DDos Angriff Abwehren, Server absichern, [ETC.]!

iptables -I INPUT -s 123.123.123.123 -j DROP

iptables -D INPUT -s 123.123.123.123 -j DROP

/sbin/route add -host 123.123.123.123 reject

useradd samp

mkdir /home/samp

chown -R samp /home/samp

passwd samp

vi /etc/ssh/sshd_config

# What ports, IPs and protocols we listen forPort 123456

#ListenAddress ::ListenAddress 123.123.123.123

sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT

sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT

iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth Scan"

#!/bin/bash	### Block all traffic from AFGHANISTAN (af) and CHINA (CN). Use ISO code ###	ISO="af cn"	### Set PATH ###	IPT=/sbin/iptables	WGET=/usr/bin/wget	EGREP=/bin/egrep	### No editing below ###	CBLIST="countrydrop"	ZONEROOT="/var/iptables"	IPTCBRESTORE="/etc/sysconfig/iptables.cb"	ALLOWPORTS=80,443	MAXZONEAGE=7	DLROOT="http://www.ipdeny.com/ipblocks/data/countries"	cleanOldRules(){	$IPT -L $CBLIST > /dev/null 2>&1	if [ $? = 0 ] ; then	$IPT -D INPUT -j $CBLIST	$IPT -D OUTPUT -j $CBLIST	$IPT -D FORWARD -j $CBLIST	fi	TOPIP=`$IPT -L -n | grep Chain | cut -f 2 -d ' ' | grep '\-$CBLIST'`	for i in $TOPIP	do	$IPT -F ${i}	$IPT -X ${i}	done	$IPT -X $CBLIST	}	updateZoneFiles() {	ZONEARCH=${ZONEROOT}/arch	mkdir -p ${ZONEARCH}	find ${ZONEROOT} -maxdepth 1 -mindepth 1 -ctime +${MAXZONEAGE} -exec mv {} ${ZONEARCH} \;	for c in $ISO	do	# local zone file	tDB=$ZONEROOT/$c.zone	if [ -f $tDB ] ; then	printf "Zone file %s is new enough - no update required.\n" $tDB	else	# get fresh zone file if it is newer than MAXZONEAGE days	$WGET -O $tDB $DLROOT/$c.zone	fi	done	oldzones=`find ${ZONEROOT} -mindepth 1 -maxdepth 1 -type f -exec basename {} \; | cut -f 1 -d '.'`	# Archive old zones no longer blocked	for z in $oldzones ; do	archme=${c}	for c in $ISO ; do	if [ $c = $z ] ; then archme="X"; fi	done	if [ $archme = $z ] ; then	mv ${archme} ${ZONEARCH}	else	printf "Working from previous zone file for %s\n" ${z}	fi	done	}	createIPTLoadFile() {	printf "# Generated by %s on" $0 > ${IPTCBRESTORE}	printf "%s " `date` >> ${IPTCBRESTORE}	printf "\n*filter\n" >> ${IPTCBRESTORE}	# Create CBLIST chain	printf ":$CBLIST - [0:0]\n" >> ${IPTCBRESTORE}	printf "%s INPUT -j $CBLIST\n" "-I" > ${IPTCBRESTORE}.tmp	printf "%s OUTPUT -j $CBLIST\n" "-I" >> ${IPTCBRESTORE}.tmp	printf "%s FORWARD -j $CBLIST\n" "-I" >> ${IPTCBRESTORE}.tmp	if [ "Z${ALLOWPORTS}" = "Z" ] ; then	printf "Blocking all traffic from country - no ports allowed\n"	else	printf "%s $CBLIST -p tcp -m multiport ! --dports ${ALLOWPORTS} -j RETURN\n" "-I">> ${IPTCBRESTORE}.tmp	