Quote:
Originally Posted by L1nk1n*P4rK
Hello, now I will share my tip.
This is for Admins!
You should login via SSH to your server and type the following for each IP:
iptables -A INPUT -s 127.0.0.1 -j DROP
Replace 127.0.0.1 with the actual IP address. Do this for each IP.
This will ban the IP from ever accessing the server again. Therefore if the person(s) involved try to DDoS you, it will not work.
If it happens again and you think your server is being DDoSed, run this command:
netstat -n -p|grep SYN_REC | wc -l
It will give you how many SYN_RECV connections you have on the server. If it's above 20 or so, run this command to get the IPs involved:
netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
And then you can run:
netstat -n -p | grep SYN_REC | awk '{print $5}' | sort -u | awk -F: '{print "ipdrop "$1 " on"}'
This will take all the IPs involved and ban them, just like the first command I gave you.
I would also recommend installing APF (firewall). It's free and it works very well with cPanel servers.
Let me know if you need anything else, via PM.
Lovely, but that drops all SYN request packets, thus also the legitimate ones. Same effect as shutting down the service and setting the port in a blocking state.
DoS/DDoS are targeting the service (server), not the IP. Also, dropping the incoming requests of several thousand machines requires some computing power and potent network devices and, consequently, is not recommended to be done in the firewall of the hosting machine, but on a router ahead of it. The default policy should thus be drop, and access should be granted only via an access list/firewall. Due to the magnitude of the attacks (number of sources and pps), the firewall/firegate is recommended to be a late-generation hardware router (higher-frequency CPUs, larger memory sizes for big ACL implementations).
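As an added example (not from either poster), the per-source SYN_RECV counting from the first post, rewritten so the threshold is explicit and the resulting iptables rules are printed for review instead of executed. The netstat lines are constructed sample output; the reply's caveat still applies, since this only identifies sources and does nothing about a flood the host itself cannot absorb.

```shell
#!/bin/sh
# Constructed sample of `netstat -n -p` output: three half-open connections
# from one source, single ones from two others, and one established session.
SAMPLE_NETSTAT='tcp        0      0 198.51.100.5:80         203.0.113.10:51234      SYN_RECV    -
tcp        0      0 198.51.100.5:80         203.0.113.10:51235      SYN_RECV    -
tcp        0      0 198.51.100.5:80         203.0.113.10:51236      SYN_RECV    -
tcp        0      0 198.51.100.5:80         203.0.113.22:40001      SYN_RECV    -
tcp        0      0 198.51.100.5:443        192.0.2.7:55000         ESTABLISHED 1234/nginx
tcp        0      0 198.51.100.5:22         192.0.2.8:60000         SYN_RECV    -'

# syn_recv_sources [threshold]
# Reads netstat output on stdin and prints "count ip" for every foreign
# address holding at least <threshold> SYN_RECV entries, busiest first.
syn_recv_sources() {
    threshold="${1:-1}"
    awk -v min="$threshold" '
        $6 == "SYN_RECV" {
            # Column 5 is the foreign address; drop the :port suffix so
            # many ports from one host collapse into one counter.
            ip = $5
            sub(/:[0-9]+$/, "", ip)
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= min)
                    print count[ip], ip
        }
    ' | sort -rn
}

# drop_rules_for
# Turns "count ip" lines into the DROP rules from the first post, printed
# rather than applied so they can be reviewed before touching the firewall.
drop_rules_for() {
    awk '{ print "iptables -A INPUT -s " $2 " -j DROP" }'
}

# Stand-alone run: report sources with 2 or more half-open connections.
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_sources 2 | drop_rules_for
```

On a live host, replace the sample with `netstat -n -p` (or `ss -Hnt state syn-recv`, which prints only half-open sockets) and keep the threshold well above the normal half-open count for the service.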