millinux
(usa Red Hat)
Enviado em 29/12/2014 - 10:49h
Segue o que voce precisa.
Se o invasor for o mesmo IP, te recomendo a responder contra ele via cain & abel, hydra ou ab (apache-utils)
Fogo contra fogo.
Outra forma bloqueia o ip do cara no iptables para bloqueas as solicitações dele.
# Limpando Regras
iptables -F
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
# Definindo Politica Padrão
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Proteções #
# evita ataques como 'syn flood atack'
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo " Protecao contra ping da morte"
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# rejeita todas as requisição de ICMP ECHO, ou apenas aquelas destinadas a endereçamento broadcasting ou multicasting
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# ignora mensagens falsas de icmp_error_responses
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Kill timestamps. These have been the subject of a recent bugtraq thread
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
# Permite o redirecionamento seguro dos pacotes
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
# Evita problema de resposta tamanho zero
echo "0" > /proc/sys/net/ipv4/tcp_ecn
# Tempo em segundos para manter um fragmento IP na memória
echo "15" > /proc/sys/net/ipv4/ipfrag_time
# Tempo máximo de Espera da Conexão sem Resposta
echo "1800" > /proc/sys/net/ipv4/tcp_fin_timeout
# Liberando todos os dados cacheados da memória
echo 3 > /proc/sys/vm/drop_caches
echo "2048" > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "4096" > /proc/sys/net/core/netdev_max_backlog
echo "3" > /proc/sys/net/ipv4/tcp_syn_retries
# permite determinar o n° de segundos que uma conexão precisa estar ociosa antes de o TCP enviar checagens de keep-alive
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "30" > /proc/sys/net/ipv4/tcp_keepalive_intvl
# Permite ativar o TCP Selective Acknowledgements previsto pela RFC2018
echo "0" > /proc/sys/net/ipv4/tcp_sack
# permite ativar o TCP window scaling previsto pela RFC1323
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
# Confundir fingerprinting "
echo "255" > /proc/sys/net/ipv4/ip_default_ttl
# Esse parâmetro determina o nº de pacotes SYN+ACK enviados antes de o kernel liberar a conexão
echo "2" > /proc/sys/net/ipv4/tcp_synack_retries
echo " Carregando Proteções Adicionais...............[ OK ]"
##### Connlimit
##### Controle de conexão
iptables -t mangle -N CONNLIMIT
iptables -t mangle -A FORWARD -p TCP -d 0/0 -m multiport --destination-port 20,21,23,25,53,110,443 -j CONNLIMIT
iptables -t mangle -A FORWARD -p TCP -d 0/0 -m multiport --destination-port 1863,2210,3128,5600,8080,8081 -j CONNLIMIT
iptables -t mangle -A CONNLIMIT -p TCP -m state ! --state RELATED -m connlimit --connlimit-above 96 --connlimit-mask 32 -j DROP
echo " Connlimit porta nativa iniciado...............[ OK ]"
iptables -t mangle -N CONLIMIT
iptables -t mangle -A FORWARD -p TCP -d 0/0 --dport 1:19 -j CONLIMIT