fi	for c in $ISO	do	# local zone file	tDB=$ZONEROOT/$c.zone	# country specific log message	SPAMDROPMSG="$c Country Drop"	# Create drop chain for identified packets	CBLISTDROP=${c}-${CBLIST}-DROP	printf ":${CBLISTDROP} - [0:0]\n" >> ${IPTCBRESTORE}	printf "%s ${CBLISTDROP} -j LOG --log-prefix "$SPAMDROPMSG"\n" "-A" >> ${IPTCBRESTORE}.tmp	printf "%s ${CBLISTDROP} -j DROP\n" "-A" >> ${IPTCBRESTORE}.tmp	# Load IP ranges into chains correlating to first octet	BADIPS=$(egrep -v "^#|^$" $tDB)	for ipblock in $BADIPS	do	topip=`echo $ipblock | cut -f 1 -d '.'`	chainExists=`grep -c :${topip}-${CBLIST} ${IPTCBRESTORE}`	if [ $chainExists = 0 ] ; then	printf "Creating chain for octet %s\n" ${topip}	printf ":$topip-$CBLIST - [0:0]\n" >> ${IPTCBRESTORE}	sip=${topip}.0.0.0/8	printf "%s $CBLIST -s ${sip} -j $topip-$CBLIST\n" "-A" >> ${IPTCBRESTORE}.tmp	fi	printf " Adding rule for %s to chain for octet %s\n" ${ipblock} ${topip}	printf "%s $topip-$CBLIST -s $ipblock -j ${CBLISTDROP}\n" "-A" >> ${IPTCBRESTORE}.tmp	done	done	cat ${IPTCBRESTORE}.tmp >> ${IPTCBRESTORE} && rm -f ${IPTCBRESTORE}.tmp	printf "COMMIT\n# Completed on " >> ${IPTCBRESTORE}	printf "%s " `date` >> ${IPTCBRESTORE}	printf "\n" >> ${IPTCBRESTORE}	}	directLoadTables() {	# Create CBLIST chain	$IPT -N $CBLIST	$IPT -I INPUT -j $CBLIST	$IPT -I OUTPUT -j $CBLIST	$IPT -I FORWARD -j $CBLIST	if [ "Z${ALLOWPORTS}" = "Z" ] ; then	printf "Blocking all traffic from country - no ports allowed\n"	else	$IPT -I $CBLIST -p tcp -m multiport ! --dports ${ALLOWPORTS} -j RETURN	fi	for c in $ISO	do	# local zone file	tDB=$ZONEROOT/$c.zone	# country specific log message	SPAMDROPMSG="$c Country Drop"	# Create drop chain for identified packets	CBLISTDROP=${c}-${CBLIST}-DROP	$IPT -N ${CBLISTDROP}	$IPT -A ${CBLISTDROP} -j LOG --log-prefix "$SPAMDROPMSG"	$IPT -A ${CBLISTDROP} -j DROP	# Load IP ranges into chains correlating to first octet	BADIPS=$(egrep -v "^#|^$" $tDB)	for ipblock in $BADIPS	do	topip=`echo $ipblock | cut -f 1 -d '.'`	$IPT -L $topip-$CBLIST > /dev/null 2>&1	if [ $? = 1 ] ; then	printf "Creating chain for octet %s\n" ${topip}	$IPT -N $topip-$CBLIST	sip=${topip}.0.0.0/8	$IPT -A $CBLIST -s ${sip} -j $topip-$CBLIST	fi	printf " Adding rule for %s to chain for octet %s\n" ${ipblock} ${topip}	$IPT -A $topip-$CBLIST -s $ipblock -j ${CBLISTDROP}	done	done	}	loadTables() {	createIPTLoadFile	${IPT}-restore -n ${IPTCBRESTORE}	#directLoadTables	}	# create a dir	[ ! -d $ZONEROOT ] && /bin/mkdir -p $ZONEROOT	# clean old rules	cleanOldRules	# update zone files as needed	updateZoneFiles	# create a new iptables list	loadTables	exit 0