This script can be used with csf to automatically block connections on a server if a client is getting heavily flooded. To use it, you must change the deny limit in /etc/csf/csf.conf from 100 to 0, restart csf, and then load this script.
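#!/bin/bash
# autoblock.sh - drop IPv4 clients that hold too many connections to local
# port 80.
#
# Takes one netstat snapshot, counts sockets per remote address on local port
# 80, and for every address at or above the threshold that is not already
# listed in csf.deny: inserts an iptables DROP rule and appends the address to
# csf.deny. httpd is restarted only when this run added a new block.
#
# Review notes:
#   - The count covers every socket state netstat reports, not only
#     ESTABLISHED.
#   - Clients behind a shared NAT, a proxy or a CDN edge can legitimately reach
#     the threshold. Add anything that must never be dropped to the skip list
#     in the loop before running this unattended from cron.
#   - Every new block restarts httpd, so the restart itself interrupts service
#     for legitimate users; keep the threshold high enough that it is rare.
#   - iptables is IPv4 only, so remote addresses that are not IPv4 are skipped.

set -u

deny_file=/etc/csf/csf.deny
snapshot=~/curr

#######################################
# Check that a string is a dotted-quad IPv4 address.
# Arguments: $1 - candidate address
# Returns:   0 if it is four decimal octets in 0..255, 1 otherwise
#######################################
is_ipv4() {
  local addr=$1
  local octet
  [[ $addr =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces base 10 so an octet such as 08 is not parsed as octal.
    ((10#$octet <= 255)) || return 1
  done
  return 0
}

#######################################
# Check whether an address is already an entry in the deny file.
# Compares the first field of each line exactly, so 1.2.3.4 does not match
# 11.2.3.45, and an entry followed by a "# comment" still counts.
# Arguments: $1 - IPv4 address
# Returns:   0 if listed, non-zero if not listed or the file is unreadable
#######################################
already_denied() {
  awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }' \
    "$deny_file" 2>/dev/null
}

# Select sockets whose LOCAL address ends in :80 (column 4) and keep the
# remote address (column 5). Matching ':80' anywhere on the line would also
# count ports such as 8080 and outbound connections to remote web servers.
# sed strips the remote port and any ::ffff: prefix of an IPv4-mapped address.
netstat -anp \
  | awk '$4 ~ /:80$/ { print $5 }' \
  | sed -e 's/:[^:]*$//' -e 's/^::ffff://' \
  | sort | uniq -c | sort -n >"$snapshot"

blocked=no
while read -r conns ip; do
  # Each snapshot line is "<count> <address>"; ignore anything else.
  [[ $conns =~ ^[0-9]+$ ]] || continue
  is_ipv4 "$ip" || continue

  # Skip list: never block the wildcard or loopback addresses.
  # Add trusted addresses (monitoring hosts, proxies) as extra patterns.
  case "$ip" in
    0.0.0.0 | 127.*) continue ;;
  esac

  if [ "$conns" -ge 20 ]; then
    if ! already_denied "$ip"; then
      echo "blocking $ip with $conns connections"
      if iptables -I INPUT -s "$ip" -j DROP; then
        echo "$ip" >>"$deny_file"
        blocked=yes
      else
        # Leave csf.deny untouched so the next run retries the block.
        echo "autoblock: iptables failed for $ip, not recording it" >&2
      fi
    fi
  fi
done <"$snapshot"

# Restart Apache only after a new block. Presumably the restart is meant to
# free workers still held by the blocked client; restarting on every run while
# an already-blocked address lingers in netstat would take the site down once
# a minute.
if [ "$blocked" = "yes" ]; then
  /etc/init.d/httpd stop
  pkill httpd
  /etc/init.d/httpd start
fi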
Put the script in ~ on the server and add it to crontab like so:
*/1 * * * * /root/autoblock.sh >> /var/log/autoblock
Then change the 20 next to -ge to whatever connection threshold you would like on port 80.