iptables -t mangle -A FORWARD -p TCP -d 0/0 -m multiport --destination-port 22,24 -j CONLIMIT
iptables -t mangle -A FORWARD -p TCP -d 0/0 --dport 26:52 -j CONLIMIT
iptables -t mangle -A FORWARD -p TCP -d 0/0 --dport 54:79 -j CONLIMIT
iptables -t mangle -A FORWARD -p TCP -d 0/0 --dport 81:109 -j CONLIMIT
iptables -t mangle -A FORWARD -p TCP -d 0/0 --dport 111:442 -j CONLIMIT
iptables -t mangle -A FORWARD -p TCP -d 0/0 --dport 444:1862 -j CONLIMIT
iptables -t mangle -A FORWARD -p TCP -d 0/0 --dport 1864:2209 -j CONLIMIT
iptables -t mangle -A FORWARD -p TCP -d 0/0 --dport 2211:3127 -j CONLIMIT
iptables -t mangle -A FORWARD -p TCP -d 0/0 --dport 3129:5599 -j CONLIMIT
iptables -t mangle -A FORWARD -p TCP -d 0/0 --dport 5601:8079 -j CONLIMIT
iptables -t mangle -A FORWARD -p TCP -d 0/0 --dport 8082:65535 -j CONLIMIT
iptables -t mangle -A CONLIMIT -p TCP -m state ! --state RELATED -m connlimit --connlimit-above 45 --connlimit-mask 32 -j DROP
echo " Connlimit portas nao nativa iniciado..........[ OK ]"
echo " Firewall Parceria Germinare & Bom Jesus.......[ OK ]"
##### FIM CONNLIMIT
### LIBERACOES CAIXA ( CONECTIVIDADE SOCIAL )
iptables -t nat -A PREROUTING -i eth0 -d 200.201.173.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -d 200.201.174.0/24 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -d 200.201.166.0/24 -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -d 200.201.173.0/24 -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -d 200.201.174.0/24 -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -d 200.201.0.0/16 -j ACCEPT
### INICIO REGRAS BLOQUEIO ULTRASURF
# LIBERAÇOES
iptables -t filter -A INPUT -p tcp --sport 443 -j ACCEPT # PERMITIR A ENTRADA DE SSH
iptables -t filter -A FORWARD -p tcp --dport 8443 -j ACCEPT # PERMITIR ENCAMINHAMENTO
iptables -A FORWARD -p tcp -d 189.21.0.0/16 --dport 443 -j ACCEPT # IPS BRASIL
iptables -A FORWARD -p tcp -d 189.22.0.0/16 --dport 443 -j ACCEPT # IPS BRASIL
iptables -A FORWARD -p tcp -d 200.0.0.0/8 --dport 443 -j ACCEPT # IPS BRASIL
iptables -A FORWARD -p tcp -d 201.0.0.0/8 --dport 443 -j ACCEPT # IPS BRASIL
iptables -A FORWARD -p tcp -d 65.54.0.0/16 --dport 443 -j ACCEPT # MSN
iptables -A FORWARD -p tcp -d 65.55.0.0/16 --dport 443 -j ACCEPT # MSN
iptables -A FORWARD -p tcp -d 157.55.0.0/16 --dport 443 -j ACCEPT # MSN
iptables -A FORWARD -p tcp -d 64.233.163.0/24 --dport 443 -j ACCEPT # GMAIL
iptables -A FORWARD -p tcp -d 74.125.0.0/16 --dport 443 -j ACCEPT # GMAIL
iptables -A FORWARD -p tcp -d 209.85.195.0/24 --dport 443 -j ACCEPT # GMAIL
iptables -A FORWARD -p tcp -d 200.220.0.0/16 --dport 443 -j ACCEPT # SATANDER
iptables -A FORWARD -p tcp -d 170.66.52.0/24 --dport 443 -j ACCEPT # BANCODOBRASIL
iptables -A FORWARD -p tcp -d 64.215.158.0/24 --dport 443 -j ACCEPT # HOTMAIL
iptables -A FORWARD -p tcp -d 96.16.0.0/16 --dport 443 -j ACCEPT # HOTMAIL
iptables -A FORWARD -p tcp -d 184.84.0.0/16 --dport 443 -j ACCEPT # Hotmail*
iptables -A FORWARD -p tcp -d 77.247.0.0/16 --dport 443 -j ACCEPT #Hotmail *
