Shell Programming and Scripting

Hello,

I'm using a commando to check wich IPS are openning a large amount of connections to my server and kill them (to reduce synflood attack effects).

The command is the following one:

Code:

netstat -an | grep ^tcp | awk '{ print $5 }' | egrep -v '^(172\.16|192\.168|127\.0)' | cut -f1-4 -d\. | awk '{ a[$1]++ } END { for (i in a) { if (a[i] > 70) { print i; } } }' | xargs -n1 -I % sh -c 'sockstat -c | grep %' | awk '{ print $6 " " $7 }' | sed -e 's/:/ /g' -e 's/^/ tcpdrop /' | sh

It works when I run ./tcpdrop.sh, but when I try to add it to crontab it gives me the following error:

Code:

tcpdrop: not found
tcpdrop: not found
tcpdrop: not found

I have tried already to add an alias tcpdrop=/usr/sbin/tcpdrop, but had no success.

I think a way to make it work is, instead of outputing "tcpdrop", it would output /usr/sbin/tcpdrop, but I don't know how to change the "sed" command to add the whole path of tcpdrop.

Another question I need to solve is how to ignore certain IP addresses, like 67.43.2.1. I tried to include the IP on the egrep -v '^(172\.16|192\.168|127\.0)' command, like egrep -v '^(172\.16|192\.168|127\.0|67.43.2.1)'but didn't work.

I apreciatte your help.

Thank you.

The sed command would be:

Code:

sed 's|:||g; s|^| /usr/sbin/tcpdrop |'

For grep you could try:

Code:

egrep -v '^(172\.16|192\.168|127\.0|67\.43\.2\.1\.)'

Thanks for the reply.

In fact, related to the "sed" problem, I have found a way to do it:

Code:

sed -e 's/:/ /g' -e 's/^/ tcpdrop /' -e 's/tcpdrop/\/usr\/sbin\/tcpdrop/'

Thank you.

I think it's better to block the IP's with iptables (or the ufw front end to iptables) then just killing the connections. Presumably someone that's trying to attack your system would just reconnect, probably automatically since the attack is almost certainly scripted. So if you don't block them from connecting, you'll just see the same origins come right back in again.

Hello cnamejj,

I am using PF to block the connections. These are my configuration lines:

Code:

block in quick on $externa inet proto tcp from <blocked> to any
block drop in quick on $externa inet proto { udp,icmp } from <blocked> to any

pass in  quick on $externa inet proto { tcp,udp } from any to any port { 80 } flags S/SA keep state (max-src-conn 200, max-src-conn-rate 250/3, overload <blocked> flush global)

The problem is that the IPs in "blocked" table continue to open connections to my server, and it keeps the state as "SYN_SENT", flooding the server. That's why I need the tcpdrop script.

I don't know if I'm setting the firewall wrong, but seems like the only way to drop the open connections to my server.

Thank you.

Got it... But unless I'm missing something, once an IP is on your firewall's block list any packets received will be ignored. So the only "SYN_SENT" connections will be the ones setup before the firewall rule was added. Are those sticking around long enough to cause a problem? Since it's a fixed number can't you just leave them to timeout on their own?

Maybe there are PF rules (I'm not familiar with that package) that would implement the maximum connection per-IP logic you want. Meaning, can you add broad rule that won't allow any untrusted IP to have more than 70 connections at once?

Then you wouldn't need to kill the ones that do manage to get through before the firewall kicks in.

Also, does PF have a way to show the current list of blocked IP's? If so then you do need to kill processes that managed to get setup, you could run that PF command to generate a list of bad IP's, then use something like "lsof" to find all the open sockets connected to that IP then kill those processes. I think it might be simpler than figuring out which IP's to target by counting the number of connections each one has.