Using iptables to counter SYN flood attacks and ban IPs

Uploaded by: son-tran-hong-nam

Posted on 03-Mar-2016


A SYN flood is a form of denial-of-service attack in which the attacker sends SYN connection-request packets to the target system. It is a very common type of attack. It becomes dangerous when the system allocates resources as soon as it receives the attacker's SYN packet, before the ACK arrives.

If the three-way handshake is never completed (a so-called half-open connection) yet the server is forced to allocate resources to manage it, the attacker can exhaust the server's resources simply by "flooding" it with SYN packets. SYN flood is a common attack, and it can be limited with the following iptables rule:

iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN

All connections to the system are then only allowed within these limits:

--limit 1/s: average packet rate of at most 1 per second
--limit-burst 3: at most 3 packets may be accepted in an initial burst

Note that on its own this rule only hands the matching packets back to the INPUT chain's policy; to actually drop the excess SYNs it must be followed by a DROP rule, which is what the syn_flood chain below does.

Using iptables, add the following rules:

# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP

Here --limit sets the rate n and --limit-burst sets the number m.

Put simply: "The rules above limit the number of new connections to the system to n per second, once m connections have been established."

You need to tune --limit (the rate) and --limit-burst to match your network's traffic requirements.

Suppose you want to limit SSH connections (port 22) to no more than 10 connections every 10 minutes; the rules are:

iptables -I INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535

(The third rule is cut off in the source after the port range; $SERVER_IP stands for the server's own address.) Because both INPUT rules are inserted with -I, the DROP rule ends up in front of the ACCEPT rule: every new SSH connection is recorded by the recent module, and the 11th new connection from the same address within 600 seconds is dropped.

So once the attacking IP has been identified (say 192.168.1.222, an address on the LAN), the important thing is to isolate packets from that IP (192.168.1.222) so the system keeps working properly:

# iptables -I INPUT -s 192.168.1.222 -j DROP

This command adds a rule to iptables telling it to drop any packet coming from the IP address 192.168.1.222. If you are facing a large number of attacks, it is better to use a more automated way of adding IP addresses from a ban list. To do this, create the following script:

#!/bin/sh
# Read one address per line from banned_IPs.cfg and drop everything it sends on eth1
# (cat is used because $(< file) is a bash-only form and this script runs under /bin/sh)
for i in $(cat banned_IPs.cfg) ; do
    iptables -I INPUT -i eth1 -s "$i" -j DROP
done

Save the script under any name you like, e.g. banned_IPs.sh, and make it executable:

# chmod +x banned_IPs.sh

Now create a file banned_IPs.cfg and enter the list of IP addresses you want to block, one per line (for example):

192.168.1.222
192.168.1.123
192.168.1.122

Now run banned_IPs.sh to hand the addresses you want blocked over to iptables for "processing":

# ./banned_IPs.sh

SHELL SCRIPTS

How this works is simple: it looks for IPs that currently have connections in the SYN_RECV state, puts them on a blacklist and blocks them. The system calls this script every 2 minutes; if an IP is no longer performing a SYN flood, it is removed from the ban list.

This shell setup consists of 3 files:

The file blocked.ips: this is just a plain text file that you create with vi as usual, initially empty; it is where the IPs suspected of DoS-ing the system are stored.

The file iptables.sh, with this content:

#!/bin/bash
IPT=/sbin/iptables
SPAMLIST="spamlist"
SPAMDROPMSG="SPAM LIST DROP"
# skip comment lines and blank lines in the ban file
BADIPS=$(grep -v -E '^#|^$' /root/iptables/blocked.ips)
# rebuild the list from scratch on every run: remove the old jumps, then flush
# and delete the chain, so addresses no longer in blocked.ips are unbanned
$IPT -D INPUT -j $SPAMLIST 2>/dev/null
$IPT -D OUTPUT -j $SPAMLIST 2>/dev/null
$IPT -D FORWARD -j $SPAMLIST 2>/dev/null
$IPT -F $SPAMLIST 2>/dev/null
$IPT -X $SPAMLIST 2>/dev/null
# create a new iptables list
$IPT -N $SPAMLIST
for ipblock in $BADIPS
do
    $IPT -A $SPAMLIST -s "$ipblock" -j LOG --log-prefix "$SPAMDROPMSG "
    $IPT -A $SPAMLIST -s "$ipblock" -j DROP
done
$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST

What this file does is read the banned IPs from blocked.ips, block each of them, and log the hits so they can be monitored.

Finally the file autoblock.sh, with this content:

#!/bin/bash
/etc/init.d/iptables start
cd /root/iptables
# source addresses of half-open connections; uniq -d keeps only addresses that
# appear more than once, i.e. that hold at least two SYN_RECV connections
# (cut -d: -f1 strips the port and therefore only handles IPv4 addresses)
netstat -atun | grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq -d | sort -n > blocked.ips
sh ./iptables.sh

What this file does is find which IPs are currently sending packets that sit in the SYN_RECV state, write those IPs into blocked.ips, and then call iptables.sh to block them.

Deployment: save all 3 files in one directory (here I use /root/iptables) and chmod them so they are executable; people usually just chmod 777, although chmod 700 is enough since cron runs them as root. Then register the script in crontab:

*/2 * * * * /root/iptables/autoblock.sh
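The detection step of autoblock.sh and the chain rebuild of iptables.sh, as an added example that is not from the original document: synrecv_ips counts half-open connections per source address against a threshold (uniq -d in the original corresponds to a threshold of 2), and spamlist_rules prints, rather than executes, the iptables commands that would rebuild the ban chain. The netstat sample, the threshold argument and the dry-run form are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original document: the SYN_RECV detection of
# autoblock.sh and the chain rebuild of iptables.sh as testable functions.

# Read netstat -atun style lines on stdin and print, one per line, every
# source address holding at least $1 half-open (SYN_RECV) connections.
# autoblock.sh uses "uniq -d", which is the same as a threshold of 2.
synrecv_ips() {
    threshold="${1:-2}"
    grep 'SYN_RECV' | awk '{print $5}' | sed 's/:[0-9]*$//' \
        | sort | uniq -c | awk -v t="$threshold" '$1 >= t {print $2}' | sort
}

# Read addresses on stdin and print the iptables commands that rebuild the
# ban chain from scratch (dry run: printed for review, not executed). Removing
# the old jump and flushing first is what lets an address drop off the ban
# list once it stops flooding.
spamlist_rules() {
    chain="${1:-spamlist}"
    echo "iptables -D INPUT -j $chain 2>/dev/null"
    echo "iptables -F $chain 2>/dev/null"
    echo "iptables -X $chain 2>/dev/null"
    echo "iptables -N $chain"
    while read -r ip; do
        [ -n "$ip" ] || continue
        echo "iptables -A $chain -s $ip -j LOG --log-prefix 'SPAM LIST DROP '"
        echo "iptables -A $chain -s $ip -j DROP"
    done
    echo "iptables -I INPUT -j $chain"
}

# Constructed sample of netstat -atun output: three half-open connections
# from 192.168.1.222, one from 192.168.1.123 and one established SSH session.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             192.168.1.222:41000     SYN_RECV
tcp        0      0 10.0.0.5:80             192.168.1.222:41001     SYN_RECV
tcp        0      0 10.0.0.5:80             192.168.1.222:41002     SYN_RECV
tcp        0      0 10.0.0.5:80             192.168.1.123:52000     SYN_RECV
tcp        0      0 10.0.0.5:22             192.168.1.50:60000      ESTABLISHED'

# Addresses with two or more half-open connections, and the rules for them.
printf '%s\n' "$SAMPLE" | synrecv_ips 2 | spamlist_rules spamlist
```

With the sample above only 192.168.1.222 crosses the threshold of 2, so the printed rule set bans that single address; raising the threshold to 4 bans nothing.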