iptables -A FORWARD -p tcp -d 23.1.53.0/24 --dport 443 -j ACCEPT #Hotmail *
iptables -A FORWARD -p tcp -d 23.1.69.0/24 --dport 443 -j ACCEPT #Hotmail *
iptables -A FORWARD -p tcp -d 72.246.249.0/24 --dport 443 -j ACCEPT #HOTMAIL *
iptables -A FORWARD -p tcp -d 184.50.0.0/16 --dport 443 -j ACCEPT #hotmail *
iptables -A FORWARD -p tcp -d 72.247.0.0/16 --dport 443 -j ACCEPT #HOTmAIL *
iptables -A FORWARD -p tcp -d 23.1.53.0/24 --dport 443 -j ACCEPT #HOTMAIL
iptables -A FORWARD -p tcp -d 187.35.180.0/24 --dport 443 -j ACCEPT #hotmail*
iptables -A FORWARD -p tcp -d 200.126.0.0/16 --dport 443 -j ACCEPT #hotmail
iptables -A FORWARD -p tcp -d 187.19.0.0/16 --dport 443 -j ACCEPT #UNOPAR
iptables -A FORWARD -p tcp -d 72.49.0.0/16 --dport 443 -j ACCEPT #SKYPE
iptables -A FORWARD -p tcp -d 70.91.0.0/16 --dport 443 -j ACCEPT #SKYPE
iptables -A FORWARD -p tcp -d 71.111.0.0/16 --dport 443 -j ACCEPT #SKYPE
iptables -A FORWARD -p tcp -d 189.0.0.0/8 --dport 443 -j ACCEPT #SKYPE
iptables -A FORWARD -p tcp -d 66.165.0.0/16 --dport 443 -j ACCEPT #SKYPE
iptables -A FORWARD -p tcp -d 64.4.0.0/16 --dport 443 -j ACCEPT #SKYPE
iptables -A FORWARD -p tcp -d 149.5.45.0/24 --dport 443 -j ACCEPT #SKYPE
iptables -A FORWARD -p tcp -d 190.74.30.0/24 --dport 443 -j ACCEPT #SKYPE
iptables -A FORWARD -p tcp -d 208.88.186.0/24 --dport 443 -j ACCEPT #SKYPE
iptables -A FORWARD -p tcp -d 213.166.51.0/24 --dport 443 -j ACCEPT #SKYPE
iptables -A FORWARD -p tcp -d 213.146.189.0/24 --dport 443 -j ACCEPT #SKYPE
iptables -A FORWARD -p tcp -d 184.51.254.0/24 --dport 443 -j ACCEPT #SKYPE
iptables -A FORWARD -p tcp -d 170.66.1.0/24 --dport 443 -j ACCEPT #UNOPAR BB
iptables -A FORWARD -p tcp -d 190.191.69.0/24 --dport 443 -j ACCEPT #BB
iptables -A FORWARD -p tcp --dport 33033 -j ACCEPT #SKYPE
iptables -A FORWARD -p tcp -d 170.66.2.0/24 --dport 443 -j ACCEPT #BB
iptables -A FORWARD -p tcp -d 174.120.93.0/24 --dport 443 -j ACCEPT #CITY LAR
iptables -A FORWARD -p tcp -d 208.70.188.0/24 --dport 443 -j ACCEPT #TERRA
iptables -A FORWARD -p tcp -d 201.77.87.0/24 --dport 443 -j ACCEPT #SICREDI
### LIBERADOS PORTA 443
iptables -I FORWARD -s 192.168.10.112 -p tcp --dport 443 -j ACCEPT # NEIA
iptables -I FORWARD -s 192.168.10.201 -p tcp --dport 443 -j ACCEPT # DOUGLAS
iptables -I FORWARD -s 192.168.10.202 -p tcp --dport 443 -j ACCEPT # JOSE C
iptables -I FORWARD -s 192.168.10.203 -p tcp --dport 443 -j ACCEPT # ILDO C
iptables -I FORWARD -s 192.168.10.204 -p tcp --dport 443 -j ACCEPT # CAMILA C
iptables -I FORWARD -s 192.168.10.205 -p tcp --dport 443 -j ACCEPT # ILTON CESAR
## BLOQUEIO
iptables -A FORWARD -p tcp --dport 443 -j DROP
### FIM REGRAS BLOQUEIO ULTRASURF
# Libera MSN
iptables -I FORWARD 1 -i eth1 -s 192.168.10.0/24 -p tcp --dport 1863 -j ACCEPT
# Bloqueia MSN
iptables -I FORWARD 1 -i eth1 -s 192.168.10.156 -p tcp --dport 1863 -j DROP
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to 3128
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
exit 0