules loaded on the hardware node

vim /etc/sysconfig/iptables-config

IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

vim /etc/sysconfig/vz

IPTABLES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

Restart the VZ service

service vz restart

Allow more iptables entries

# vzctl set $CTID --numiptent 400 --save

vzctl enter $CTID

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -I INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -I INPUT -j ACCEPT -i lo
iptables -I INPUT -p tcp --dport 25 -j ACCEPT
iptables -I INPUT -p tcp --dport 110 -j ACCEPT
iptables -I INPUT -p tcp --dport 995 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -p udp --dport 53 -j ACCEPT
service iptables save
service iptables restart

Reposted from:
http://hi.baidu.com/enjoyunix/blog/item/09cc631bd1cec1dcac6e7573.html
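An added example (not from the reposted article) that generates the same rule set in an order that cannot lock out a remote session: the article's list sets the DROP policies first and inserts every rule with -I, which is fine from `vzctl enter` on the node but drops an SSH session into the container the moment the policy lands. The generator only prints the commands, so they can be reviewed and counted against --numiptent before being applied; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the article. build_rules emits the same services as
# the article's list, but appends the ACCEPT rules first and sets the DROP
# policies last, so there is no moment where everything is dropped. It prints
# the commands instead of running them; apply inside the container with
# `build_rules | sh` and then `service iptables save`.

TCP_PORTS='25 110 995 80 53'   # same services the article opens
UDP_PORTS='53'

build_rules() {
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $TCP_PORTS; do echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"; done
    for p in $UDP_PORTS; do echo "iptables -A INPUT -p udp --dport $p -j ACCEPT"; done
    # policies go last so nothing is dropped before the ACCEPT rules exist
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P FORWARD DROP'
}

# rule_count: rules (-A lines) the set adds; compare with the container's
# numiptent quota before applying (the article raises it to 400). Policies
# are chain attributes, not entries.
rule_count() {
    build_rules | grep -c -- ' -A '
}

# policy_after_accepts: succeeds only if the first DROP policy comes after the
# last ACCEPT rule, so the ordering mistake cannot creep back in when the
# port lists are edited
policy_after_accepts() {
    build_rules | awk '
        / -A .* -j ACCEPT/ { last_accept = NR }
        / -P .* DROP/      { if (!first_policy) first_policy = NR }
        END { exit (first_policy && first_policy < last_accept) ? 1 : 0 }'
}
```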
