Command to check the number of connections per remote IP on port 25:
#netstat -plan|grep :25|awk '{print $5}'|cut -d: -f1|sort|uniq -c|sort -nk 1
Block an offending IP with iptables (xxx.xxx.xxx.xxx is the address to block):
#iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
DDOS Attack
Quick check for a ddos via number of connections
A quick and useful command for checking if a server is under DDoS is:
#netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
That will list the IPs holding the most connections to the server. It is important to remember that DDoS attacks are becoming more sophisticated and are using fewer connections from more attacking IPs. If this is the case you will still see low per-IP connection counts even while you are under a DDoS.
Another very important thing to look at is how many active connections your server is currently processing.
#netstat -n | grep :80 |wc -l
#netstat -n | grep :80 | grep SYN |wc -l
The first command shows the number of connections open to port 80 on your server. Many of the attacks typically seen work by opening a connection to the server and then sending nothing, leaving the server to wait for it to time out. The number from the first command varies widely, but if you are much above 500 you are probably having problems. If the second command (connections still in a SYN state, i.e. half-open) is over 100 you are having trouble with a SYN attack.
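As an added example (not part of the original notes), the same counting logic as a small shell script run over a constructed netstat -an sample, so the per-IP counts and the 500/100 thresholds above can be checked per port without a bare grep :80 (which also matches :8080); the addresses are constructed and IPv6 entries are not handled.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output (not a real capture); columns:
# proto recv-q send-q local_address foreign_address state
SAMPLE='tcp   0  0 10.0.0.5:80   198.51.100.7:51234  ESTABLISHED
tcp   0  0 10.0.0.5:80   198.51.100.7:51235  ESTABLISHED
tcp   0  0 10.0.0.5:80   198.51.100.7:51236  SYN_RECV
tcp   0  0 10.0.0.5:80   203.0.113.9:40001   SYN_RECV
tcp   0  0 10.0.0.5:80   203.0.113.9:40002   SYN_RECV
tcp   0  0 10.0.0.5:80   192.0.2.44:33000    ESTABLISHED
tcp   0  0 10.0.0.5:25   192.0.2.44:33001    ESTABLISHED
tcp   0  0 0.0.0.0:80    0.0.0.0:*           LISTEN'

# Connections per remote IPv4 address on a local port, most first.
# Anchoring the port with ":PORT$" avoids the grep :80 problem of
# also matching :8080. IPv6 entries (":::80") are not handled here.
# Usage: conns_per_ip PORT < netstat_output
conns_per_ip() {
    awk -v port=":$1" '
        $4 ~ port"$" && $5 != "0.0.0.0:*" { split($5, a, ":"); n[a[1]]++ }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Half-open connections (SYN_RECV) on a port: the SYN flood indicator.
# Usage: syn_count PORT < netstat_output
syn_count() {
    awk -v port=":$1" '$4 ~ port"$" && $6 == "SYN_RECV"' | wc -l | tr -d ' '
}

# Remote IPs holding more than THRESHOLD connections to PORT.
# Usage: over_threshold PORT THRESHOLD < netstat_output
over_threshold() {
    conns_per_ip "$1" | awk -v t="$2" '$1 > t { print $2 }'
}

# One-line verdict using the rule-of-thumb limits from the notes above
# (500 active, 100 half-open) unless overridden.
# Usage: report PORT [ACTIVE_MAX] [SYN_MAX] < netstat_output
report() {
    input=$(cat)
    active=$(printf '%s\n' "$input" | awk -v port=":$1" '$4 ~ port"$" && $5 != "0.0.0.0:*"' | wc -l | tr -d ' ')
    syn=$(printf '%s\n' "$input" | syn_count "$1")
    verdict=ok
    [ "$active" -gt "${2:-500}" ] && verdict="too many active connections"
    [ "$syn" -gt "${3:-100}" ] && verdict="possible SYN flood"
    echo "port $1: $active active, $syn half-open, $verdict"
}

printf '%s\n' "$SAMPLE" | conns_per_ip 80
printf '%s\n' "$SAMPLE" | report 80
```

On a live box replace the sample with `netstat -an | conns_per_ip 80` or `netstat -an | report 80`.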
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To block a certain IP address on the server, use the following commands:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#route add ipaddress reject
for example: #route add 192.168.0.168 reject
You can check whether a given IP is blocked on the server with the following command:
#route -n |grep IPaddress
~~~~~~~~~~~~~~~~~~~
OR
Use the following command to block an IP with iptables on the server:
#iptables -I INPUT 1 -s IPADDRESS -j DROP
(use -j REJECT instead of -j DROP if the sender should get an error back; -A does not take a rule number, so insert at position 1 with -I)
#service iptables save
#service iptables restart
(save before restarting: restart reloads the saved rule set and would discard a rule that only exists in memory)
Then kill all httpd connections and restart the httpd service with the following commands:
#killall -KILL httpd
#service httpd startssl